1 Introduction

There is a worldwide shortage of cybersecurity professionals, and it is projected that by the year 2022 there will be approximately 1.8 million cybersecurity-related positions unfilled worldwide [2]. The demand for skilled cybersecurity professionals continues to outpace the supply, with suitably qualified graduates being highly sought after by industry [11, 16]. Indeed, many countries view this as an area of national priority [5].

Like other countries around the globe, South Africa faces a shortage of skilled cybersecurity professionals [13, 14]. Higher Education institutions should adapt to the increasing demand by leveraging frameworks that suggest skills needed in the cybersecurity field. These frameworks include: the Organising Framework of Occupations (OFO) [3]; Skills Framework for the Information Age (SFIA) [19]; Workforce Framework for Cybersecurity (NICE Framework) [15]; and the Cybersecurity Curricula 2017 (CSEC2017) [9]. It has been found that especially the NICE Framework and CSEC2017 represent a baseline for improving the cybersecurity field through skills development and educational training [7]. However, these frameworks are broad, and it can be challenging to determine the most relevant parts to meet industry requirements in the local context.

The purpose of this research is to identify the most relevant cybersecurity knowledge areas in the South African context. This is achieved through a comparison of the CSEC2017 with local job advertisements, to determine which areas are most sought after in industry. An assumption which underpins this approach is that organisations list the most critical skills for a role in such advertisements, to ensure suitable candidates are identified during the recruitment process. In this research content analysis was used to analyse a sample of 60 job advertisements in a systematic manner. The results can be used by Higher Education institutions to ensure the relevance of cybersecurity curricula to address local opportunities and challenges.

2 Background

Governments and industry bodies are aware of the need to increase the number of cybersecurity professionals and actively attempt to do so [7, 10]. Cybersecurity builds on the core fields of information security and information assurance, and can be defined as: “A computing-based discipline involving technology, people, information, and processes to enable assured operations in the context of adversaries. It involves the creation, operation, analysis, and testing of secure computer systems. It is an interdisciplinary course of study, including aspects of law, policy, human factors, ethics, and risk management.” [9, p. 16]. In developing countries, such as South Africa, this is especially important for the protection of online services and data, as more businesses and consumers go online [8, 13]. To ensure relevance, industry is often consulted to determine what skills are deemed necessary for cybersecurity professionals [6, 10]. However, it is not clear which skills are more sought after and whether these are adequately addressed in curricula guidance.

To produce skilled cybersecurity professionals academic institutions need to establish viable curricula and learning environments which enable the delivery of targeted cybersecurity programs. Such programs must address current cybersecurity issues and any emerging problems arising from cybercrime and cyber-attacks. Curricula are formed by looking at the knowledge, skills, and abilities (KSA) that are theoretically needed, the needs of the cybersecurity community, and accreditation standards for cybersecurity professionals. A viable cybersecurity program needs to include content that supports computer-based knowledge, interdisciplinary topics, as well as practical components that support the application of theoretical content [2]. Traditionally there has been minimal industry input, as curriculum requirements have been created without investigating the needs of local businesses [10]. To bridge this gap the use of Industry Advisory Boards is one method to ensure that curricula remain aligned with industry needs in the long-term [20].

2.1 Industry Requirements

It is the norm that even competent graduates need additional training before they are job ready. One explanation for this is a mismatch between what is taught in Higher Education and what is expected in industry [2]. In a case study representative of this problem, the Boeing Company found that the skills which graduates have are inconsistent with what is needed within the cybersecurity industry. To ensure relevant skills the company aligned itself with academic partners to create a viable curriculum using the CSEC2017 and NICE Framework. The result was that the company had increased hiring flexibility and access to competent professionals [2]. The resulting growth in the overall pool of cybersecurity professionals is also beneficial to other companies.

