Cyber security is an inherently technological subject. It concerns the protection of physical assets (servers, computers, mobile devices), digital assets (data) which reside on or can be accessed via physical devices, and the networking infrastructure which connects devices and through which data flows. While there is great value in approaching cyber security from non-technical angles provided by social sciences and the humanities, it would be futile to attempt to completely decouple cyber security from technology. And, despite its history, it is all too easy to think of cyber security as inexorably tied to contemporary technology.
In fact, the opposite is true: technology is ephemeral, but cyber security is constant, though not unchanging. As new hardware, software, and protocols are developed, the requirement for cyber security remains, even if the details of how to implement it changes. New technology does not invalidate cyber security, indeed new technology entrenches the need for cyber security. Artificial intelligence (AI) may be a new technology particularly relevant to cyber security skills, as the ability to automate routine tasks could decrease the need for entry level cyber security roles. But like any other new technology, AI also requires security – it must be developed with security-by-design and integrated in existing systems in a security-conscious manner. There is therefore an open question about the extent to which AI decreases cyber security roles versus augmenting roles to different skillsets.
Amongst the constantly shifting technological landscape, it is critical to avoid becoming distracted by the latest developments. New technologies tend to capture not only the public imagination, but also the attention of senior government leadership and corporate executives. This has certainly been borne out with AI, where rapid technological development has been followed by rapid policy directives to devote significant national and international effort – not always misplaced – to shepherd and harness the technology. But AI is not the first, and certainly not the last, technology that will go through this cycle.
Remembering that cyber security will remain a constant requirement is crucial to maintaining an appropriately skilled workforce, ensuring that technologies are developed and deployed safely and securely. To aid with this at an international level, it would be useful to have a shared understanding of countries’ approaches to setting standards for cyber security workforces. There will be differences and similarities in the factors countries take into account when setting workforce standards. Knowing why and how these factors are relevant in some contexts will help countries assess which factors are relevant to them, and perhaps discover factors not previously accounted for, enabling them to modularly approach setting their own cyber security workforce standards.