Project INSIGHTS REPORT
Transforming Skills and Talent Acquisition in Canadian Cybersecurity
Cybersecurity is a growing field, with demand for services and support from a wide variety of businesses, organizations, and government organizations across Canada. The need for more talent in the cybersecurity sector has been difficult to address, and more employers are looking to underrepresented groups to fill labour shortages, including women, Black, Indigenous and racialized individuals.
To respond to this challenge, in 2020, the Rogers Cybersecure Catalyst launched the Accelerated Cybersecurity Training Program (ACTP), which targeted women, new Canadians and displaced workers, provided them with two globally-recognized cybersecurity certifications, and offered job search assistance. In October 2021, the Future Skills Centre funded the expansion of ACTP to focus on Black, Indigenous and other racialized learners, with a continued focus on women from these groups. The expansion also included research and evaluation to better understand the barriers faced by these groups and the outcomes of ACTP participants.
The ACTP program and its expansion produced promising results. Many ACTP participants experienced meaningful increases in earnings and employment within the cybersecurity sector and 97% of graduates surveyed would recommend the program to others.
Despite the success of the skills training program, graduates still reported challenges with getting hired in the sector. Cybersecurity employers continue to rely on referrals from existing employees, making it difficult for new professionals to break in. ACTP participants also felt that despite the skills acquired, employment remained challenging because of high skills expectations in job postings. Cybersecurity employers should seize opportunities to enhance their recruitment and talent development practices to support a more diverse workforce.
A Race for Talent: Insights from Canadian Cybersecurity Employers
Future Talent: Expanding and Diversifying Canada’s Cybersecurity Talent
Key Insight #1
Employers surveyed expect the demand for entry-level cybersecurity professionals to double in the next 3–5 years. While a range of technical skills are being sought, there is greater consistency in non-technical skills needed across the sector.
Key Insight #2
76% of ACTP participants surveyed were earning at least $60k three months after the program vs. only 29% at the beginning of the program.
Key Insight #3
Employee referrals are the preferred recruitment method among cybersecurity employers, but this limits companies to existing networks and undermines efforts to increase diversity and inclusion.
Rapidly changing technology and the growing threat of cyber attacks has increased the need for cybersecurity professionals across sectors and industries in Canada. But, the country has a long-standing and growing shortage of trained cybersecurity professionals. In 2023, it was estimated that the gap between the supply of cybersecurity professionals and the need for these roles in Canada grew more than 50% over the previous year.
Many in the sector are looking to diversify the profession, hoping to attract more women and racialized groups to address the labour and skills shortages. While change is underway, with a growing portion of the cybersecurity workforce being non-white, women and racialized groups are still in the minority.
To address the talent shortage and attract more professionals from diverse backgrounds, the Rogers Cybersecure Catalyst —Toronto Metropolitan University’s national center for training, innovation and collaboration in cybersecurity— launched the Accelerated Cybersecurity Training Program (ACTP) in 2020. The 7-month program aimed to connect entry-level cybersecurity candidates with the industry by providing skills training. The program was specifically designed to give women, new Canadians and displaced workers the skills they need to launch a career in the cybersecurity sector.
What We’re Investigating
In October 2021, the Accelerated Cybersecurity Training Program expanded its reach to individuals who identify as Black, Indigenous or racialized, by reserving 60 seats for these learners of which at least 30 were reserved for women.
The project also included a partnership with Blueprint ADE to support research and evaluation of the existing Accelerated Cybersecurity Training Program, to generate actionable recommendations to increase diversity and inclusion in cybersecurity. The research and evaluation included surveys and interviews with learners and employers to understand program experience and outcomes, with a focus on the unique challenges facing underserved groups in accessing cybersecurity skills training and employment
What We’re Learning
Surveys and interviews were conducted with 413 learners in the Accelerated Cybersecurity Training Program and nearly 100 employers.
Strong demand for talent, but diverse technical skills sought
Based on this project’s survey and interview of employers, demand for entry-level cybersecurity professionals is expected to double in the next three to five years. However, the technical skills sought by specific companies vary. Among those surveyed, the top technical skills demanded are:
- Intrusion detection and response techniques (41%)
- Vulnerability assessment (34%)
- Application of cloud security technologies and methodologies (33%)
With the top skill sought by only 40% of employers, there appears to be a range of different technical needs in the sector.
By contrast, there is greater consistency in non-technical skills. The top non-technical skills that employers report are needed are:
- Problem-solving and critical thinking (79%)
- Verbal communication (75%)
- Attention to detail (63%)
- Written communication (63%)
Over three-quarters of employers agreed that problem solving and verbal communication are vital skills for incoming employees.
ACTP has positive impact on skills, employment, and earnings
Early indications suggest the Accelerated Cybersecurity Training Program (ACTP) has a promising impact. Graduates who responded to feedback surveys were very satisfied with the program:
- 89% of ACTP graduates were satisfied with the program
- 97% of graduates recommended or would recommend the program
- 91% of graduates believed they acquired the skills and knowledge to be successful in a cybersecurity career
Learners also experienced increases in employment and earnings:
- Overall employment (in any industry) increased from 61% at the program’s start to 79% three months after the program’s end. However, the study design did not allow for benchmarking of employment rates with non-program participants, so we can’t say for certain that this increase in employment rates is causally linked with program participation.
