ISC2 took part in the recent Brussels Cybersecurity Summit, which played host to over 500 key European policy makers and global experts in cybersecurity looking to tackle current economic and technology disruption and take a fresh look at policy plans through to 2027.

Cybersecurity is a critical consideration for the European Union (E.U.) and its member states. Nowhere was this clearer than at the Brussels Cybersecurity Summit, a two-day E.U. forum that brought together over 500 key stakeholders, not only policymakers, but also a wide variety of external stakeholders from across the European public and private sector.

At the invitation of the Centre for Cybersecurity Belgium (CCB), ISC2 was a part of this event, delivering a keynote address during the Competence and Coordination track, representing and advocating for the cybersecurity professionals in discussions with policymakers across the European Commission, European Council, and the member states.

A Closer Look at Cybersecurity Skills

ISC2 CEO Clar Rosso delivered the keynote address for the Competence and Coordination track, which looked specifically at cybersecurity skills in the future – and whether artificial intelligence (AI) will be a means to help bridge the on-going skills gap in the sector or if training will take the lead role in addressing skills challenges. Rosso was joined in a post-keynote discussion by panel moderator Lauri Tankler, Head of the national cybersecurity coordination center for Estonia (NCC-EE) and Chair of the NCC Network; Wouter Joosen, Professor and Head of Distributed and Secure Software, KU Leuven; Rick Verhagen, an AI cybersecurity specialist at Darktrace; Arnaud de Vibraye, Junior Manager for Skills and Human Factors at ECSO and Jean-Luc Peeters, Head of CERT.be, Centre for Cybersecurity Belgium (CCB).

The keynote highlighted a number of areas for consideration and discussion. Most notably, Rosso highlighted the finding from the latest ISC2 Cybersecurity Workforce Study that in the E.U., there are just under a million cybersecurity professionals, but that alongside the active workforce, there is a shortage of approximately 274,000 individuals, a deficit requiring a minimum 29% increase in the active workforce to address.

Furthermore, there is also a skills gap to consider alongside the physical personnel gap. Overall, 91% of cybersecurity professionals have reported that they have a skills gap in their organization, with 14% indicating the shortfall to be a critical gap. Breaking this down, there are particular skills shortages in AI and machine learning (ML), cloud computing, along with implementing trust and access. Beyond these, non-technical skills like strong problem-solving ability, curiosity, eagerness to learn, and communication skills are in high demand in cybersecurity roles.

Outside of the track, Margaritis Schinas, the European Commission Vice-President in charge of Promoting the European way of life, echoed the concerns about the workforce gap, noting Commission data that aligns with the ISC2 findings for the region. He noted that legislation and support initiatives are needed and are being delivered. For instance, there is the Cybersecurity Skills Academy. Schinas noted that the Academy is not a school, but rather a single point from which to secure funding opportunities, jobs and education. Its work will ultimately encourage young people to pursue a cybersecurity or related career path. Committed to enhancing and expanding the cybersecurity workforce in the E.U., ISC2 was the first organisation to make a pledge to the Cybersecurity Skills Academy launched by the European Commission. ISC2 committed to provide its Certified in Cybersecurity (CC) certification and education program to at least 20,000 individuals in the E.U., preparing them for entry- and junior-level cybersecurity roles.

Technology Mitigating Skills Shortages

Automation is being used in part to mitigate shortages, with 61% using cybersecurity automation in some form to compensate for not having people in place to carry out the same function.

Given the extensive use of automation, it was little surprise that 30% of E.U. respondents to the ISC2 Cybersecurity Workforce Study believe that AI will play a significant role in securing organizations, while 42% also predict that AI will become a significant cybersecurity challenge by 2025.

These metrics underlined much of the industry challenge and shaped the discussion that followed, in particular around how to create a path forward to reducing both shortages.

