Note: all statements referenced in this research piece represent the views of these individuals and do not necessarily represent those of their respective companies or NextGen. Unless specified otherwise, all statistics, numbers, and factual evidence are referenced from NextGen Cyber Talent’s January 20th LinkedIn article.
This is the first article to be published in the NextGen DE&I spotlight series. For those interested in learning more about the latest state of DE&I and key trends in cybersecurity, please register for our Virtual Cyber Security Forum: People, Purpose, & Passion: Building the Future (May 20th – May 21st).
INDUSTRY TALENT SHORTAGE
On January 20th, 2021, Krishnan Chellakarai, Founder & Chairman of NextGen Cyber Talent (“NextGen”), wrote an inaugural post titled It’s Time to Solve the People Problem in Cybersecurity that summarized the critical talent shortage the industry faces. This year alone, an estimated 3.5 million jobs globally are expected to be open and unfilled. Per data reported by CyberSeek (Exhibit 1), a public-private joint initiative focused on closing the cybersecurity skill gap, as of March 2021 there were 464,420 open cybersecurity-related positions in the United States. What is particularly salient is that the U.S. national average workforce supply-to-demand ratio is 3.9; the ratio for cybersecurity-related positions is only 2.1, 46% less than the rest of the country, which represents extremely low capacity coverage.
Exhibit 1: CyberSeek cybersecurity supply/demand data (© CyberSeek US 2021)
Key contributors to this structural problem include talent awareness (capturing interest of Millennials and Gen Z), costly entry barriers (technical skills, certifications, and degrees), and the lack of diversity and representation (women and minorities make up only a quarter of the workforce).
NEXTGEN DE&I INTERVIEW RESEARCH & KEY TAKEAWAYS
Beginning in Q2, the NextGen team conducted research to provide insight into the complex factors that affect the talent gap and to explore community perspectives on the level of diversity, equity, and inclusion in cybersecurity. We drilled into the context behind the numbers by interviewing a diverse sample of 14 individuals: executives, mid-level managers, entry-level contributors, and students. From our findings, we distilled key issues and takeaways in an effort to promote greater discussion inside and outside the workplace and to encourage follow-on actions from our partners across non-profits and enterprises. Exhibit 2 below presents the key demographic components of our sample.
Through our interviews, we observed recurring trends across the stories of our respondents. These illustrate a set of constraints that have shaped the workforce and that all stakeholders need to investigate further in order to understand and shape the industry’s future. The identified issues are, in no particular order:
KEY TAKEAWAY #1: TRADITIONAL BIAS FOR 4-YEAR DEGREES
Most cybersecurity careers require at least a bachelor’s degree in a related field (computer science, engineering, and/or data science) to gain entry to the cybersecurity workforce. Those who hold a degree in another area but want to join the field may need to find entry through a certificate program. As we highlighted back in January:
In its 2020 report on Cybersecurity Workforce, (ISC)² notes that over 76% of cybersecurity professionals have obtained at least a bachelor’s degree, with 69% of total professionals possessing a background in Computer and Information Science and Engineering. A common issue noted across our interviews is how enterprise security teams are still predisposed to hiring those with 4-year degrees. While this is a sensible practice as many 4-year programs have the brand capital and invested time filtering for promising workers, such an approach limits the range of people (especially those with associate’s degrees) who are just as capable but, for personal and financial reasons, chose to pursue their education through non-traditional means.
From a student’s perspective, in the case of Juan Soberanes, a student at Cabrillo College and at NextGen, the financial cost of a traditional 4-year degree was not an affordable investment. Possessing a deep passion for computer engineering and data, Juan has extensively pursued cyber camps and certification training opportunities to gain entry. In his own words, “I know what my passion is, and I want to be able to do things on my own terms, which does not align necessarily with a 4-year degree. To me, anything I am curious and motivated about, I can learn and will do so aggressively”.
Several senior executives who oversee hiring and talent development have shared the view that the school a student comes from matters less than the proven mindset and work ethos they bring to their work.
Steven Booth, Vice President of Product Management for Detection & Response at Salesforce and previously Chief Security Officer at FireEye, notes “What makes a great security professional is their boundless curiosity and passion to engage and explore matters, independent of whether it was a mandatory assignment. Whether they have the technical capabilities to begin with, I can teach them.”
Similarly, Shelly Morales, Chief People Officer at Balbix, shared her own story (Does a degree matter?) of pursuing career advancement and growth without having completed a bachelor’s degree, and has this advice for hiring teams: “It is important that hiring teams understand holistically where a candidate comes from and their level of proven success vs depending on a degree as a critical indicator of potential. It is one thing to embrace DE&I principles, but certainly to fulfill these principles requires a commitment by the hiring teams to think non-traditionally about finding and growing talent. Clear goals in screening for and accepting candidates from underrepresented groups are necessary to change the company demographics.”
