There is No One Definition of a Cybersecurity Professional and No One Path to Get There
Frost & Sullivan puts the cybersecurity workforce gap at 1.8 million by 2022, while Cybersecurity Ventures pegs it at 3.5 million by 2021. No matter how you measure it, the number of unfilled cybersecurity positions is big and it’s a problem we’ve been lamenting for years. The traditional approach to address the shortage has been to encourage more individuals to pursue technical and engineering degrees. But which individuals? And if you aren’t “technical” does that mean there’s no room for you in cybersecurity? If we think more broadly about the type of talent we need and how to build even better security teams, we’ll see that the solution to the workforce gap is through inclusion.
Consider that the number of women in the digital security workforce is 11 percent, while blacks, Hispanics, and Asians represent less than 12 percent. And people with disabilities have much lower employment rates across all fields than those without disabilities. There are also individuals who have stepped away from their careers for several years for family or personal reasons and are interested in returning to work. We can dramatically expand the universe of qualified workers by tapping into the tens of millions of individuals on the sidelines.
Our adversaries have figured this out and aren’t limiting themselves in this way. They’re making use of all the talent they have – male and female, different ethnicities, different social backgrounds, and different nationalities – to launch attacks against us. Yet we’re operating at a deficit, not just in terms of the number of defenders we have, but also because security teams that consist of people with different backgrounds, skills, and perspectives foster creativity and innovation that can produce safer and more secure organizations. There is also well-documented evidence that companies with more diverse workforces perform better financially – 21 percent experience above average profitability and 33 percent above average earnings-before-interest-and-taxes (EBIT). And diversity can assist with recruitment and retention. On so many levels, diversity and inclusion are good for business.
To create a diverse talent pool and, in time, put a stop to the perpetual scrambling for cybersecurity workers, we must focus on six pillars:
1. Education – Provide opportunities, mentorship, return-to-work programs and other resources to ensure a diverse talent pool is expanding its knowledge and skills in cybersecurity to launch, change or restart their careers.
2. Outreach – Raise awareness early, starting at the K-12 level, for the breadth of opportunities within the field of cybersecurity.
3. Accessibility – Create an open environment for people with disabilities who require assistive technology to do a job, whether technical or consultative, but are otherwise qualified.
4. Leadership – Offer training on leadership skills and coaching to help employees advance or move laterally into cybersecurity, even at later stages in their careers.
5. Community – Proactively build and support inclusion within your organization by offering networking and knowledge-sharing events and by actively participating in such events as a cybersecurity professional.
6. Engagement – Challenge every employee within your organization to take a personal interest in disrupting the status quo by sponsoring extraordinary job candidates with diverse backgrounds. At Cisco we do this through the Multiplier Effect Pledge.
These efforts can be corporate-wide or at the local level. The goal is to raise awareness, eliminate barriers, and create an inclusive environment so that more people will explore and pursue careers in cybersecurity.
In addition to these types of initiatives, we can also focus on dispelling the misconception that cybersecurity is a purely technical discipline. As the field has matured we’ve seen that many domains must come together to perform security well – infrastructure security, application security, data science, and business risk. I’ve worked with many successful cybersecurity professionals in each of these domains who didn’t have “traditional” technical backgrounds. They had degrees in math, social science or business.
By way of example, let’s look at the area of business risk, which includes strategy, risk, and compliance. For those who may think they aren’t suited to cybersecurity, this domain presents ample opportunity for two important reasons.
First, the entire purpose of cybersecurity is to enable and support business objectives. Yet the IT department and cybersecurity are often viewed as the office of “no.” The security team must include individuals with the business acumen to understand business objectives and understand where risks reside. This will allow IT and cybersecurity to work with business leaders to align security with digitization strategies that leverage the Cloud, Internet of Things, and analytics.
Second, there is a huge communications and knowledge gap between executives in the board room and technical security staff sitting in the Security Operations Center. They speak two very different languages – revenue and business risk vs. speeds and feeds. Security professionals who succeed have mastered the ability to translate technical cybersecurity topics into terms that are meaningful to board members and can outline business implications. Individuals with skills in problem solving, collaboration, and communication along with a background in general business administration/management, finance, and economics can help bridge the gap and excel within the operational realm of cybersecurity.
There is no one definition of a cybersecurity professional and no one path to get there. By increasing awareness of the varied skills needed and providing support to cultivate such talent, we have an opportunity to expand the pool of workers and improve security and financial performance in the process, with teams that are based on inclusion and diversity. We need to marshal all our resources to strengthen our defenses.