From an academic perspective there is relatively little research focusing on whether the taught KSAs are relevant to what is needed by the cybersecurity workforce [10]. Researchers have attempted to identify skills that cybersecurity professionals need through the analysis of job advertisements. In the Australian context Potter and Vickers [16] collected 33 security-related job advertisements and identified six main categories of jobs. Subsequently they used questionnaires to explore relevant skills for cybersecurity professionals. In the South African context Parker and Brown [14] adopted the roles, descriptions, and skills needed for the various roles from [16]. They collected 196 security-related job advertisements and identified a wider range of work roles and skills required in this context. However, the results from these studies are not sufficiently structured in terms of topics and knowledge areas to be applied to cybersecurity program development. It is therefore clear that a framework is needed to align the process of curriculum development with what is needed by industry (e.g. to structure an analysis of cybersecurity job advertisements).

2.2 Theoretical Frameworks

Various frameworks seek to improve the pool of professionals by suggesting skills that are needed in the field. These range from general frameworks, such as the OFO and SFIA, to those focused on cybersecurity, such as the NICE Framework and CSEC2017.

Organising Framework of Occupations (OFO). The South African OFO is an occupational classification system that provides a framework for the identification, articulation, reporting, and monitoring of skills demand and supply in the South African labour market. The OFO focuses on jobs and occupations: a job is said to be a set of tasks and duties to be carried out by an individual, while an occupation is a set of jobs or a category that extends to several jobs with similar tasks and duties. The OFO provides detailed definitions and a common language when speaking about occupations, which is needed in the diverse South African context [3]. However, it only lists the high-level tasks that should be performed by an individual (e.g. “Overseeing the security of ICT systems”) and is thus of limited value in determining relevant KSAs.

Skills Framework for the Information Age (SFIA). SFIA is a global framework (formally launched in 2000 and currently in its eighth revision) that describes the skills and competencies required by professionals in digital work roles, such as information and cyber security. It provides a globally accepted language for the skills and competencies needed in the digital world [19]. SFIA consists of seven levels of responsibility, each of which is characterised by generic attributes, along with descriptions of professional skills and competencies belonging to the level. The framework provides a clear description of the activities and skills needed as levels of responsibility progress. One of the key themes is information and cyber security, which is further divided into several categories. While SFIA is not specific to cybersecurity it can provide a useful indication of how activities and skills progressively become more sophisticated.

Workforce Framework for Cybersecurity (NICE Framework). The NICE Framework was created via a partnership between government, academia, and the private sector. It seeks to uplift the cybersecurity workforce through education, training, and workforce development. More specifically, it defines cybersecurity work and provides a starting point for formulating career paths and educational programs. The framework is structured into a hierarchy of work roles, competencies, and tasks, knowledge, and skills (TKS) statements. Tasks describe the work within an organisation, while knowledge and skills describe the learner (e.g. students, job seekers, and employees). These building blocks allow organisations to describe their cybersecurity work and workforce [15]. The NICE Framework can be used by educators to develop a curriculum, or degree program, covering the core knowledge and skills to perform cybersecurity tasks.

Cybersecurity Curricula 2017 (CSEC2017). The CSEC2017 was created by a joint task force of major international computing societies. It sets a standard for the content a cybersecurity curriculum should contain, aiming to grow the pool of qualified cybersecurity professionals by providing guidelines on how to structure a viable Higher Education (university-level) cybersecurity curriculum [2, 9]. However, to date there are few examples of guidance, resources, and application of the CSEC2017 to develop curricula [4, 10].

The CSEC2017 defines eight knowledge areas (KAs), as summarised in Table 1. It is structured in a hierarchy of knowledge areas, knowledge units (KUs), topics, and learning outcomes. According to the framework “each knowledge area is made up of critical knowledge with broad importance ...[representing] the full body of knowledge within the field of cybersecurity.” [9, p. 20]. Within these knowledge areas, “knowledge units (KUs) are thematic groupings that encompass multiple, related topics; the topics cover the required curricular content for each KU.” The framework also acknowledges that topics and learning outcomes may be influenced by a disciplinary lens and institutional properties (e.g. program length, geographic location, etc.).

