Cyber threats today know no borders, yet the experts capable of stopping them are increasingly moving to places where they are better paid, recognized, and offered clearer career paths. As a result, Europe is facing a serious shortage of cybersecurity professionals, with an estimated 300,000 vacant positions, while most companies struggle to find qualified experts.
In response to this issue, the European Union Agency for Cybersecurity introduced the European Cybersecurity Skills Framework (ECSF) in 2022 — a framework that defines key professional profiles, required competencies, and clear career pathways in cybersecurity.
The ECSF includes 12 professional profiles, such as CISO, Penetration Tester, Cybersecurity Auditor, Incident Responder, and Cyber Threat Intelligence Specialist. For each profile, responsibilities, knowledge, and skills are clearly defined, making the framework a common language between education, the labor market, and institutions.
The value of the ECSF lies in the fact that it:
• enables employers to define job positions more precisely,
• helps students understand which competencies they should develop,
• supports educational institutions in adapting their programs to labor market needs,
• provides countries with a foundation for planning cybersecurity capacities.
When it comes to Montenegro, recent years have shown visible progress in building an institutional cybersecurity ecosystem. Institutions such as the National Security Agency, the Ministry of Interior, the Government CIRT, the Ministry of Public Administration, and the newly established Cybersecurity Agency all play a role in this process. Alongside institutional development, private initiatives are also emerging through academies and institutes, while a particularly important role is played by the Western Balkans Cyber Capacity Centre (WB3C) in Podgorica.
However, when the domestic system is compared to the ECSF framework, it becomes clear that there is still room for further development. Certain profiles are not yet formally recognized as separate professional roles within the public sector. Academic programs exist, but they are not directly mapped to ECSF competencies, making it more difficult for students to navigate professionally and understand potential career paths. An additional challenge is that professional certification is still largely left to individual initiative, instead of being systematically supported through state or institutional programs.
Another major issue is the migration of skilled professionals. Montenegro is facing a pronounced “brain drain” effect, where young experts leave for countries and companies that offer clearer career paths, more competitive salaries, and a more stable professional environment.
Technology alone is not enough — true cybersecurity is built by people who have knowledge, a clear professional role, and a reason to stay. And that is precisely where our greatest task lies.
Dejana Đapić
Youth Cyber Ambassador, W4C
