Cybersecurity needs to tackle its talent shortage head-on, but this insider believes that there is plenty of room for optimism when it comes to growing the pipeline of tomorrow.
Cybersecurity is one of the hottest topics in our digital world today. Yet, despite being one of the most talked about risks across the business world, employers continue to grapple with a severe cybersecurity talent shortage. According to the (ISC)2 2020 Cybersecurity Workforce Study, the global cybersecurity industry is in need of 3 million qualified cybersecurity workers. In addition, nearly two-thirds of the professionals surveyed in the study said that their organization was struggling with a shortage of cybersecurity talent.
This paints an ominous picture for the future of the cybersecurity workforce. Yet, while some in the cybersecurity world might view closing this gap as a nearly insurmountable task, Marian Merritt of the National Institute of Standards and Technology (NIST) thinks otherwise.
Currently the Deputy Director of the National Initiative for Cybersecurity Education (NICE) — and the former Director of Cyber Education and Online Safety Programs at Symantec — Merritt is no stranger to some of the deterrents that are keeping candidates away from pursuing a career in cybersecurity. That said, she is also optimistic that by making a few changes in recruitment strategies as well as increasing awareness of the scope of cybersecurity careers, our digital economy can turn the current trickle of cybersecurity talent into a flood.
What is Keeping Candidates Away?
According to Merritt, one of the primary hurdles to filling the cybersecurity talent pipeline is the longstanding myth that all cybersecurity work is the same, and that a love of math and coding is a prerequisite for entering the field.
“What people believe cybersecurity work to be, and what it actually is are really quite different,” said Merritt. “There is incredible variety in the work that someone can do. I mean, you can use me as an example, I have two marketing degrees. I don’t write code, yet I’ve worked in cybersecurity for nearly 25 years. And many people might not realize they already have cybersecurity job responsibilities, whether we work in legal, software development, marketing, or even purchasing. The range of competencies and work roles that include cybersecurity is remarkably broad.”
Merritt also noted that given that cybersecurity careers are still relatively new, potential candidates may be unaware of the job opportunities they can qualify for, or the speed with which they might train and qualify.
“I think one of the biggest issues we have is that it’s still a relatively new career field. So we are still seeing job standards evolve and employers are engaging with education and training providers to ensure what you learn in college and training programs results in acquiring in-demand skills employers require. We also, as a community, have a fair bit of work to do in raising awareness of cybersecurity work and how one qualifies for these great work roles.”
Building a Diverse Pipeline
When we consider the shortage of women in cybersecurity (estimated at only 24% globally) or the even greater shortage of ethnic minorities, growing diversity continues to be a priority for the cybersecurity industry. And shaking up recruiting and using data could be key to helping accomplish diversity, equality, and inclusion goals, said Merritt.
“If you’re a recruiter in an organization and you’ve been recruiting the same way with the same external recruiters and hiring people who resemble the team you already have, the time is now to think differently to increase the diversity of your applicants,” said Merritt. “We have great data at NICE about steps organizations can take to bring in more diverse talent. For example, there’s a study from the Harvard Business Review which says that if your final candidate pool has just one woman in it, you will not increase the number of women you hire. But if you have two or more, it will make a difference and you will increase the diversity, at least for women. Organizations can also embrace apprenticeship programs to develop the talent they need, regardless of educational background.”
Merritt also noted the importance of revamping recruiting messaging as a key catalyst in drawing in more diverse candidates into the cybersecurity workforce pipeline by focusing on messaging that is more inclusive.
“Research shows that the very language we use in job announcements can signal candidates to potential bias issues. Using terms like “cyber ninja” or “team player” may have hidden meanings that turn qualified people off. Knowing this, addressing this, is important to ensure that we make our positions as inclusive as we can. Of course, this is a complex topic and there are many resources out there to help employers, but we should be looking at the language in our position descriptions and job ads as well.”
Despite these challenges, Merritt also noted a sense of real positivity and opportunity as it relates to growing cybersecurity’s workforce diversity, especially within the existing cybersecurity professional community itself.
“As a professional community we are all talking about diversity and inclusion, which makes me really optimistic. Additionally, we’re also seeing the evolution and creation of affinity groups around different ethnic groups or different social groups, and that’s really important, too. We all want to feel we belong in our chosen field or organization, so whether it be groups such as Women in Cybersecurity or the International Consortium of Minority Cybersecurity Professionals (now known as Cyversity), we need more of these groups because if you can be with people that you feel similar to, they’ll support you and coach you and mentor you, and that should help more people feel comfortable. This all bodes well for bringing more diversity into the cybersecurity field.”