This structure should feel familiar to Higher Education academic staff. It can be noted that there is a link between the CSEC2017 learning outcomes and TKS statements (formerly referred to as KSAs) in the NICE Framework. This allows academic institutions to link CSEC2017 curricular recommendations to work and workforce requirements that may be specified using the NICE Framework [9].

Table 1. CSEC2017 Knowledge Areas [9]

Due to its focus on cybersecurity and post-secondary degree programs this research adopted the CSEC2017 framework. The analysis in Sect. 4 thus aligns with the knowledge areas and knowledge units defined by this framework.

3 Research Design

This research adopts an interpretivist philosophy, and it is acknowledged that the interpretation of the data may be subjective. However, by following a structured approach to data collection and analysis it is believed that research quality and rigour were ensured.

3.1 Data Collection

Details from cybersecurity job advertisements were collected over a period of three months. Five South African online job portals were used: Careers24, Indeed, LinkedIn, PNet, and SimplyHired. These were chosen due to being well-known and comparable with similar studies [14]. A variety of search terms were used, consisting of ‘cyber security’, ‘cybersecurity’, ‘IT security’, and simply ‘security’ to ensure wide coverage. Thus a purposive sampling approach was employed. Job advertisements were manually collected and reviewed weekly by one of the researchers. This ensured that possibly relevant data was not lost due to an advertisement being removed once the position was filled.

Each advertisement was screened for relevance to a cybersecurity role and duplicate advertisements across portals were removed, keeping the most detailed version. Advertisements that were not relevant (e.g. outside South Africa or for positions such as ‘security guard’) were noted and excluded from further analysis. In addition, those that did not contain sufficient detail were excluded. For example, some advertisements consisted of only a single instruction for the applicant to send a curriculum vitae to a specific contact. This screening process ensured that only relevant job advertisements were used in the subsequent analysis. A total of 60 job advertisements were retained for analysis.

3.2 Data Analysis

Data analysis was guided by the KAs, KUs, and topics defined in the CSEC2017. Content analysis was used to analyse the content of job advertisements and compare this against the CSEC2017. According to Neuendorf [12] “Content analysis may be briefly defined as the systematic, objective, quantitative analysis of message characteristics.” In this study the type of content analysis was human-coded analysis, performed by one of the researchers. The approach can be defined as descriptive as the analysis describes characteristics of the sample of job advertisements.

During the analysis each job advertisement’s content was categorised into the various KAs, KUs, and topics of the CSEC2017. The specific focus was the area of cybersecurity a role represents, and the TKS that the employer connects to it. During the analysis no double-counting was performed and a TKS was only allocated to one topic/KU per KA. Example extracts from advertisements were retained to substantiate points within the analysis process.

4 Analysis and Findings

This section presents the content analysis of the sample of cybersecurity job advertisements (referred to as Jxx where xx represents the job advertisement number in the dataset). It starts by describing general characteristics of the data, after which the data is categorised according to KAs and KUs.

4.1 General Characteristics

Jobs were initially sorted into roles based on the title or job description. This resulted in the identification of 15 distinct roles within the data. The three most occurring roles were: IT Security Specialist (14 cases); Security/Cyber Analyst (8 cases); and Cyber Security Officer (5 cases). These roles are quite generic and don’t correspond to standard roles as described by the NICE Framework. While cases did include more specific roles, it appears that industry is not following the ‘common language’ defined by frameworks.

In terms of experience required, most jobs desired 5+ years of experience (24 cases). This was followed by 3–5 years of experience (21 cases) and 1–3 years of experience (12 cases). Possessing a technology-related Bachelor’s degree (30 cases) or higher certification or diploma (14 cases) was a general requirement. A range of certifications were also desirable, with the three most occurring certifications being: CISSP (17 cases); CISM (13 cases); and CISA (11 cases). The analysis identified reference to 13 different certifications across all cases, showing that these are sought after and that collaboration between Higher Education institutions and such training providers could be beneficial for learners [2].

