OTTAWA — The shortage of cybersecurity workers in Canada is so acute that even the national cyberspying agency can’t get all the people it needs.

“We’re always looking to hire and we can’t fill jobs fast enough, honestly, just because of the gap,” said Melanie Anderson, director of cryptographic security and systems development in the Canadian Centre for Cyber Security at the Communications Security Establishment.

The CSE, which answers to the minister of defence, has both offensive and defensive missions. It captures signals intelligence and breaks codes, carries out cyberattacks against threats to Canada and helps the companies that run critical infrastructure in Canada protect themselves from hacks. Some of those assignments involve some exotic work that can offer unique appeal.

But Anderson told The Logic in an interview that a lot of the positions at the CSE are “kind of standard cybersecurity jobs,” such as software development. There are simply too many of those posts and not enough people to do them.

Across the country, one in six cybersecurity jobs goes unfilled, according to the International Association for Information Security Leaders. Canada’s Information and Communications Technology Council calls the situation a crisis. The field has almost zero unemployment and salaries are high, but workers report burnout and many young people who start cybersecurity education programs quit them.

The worries have reached the top of the federal government. Last fall, a standing committee of deputy ministers—the top career public servants in Ottawa—devoted to cyber matters spoke with Chris Inglis, then the Biden administration’s national cyber director, about overhauling Canada’s national cybersecurity strategy.

Through an access-to-information request, The Logic obtained a copy of the preparation package for Public Safety deputy minister Shawn Tupper, who co-chaired the session with Caroline Xavier, the head of the CSE.

The 2018 cybersecurity strategy, which the federal government is revamping, noted there was a talent shortage in the field, but almost in passing. Its prescription was to encourage more students into science, technology, engineering and math (STEM) and to encourage non-STEM students to “specialize in the skills needed for cybersecurity jobs.”

That didn’t work, or not well enough. Meanwhile, a recent CSE assessment found the pandemic-driven shift to hybrid work for many computer-oriented jobs has increased the “threat surface” that cybercriminals and state-sponsored hackers can target.

“I would say there are five overarching themes we’ve heard so far from partners,” said the speaking notes prepared for Tupper at last November’s meeting. “These include the need to address the national cyber-skills gap. If there is one issue everyone can agree on, it is this one.”

(The others were improving public awareness, sharing more information on threats, working together better and addressing cybercrime and helping its victims.)

Amid the desperate shortage of people, the public sector competes with the private sector, small- and medium-sized entities compete with large ones, and Canada competes with the U.S. for the same talented people.

One of those small public entities in Canada is British Columbia’s School District No. 42, which covers Pitt Meadows and Maple Ridge in suburban Vancouver. In January, it suffered a data breach, when a database with information about 19,126 students and staff was posted online. 

The material wasn’t intensely private—names, schools, departments and email addresses—but the district warned that bad actors could use it for targeted phishing attacks.

The district’s IT director Kevin Abma was new on the job at the time. The district reported the incident to the RCMP, but nobody has been caught, Abma told The Logic by email. 

He has about 20 staff covering 28 schools and a postsecondary college, with 16,000 students, plus staff and administrators. Rather than hiring cybersecurity specialists, “our approach instead has been to actively train all IT staff in cybersecurity and supplement their efforts with consultants,” Abma wrote.

“This is a topic at every IT-director gathering and a shared area of concern. Everyone knows that it is only a matter of time before their organization is compromised,” he wrote.

User education would go a long way, in Abma’s view: “Being able to offer annual training for staff in the area of cybersecurity would dramatically increase our resilience,” he wrote.

The CSE’s Anderson agreed with Abma. “Cybersecurity” is a broad domain, she said, that includes education, government and corporate policy and human behaviour. Trying to get people to not reuse passwords from one website to another—to practise basic cyber hygiene—is not a math or programming challenge.

Atty Mashatan, an associate professor at Toronto Metropolitan University and director of its Cybersecurity Research Lab, told The Logic in an interview at a job fair that technical skills are important, but so are depth and breadth of knowledge.

“You can talk to any of these employers—what they need, more so, is the person who understands the context of the business, understands risk management, understands business continuity management,” she said.

A business graduate “may not know as much computer science programming as computer science people, but they know how to talk to an executive,” she said. “They can be the bridge between that technical side of the house and that executive side of the house. This bridge is [an area in] the cybersecurity sector where the shortage is more pronounced.”

The CSE organizes secondments with the private sector to make sure its staff stay as current as possible on how the business they’re trying to protect works.

The agency also sees public education in cybersecurity as a long-game recruitment tool. When the CSE issues step-by-step instructions on securing a home internet router, it hopes that will lead to better secured home internet routers—but also that the information will pique the interest of a young person.

But developing a cybersecurity workforce that more closely reflects the makeup of the country won’t be easy. The ICTC reported last fall that the cybersecurity workforce is older, whiter and more male than the general population—just 20 per cent of cybersecurity workers in Canada are women, and 25 per cent are Black, Indigenous or otherwise people of colour.

This is partly a perception problem, said Anderson, who credited a female dean with helping keep her in a computer science program: “Sometimes I find … women don’t understand where they can add value in cybersecurity, if they don’t identify as the hacker sitting in the basement in the dark playing video games—which is often how the media portrays cybersecurity professionals.”

But dropout rates among people who have gone as far as enrolling in cybersecurity programs are also out of whack: According to an ICTC survey, whose numbers it included in last fall’s report on the sector, 30 per cent of male respondents dropped out of cybersecurity-related studies but over 50 per cent of female ones did.

“I’m honestly not surprised by that stat,” said Anderson. Many science, math and engineering programs value individual brilliance and on-the-spot performance over asking for help and working in teams to figure things out, she said, and that selects for a certain type of personality.

“In one of my computer science classes, there were three women. We banded together to work through some of the problems because we were looking at it from a slightly different perspective,” Anderson said. In that group, “we also didn’t feel like we’re going to be ridiculed for asking questions when maybe we didn’t fully understand something.”

Anderson does her part now by speaking at high schools and recruitment fairs and teaching girls coding through programs like Hackergal.

The lack of diversity in the field is a problem, Anderson said, and not just because the sector doesn’t have enough bodies. A cybersecurity team without diverse viewpoints, expertise and backgrounds isn’t well equipped to fight off diverse threats against systems serving diverse users. “Cybersecurity is a team sport,” she said.

As important as it is, cybersecurity is often just not talked about.

A 2021 hack brought Newfoundland and Labrador’s health system to its knees and included the theft of personal and health information.

“We do not publically [sic] disclose information about our security program” was the province’s response to most of The Logic’s questions about how its health system handles the worker shortage.

Toronto’s Hospital for Sick Children suffered a ransomware attack at the end of 2022. A spokesperson acknowledged The Logic’s inquiries but did not answer them.

With files from Jonathan Got