Cybersecurity Education Lags as Professionals Struggle On

Key Findings

  • Fifty-three percent of InfoSec professionals do not have post-graduate or higher degree.
  • Europe has the smallest share of respondents who say that there is a good selection of cybersecurity training programs.
  • Half of cybersecurity professionals say theoretical knowledge received in their formal education was useless when it came to performing their current job.
  • Less than a half of respondents were provided with hands-on experience at college or university.
  • Access to latest technologies & equipment and quality of internships are the weakest aspects of cybersecurity education for most geographies.

Educational background of current cybersecurity experts

InfoSec professionals are the last line of defense when it comes to ensuring organizations, business and end users can live their best digital lives disregarding online threats. Dozens of niche specialists –cybersecurity solution developers, cybercrime investigators, or Security Operations Center (SOC) analysts – are piecing together the global defense of IT systems and infrastructures that ensure our habitual way of life. Yet, there is a chronic worldwide shortage of cybersecurity experts, and there are indications that education might be a culprit for this issue.

Cybersecurity education programs often struggle to keep pace with the latest developments due to the rapidly evolving nature of cyberthreats that outpace curriculum updates. Additionally, the shortage of qualified cybersecurity instructors with up-to-date knowledge is also contributing to the challenge of delivering timely and relevant content.

The speed at which formal cybersecurity training programs are created and approved is also slowing integration of cutting-edge topics into IT education programs. The result is that InfoSec professionals do not roll over their academic training, with more than half (53%) of respondents not having a formal postgraduate or higher degree.

Highest level of education overall

Highest level of education by experience

This trend intensifies among younger respondents: while most companies do not demand candidates have information security qualifications for entry-level positions, the majority of young InfoSec professionals aged 22-24 (75%) and 25-34 years (77%) do not hold a postgraduate or higher degree. Additionally, more than three-quarters of those with two to five years’ experience did not study information technology or computer science at college or university and have evolved into their role.

Highest level of education by age

Regionally, the largest share of InfoSecurity professionals with a postgraduate or higher degree is observed in Russia (60%), Europe (57%), and LatAm (56%). North America and APAC fall within a medium range with 42 percent and 41 percent, respectively, while the least number of cybersecurity workers in META – 35 percent – hold a higher or postgraduate degree.

The highest level of education by region

The cybersecurity field welcomes workers with various educational attainment: engineering (36%), information technology (21%), computer science (15%), business management (13%), science (10%), math (3%), and others. And only 43 percent of current cybersecurity professionals had the information security subject as part of their official curriculum.

Specialization during highest level of education

As a result, when it comes to professional qualifications and keeping pace with industry advancements, many of cybersecurity experts have to receive further training to meet the needs of the rapidly evolving cybersecurity field. Almost half of professionals questioned (46%) have taken additional cyber education courses later in their career as they found handling actual security incidents requires a different set of skills than theoretical knowledge alone.

The main motivation behind their decision to undergo additional training in the information security field was to deepen their knowledge in this field (58%), with respondents also mentioning potential promotions at work (20%) and employers’ requirements (18%) as the reasons for pursuing additional courses.

What was the reason for taking up specialized courses/certifications in cybersecurity/information security/data protection?

It is noteworthy that in Europe, the share of those who had information security as part of their formal education at university was the lowest compared to other regions, and accordingly, Europe turned out to be a leader when it came to the number of respondents who undertook specialized cybersecurity training before embarking on their InfoSec careers.

Information security was part of my formal education at my university (graduation/postgraduation/doctorate degree)

I took specialized courses/certifications in cybersecurity/information security/data protection before getting into this job profile

When it comes to the key reasons IT professionals chose a career in the cyber industry, respondents mentioned the growing importance of cybersecurity and greater career opportunities in the InfoSec world, and also found it critical to securing their own area of work. “While doing work you find security is more important, not just a connection,” said one head of IT in China. Along with organizational security, there is a high demand for skilled cybersecurity professionals with many seeing it as an organic career progression. An IT director in the U.S., added: “After COVID, there was more momentum and a lot more spending and a focus on cybersecurity, more than ever before.”