It’s suggested that competent cybersecurity professionals need to have both technical and non-technical (soft) skills [9, 16]. However, in the sample of job advertisements there was infrequent reference to soft skills, with a more prominent focus on duties to be performed and experience/qualifications needed. The most sought-after soft skill was ‘communication’ (14 cases) which aligns with previous research [10, 14]. Following this the ‘ability to work in a team’ was sought (8 cases). Representative example extracts are: “good written, oral, and interpersonal communication skills” [J33] and “work effectively with team members” [J39]. While more reference to soft skills may have been expected, this confirms the importance of expanding curricula to include social and emotional learning which develops intrapersonal, interpersonal, and cognitive skills [1].

4.2 Knowledge Areas

Job advertisements were analysed according to the KUs and topics, which link to a KA. The overall coverage of KAs by job advertisements is illustrated in Fig. 1. This figure shows the relative importance of each KA based on the number of KUs counted within each area. It can be observed that the most frequently encountered KA is ‘Organisational Security’ (31%) while ‘Component Security’ (2%) occurs the least. In the following sections each KA will be analysed in more detail.

Fig. 1. Distribution of knowledge areas (N = 60)

Organisational Security. There are nine KUs within this KA. This was by far the most referenced KA, accounting for almost a third of all content. However, it is acknowledged that this KA contains the most KUs (as defined by the CSEC2017) which contributes to its high coverage within the data.

The ‘Risk Management’ and ‘Security Governance & Policy’ KUs occurred most frequently (54 cases each). This indicates that 90% of organisations see these as issues that need to be addressed. The industry data aligns with security literature, which has a long history recognising the importance of effective security governance. An important management topic is managing cyber risk within an organisation. The topic ‘Risk assessment and Analysis’ was referred to in 22 cases, showing its importance. Examples of this requirement are:

“Knowledge of risk assessment tools, technologies and methods.” [J03] and “Perform regular risk assessments and keep management aware of threats.” [J39]

The topic ‘Security Governance’ was referenced in 15 cases, with an example of this requirement being:

“Responsible for monitoring the governance aspects related to the Security within company to ensure the standards are maintained.” [J24]

Other prominent topics which relate to the above-mentioned areas include ‘Strategic Planning’ (14 cases) and ‘Performance Measurements (metrics)’ (11 cases). These activities can help to support key stakeholders with decision making and organisational strategies which rely on security.

From an operational perspective, ‘System Hardening’ (21 cases) and ‘Incident Response’ (19 cases) were desirable skills. This aligns with previous findings highlighting key cybersecurity skills [10, 14]. While these topics focus on systems and processes, it was also seen that ‘Security Awareness, Training and Education’ (14 cases) was a common topic. This relates to the Human Security KA which is discussed below. An example of this requirement is:

“Educates management & staff on security risk through reporting and presentations. Monitors Information Security industry trends and educates the organization of critical information.” [J51]

Lastly, it was noticeable that ‘Project Management’ ability and experience (18 cases) was a desirable soft skill. This is also recognised by computing curricula and previous research [2, 10]. A summary of the KUs mentioned in job advertisements is shown in Fig. 2.

Fig. 2. Knowledge units within organisational security

Human Security. There are seven KUs within this KA. The ‘Awareness and Understanding’ KU featured most prominently (38 cases) and links closely with organisational security. Specific topics which featured more prominently include ‘Cyber vulnerabilities and threats awareness’ (14 cases) and ‘Cybersecurity user education’ (7 cases). There is a large body of research in these areas, with organisational case studies in the South African context [18]. It has also been shown that cyber situational awareness is strongly linked to implementation of security measures [17]. Thus this KA has an important influence on others. An example of this requirement is:

“Develop an awareness and communications plan for the technology and greater business and executives that is aligned with strategy and considers a range of risks and themes.” [J02]

Another prominent topic is ‘Enforcement and rules of behaviour’ (21 cases). This refers to methods and techniques to ensure compliance with security policies, using both positive and negative behavioural enforcement. An example of this requirement is:

“Ensure that all Information Security policies and procedures are followed according to the [organisation] requirement.” [J42]

As this topic deals with individuals and their behaviour it has an interdisciplinary nature very different to other areas in computing. The CSEC2017 emphasises that cybersecurity is an interdisciplinary course of study, and that an awareness and understanding of human-centred security is important [9]. A summary of the KUs mentioned in job advertisements is shown in Fig. 3.

