Key Points

1. The Cyber Security system is broken, to the point that some may assert that cyber security degrees are “useless"

   
   

2. One of the main reasons for the broken system is that organizations are not investing in new talent and training, and AI adds further complications

   
   

3. Some proposals for rectifying the situation are: eliminate the experience gap through mandatory training investment; mandate industry-education-government coordination for work placements; and strengthen government regulation and skills-job alignment review

At this point, we can all agree that cyber security has a serious problem, and it's not Advanced Persistent Threats or quantum computing; it’s the HR firewall rule set that denies access without experience, and poor government policy and automation that exacerbate an already broken system.

The job market in Canada is challenging, which is not particularly significant news to recent graduates, long-time job seekers, those over the age of 45, and those who have recently become unemployed. The job market competition in Canada is fierce. This is particularly true for 15 to 19-year-olds who are now at a 22 percent unemployment rate.  Due to a variety of factors, one could conclude that education in Canada either exists as a pretext to scam people or is itself a scam. These days, some might say that a Master’s degree in Canada is helpful if one wants to pursue origami or needs some kindling to start a small fire.

This is not entirely the fault of Applicant Tracking System (ATS) hiring systems (software that helps companies manage the recruitment and hiring process), biased recruiters, or infamous catch-22 of needing experience to get initial experience. As I mentioned in a previous article, the 2024 ISC2 Cybersecurity Workforce Study's budget cuts are the most significant reason why new cyber security talent is not being hired or trained.

Why Are Cyber Security Degrees “Useless”?

Yes, some may deduce that degrees are useless, but not in the way your tough, long, disillusioned older relative warned you about. Of course, dance theory, art, or sociology don’t mesh with the brutal demands of the late-stage neoliberal job market. However, the truth is that while STEM degrees on average pay better than humanities degrees, a quick observation of Statistics Canada’s Interactive Labour Market Tool reveals that the data is from 2018 and shouldn’t be considered relevant due to the unprecedented disruptions to labour markets caused by the pandemic.

Why exactly can one be certain that cyber security degrees are useless? Are they not in demand? Is cyber security not a STEM field that requires intense knowledge? Well, that is half-true. Cyber security is in high demand, but the degree is distinct from traditional STEM degrees. Where doctors and engineers secure placements and gain work experience to verify the validity of their degrees, cyber security degrees will hopefully include lab work or projects. In my view, the reality is that the crucial experience component that employers desire is absent.

Although this lack of work placement is shifting, it remains challenging to find undergraduate or Master 's-level cyber security programs in Canada that include a work experience component. For instance, according to the Canadian Centre for Cyber Security’s Post-Secondary Cyber Security Related Programs Guide, only ten bachelor's programs and four master’s programs offer a work placement option out of a total of 147 entries.

Moreover, according to the 2024 ISC2 Cybersecurity Workforce Study, organizations surveyed around the world have experienced a significant increase in risk and disruption, yet economic pressures, exacerbated by  geopolitical uncertainties, have led to budget and workforce reductions in a number of sectors, and cyber security threats and data security incidents have only continued to grow. Resources are strained, and this impacts cyber security teams and their abilities to adopt new technologies and protect against the nuanced threats they pose to their organizations.

The conclusion of this study was that in 2024, economic conditions have significantly impacted the workforce, leading to both talent shortages and skills gaps at a time when need has never been greater. On top of this, the introduction of AI to drive transformation, cope with demand, and shape strategic decisions has come with its own challenges:

“We found that while cybersecurity teams have ambitious plans for AI within the cybersecurity function, they anticipate the biggest return on investment will occur in two or more years. As a result, they are not immediately overhauling their practices to adopt AI. Cybersecurity professionals are also conscious of the additional risks AI will introduce across the organization. As different departments adopt AI tools, cybersecurity teams are encouraging their organizations to create comprehensive AI strategies”

Interestingly, some of the key findings are:

• Cybersecurity professionals don’t believe their cybersecurity teams have sufficient numbers or the right range of skills to meet their goals

  
  

• Cybersecurity professionals are still focused on higher education and professional development once in the workforce, but they increasingly prioritize work-life balance

  
  

• Many believe that diverse backgrounds can help solve the talent gap

  
  

• The expected advancements of AI will change the way cyber respondents view their skills shortage (certain skills may be automated), yet Cyber professionals confident Gen AI will not replace their role

  
  

• It was found that 45 percent of cyber security teams have implemented Gen AI into their teams’ tools  to bridge skills gaps, improve threat detection and provide vast benefits to cybersecurity

  
  

• Organizations need a Gen AI strategy to responsibly implement the technology

How HR is Adding to the Problem & Is Far From NICE

As I mentioned above, budget cuts are the primary reason organizations are not investing in new talent and training; however, it would be inaccurate to suggest that is the only reason cyber security hiring is broken.