KEY TAKEAWAY #2: IMPERFECT STORYTELLING
Another factor that has prevented the industry from improving its reach and building better diversity is the absence of effective storytelling. Even though there is a cyberattack every 39 seconds, as noted by Cybint, the public’s general misunderstanding of and relative apathy toward the security sector has proven to be an obstacle for those seeking to broaden the security talent pool.
“A male figure in a hoodie sitting in a dark room 24/7,” says Serena Villalobos, a veteran Enterprise Security specialist, when asked what misconceptions she often hears about cybersecurity professionals. “There are a lot of misunderstandings of who security professionals are and the work lifestyle that they lead. This affects how a firm might attract women candidates who may consider their responsibilities to raise a family against how well a career in cybersecurity would fit overall in their well-being and ultimate roadmap.”
Kai Qiang Tang, a security engineer at TikTok, has similarly encountered confusion when explaining his profession to others. “Out of 60 people I knew well from college, only one other peer chose to pursue a career in security like me. Unlike more well-known fields such as software programming, security comes across as opaque or boring. When people hear that I do security, they assume I look at dashboards and logs all day, essentially sitting in a passive role. In some cases, the person commented that it must be boring looking at video cameras all day! Quite the contrary. I wear an offensive security role and focus my time on penetration testing. Essentially, I love trying to break things and then make them stronger.”
The anecdotes that Villalobos and Kai Qiang Tang share are representative of a deeper problem – that the industry broadly has a public relations and marketing performance issue with mainstream society. By 2025, Millennials will make up 75% of the global labor force. As we noted back in January:
What seems to be the issue? Considering that the reported median salary for an entry-level cybersecurity analyst is $70,544 (Exhibit 3), economic incentives should be a major factor in encouraging young job-seekers to submit their applications.
Hakeem Oseni, Vice President in Information Cyber Security at Wells Fargo and an active mentor, has seen firsthand the difficulty of reaching the younger generation. “I sit on the local chapters for a few professional organizations that are promoting our field and recruiting. In one case, we offered a free program for 500 seats and distributed our pitch through non-profits, YMCAs, and local churches. Perhaps it was our marketing approach, but we had very low turnout. You would think that with available training resources and a promised future that enables students to create generational wealth it would be a strong pull.” Oseni goes on to identify other important cultural nuances and how such forces can play an influential role in shaping public perceptions of security. “It is revealing to see how strongly the Israeli community embraces their cyber culture. I think generally while the US has become more exposed to security, as a whole, our youth places less focus on its importance.”
Ultimately, the burden falls on industry stakeholders to become effective ambassadors: to better educate young people about security issues and to understand, from their point of view, the “so what?” of the field. Many already have a significant appetite for online media and services, ranging from video gaming to social media applications. As Qiang Tang observes, it is vital to make connections that tie back to their daily use of technology and to deliver motivational stories about the importance of taking the next step towards “ethical hacking” or “white hat” responsibilities. In some cases, the allure of quick economic gains and publicity, even the wrong kind, such as theft of digital assets, can sway many young people down the wrong path.
“What many don’t realize is that often an invisible competitor for the next generation of talent are digital crime syndicates. We have organized collectives consisting of bad actors who will actively recruit teenagers to build viruses and malware,” says Mary Gardner, a 23-year security veteran who has served as CISO for F5 and Seattle Children’s Hospital. The temptation to commit online crimes is real. Back in late 2014, Lizard Squad, an international hacker group, claimed responsibility for a series of DDoS attacks that took out the online servers for PlayStation Network and Xbox Live. In connection with that crime, an 18-year-old UK resident was arrested. That same year, another Lizard Squad member based in Finland was convicted of 50,700 aggravated break-ins, committed when he was 15. Most recently, a 17-year-old “mastermind” in Florida orchestrated a bitcoin scam that involved the takeover of dozens of high-profile Twitter accounts. It became one of the most infamous cybersecurity incidents in Twitter’s history, “as accounts belonging to high-profile users like Elon Musk, Bill Gates, Barack Obama, and Joe Biden were compromised in quick succession to promote a bitcoin scam Clark used to accept more than $100,000 in the cryptocurrency,” as reported by The Verge.