Fig. 3. Knowledge units within human security

System Security. There are seven KUs within this KA. Two KUs were more prominent, namely ‘System Control’ (50 cases) and ‘System Management’ (37 cases). Within system control, ‘Audit’ is a prominent topic which featured in 19 cases. This topic focuses on logs (logging and log analysis) and their use for intrusion detection. This was also found to be important in previous research [14].

The topic ‘Penetration Testing’ (13 cases) was also commonly seen. This relates to a cybersecurity professional’s ability to proactively protect the organisation and as such was found to be needed by previous researchers [10, 14]. Examples of this requirement are:

“Participate in the design and execution of vulnerability assessments, penetration tests, and security audits.” [J33] and “Perform mobile, complex application, infrastructure, as well as social engineering assessments and penetration testing.” [J32]

Within this KA consideration of the system as a whole, rather than just connected components (i.e. systems thinking), was also emphasised. This aligns well with most computing curricula. A summary of the KUs mentioned in job advertisements is shown in Fig. 4.

Fig. 4. Knowledge units within system security

Connection Security. There are eight KUs within this KA. The ‘Network Defence’ KU had the most references (48 cases). A prominent topic is ‘Implementing Firewalls and Virtual Private Networks (VPN)’ which featured in 20 cases. Examples of this requirement are:

“Direct experience with anti-virus software, intrusion detection, firewalls and content filtering.” [J03] and “Daily administration of firewall rules, IPS Policies and Filters via change control procedures.” [J34]

It is acknowledged that keeping track of emerging trends and maintaining currency of knowledge are important aspects of a cybersecurity role [10]. The ‘Emerging trends’ topic was also visible in the data (9 cases), for example to “Investigate, document, and report on information security issues and emerging trends.” [J29]. A summary of the KUs mentioned in job advertisements is shown in Fig. 5.

Fig. 5. Knowledge units within connection security

Data Security. There are eight KUs within this KA. The most frequently occurring KU was ‘Digital Forensics’ which featured in 50 cases. A topic which featured prominently was ‘Reporting, incident response and handling’ (24 cases). An example of this requirement is:

“Perform daily information security monitoring, reporting and verifying the integrity and availability of business-critical resources, systems and key processes, reviewing system and application logs, and verifying completion of scheduled jobs within the Information Security portfolio.” [J05]

Another important topic was the ‘Investigatory Process’ (11 cases). An example of this requirement is:

“Participate in incident response planning and investigation of security breaches, and assist with disciplinary and legal matters associated with such breaches as necessary.” [J46]

It could be observed that the requirements were often linked to security governance and risk management, through monitoring and reporting of security metrics. It was somewhat surprising that the ‘Data Privacy’ KU did not feature more prominently. This could be attributed to data being collected before the POPIA commencement date, or the search terms used. It would be expected that data privacy is an important topic in the current South African context. A summary of the KUs mentioned in job advertisements is shown in Fig. 6.

Fig. 6. Knowledge units within data security

Software Security. There are seven KUs within this KA. There was demand for all KUs, with ‘Deployment and Maintenance’ and ‘Design’ featuring most prominently (20 cases each). Within deployment and maintenance the most important topic was ‘Patching and the vulnerability lifecycle’ (16 cases). This aligns with previous research which emphasises patch management and vulnerability assessment as important skills within cybersecurity [10, 14].

The importance of documentation was also seen, with the topic ‘Security Documentation’ featuring in 10 cases. An example of this requirement is:

“Document technical issues identified during security assessments.” [J32]

This confirms the importance of communication as a soft skill for cybersecurity professionals. A summary of the KUs mentioned in job advertisements is shown in Fig. 7.

