It is a well-known problem in the cyber security industry that we do not have enough talent to keep our country safe. In March 2020 the United States Cyberspace Solarium Commission reported that the U.S. government “lacks the number of cyber professionals needed to secure its own networks, much less support private sector partners…There are over 33,000 unfilled cyber security positions in the U.S. government and 500,000 unfulfilled positions throughout the United States”. The Commission attributes this shortage to the high requirements for specialized skills and experience and to the complications arising from complex hiring, training, and development pathways. Other sources predict an even more significant problem as 3.5 million unfilled cyber security roles are expected globally by 2021¹.
To address this talent shortage, three severe deficiencies require immediate attention:
- A lack of diversity. People of color represent only a third of the workforce. Women account for less than a quarter of the talent².
- Only 9% of Millennial want to enter a cyber³ security career. They are either disinterested or lack resources to be adequately informed and trained.
- Training needs to provide more real-world experience. Also, there isn’t one trusted resource available where someone can learn how to start their cyber security career.
This shortage originates with bottlenecks in the talent pipeline that surface upstream, at points where many individuals are never offered a chance to explore what cyber security means, its importance, and why they’re needed to answer the call.
Let us explore those bottlenecks.
The Diversity Problem
Looking into the numbers, we have much more work to do. Nearly a year ago Ann Johnson, Corporate Vice President at Microsoft, wrote about cyber security diversity by spotlighting the under representation of women. Johnson noted that 15% of organizations did not have any women talents in the security teams and that women hold fewer leadership roles than men do and exit the industry at higher rates. This should be an alarming concern considering that we are essentially ignoring half of our potential talent pool who can make important contributions to security initiatives and protect us from future threats!
Recruiting is only one dimension of the problem. A lack of awareness and an ivory tower mentality prevent a more diverse set of people from emerging.
The path to start a career in cyber security can be pursued in several ways. Students typically start their degree in Computer Science and then take special courses in cyber security and take the training like CISSP – Certified information Systems Security Professional, CISM – Certified Information Security Manager or CISA – Certified Information Systems Auditor. Another option is to obtain a degree in cyber security and graduate from the programs that most universities offer. The degree cost varies from $4,000 to $50,000⁴, ultimately depending on the university that the student goes through.
In its 2020 report on Cybersecurity Workforce⁵, (ISC)² notes that over 76% of cyber security professionals have obtained at least a Bachelor’s degree, with 69% of total professionals possessing a background in Computer and Information Science and Engineering. Cybersecurity work is becoming increasingly important as not only those with formal titles and full-time security responsibilities are assigned to security tasks, but also IT professionals whose job includes a substantial portion (more than 25% of time) dedicated to threat monitoring and assessment. Furthermore, professionals in cyber security are often both long-tenured and highly experienced. Respondents from the report represent an average of 12 years in an IT role, with approximately 7 years at their current organization and 7 years in a cyber security role.
Unfortunately, these current pathways present certification and experience hurdles that restrict many underprivileged, under-served individuals from confidently placing themselves in the candidate pool. Compounding this is the issue that they may not have clear impressions about cyber security to begin with.
The significant costs and requisite skills can act as deterrents for many who come from poor backgrounds and less educated backgrounds. In addition to providing funnels that provide financial assistance and develop clearer road-maps of how to build a long-term career in cyber security, we must conduct community outreach for minority groups whose presence is severely weak (percentage of workforce: Middle Eastern 3%, Hispanic 4%, Black 9%). If no bridge building is done, it will not matter if the workforce becomes higher paid in order to attract the right talent. The same folks who are disenfranchised will still remain as bystanders, or worse – not even invited.
Millennial and Generation Z Awareness
Who is a cyber security professional? Is it an operative sitting in a dimly lit control center who monitors streams of bits and pieces of data? What topics, tools, and passions must the candidate have an interest in?
For a young budding student, these are hard questions to confidently ask. For us practitioners, it is equally hard, if not harder, to be prepared to answer well. But we must. To address the talent shortage, we must frame the importance of cyber security in a manner that speaks to the younger population and introduce our staff who can build familiarity and confidence.
We know that by 2025 millennials will make up 75% of the global labor force⁶. As a positive, many of the younger generations understand the importance and application of technology and see it as an important part of their future careers. However, when it comes specifically to cyber security there are several issues that the industry faces when recruiting from this talent base. In a 2018 study conducted by ProtectWise that observed 524 respondents, only 9% expressed interest in the field when asked. 37% of the group expressed no interest due to their unfamiliarity. Other reasons include lack of technical qualification (28%), education (21%), and certification (15%)⁷.