During my undergraduate degree in world conflict and peace studies, I observed that most conflicts stem from a lack of communication or a shared language. At a fundamental level, there is a significant gap because of the lack of a standardized language. To rectify this, the National Institute of Standards and Technology (NIST) published the Special Publication 800-181, The National Initiative for Cybersecurity Education (NICE) Framework, in 2017. Canada has since adopted the NICE framework to create the Canadian Cyber Security Skills Framework in 2023.

The National Initiative for Cybersecurity Education (NICE) framework categorizes cyber security competencies for the various roles and Knowledge, Skills, and Abilities (KSAs). I note that while Canadian cyber security degree programs effectively teach knowledge and foundational skills, they fall short in the "abilities" component, which can only be developed through practical experience. HR departments, however, treat all three components as a requirement, creating a catch-22 experience gap requirement. It follow then that the combination of HR departments' risk aversion and tight budgets creates a perfect storm, leading to a talent shortage.

Bad Policy and Government Decisions Have Ruined the Credibility of Postsecondary Education

International students, especially those from South Asia, have created significant business for some private colleges, which often lure students with false promises. Immigration Minister Mark Miller referred to these institutions as “puppy mill” schools. It involves the folling: students are charged four times what Canadians pay to attend college in Ontario while receiving substandard education that doesn't prepare them for meaningful employment.

Unfortunately, this systematic exploitation has created a credibility crisis that affects all postsecondary education in Ontario. When HR departments and employers see degrees from Canadian institutions, they now face the challenge of distinguishing between legitimate educational institutions and those “puppy mills.”

The credibility crisis in Ontario's postsecondary education stems from government policy decisions that has systematically reduced funding to legitimate educational institutions.

How AI is Poised to Make The Job Market Worse

The automation of entry-level cybersecurity and IT help desk roles is creating a significant career progression problem that will likely exacerbate the experience gap. The fundamental issue is that AI will exacerbate the entry-level crises by eliminating precisely the entry-level positions that traditionally served as stepping stones to senior roles or even entry-level roles. The menial tasks that AI is designed to automate— basic incident response, routine monitoring, simple troubleshooting, and repetitive security assessments— are the same daily activities that historically proved to employers that candidates had developed practical competencies beyond their theoretical education.

The Path Forward

1. Eliminate the Experience Gap Through Mandatory Training Investment. Organizations must abandon the false economy of demanding pre-existing experience over investing in job training. While tight budgets drive risk-averse hiring, the cost of a single cyber security incident far exceeds the investment required to train motivated graduates. It might be worth reminding these companies that refusing to train entry-level talent is like gambling their entire business on an increasingly shrinking pool of experienced professionals and creating a strategic vulnerability that threat actors can exploit more easily than any technical system.

   
   

2. Mandate Industry-Education-Government Coordination for Work Placements. Canadian educational institutions must be required to coordinate with government and private industry to create robust work placement programs that directly funnel graduates into in-demand positions. This cannot remain optional—with only ten bachelor's programs and four Master's programs offering work placement out of 147 total entries, the current system is systemically failing students and employers alike. These partnerships must be structured to provide real-world experience that develops the "abilities" component of the NICE framework.

   
   

3. Strengthen Government Regulation and Skills-Job Alignment Review. The Canadian government must implement stricter regulation of educational institutions and conduct a thorough review of the mismatch between job-ready skills and student abilities. This includes shutting down diploma mills that have destroyed credential credibility, establishing minimum standards for cyber security program outcomes, and creating accountability mechanisms that tie institutional funding to graduate employment rates and employer satisfaction. That is, educational institutions should be required to demonstrate that their curricula align with current industry needs and that graduates possess demonstrable competencies, not just theoretical knowledge.