Fig. 7. Knowledge units within software security

Societal Security. There are five KUs within this KA. There was relatively little mention of tasks, knowledge, and skills related to this area. The most frequently occurring KU was ‘Cyber Law’ (16 cases). Job advertisements rarely asked for applicants to be aware of specific laws, but to monitor and ensure compliance with applicable cyber legislation, for example:

“Evaluate security exposures, misuse or non-compliance to law or legislation and ensure implementation of security controls to address these.” [J41]

Knowledge of ‘Privacy laws’ as a topic was only relevant to 3 cases. Here reference was to data privacy laws, in general. More broadly, the ‘Cyber Ethics’ KU was referred to in 14 cases, with specific mention of the topic ‘Ethical Hacking’ in 7 cases. In general job advertisements also emphasised the importance of high ethical standards and trustworthiness for a cybersecurity professional. A summary of the KUs mentioned in job advertisements is shown in Fig. 8.

Fig. 8. Knowledge units within societal security

Component Security. There are four KUs within this KA, which had the least coverage in the job advertisements. The ‘Component Design’ KU was most referred to (18 cases), with the topic ‘Principles of secure component design’ featuring most often (9 cases). An example of this requirement is:

“Test, install, configure and upgrade new and existing network components to ensure optimal performance.” [J48]

While this KU features specialised topics, such as reverse engineering and supply chain issues, it also includes common software engineering tasks such as unit testing and security testing. Thus this is an important KA for the software development lifecycle. A summary of the KUs mentioned in job advertisements is shown in Fig. 9.

Fig. 9. Knowledge units within component security

Table 2. Ranking of knowledge areas

4.3 Summary of Findings

The content analysis highlights the CSEC2017 KAs, KUs, and topics which were most frequently found in the sample of job advertisements. A total of 1015 TKS statements were identified and mapped to KUs, an average of 127 per KA or 17 per job advertisement. The discussion provided a visual indication of how frequently each KU was encountered. However, to get a better understanding of the relative importance of KAs, Table 2 provides a ranking based on the average KU count.

There were 11 KUs that were identified in at least half of the job advertisements: Risk Management (54); Security Governance & Policy (54); System Control (50); Digital Forensics (50); Network Defense (48); Systems Administration (44); Business Continuity, Disaster Recovery, and Incident Management (40); Awareness and Understanding (38); System Management (37); Security Program Management (31); and Usable Security and Privacy (30). It could be argued that these are core aspects of the discipline.

On the other hand, there were five KUs that were not identified at all during the analysis: System Retirement; Physical Interfaces and Connectors; Physical Media; Cryptanalysis; and Component Reverse Engineering. While it is beyond the scope of the paper to comment on possible reasons for this, these areas should be carefully examined for relevance. Within South Africa, Higher Education academic staff could use these collective findings to guide curriculum development which matches local industry needs.

5 Conclusion

This research used a content analysis of a sample of job advertisements to identify the most relevant cybersecurity KAs in the South African context. It ranked these areas according to the frequency with which they were encountered in the data, thus helping to prioritise TKS that are in high demand. It was found that organisational security, and several related KUs, were most frequently encountered. The findings also highlighted communication, the ability to work in a team, and project management as soft skills which are important in the cybersecurity domain.

Since cybersecurity is a vast, interdisciplinary domain these findings have value in guiding Higher Education institutions in the development of cybersecurity programs. It can help academic staff to make the most efficient use of their time to prepare content. An additional benefit is that graduates who successfully assimilate the identified TKS will be better prepared to meet industry requirements. This could lead to increased graduate employability and the fostering of closer collaboration between academia and industry.

The findings from this study present a snapshot of data, and to maintain relevance data collection and analysis should be repeated with regular frequency. It is acknowledged that human-coded content analysis may raise reliability concerns, despite being conducted in a systematic manner. A similar investigation using topic modeling techniques could be useful to confirm the results. It is also possible to focus more on specific roles, such as those related to privacy, by employing suitable search terms. Naturally the methodology can also be repeated in other countries and contexts.