Recognizing the need to connect better with a younger audience and to convey the importance of ethical hacking, enterprises are investing in social marketing outreach and education webinars tailored to underrepresented groups. For example, in an effort to deliver messages that stick long after the discussions end, to promote diversity, and to champion greater representation of women, Ciara Lakhani, Chief People Officer of Dashlane, shared how Dashlane back in March hosted a virtual happy hour and live Zoom webinar with white hat hacker Rachel Tobac of SocialProof Security to demystify cybersecurity for stakeholders and their businesses. As Lakhani notes, it is a main priority for Dashlane to bring female experts and those from marginalized backgrounds into engaging sessions designed to raise awareness and build confidence for young talent of similar backgrounds who are exploring a career in security.
KEY TAKEAWAY #3: EXPANDING THE “ENTRY-ROLE” ASSIGNMENT
While making effective pitches so that a greater pool of talent arrives does move the needle in the right direction, there is another layer of friction that deters wider groups of candidates from emerging. At a glance, typical professionals in cybersecurity are both long-tenured and highly experienced. As (ISC)² mentions in its workforce survey, respondents on average had 12 years in an IT role, with approximately 7 years at their current organization and 7 years in a cybersecurity role.
As Lauren Ayala, a Senior Systems & Network Associate and DE&I champion, notes “At the security entry level we have the SOC help desk. But note that there are barriers to get into the SOC. To be effective and add value, the candidate is expected to already have years of experience under their belt and knowledge of the tools being used. For security teams that prioritize those with immediate value add and require little to no formal training, they tend to prefer individuals who come from a pre-existing background.”
From another perspective, Kai Qiang Tang observes that security teams often face unique challenges when it comes to managing their intern cohorts. “Depending on the company, often interns are on rotational assignments and are only there for several months. Even with backgrounds in engineering, IT, or computer science, there is a limit to how much they can produce in the short term and how deep they can get engaged. That is why it is especially hard to learn all required skills for an entry level cybersecurity job in university. In my experience, this is often why many new technical grads will choose to be a software developer as their first job, thus resulting in less available talent who would pursue cybersecurity. Additionally, because of the barrier to entry and cost, for international students who are talented, they prefer to quickly land a job and start the immigration process, essentially deterring them from applying.”
Hiring the right junior talent who complements and propels the team’s productivity under pressing timelines is a tall order. Established organizations have codified protocols for filtering candidates across committee resume reviews, behavioral interviews, standardized aptitude and technical assessments, and superdays. But even these well-defined processes are imperfect and can filter out a great potential candidate.
Emma MacMullan, a senior cybersecurity advisor who has worked across the public and private sector and been engaged in building teams, observes a common pattern when it comes to hiring talent in security teams. “I have seen career postings which identify how the right candidate will have ‘X’ number of years of work experience, be well-versed in the employed technologies, and bring tactical know-how in dealing with specific issues. The problem with looking for the perfect paper resume is that it ignores the reality that there are many qualified people who could succeed in the role, but at present lack particular knowledge and exposure that would make them a ‘perfect’ value-add. Instead, we must redefine what strong candidates are. I dislike the notion of ‘lowering the bar’. Just because a team chooses to hire someone who doesn’t check all the boxes, it doesn’t mean they are diluting the firm. Instead, it requires frank dialogue and an understanding of what ‘long-term talent success’ looks like for the hiring manager and management. I often discover top candidates through their character qualities when I interview them. They are scrappy and are deeply motivated to figure out how to fill into their roles with excellence despite not meeting all the requirements. I find that some of the best hires are the ones who can offer a diverse perspective and drive innovation. They want to be here, and they are valued members of the team.”
Gardner echoes a similar approach when hiring entry level staff. “I talk to managers and help my HR partners prioritize what to look for. We should not worry about degrees and certifications, but instead emphasize the personalities through behavioral assessments. Who is curious? Who is driven and wants to learn? That is the thing about IT that security professionals should love. Personally, I rarely leave work without learning something.”
As Oseni puts it, “Job postings aren’t created in a vacuum. The person making the hire often subconsciously has a type of worker in mind and is translating from their previous experiences working with the target talent. For instance, how easily a candidate from a DE&I background fits that description is team dependent. Is there already someone of such background working with the organization who has been successful and can embody the search profile?”
These points touch on something fundamental to the security industry itself. Given that time is of the essence, that experienced talent is urgently needed to parachute in with little to no training, and that naturally teams are inclined to hire those from known channels, what if by design the recruiting mechanisms and the overall system promote certain types of people and exclude others?
As shown in Exhibit 4 provided by CyberSeek, common feeder roles into cybersecurity include networking, software development, systems engineering, and IT. On paper, individuals with such backgrounds will be able to leverage their past experiences and contribute greatly to the security team. But digging into the numbers behind these feeder roles, one problem continues to emerge – even these fields have more work to do in building greater representation.
