This paper addresses a number of increasingly urgent questions about the defence of information systems against criminal hackers, the first of which is this: can the world produce enough appropriately skilled human defenders of digital systems to defeat the humans who seek to compromise such systems for nefarious purposes?
Multiple studies suggest that a significant 'cybersecurity skills gap' currently exists and that it is hampering efforts to defend information systems against criminal hackers. As countries around the world scramble to increase the supply of cyber-skilled humans capable of making a worthwhile contribution to the defence of the digital infrastructure on which so many economies now depend, massive education and recruitment efforts are being funded. The success of these efforts is predicated on an unproven assumption that there will be an adequate supply of willing participants who possess the necessary traits and abilities to become effective cybersecurity professionals. In other words, it is assumed that most people can be trained to become effective cybersecurity professionals and enough of them will want to do so. In questioning that assumption, this paper provides a critical review of existing efforts to assess cyber-aptitude and ability and considers the results of a number of experimental fast-track cybersecurity training programs. The challenge of recruiting and retaining participants in a profession that can be both highly demanding and lacking in some traditional forms of job satisfaction is also discussed. To address the problems raised, the paper presents several positive scenarios for consideration in the areas of technology, economics, and governance.