Many respondents say they were captivated by the topic, developing an interest in cybersecurity, or found better opportunities in cybersecurity and took it up as an organic career progression in the sector. “I found it fascinating as it involves constant learning and adaptation to new threats, technologies and evolving technologies,” said one respondent, a cybersecurity and technology leader in North America. “It was mainly a personal interest that led me to take this role.”

As a direct result of making a switch to a cybersecurity position, professionals say they have acquired their skillset either through executive education to stay current with the latest tools and technology or have taken a career break for higher degree upskilling. “While working as system analyst, I witnessed the increasing sophistication of cyberthreats and potential risk and began an organic evolution into cybersecurity as a personal fascination as I like problem solving and strategic thinking,” added a China-based director of technology.

Formal education system and hands-on learning

Analyzing the root causes of the cybersecurity talent and skills gap, we asked the respondents to evaluate the current availability of dedicated cybersecurity training in higher education. As a result, half of InfoSec professional respondents stated that availability of cybersecurity or information security courses in formal higher education is either poor, or very poor. This number increases to 83 percent for professionals with two to five years’ experience.

What do you think about the overall availability of cybersecurity/information security focused courses in higher education (college/universities)?

Overall availability of cybersecurity courses (poor/very poor) by experience & roles

“I think today we don’t have enough cybersecurity education for anyone to really excel in this industry. I think one of the challenges — and that’s not only for cybersecurity but in the technology sector as a whole — is that modern technology moves so fast, that something that is actual and current today gets old and turns into ‘legacy’ in one-two years. So if you are studying, for a bachelor’s degree in cybersecurity, for instance, you are preparing for a four year course. But in those four years the tech has advanced so much that the knowledge you acquired in the first or second year is already outdated in your third or fourth years of study,” noted a chief information officer for a bank in Brazil.

Regionally, the gap in overall availability of cybersecurity courses is quite large. InfoSec professionals in META (65%) agree that they have access to the least amount of training. APAC (51%) has the second poorest availability of cybersecurity courses, but they are already about 15 percent better off, and in Europe less than half of professionals complain that there is not enough training (47%). North America, Russia and Latin America all over around the 40 percent mark, when it comes to the possibility of accessing cybersecurity training.

Overall availability of cybersecurity courses (poor/very poor)

Just over a quarter (30%) of InfoSec professionals agree that the availability of cybersecurity/information security courses in higher education is good or very good. In Europe, the share of those who believe that there is a good selection of cybersecurity training programs is the lowest (20%) compared to other regions, in addition, Europe ranks in Top-3 regions with regards to those who rate availability as poor or very poor.

Overall availability of cybersecurity courses (good/very good)

A shortage of qualified instructors is also leading to inconsistencies in the quality of education and skills acquired by young professionals. Additionally, the demand for skilled cybersecurity professionals often outpaces the availability of educators with practical industry experience.

“I had to face quite a number of challenges. The quality of teachers and trainers was one as, in some cases, the quality of instructors varied and none were able to effectively convey complex cybersecurity concepts. It was challenging to find educators who combined both the theoretical knowledge with practical knowledge,” a director of cybersecurity from the United States noted.

Globally, nearly 40 percent of InfoSec workforce admit their trainers and teachers didn’t have real-life experience in the cybersecurity industry. The smallest number of academic staff with actual cybersecurity experience are in the META region and Russia.

My college/university had trainers/teachers who have corporate experience in cybersecurity (somewhat disagree + strongly disagree)

The lack of teaching personnel with real-world experience in the cybersecurity might be one of the biggest reasons explaining traditional education’s detachment from the industry and respondents hesitating to call their formal studies useful. Of the InfoSec professionals with two to five years’ experience, just 19 percent feel their formal education was extremely useful or very useful in their day-to-day work, while three-quarters of these young professionals say the theoretical knowledge they got was not useful in helping them fulfil their responsibilities. However, this trend is skewed towards mid and senior level professionals.

