Professor Donna O'Shea:

I thank the Senator for that very insightful question. The reality is that there are a large number of cybersecurity courses in Ireland at the moment. Of our 52 cybersecurity programmes, 50% of these programmes are at level 9 and most exist in Munster and Leinster. There is a concern that some of these programmes may only contain one module on cybersecurity yet they have "cybersecurity" as part of their programme titles, giving the impression that they contain a much larger concentration of cybersecurity content. There is a fundamental problem in actually training cybersecurity professionals for the industry which needs to be explored as part of this session. There is a global lack of cybersecurity talent but qualification typically requires an undergraduate degree and a postgraduate specialisation. A postgraduate specialisation is mainly focused on MSc and MEng awards. I will pass over to Dr. McSweeney in a minute to talk about the ones we have on offer in MTU. Due to it being very long and extended, inflexible and expensive to actually get into the career of cybersecurity, there has been a market saturation of companies trying to fill this gap through industry certifications. The barrier is high. Then there is a market saturation of certifications, which is different from education, and is focused on an all-or-nothing approach. This is a problem.

As we go forward, we need to look at all of these courses to try to establish a baseline and to agree key knowledge, skills and abilities that should be taught across courses that have "cybersecurity" in their title. These baselines already exist. The committee members have heard colleagues mentioning the National Institute for Standards and Technology and the national initiative for cybersecurity education, NIST- NICE framework but there is also a very similar one, namely, the UK National Cyber Security Centre baseline standard. This would allow education providers that are training a cybersecurity professional to say that they know what kind of knowledge, skills and abilities are needed and these can be built into their programme structure and module content. I mentioned to the Senator previously that training a cybersecurity professional is like training a nurse. It is more or less the same thing. When one trains a nurse, on completion of their graduation they are actually expected to be able to perform their job to a baseline standard. A nurse or doctor cannot go out into a ward to administer drugs and do their job without being able to do it properly. It is the same with a cybersecurity professional. There is less opportunity for actually being able to learn on the job. On graduation, they have to be able to do this to a baseline level. That is why it is so important that there is a high degree of practical content in cybersecurity courses in order to reinforce their learning and to make sure that when they are graduated and working on the job, they have the necessary skills to actually perform that job. I invite my colleague, Dr. McSweeney, to contribute also to that point.