Release of Canada's new national Strategy highlights urgency of hiring qualified cybersecurity talent, say experts offering tips for HR

With the release of Canada’s updated National Cyber Security Strategy in January, experts have an urgent message for employers: start planning to hire cybersecurity professionals now.
The strategy is based on three pillars: working with partners to protect Canadians and Canadian business from cyber threats; making Canada a global cyber security industry leader; and detecting and disrupting cyber threat actors.
The federal government strategy also outlines increased compliance regulations for businesses in all industries and warns of a coming shortage of cybersecurity professionals in Canada.
HR leaders who wait too long to plan for this shortage will find themselves scrambling for qualified personnel “to identify the issues and problems and write policy and practice and procedures,” according to Ali Ghorbani, professor of cybersecurity and computer science at the University of New Brunswick.
There is a major gap between available talent and industry needs, he explains, and it’s a gap that will only grow.
Growing demand for cybersecurity skills across industries
According to a recent report by Salesforce, State of IT: Security Insights for Canada, 66% of Canadian IT security leaders expect their budgets to increase in the coming year, signaling that organizations are preparing to allocate more resources to security personnel and training.
But Ghorbani points out that a key factor in hiring that many employers miss is knowing what type of cybersecurity professional their organization needs – according to the national strategy, many Canadian businesses will need to hire cybersecurity talent beyond traditional IT roles.
For clarity, Ghorbani highlights three main types of cybersecurity roles for HR leaders to consider:
Policy and compliance experts: Professionals who can draft and maintain organizational cybersecurity policies that align with evolving regulations and new technologies. They are also trained to assess, investigate, and mitigate cyberattacks, as well as return systems back to normal running order. These professionals must be qualified with nationally recognized credentials, Ghorbani says.
Network security specialists, threat analysts: Experts who monitor and manage cybersecurity infrastructure to prevent breaches. These employees should also have standard credentials from a college or certification program, for example.
In-house cybersecurity professional: A professional who may be trained in-house to perform basic system management, to give or facilitate workshops, to study other organizations’ practices – basically to be an overseer or facilitator of best practices in the organization. These individuals may have degrees or MBAs with some cybersecurity training, but not a focus, and Ghorbani advises that their work be checked by a cybersecurity professional with more credentials.
Cybersecurity ‘not a joke’
Ottawa's national strategy encourages employers to integrate cybersecurity into their long-term workforce planning, rather than relying on outside help only when a crisis occurs. However, Salesforce’s report reveals that 30% of Canadian IT security leaders say their organization's IT security training is reactive or based on outdated best practices.
Ghorbani echoes this, stating that many employers think they are immune to cyberattacks — until they happen: “The problem with cybersecurity is that most don't feel the pain. They think it's going to happen to others, but not to them.”
It’s an attitude that employers can no longer afford, as increasing tech and AI use in organizations means ever-increasing risk that cannot be avoided, he says.
“If they are not worried about their security, especially their infrastructures, their intellectual property, their data and so on … the very first thing that they would suffer, business wise, is losing the trust and respect of their clients, if something happens,” Ghorbani says.
“Which I'm telling them – it will happen. It's just a matter of time. It will happen to everyone who is not careful enough. This is not a joke.”
AI and cross-disciplinary cybersecurity training
Cybersecurity hiring challenges are being complicated by the rapid adoption of artificial intelligence (AI) and other emerging technologies.
“As the new technologies are being adopted, cybersecurity is becoming more and more important,” says Ali Dehghantanha, director of the Master of Cybersecurity and Threat Intelligence program at the University of Guelph.
“For example, these days, one of the biggest challenges is how we can make sure that these AI systems are secure, they are not getting hacked, they are not leaking information, they are not being abused by the people or misused by the people. That's the conversation.”
While AI security is a growing concern, Salesforce’s report indicates that only 55% of Canadian IT security leaders are designing AI employee training programs, despite 71% saying they have designed security and governance protocols to account for AI.
Dehghantanha also emphasizes the importance of cross-disciplinary cybersecurity expertise, rather than limiting responsibility to IT teams alone.
“There should be cross-disciplinary expertise in cybersecurity, which means that it is no more only the work of a cybersecurity team to secure the environment, but you need to train your employees so they can take the security measurements in place.”
Training and hiring: what HR leaders need to know
Ottawa’s national strategy notes that training programs and certifications are essential for building a robust cybersecurity workforce in Canada; however, Dehghantanha points out that the current educational programs available are not likely to be enough to meet demand in coming years.
He explains that in his own program, for example, cybersecurity graduates are being hired out of master’s programs even before completing their studies, highlighting the severity of the workforce shortage.
“I can tell you that none of our students even get to the last semester before finding a position or getting hired. So that's the demand you are talking about. There is a huge demand out there.”
Avoiding hiring mistakes: cybersecurity credentials
One of the biggest risks in cybersecurity hiring is failing to properly vet candidates – Ghorbani warns that hiring managers must prioritize proper training and credentials along with a thorough investigative interview process.
“Definitely, definitely, you need to – these people have to have to have the right credentials, [have] gone through the training, got certificates, so they can actually be trusted to look at your issues and threats and attacks and come up with solutions in safeguarding it and mitigating it.”
Dehghantanha points to a growing issue where individuals falsely brand themselves as cybersecurity professionals without proper qualifications.
“There are people that they feel, or they think, that the cybersecurity market is ‘hot’ overnight, they rebrand themselves as cybersecurity professionals, and then they go to the market, go to interviews, go talk to employers, and they are not delivering.”
Partnering with universities for cyber talent
One of the most effective ways for businesses to secure top cybersecurity talent is by establishing early partnerships with universities and training programs; Ghorbani stresses the importance of investing in talent before graduation to ensure businesses hire the most qualified professionals.
“For cybersecurity, their best bet is to invest early,” he says.
“They should go to different places that offer programs, and among those people that are taking the program, if they want to hire next year, next six months, they basically go through the interview selections, and say, ‘Okay, I’ll invest $10,000 on you to pay your tuition here for one year. And once you finish, you come and work with me.’”
This approach allows businesses to build long-term relationships with potential hires, Ghorbani explains, ensuring a steady pipeline of trained professionals.
He also notes that employers can seek out university projects and internship opportunities to engage students early – for example, offering projects at the company as capstone project opportunities: “‘We have a problem, we’ll give you the project. You do it for your degree, and then you get your marks’ … so that builds that relationship.”
Lastly, by integrating hiring efforts into academic programs, employers can reduce their reliance on headhunters and costly last-minute hiring efforts, Ghorbani says.
“You go early on, you build some relationships – it could be a four-year program, you go [in the] third year, get a couple of students, say, ‘Do your studies, you come and do co-op with us for a term or an internship, whatever it is, a summertime,’ and then build a relationship and hire them after. This is the best strategy … Come early, get the best.”