Keeping Pace with Demand

Panel moderator Lauri Tankler canvassed the audience with the statement “individual training initiatives are too slow”. Opinion was mixed, but the point was made that training is not a one-size-fits-all approach, and that AI is likely to play more of a role in shaping individual training in the future. Rosso highlighted ISC2’s use of adaptive learning across three certifications as an example of how intelligent courseware and exams that align with the individual and their responses have delivered many benefits, including reducing exam times considerably compared with the time needed to complete traditional linear exam papers. The feedback from individuals who have used this approach indicates that it has reduced their study time by more than 25%.

ECSO’s Arnaud de Vibraye also noted that the organization is actively engaged in skills and human factors. While he didn’t necessarily agree with the statement, he agreed that there's a great deal of work still to be done, particularly in the field of AI and the role it plays in business and in society in general, with it being a global need, not just a European one. He added that adapting education curriculum to expose and familiarize people early on in life will be important to prepare the next generation of society for a more AI-driven and cybersecurity-centric technology age. However, he noted that such an adaptation of curriculum is going to be a long-term effort and that existing universities and courses are a strong starting point for delivering this change.

Darktrace’s Rick Verhagen also rebutted the idea that things are moving too slowly, but added that AI has the potential to enable a proactive cybersecurity approach. Instead of the classic cat-and-mouse game, we can stay ahead of threats. In his view, the real issue is not that we're moving too slowly; it's about ensuring that we move ahead of the threats.

A False Sense of Security?

Tankler posed the statement “AI solutions may lead to a false sense of security due to their inability to replace human adaptability, critical thinking skills, and accountability”.

In response, Wouter Joosen, who is also leading the Flemish Research Centre on Cyber Security, added the point that it's not about AI itself, but rather how people communicate and assure users and customers about its security. De Vibraye also pointed out that while AI is already incredibly powerful today and constantly improving, there's still a significant role for critical thinking. He reiterated that AI is not perfect and there's a need for legal and ethical considerations whenever AI is involved. Relying solely on AI can indeed lead to a false sense of security in any scenario, with a human-AI partnership being a better approach rather than one replacing the other. Rosso agreed, noting that there is concern about organizations investing in a single technology solution where AI is concerned, which, like only asking a single person for an opinion, can result in a skewed outcome. Such a lack of critical thinking can result in organizations being placed in a precarious position.

Jean-Luc Peeters from CCB was very clear, stating that you can't simply trust the machines and their results blindly. He raised concerns over the black-box nature of AI and a number of cybersecurity countermeasures. Not understanding what's happening behind the scenes is a barrier, and he believes that everyone on a cybersecurity team needs to have a sufficient understanding, without needing to be a mathematician, to comprehend the results being generated by the tools and technology in use. This was not an argument against AI and ML, both of which are needed in his view, but not at the price of having no visibility or awareness of how outcomes are being achieved.

Skills Needed for Critical Infrastructure Support

Illustrative of the challenge within the E.U. in the current geopolitical climate is the ability to monitor, protect and maintain continuity of operation of increasingly digitized systems and services that are critical to the smooth and frictionless movement of trade, money, people and services.

Relevant to the skills discussion, Juhan Lepassaar, Executive Director of the EU Agency for Cybersecurity (ENISA), highlighted in a separate talk that by 2030, the proliferation of smart devices across critical infrastructure such as energy networks, transport and the European industrial base will pose significant cybersecurity challenges, necessitating the retrofitting of legacy systems and development of necessary skills to defend and protect key capabilities.

Across this and the other tracks, the Brussels Cybersecurity Summit showed how the E.U. member states and its policymaking bodies are investing, understanding, debating and engaging with a wide array of stakeholders over the future of cybersecurity – from technology to training, from education to qualifications – in order to strengthen its skills and industrial base for the future. ISC2 is participating, and will continue to participate, on behalf of members to ensure their needs and views are heard and that the real-world experiences of cybersecurity professionals can be conveyed to influence and inform decision making and policy development.