Addressing the Skills Shortage in Cybersecurity


  • Gareth Davies, University of South Wales, UK
  • Angela Mison, University of South Wales, UK
  • Peter Eden, University of South Wales, UK



Keywords: Murphy's law, Finagle's law, resistentialism, cybersecurity, career path, skills, skills shortage


Security by design is an emerging paradigm that seeks to decrease the opportunity for corruption and disruption, and to increase the inherent stability, dependability and resilience of systems. Cyber experts need to be involved in the design phase, as Finagle's Law, interpreted for cybersecurity, is 'if it can be hacked, it will – at the worst possible time'. Testing is designed to counter Murphy's Law and reduce resistentialism. Defensive programming, the original form of cybersecurity, carries an overhead for which there is often no demonstrable return. The priority of the design-stage cybersecurity expert is to plan for contingencies and think like a hacker. It is about risk management; understanding this dictates security-by-design requirements, in the knowledge that the security of interconnected systems is only as strong as their weakest link. Definition and audit of Service Level Agreements (SLAs) are an essential part of cybersecurity, as is the audit of any third-party suppliers of componentry for the system under design. Governance and policy definitions, exciting for some, are integral to cybersecurity. Beyond this, the cybersecurity expert must consider system failure. Recent ransomware attacks have demonstrated the necessity of business continuity plans, as recovery has still taken time. The Blue Team Field Manual has an impressive list of the documentation and actions required in this event, but glosses over the effort involved. While the above is rolling maintenance, threat hunting differs: every vulnerability or threat must be evaluated for its consequential impact. Either a passionate interest in psychology or an extremely jaundiced view of the world is a necessary attribute for cybersecurity. Reality is so different from the aspirations of potential pen testers, incident responders and AI security engineers, who face 3 – 5 post-graduation years to proficiency, that it is no wonder disillusion results in a shortage of 3.5 million cybersecurity experts.