- Learners that report more than half their work is in cybersecurity increased from 7% of employed respondents at the program’s start to 42% three months after the program’s end
- The percentage of respondents earning at least $60,000 per year grew from 29% at the program start to 49% at program completion and 76% three months after the program’s end
Employers who engaged with ACTP often became more aware of diversity, equity and inclusion (DEI) in their workplace and took actions based on this increased awareness, from including training staff and tracking applicants’ sociodemographic characteristics.
Learners report ongoing challenges with hiring processes
Despite employer demand for cybersecurity talent and the effectiveness of the ACTP, participants described continued barriers in the recruitment and hiring process. 91% of survey respondents believed they had the skills and knowledge to succeed in a cybersecurity career, but only 70% felt confident in applying for a job. Some participants said that, despite their skills, convincing a recruiter or interviewer could be an obstacle to securing a position. Other graduates suspected there might not be a shortage of entry-level cybersecurity workers, but instead a saturation of entry-level applicants, citing competition for roles and recent layoffs or hiring freezes at large companies. Relatively modest salaries also make the ACTP and entry-level cybersecurity jobs more appropriate for those early in their career rather than those with families and higher expenses. Based on survey responses, Black, Indigenous and racialized learners had similar experiences as other learners, suggesting a sector-wide challenge.
Part of the issue may lie with hiring methods. Among the employers surveyed, employee referrals was by far the most preferred recruitment method, but this limits companies to existing networks instead of promoting greater diversity. Recruitment methods that cast a wider net, like job boards, were not considered by the employers surveyed as effective.
Both employers and applicants also note that strict criteria and high expectations in job postings can make it more difficult to match candidates to available roles. Some employers observed that the skills and knowledge expectations of entry-level roles did not reflect entry-level work. Further, employers and learners suggested that while HR professionals are responsible for drafting and/or matching candidates to postings, they may not always have the full set of information needed to flexibly assess job requirements that both meet role needs and align with the entry-level skillsets available in the market.
Mixed opinions on support for diverse candidates
While 43% of employers believe they have challenges recruiting Black, Indigenous or racialized individuals, including women in these groups, another 42% reported they did not have challenges (an additional 15% responded “I don’t know/not sure). Overall, 68% of employer survey respondents have programs in place to recruit diverse candidates for cybersecurity roles.
Some diversity, equity, and inclusion initiatives that learners found helpful were:
- mentoring programs for women and/or Black, Indigenous and racialized staff (49% of employers)
- ongoing learning and development opportunities (38% of employers)
However, some diversity, equity and inclusion practices that learners found helpful were rarely mentioned by employers:
- clubs/committees for employees with a shared background/identity
- acknowledging/celebrating achievements of women and Black, Indigenous and racialized employees
Going forward, the ACTP program could play a role in facilitating greater coordination between cybersecurity managers and HR teams for sustainable DEI reform.
Why It Matters
The Accelerated Cybersecurity Training Program (ACTP) is a promising model for addressing acute labour shortages while advancing the inclusion of underrepresented groups in Canada’s future-focused workforce. The project’s industry-led training and support program illustrates the win-win opportunity that is possible when intermediary organizations aggregate the demand for talent and implement a relevant and rigorous skills development initiative on behalf of a sector.
For policymakers and practitioners, there are implications and potential applications of this model for other sectors of the economy, especially since small and medium-sized enterprises (SMEs) dominate Canada’s private sector and it is difficult for these smaller businesses to develop training programs on their own.
This project shows the importance of job search support and connections to employers. Beyond the development of technical abilities, it is vital that skill development programs enable participants to navigate and succeed in the labour market.
Of course, it is not simply the candidates that must enhance their skills, but employers need to adapt their recruitment and talent development practices as well. To attract different candidates, it is important for employers to consider different processes, and both policymakers and practitioners can play a role in supporting this change. These efforts can be helpful in promoting greater diversity, equity, and inclusion in workplaces as well.
The ACTP program has an Industry Advisory Council composed of employer partners who provide strategic guidance, advice and support to project staff. Other practitioners may wish to consider a similar approach to enable ongoing coordination and dialogue between employers, program implementers, funders, and other stakeholders.
To summarize the project’s lessons for employers and encourage wider adoption of promising practices, the Catalyst produced a Cybersecurity Talent Management Playbook with input from the organization’s Advisory Council and HR Council. This playbook has now been shared at 12 conferences and events.
Furthermore, in recognition of the fact that cybersecurity employers are shifting their recruitment to specialized roles instead of entry-level positions, the Catalyst used the results from this FSC-funded project to develop the Advanced Cyber Education (ACE) program. The ACE provides cybersecurity professionals with the skills and knowledge required to take on specialized roles within the industry. Funded by Upskill Canada Palette Skills, this new program enables 150 cybersecurity professionals with a minimum of 1.5 years of experience to gain intermediate skills and specialize in an area identified by this project’s research.
Finally, the Catalyst developed the new Certifications for Leadership in Cybersecurity (CLIC) program based on this project’s insights. The new programming is an adaptation of ACTP and has replaced ACTP as the flagship cybersecurity training program for individuals. Funding from RBC is allowing CLIC to offer women scholarships to offset program fees an