It is clear that the industry should invest more in education, socialization, and accessible training so that the younger generations can build an intimate understanding of cyber security. In the coming years, as a veteran operator in the field, I will call upon my peers and build a coalition to make this possible by building a strong presence and providing the much needed resources to broaden our talent pool.
How to Centralize Learning and Provide the Lessons that Matter
The cyber security industry needs to rethink its emphasis on sourcing talent from graduates of computer science programs from four-year colleges. In the Harvard Business Review article “Cybersecurity Has a Serious Talent Shortage. Here’s How to Fix It,” Marc van Zadelhoff writes that because security is a universal problem afflicting all parts of business operations, we need to offer programs that provide applicants with nontraditional backgrounds with entry experience that helps them rise up the learning curve.
This means we should prioritize learning that applies case studies to help students understand real issues faced by security professionals. A combination of hands-on training and theory can deliver compelling learning opportunities for students who want to advance their studies and gain direct exposure. It’s imperative that experts and teachers think through how to develop traits that cannot be strictly taught a classroom. Specifically if we are able to amplify “their curiosity, passion for problem solving, strong ethics, and an understanding of risks” students can readily cultivate the required skills from direct “job training, industry certifications, community college courses, and modern vocational and skills education programs”⁸.
In addition to providing students with basic technical skills and practical knowledge of the technology being used in the field, it must be made easier for students to access all the necessary know-how of starting a career in cyber security within a centralized platform or portal. Security content is already quite dense and complicated and many aspiring trainees will have many questions, but we should make the answers to questions about how to jump start their career, easy to develop and ultimately build their confidence to make a long lasting career.
NextGen Cyber Talent Confronts the Challenges Ahead
The attacks being waged daily in the cyber arena are becoming increasingly more sophisticated and far reaching. While enterprises and organizations exhaustively spend technical resources to make their defenses iron-clad, we must not forget that fundamentally this is a people problem. We’re only as strong those in our communities who are the most exposed to digital threats.
NextGen Cyber Talent (NextGen) is excited to announce broader efforts with executives and community leaders to address the issues discussed in this paper and reverse the shortcomings the industry faces. NextGen is a fellowship of dedicated cyber security experts, Chief Information Security Officers (CISOs), and technology experts. We have a singular vision to contribute our experience and knowledge toward developing the next generation of diverse talent.
Throughout our careers, we found an inversely proportional relationship between the demand and supply of cyber security professionals that urged us to create awareness, train, facilitate placement opportunities and give back to the community with a purpose. Many organizations and leaders are now aligned to bring diversity and inclusion in the cyber security workspace. A diverse workforce not only means including individuals from various socioeconomic groups but also including gender and neuroatypical or neuro divergent talent.
The Cybersecurity Career Journey Starts with Awareness
This journey starts with awareness, education and support in securing jobs for a more diverse talent pool. NextGen’s primary focus is encouraging and empowering the young and diverse population in this journey. Many potential candidates don’t see themselves as cyber security experts because they simply don’t know what this career really means and asks of them.
NextGen’s programming to heighten awareness is aptly designed for Millennials and Gen Z. Through popular social media, a variety of content is published that talks about what cyber security is, how can students bring a unique perspective to this field, how can they make a difference in the corporate world, and what does a day in the life of a cyber security professional look like.
Through our content, NextGen supports women as they discover how to tap their potential, explore the technical side of their intellect and gain the confidence to perform. For students who are energized to learn, NextGen gives top-notch learning opportunities by collaborating with established industry leaders. We also help students convert all their efforts and success into real jobs. We provide job placement support for students who successfully complete their training. Our platform for underprivileged and under-served students helps them learn cyber security and data protection concepts, techniques, processes and solutions by engaging with coaches who are domain experts and stalwarts in the field of cyber technology.
We suggest relevant courses based on a student’s profile and enable them to design their career path by providing full-time placements, internships or externships. Apart from training and education, students also receive scholarship opportunities, along with mentoring and soft skills training. We also encourage and guide minority professionals who aspire to launch their own security startups and offer special courses designed to equip them with required leadership and entrepreneurial skills.
Our strength lies in our partnerships with cyber tech experts, technology providers and enterprise organizations. At NextGen, we focus on inclusivity and aim to develop the next generation of diverse cyber security talent where equal opportunities are available to all.
There’s much work to be done to move the needle in the right direction. We hope you’ll join us.
Authors: Krishnan Chellakarai (Founder & Chairman, NextGen) and Gary Gauba (Co-Chairman, NextGen)
Contributors: Allen Ding (Investor, The CXO Fund), Ritu Shritvastav (Sr. Director HR, Gilead), and Horacio Zambrano (CMO, TruU)