Per Statista, as of February 2020 women globally made up only 8% of software developers. Separately, while not necessarily representative, a 2019 Wired report tracked that Black, LatinX, and Indigenous people combined represented less than 15% of the workforce at Apple, Facebook, Microsoft, and Google. In 2020, TrustRadius published its first annual report on People of Color in Tech. There are an estimated 12 million workers in the US technology industry and, per the Brookings Institution, just 6.8% of computing and math-related jobs are occupied by Black and LatinX individuals.
The statistics are telling. Although the security industry is not alone in dealing with a DE&I problem, its unique dependency on in-sourcing talent from feeder programs that have historically struggled with diversity and inclusion means that what we see today, the talent gap in cybersecurity and the industry’s underwhelming representation as a whole, is really the byproduct of design flaws.
As executives and management increasingly invest in building world-class teams and championing DE&I, it is worth introspecting on the dynamics of their hiring practices and on what each organization would need in order to build sustainable programs that onboard workers from non-traditional backgrounds who, with sufficient development, can eventually become strong performers and ambassadors.
One way enterprises can help is by building partnerships with nonprofits and programs that focus on specific networks of marginalized communities, assisting with their early career entry and subsequent professional development. At NextGen we train students and professionals in cybersecurity and data management with a uniquely designed course curriculum put together by our team of industry experts and coaches. We seek to educate a diverse community of professionals on cybersecurity and to empower the next generation of talent to build a career in cybersecurity and data protection, in partnership with the community at large.
Another way organizations can expand their diversity hiring is to create roles that do not require senior-level expertise or education and to offer training and job rotation that help new hires develop the skill set, as Annamarie Dunn, VP of Culture & Talent at Cadence, recommends. “A culture shift is needed to make a real impact in diversity hiring. Leadership needs to set expectations to think more broadly about who will be successful in the role, and how aspects of the role can be taken on by junior talent. Greater diversity exists today for women and minorities currently in school and graduating in technology fields. Invest in training, set expectations with hiring managers to hire and engage interns and new college graduates to do meaningful work, and develop them over time.”
KEY TAKEAWAY #4: DESIGNING PROGRAMS THAT “FIT”
The design of professional education and development programs that seek to empower marginalized and underrepresented communities requires careful construction and constant feedback iteration from all stakeholders, from the students to the enterprise partners who make hiring decisions.
As David Ng, a cybersecurity manager, puts it, “The training courses and certifications have costs, from hundreds to thousands of dollars. For some the barrier to apply is the price tag and for others it is the number of hours. Unless the individual is being sponsored by their employer or is willing to make the financial and scheduling tradeoff to elevate their career positioning, it is often the case that many will lack resources. In our field the workflows and staff requirements can be very process-oriented, and with certifications and training more often being mandatory for entry, it is difficult to balance DE&I initiatives well when these tolls exist.”
The problem can be understood through a fundamental UX and product design lens. On the one hand, not all learners are suited for a career in cybersecurity, and those who are interested must credibly signal their commitment to go through rigorous development in order to perform on the job. These students need to be self-motivated and demonstrate that they understand what they are signing up for. On the other hand, if pre-professional development and certification training programs fail to define clearly which audience their modules and services are geared towards, and what level of customization (content, scheduling, and support) they offer, they will struggle to manage student engagement and to position the students’ development journey.
At NextGen, the programming team is attuned to our students’ experience and is working to ensure that the courses offered on our platform align well with their scheduling availability, commitment expectations, and overall learning experience. Back in March, NextGen released its pilot cohort study to understand our students’ anonymous perspectives on content fit, their progress, and where things could be improved. While feedback was generally positive, the team identified follow-on improvements to drill into and calibrate for future sessions.
Babita Gurnani, Program Administrator at NextGen, who has served over 15 years in education administration and compliance, notes that the diverse nature of program candidates (ranging from students to working professionals) requires weekly operational planning and a holistic assessment of cohort tracking, from the initial number of sign-ups through session engagement to examination completion. In the few cases where the content turned out to be more difficult than anticipated, or where course scheduling and workload proved extensive, the responsibility is on the program providers to have direct conversations with learners to understand their profiles and ensure that the program is appropriate for their needs. These learnings should then be translated back into the overall program design for future scaling.
Additionally, programs with women in their cohorts need to be attuned to impostor syndrome. As Lakhani, MacMullan, and Ayala have identified through personal anecdotes and field observations, security and engineering are challenging positions, and a very technical role can be a deterrent. Men are often perceived as more readily accepting technical challenges, irrespective of their level of readiness. By being sensitive to these psychological limiters, providers can ensure there are sufficient confidence-building workshops and tailored training sessions for women that set them up for success.
