Part One of this series, which ran in our July newsletter, focused on some of the problems. Now, in Part Two, we’ll see what some organizations are doing to fill the gap.
One thing we know is that cybersecurity teams are struggling to keep enterprise networks secure at a time when the rise in remote working is providing additional security challenges – stressing not only the networks but the people responsible for keeping them running.
A global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) warns that a lack of business investment, combined with the challenge of additional workloads, is resulting in a skills shortage that's leading to unfilled jobs and high burnout among information security staff.
Some employers, however, are developing pathways for cybersecurity roles. One company that hires a tremendous number of cybersecurity professionals is Deloitte; as of May 2021 the company employed more than 22,000 cybersecurity workers around the world under its Deloitte Cyber business line. Deloitte was named as the top company for hiring cybersecurity talent by Datamation. How do they do it? How are they able to maintain their constant demand for cybersecurity talent?
According to Deborah Golden, Deloitte’s US cyber and strategic risk leader, “The pandemic pushed change into a bit of hyper-speed, but we were already headed into digital transformation. Because of that, we are becoming overly diverse in terms of the types of skills we’re looking for, from everything from deep cyber to domain expertise. Don’t be concerned if you don’t have all the certifications or the degrees or the capabilities that you think were historically needed for cyber,” Golden advises.
As Joanna Burkey, CISO at HP, Inc. puts it: “Allow me to bust a popular myth: that cybersecurity professionals must be technical wunderkinds, hoodie-clad prodigies who can crack a password in six seconds.” She goes on to say, “there’s much more room under the ‘big tent’ of this industry than people think.” A 2021 CYRIN newsletter reported that both the US Department of Homeland Security and the USAJOBS website are actively seeking candidates who may lack degrees or certifications in cybersecurity or IT but are self-taught or can learn on the job.
In the case of Deloitte Cyber, they have developed a train-to-hire program for candidates in cybersecurity in topics such as software engineering, data science, and UI/UX development. Typically, these candidates engage in boot camps and other job training programs to prepare them to take on cybersecurity jobs that otherwise would be filled by a traditionally trained professional, someone who studied cybersecurity or an adjacent field in undergrad or graduate school. As Deloitte’s Golden says, “The cybersecurity landscape used to be contained within four walls. Obviously where we are today, that’s truly not the case.”
In June, an advisory report (prepared by the Solarium commission) warned that the US Government needs to radically overhaul the way it hires and compensates cyber pros if it wants to get ahead of the ever-growing digital threat.
Proposed top-line changes include accelerating pay scales to ensure government cyber pros are more than competitive with the private sector and creating job requirements so it’s easier to hire people with specialized cybersecurity certifications but who lack bachelor’s degrees.
A major report recommendation is the idea that cyber jobs are unlike other jobs the government must fill. Many people with the best skills have gained them without gathering traditional credentials such as bachelor’s and master’s degrees. The field also moves so quickly that taking time off to retrain is far more important than in slower moving fields such as contract law.
As a result, the report recommends that the newly created position of National Cyber Director (NCD) should work with the Office of Personnel Management (OPM) to develop a dedicated team of government human resources specialists that are highly trained in these differences and who can hire and manage the careers of federal cyber pros.
There are new initiatives among companies, educators, and government agencies that are seeking to find and diversify the talent pool. These strategic alliances will increase the number of available and skilled workers, while also making this field one of increasing diversity, which may draw even more people from a variety of sectors.
In Big Tech, in 2021, Microsoft announced the launch of a national campaign with U.S. community colleges to help place 250,000 people into the cybersecurity workforce by 2025, representing half of the country’s labor shortage. Google started with a full-page ad in The Wall Street Journal that says they’re planning on training 100,000 Americans for vital jobs in data privacy and security. In 2021, the company stated in a blog post that this pledge is being made through the Google Career Certificate program. In 2022 you can see ads on broadcast and Cable TV for this program.
A Fact Sheet published this time last year by the White House announced that IBM will train 150,000 people in cybersecurity skills over the next three years, and they will partner with more than 20 historically black colleges and universities to establish cybersecurity leadership centers to grow a more diverse cyber workforce.
Code.org joined Microsoft, Google, IBM, Apple, and Amazon at the White House at that August 2021 announcement and committed to teaching cybersecurity concepts to three million students. This includes two million K-12 students across 35,000 classrooms over the next three years, and the launch of a new instructional cybersecurity video series with a goal of reaching one million students of all ages; 45 percent of Code.org students are young women, and 49 percent are from underrepresented racial and ethnic groups.
In March of this year, CYRIN announced a partnership with QA Ltd. called Cyber Explorers to inspire 11-14-year-olds across the UK to pursue cyber security careers.
In 2021, women made up 25 percent of the global cybersecurity workforce, according to Cybersecurity Ventures, an uptick from 20 percent in 2019, and 10 percent in 2011. Cybersecurity Ventures predicts that women will represent 30 percent of the global cybersecurity workforce by 2025, and that will reach 35 percent by 2031.
These numbers are not an accident. There are a number of organizations contributing to this effort.
Since 2012, Women in CyberSecurity (WiCyS), an organization of women cybersecurity professionals across the world, with student chapters in several countries, has made it their mission to recruit, retain and advance women in cybersecurity. As a group they enable women in cybersecurity to collaborate, share their knowledge, network, and mentor. Along with creating professional development programs, conferences, and career fairs, they look to advance women and especially female students’ interest in cyber as a viable and compelling career path.
Companies are getting in on the act. Microsoft, for example, has co-hosted events with Girl Security on more than one occasion to explore more avenues for women in security. Girl Security and WiCyS are just two of several women’s groups and associations that have sprung up recently.
In 2021, Deloitte Cyber introduced a global awareness and recruitment campaign to attract more women with diverse skill sets and backgrounds into the cyber profession.
“Everybody knows the statistics by this point in time,” said Jen Easterly, director at CISA (the U.S. Cybersecurity and Infrastructure Security Agency), in a presentation for the Black Hat USA 2021 conference. “3.5 million unfilled cybersecurity jobs around the world, some 500,000 here in the U.S.”
“Now a particular passion of mine,” Easterly said during her presentation, “is developing diverse organizations.” (See her comments on this topic at roughly the 50 minute mark; see also remarks on joint cyber defense collaborative – 42 minutes and student scholarships and reskilling starting at 47 minute mark.) “I honestly believe that organizations that we build, particularly in technology and cybersecurity, must reflect the incredible diversity of our nation; diversity in gender and ethnicity, and sexual orientation in education and background all translates into diversity of thought. That helps us solve our most complicated puzzles, better and faster. That incredible diversity helps us be able to address these problems, much more collaboratively and effectively.”
Ron Green, executive vice president and chief security officer at Mastercard, perhaps offers the best closing comment when he says, “You can’t be what you can’t see.”
CYRIN can help. CYRIN’s online interactive virtual training platform is designed to be “always available” 24/7 to improve the skills of IT, engineering and cybersecurity professionals and students. CYRIN contains more than 60 interactive labs, courses, exercises and attacks where you can train on commonly used tools in network administration and defense, individual and red team/blue team exercises, and numerous attack scenarios where students and trainees must mitigate random attacks on industrial and enterprise networks.
To meet the test, CYRIN is continuously evolving to stay abreast of the cyber “arms” race. We constantly add new exercises and courses and our collaboration with partners like the Rochester Institute of Technology (RIT) help us add new tools to meet the existing challenges and new threats as they emerge.
But don’t take our word for it. Please take a look at our entire course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!