Resonating With Youth
Reaching out to children and parents is also key for building a long-term sustainable talent pipeline, said Merritt — who during her tenure at Symantec created the Symantec Cyber Career Connection, a cybersecurity career program for underserved young adults which launched in 2014 — especially as the opportunities continue to grow. Parents in particular play a key role in developing interest in cybersecurity, with Merritt noting the industry needs to do a better job of resonating with parents or other family members equipping them with the knowledge they need to empower children interested in pursuing cybersecurity careers.
“Parents have such an important role in not only helping young people become aware of the steps towards qualifying for careers, but also just supporting their children’s dreams,” said Merritt. “Unfortunately, in many cases, parents may not feel equipped to guide children interested in cybersecurity towards a career in the same way they would if their child was interested in becoming a lawyer or a firefighter. Therefore, the more that we can do to inform teachers, school counselors, and parents about the qualities that succeed in cybersecurity careers — and that girls and boys alike can be equally successful in this field — the closer we can get to building a robust and diverse talent pipeline.”
“And then for young people, there are great resources out there that cost very little or are free where people can start learning in cybersecurity — such as the websites the National Cyber Security Alliance and NICE have — so I would encourage young people to explore those. And then look for clubs, competitions, and exercises such as capture the flag. They can seem so intimidating at first, but I’m telling you the people who run those programs are so supportive and inclusive. A parent or student who does outreach will find themselves welcomed and embraced.”
Merritt also noted how important it is to dispel the myths around costs as a barrier to entering the cybersecurity field.
“While it’s great if you can enroll in a program, qualify for an industry certification or even build a home-based lab, it’s not necessary to start learning cybersecurity. And it would be terrible if people turn away from cybersecurity because they think it is an expensive field to get into. Truly, cybersecurity can be very inexpensive to get into. I have met so many people who’ve even started learning on their phones by watching YouTube videos. So, it doesn’t matter who you are, where you’re sitting, what kind of device you have; you can start learning cybersecurity today.”
Embracing Opportunities to Empower
Central to driving awareness and interest in cybersecurity careers is for organizations to engage in opportunities to empower students and parents to look at cybersecurity as a viable and exciting career path, whether that is through formal initiatives such as Cybersecurity Awareness Month or setting up informal tours of local industry.
“We can’t afford to miss creative opportunities to empower people,” said Merritt. “For example, we have been working on Cybersecurity Career Awareness Week (CCAW) for a number of years. We encourage organizations to create commitments for CCAW: events, webinars, or classroom visits (whether virtual or in-person). People are creating posters and infographics to explain cybersecurity work, and these all go a long way to make individuals consider careers in cybersecurity.”
“But what I find really empowering is how current professionals are now getting involved in going out and encouraging individuals to get involved in cybersecurity by just sharing what they like about the field, how they qualified, what kind of roles they are hiring for and other exciting tidbits of info. You never know who you might influence in your circle. Additionally, it’s long been known that young girls tend to consider careers based on the people that they know. And if they don’t realize, ‘Oh, the neighbor two doors down happens to be a cybersecurity professional,’ that could be a lost opportunity. So, it could be as small as, ‘I’m going to talk to somebody and tell them I work in cybersecurity.’ That alone could be so influential.”
Marian Merritt is the Deputy Director for the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST). Her areas of focus include industry engagement, apprenticeship, and small business cybersecurity.
Marian has over 20 years of experience working in the cybersecurity industry.
She previously was with Symantec Corporation as their Director of Cyber Education and Online Safety Programs. In that role, she created a cybersecurity career program for underserved young adults which launched in 2014. The Symantec Cyber Career Connection continues in partnership with non-profit workforce development organizations in several US locations. Marian attended Boston University’s Questrom School of Business for her undergraduate degree and holds an MBA from the Wharton School at the University of Pennsylvania.
Resources from the National Initiative for Cybersecurity Education (NICE)
To learn more about Cybersecurity Career Awareness Week, visit https://www.nist.gov/itl/applied-cybersecurity/nice/events/cybersecurity-career-awareness-week
To learn more about getting girls into STEM careers, watch this.
To learn more about the challenge of that first role in cybersecurity, watch this.
To learn more about writing position descriptions for greatest impact, watch this.