OP-ED: Mind the Gap: Addressing South Africa’s cybersecurity skills shortage
Cybersecurity expertise in South Africa is rather limited as the traditional higher education institutions – our universities and universities of technology – have largely failed to adapt to and incorporate an extremely dynamic and relatively new field of study.
South Africa has recently been the target of a spate of widely publicised cyberattacks – on private sector as well as state entities. It is fairly obvious even to the casual observer that these attacks are becoming more common and diverse.
The question is, what is to be done in order to mount an effective defence against such cyberattacks, which threaten our economy, individual privacies and national sovereignty?
While the discussion on the need for effective legislation and the timeous and rigorous application thereof is becoming more mainstream, the conversation on where the cybersecurity professionals will be produced in the required numbers receives considerably less attention. This points to the questions of both education and training but also to the changing world of work and our national preparedness to this end.
Robert Colvile mentions in his book The Great Acceleration: How the world is getting faster, faster that as life speeds up, our patience dwindles. He refers to the example of the time it takes a browser to load a requested website versus the impact on visitor traffic. As an example, in 1999, websites would lose a third of their traffic if they took eight seconds to load. By 2006 that figure downed to four seconds, and currently Google puts them on notice if it takes more than two seconds. Colvile also states that humans are hard-wired to crave novelty, speed and convenience.
With the advances in computing power and Artificial Intelligence (AI), we find ourselves in a space where computers and computer systems can do our jobs more effectively, faster and more cost effectively. John Maynard Keynes in Economic Possibilities for our Grandchildren refers to the shift from manual labour to computer power, and the turmoil this is causing in different industries globally as technological unemployment. Joshua Kim, in his review of Colvile’s book (The Great Acceleration and Your Crazy Higher Ed Life), summarises that we could choose to turn off the email, the Twitter feeds, the Slack channels, and the Open Online Courses – and sometimes we do. But then we turn them back on again, as it is through these information sources and social platforms that we learn, connect, and create.
Perhaps more pointedly, Jack Ma, founder of Alibaba, the world’s leading online commerce company, has pointed out that Artificial Intelligence will destroy many jobs, but also create many new yet different jobs. The key is to adapt our education to being innovative and creative in order to prepare the current and next generation for these inevitable changes. An area in which this has become vital is in the cybersecurity domain as Artificial Intelligence and others technologies begin to play a more active role.
Cybersecurity does not only encompass the virtual or digital environment, but is integrated and influences the physical domain more and more, as for example the Internet of Things (IoT), connected with Artificial Intelligence and applications, steam onward.
So how then does this rapid acceleration affect the world of higher education and research in the cybersecurity domain, and specifically in South Africa? The short answer to this question is that South Africa, like most countries, is failing to produce enough cybersecurity specialists to secure its digital space. There are a number of systemic reasons for this – such as the paucity of school leavers with adequate mathematical skills and the dearth of opportunities to learn coding and programming skills at schools. However, the current organisation of our tertiary IT training and education pathways also poses structural constraints.
Cybersecurity expertise in South Africa is rather limited as the traditional higher education institutions – our universities and universities of technology – have largely failed to adapt to and incorporate an extremely dynamic and relatively new field of study. Students interested in following a career in cybersecurity at these institutions are still mainly routed via a three-year diploma or degree in IT or Computer Science.
Only on an Honours level, but primarily at Masters degree level, are students exposed to security-specific subjects. South Africa undoubtedly needs to produce more PhDs in Information Security for research, knowledge creation and the development of solutions. However, the greatest and arguably most pressing requirement is currently in industry and the public sector which require people with practical, hands-on skills who are able to step into a dynamic high-paced environment and perform.
Unfortunately, only a marginal number of local and affordable training options which lend themselves to producing quality and home-grown specialists are available. Other training alternatives are for learners to embark on the International Certification route, most of the content of which is of a high standard. The downsides, however, include the associated costs for the training as well as the type of exams. Some of the certifications also require candidates to have experience in the field and in most cases a solid IT base is required.
We are thus back to completing a three-year qualification and only then starting the security certification route. Further to this is that the content of international certifications are all developed for the US or European markets and not really made applicable to the South African context. This is problematic as within the South African and African market we have different challenges and ways of approaching problems, of integrating new technology and training needs.
As a result of these constraints, prospective cybersecurity students across the country find it extremely difficult to find suitable learning paths and training options. The lack of a dedicated national cybersecurity strategy from government and the limited expertise and research outputs in order to assist the state from Public Research Institutions and Higher Education Institutions is not helpful either. The National Cyber Policy Framework mandates the Department of Science and Technology (DST) with the responsibility for the “development, co-ordination and implementation of national capacity development programme”.
Furthermore, it states that the department “shall be responsible for developing and facilitating the implementation of a national cybersecurity research and development agenda for South Africa”.
To date there appears to be a distinct lack of momentum in this regard. While being mindful of the fiscal challenges which the current government is facing, cyber threats unfortunately know no boundaries and tend to be persistent and on the rise. Coupled to this is the wave of new data privacy laws internationally which can result in highly punitive sanctions for South African entities which fall victim to data breaches. We can no longer afford not to invest in creating both cyber awareness and a cyber workforce, both within the public and the private sectors.
Whereas most states have adopted an integrated approach to dealing with the international cyber skills shortage, South Africa appears to be aimless and floundering. Globally the emphasis is on recruiting individuals who display an aptitude for cyber and then upskilling them for various cyber positions in the shortest possible time – anywhere from three months to a year.
The emphasis is on developing real skills while training – hence the importance of lifelong learning pathways for cyber professionals. In this endeavour the involvement of governments in sponsoring a key number of learnerships, as well as training entities, complements investment on the part of the private sector.
The Department of Science and Technology would do well to focus on and endorse learning pathways which aim to produce a resilient cybersecurity workforce in the shortest possible lead time and at a lower cost than traditional university study. Such an initiative would require a productive partnership between the state, education and training entities and the private sector.
Other African states such as Kenya appear to be actively embracing the cyber challenge. Likewise, South Africa, which has the most technologically advanced economy in Africa, should be playing a leading role in developing the cyber economy and a supportive training framework. DM
Prof Elmarie Biermann is the Director of the Cyber Security Institute. She currently holds an Adjunct Professorship at the French South African Institute of Technology and is an Extraordinary Associate Professor in the Department of Strategic Studies, Stellenbosch University.
Noëlle van der Waag-Cowling teaches cyber warfare strategy and counter insurgency in the Department of Strategic Studies, Stellenbosch University. She is an Associate Research Fellow at the Centre for Conflict, Rule of Law and Society, Bournemouth University, England