Usefulness of higher education


Usefullness of higher education by experience (extremely/very useful)

Usefulness of higher education by roles (extremely/very useful)

“The problem that I see when you compare the academic world with the business world is that the academic is always trying to catch up […] I think that we need to have a way to pave the way for a closer connection between the academic world and the business because sometimes the academic world is too theoretical or too philosophical and the pace of the market makes the business go after the knowledge and people with the skills that the academic world cannot prepare,” said one cyber IT specialist in Brazil.

The challenge educators are now facing is in finding a way to make sure InfoSec training is up-to-date and meets the demands of the IT industry. The current picture was not too good as the survey revealed that one-in-two cybersecurity professionals believed the knowledge taught in formal education was somewhat (14%), slightly useful (13%) or of no use at all (24%) when it came to helping them in their role. In addition, only 44% InfoSec professionals agree/strongly agree that the practical as well as theoretical knowledge they got was useful to fulfil their responsibilities.

Somewhat disagree/strongly disagree

Theoretical knowledge I got at my college/university has been useful when fulfilling my work responsibilities

Technical/Practical knowledge I got at my college/university has been useful when fulfilling my work responsibilities

One respondent, an IT industry cybersecurity director in the U.S. questioned for the report, said: “I felt unprepared to handle real world security incidents and challenges despite taking up some cybersecurity courses, and I was also not ready for the rapid changes in the domain.”
Access to the latest technologies and equipment, and the quality of internships emerged as the weakest aspects of cybersecurity education for most geographies.

“Cybersecurity is a rapidly evolving field and staying current to the latest tools and technology is critical. So access to these resources during education and training was sometimes limited which made it extremely challenging, especially when you are trying to keep pace with industry advancements,” a cybersecurity professional from the United States noted.

Overall North America APAC Europe Russia META LatAm
My college/university had trainers/teachers who have corporate experience in cybersecurity 3.23 3.53 3.29 3.06 3.33 2.91 3.75
My college/university had had access to the latest technologies and equipment needed for carrying out real life cybersecurity tasks 3.13 3.53 3.07 3.22 3.08 2.82 3.55
My college/university provided me with hands on experience in real life cybersecurity scenarios (live projects) 3.18 3.53 3.25 2.95 3.00 2.92 3.73
My college/university provided me Internship with close to real job experience 3.18 3.26 3.16 3.03 2.96 2.97 3.83
Poor (below 3) Average (3-3.7) Good (above 3.7)

Limited hands-on experience is something the overwhelming majority of InfoSec professionals questioned highlighted. Most reported that theoretical knowledge alone is insufficient in the field of cybersecurity. Many formal education programs face challenges in providing students with adequate hands-on experience and practical skills, crucial for dealing with real-world scenarios. Less than a half of respondents of respondents said their college or university program offered them hands-on experience in real life cybersecurity scenarios as live projects – 23% strongly agreed with this statement, while 26% somewhat agreed with it.

“There was no such thing as handling real-life situations, it was simulating real security incidents and learning to respond effectively. So this was missing from the educational programs. Handling actual security incidents requires a different set of skills than theoretical knowledge alone,” a cybersecurity professional from the United States reflected.

Another added: “Not many people are taking up these kinds of courses and even if they do, they receive more theoretical knowledge, and do not have hands-on practical knowledge.”

Based on the above-mentioned criteria, namely training staff’s experience in cybersecurity, access to the latest technologies, experience in real-life cybersecurity incidents, and internships with real job experience, the META region has the poorest quality of cybersecurity education as it scores less than 3 points on all assessment criteria, while LatAm has the best quality of cybersecurity education as it scores more than 3.7 points on all aspects.