KEY TAKEAWAY #5: IMPROVING MENTORS & COMMUNITY OUTREACH
“My first champion was my high school physics teacher. She had worked at NASA and the way she communicated her own story made me very passionate about hardware technology. I think it was because of her support that I ultimately chose to pursue studies in mechanical engineering,” says Tiffany Lee, a graduate of SF State and of the NextGen pilot cohort. Lee goes on to state, “I was curious about cybersecurity through my network and was also interested in their mission in DE&I. While I never thought in depth about how my own success would be affected if I were the only woman, it does make me pause and think about which organizations do care about female inclusion and how I can tap into their offered resources to succeed.”
Lee’s story is echoed by all the female respondents surveyed in NextGen’s research. Stories ranged across “I lucked into cybersecurity through a mentor”, “I was told I could succeed even without a technical pedigree”, “I was part of a team and community that championed my development and was encouraged to excel”, and “Without my mentor and supportive directors, I would never have become an executive”. Their collective feedback reflects a consistent theme: especially among women in cybersecurity, mentorship helped them overcome the psychological and network barriers that often make it difficult to break into the industry or advance in their careers.
As Lakhani details, “It is necessary but insufficient that executives champion budget donations and company cultures to align their hearts and minds to solve DE&I and a fundamental problem of making minorities feel like they belong. What is more vital is for orchestrated changes from security ambassadors so that more people from marginalized communities receive the proper encouragement and support to enter the field. There are actionable things that companies can contribute to by encouraging employees to go beyond the workplace and offer mentorship so that younger people of marginalized communities can boost their confidence and be set up for success.”
The University of Pennsylvania conducted studies on the impact of mentorship on enterprise success. The studies found that mentorship, in both the mentor and mentee capacity, made these employees more valuable to the organization. Results show that mentees were more likely to be promoted than those not involved in a corporation’s mentorship program and, as a result, were more likely to reap positive financial rewards, generate stronger retention rates, and achieve excellent performance ratings. Additionally, the studies found that a mentorship program helped increase confidence and integration into the workplace. Not only does a mentorship program offer a wealth of opportunities to mentors and mentees alike, as numerous studies demonstrate, it also allows the organization to address DE&I head-on by creating a program that accurately represents a diverse cybersecurity workforce at all professional levels.
The active learning that comes from a mentorship program allows talent to navigate their career development more successfully. “Mentorship at the early stages of a career can be a powerful tool for success if you apply it wisely. Whether you already have a path in mind or are just exploring the possibilities, there are multiple advantages you can gain from the wisdom of those before. Mentoring will not only aid in paving your future path by opening up the doors to unexplored territories, but also allow you to learn from your mentor’s mistakes and avoid pitfalls,” states Lucia Milică, Global Resident Chief Information Security Officer, Proofpoint.
The challenges of building a sustainable, scalable, and active mentorship network are well documented. Many local, regional, and national organizations spend millions of dollars annually attacking the problems of mentorship discovery, facilitation, and monitoring that ensure both parties, mentees and mentors, receive the resources they need to develop an impactful relationship. To implement an effective model requires the network to retain an engaged mentor base with strong domain expertise, possess a good understanding of the student and talent funnel dynamics (such as where they come from, what programs they apply to, etc.), and be well equipped to track measurable OKRs of what success for the talent ultimately looks like from the short-term and long-term vantage point.
To this end, NextGen understands the impact a mentor has on the professional and personal development of early-career cybersecurity students and has begun creating a program to offer this value to its students. Chellakarai highlights the true impact and value of mentorship in the development of students: “the NextGen Mentoring program aims to foster relationships where candidates can empower each other to realize their full potential, create space for reflection and self-awareness, and gain a deeper understanding of the Cyber Security domain.”
With malicious exploits and cybersecurity breaches on the rise, the cybersecurity field is only going to continue growing. Attack surfaces rise exponentially as technology progresses, creating an even larger demand for a workforce to support and protect our data. There are structural barriers to entry that constrain the pipeline for the next generation of cybersecurity talent. These barriers consist of gender and/or cultural biases, onerous job requirements for entry-level careers and imperfect technical onboarding processes, and a poorly defined public narrative around the cybersecurity field, leaving the industry with many critical areas that require fixing.
It is NextGen’s view that through the development and promotion of education outreach, targeted professional training, and mentorship programs, all packaged to support early-career cyber professionals and those transitioning from other fields, the industry as a whole can help close the talent gap and bring more underrepresented talent into the field.