Cybersecurity is a fast-paced career option for anyone who loves a challenge and the thrill of problem-solving. According to data collected by the Bureau of Labor Statics (BLS), the demand for cybersecurity jobs, including information security analysts, individual contributors, and technical cybersecurity positions, is projected to increase by 31 percent over the next 10 years.
Even though the world’s need for cybersecurity continues to grow, alongside the available two million-plus positions in the industry, the Information Systems Audit and Control Association’s (ISACA) 2021 Global Update on Workforce Efforts report shows that organizations are taking three to six months, if not more, to fill vacancies with qualified candidates. Although diversity, equity, and inclusion are not new topics in the workplace culture and hiring process, business executives need to take the responsibility to create strategic plans to intentionally hire more candidates with diverse backgrounds that offer differing perspectives.
With more than a decade of experience in the cybersecurity industry working for the Department of Defense and Booz Allen Hamilton, CEO and co-founder of CyberVista, Simone Petrella, gives insight on how companies should reframe their approach for hiring to include intersectional diversity.
What’s the situation?
Among cybersecurity analysts in the United States alone, Zippa discovered that 21.9% of employees are women, while 71.3% are men. Their most common ethnicity is Caucasian, which makes up 72.6% of all cybersecurity analysts. Comparatively, only 9.6% are Asian, 7.4% are Black or African American, 7.1% are Hispanic or Latino, and Indigenous people make up 0.4% of the cybersecurity workforce population.
Outdated hiring practices, especially those perpetuated by the “old boy’s club” mentality, continue to be used. Poaching remains prevalent. Rather than investing in building intentionally diverse hiring pipelines and training entry-level talent to fill the gaps in their systems, companies have been paying premiums for particular skills, knowledge of tools, and technology. By taking a longer-term view and looking in non-traditional areas for qualified candidates to grow into roles, companies can take steps towards achieving inclusion and equity.
“In order to make a meaningful dent in the talent gap in this industry, companies themselves have to change. That is the bottom line,” states Petrella.
Shifting Into Intersectionality
The International Consortium of Minority Cybersecurity Professionals (ICMCP) recognizes that “under-participation by large segments of our society represents a loss of opportunity for individuals, a loss of talent in the workforce, and a loss of creativity in shaping the future of cybersecurity. Not only is it a basic equity issue, but it also threatens our global economic viability as a nation.”
Without the incentive of experiencing the benefits of building a diverse team, there’s an additional dichotomy between the executives in charge of the security teams and the average tenure of that executive, which is usually around three years. The issue with creating and implementing a diversity-based hiring plan is exacerbated by hiring executives who have a short-term approach to finding talent externally. Since the alternative would come to fruition long after that executive has moved on to their next opportunity, the previous hiring plan fails at maintaining long-term employees or expanding opportunities to qualified candidates who can be trained to fill gaps in their technical skills.
Petrella has spent most of her career working to fix this problematic hiring practice, which leaves positions unfilled and companies at risk without comprehensive or fully competent security teams. She argues that hiring teams are approaching hiring from the wrong direction and need to take charge if they want to see a change in the rate of filling and keeping those hires in required positions. Beyond that, creating the circumstances for upward mobility.
More than having the financial ability to hire current experts in the field alongside spending their most considerable overhead on salaries, companies – alongside their executives – have to believe that they can get more return on their investment by hiring new talent, including Black, Indigenous, and People of Color. While recognizing that soft skills are some of the essential tools that are difficult to train, hiring managers can shift their focus to onboard candidates with diverse perspectives and executive skills that will assist in communicating cybersecurity needs across their organization.
Stepping up to the Challenge
Data from (ISC)²’s Cybersecurity Career Pursuers Study showed that the industry as a whole is pursuing more diverse career and educational backgrounds during recruitment, including the non-technical abilities of problem-solving, analytical thinking, and the ability to work independently, as well as collaboratively. Their latest report shows that whatever trends develop in today’s cybersecurity workforce, gender disparities are evident in every region. The highest percentage of women cybersecurity professionals that participated in the study are in Latin America (40%). In North America, the figure is just 21%, and results in Europe and Asia-Pacific fall between these respective ranges, at 23% and 30%.
The report further suggests that many entrants into the cybersecurity field – especially those not working in an IT position – are unsure of what to expect from their first cybersecurity job and may be wary of technical obstacles. Organizations must strategically plan when assigning initial responsibilities and offering on-the-job training to invest in the candidates’ development. While that may sound like a burden for organizations, input from professionals strongly imply that having a mentor, access to training, education, and professional achievements, such as earning certifications and being exposed to the right mix of tasks in their first few years, is critical to their growth, confidence, and longevity in the profession.
Petrella highlights that the solution lies with the executives, HR, and recruiters to create a plan for hiring that clearly articulates the skills needed for their cybersecurity positions. Their job descriptions should reflect the company’s value for the diversity of thought and backgrounds and all of the non-technical skill sets that organizations are seeking. Companies can set smart objectives, institute key performance indicators within the hiring structure, and build a platform to show progress and results — internally and externally.
Some organizations, such as the Cybersecurity Talent Initiative and ICMPC, are specifically working to increase opportunities and representation from both women and BIPOC communities, particularly African American and Latinx representation in cybersecurity. Businesses have to be willing to have difficult conversations and listen to the needs of their employees while bringing diversity to leadership not just to continue transforming the cybersecurity industry but also to remain competitive. The old boys network is strong now, but it is fast a dying breed.