Filling the Cyber Skills Gap

The cybersecurity workforce shortage keeps increasing every year, and many of the same talking points are heard repeatedly across webinars, conference panels, media interviews and articles, in particular– the need to fill the cyber workforce and recruit more diverse candidates. But what does that mean?

Last year, at the SANS HackFest Pen Test conference, I gave a keynote speech that highlighted a few concrete examples of how we can fill the workforce gap and emphasized the value of mentorship and diversity within cybersecurity. As a penetration tester, consultant, professor and the executive director of BlackGirlsHack, I interface daily with young women, men and nonbinary folks who are either trying to break into cyber, pivot from another field or level up from their current position. These people are largely new to cyber, often having a combination or subset of education, work experience and/or certifications.

Yet, there is one thing that is common across gender and racial lines: the desire for a job in cybersecurity. To be more specific, they are looking for an entry-level or mid-level position in cyber. As a founder and leader of a nonprofit serving Black girls and women interested in breaking into cybersecurity, I speak with so many individuals who are interested in cybersecurity—and yet we have a cybersecurity workforce gap. In this blog post, I will share a few observations and reiterate points shared in prior talks on how we can realistically solve the workforce gap problem.

The Statistics

As of 2021, 3.5 million cybersecurity-related jobs are available throughout the world, and approximately 700,000 are available in the United States alone. Additionally, research shows that the cyber unemployment rate is almost 0 percent and that many highly qualified cybersecurity professionals could easily pivot into any open position. With these numbers, BlackGirlsHack’s strategic goal of matching jobs to job seekers should be easily attainable, but, in truth, this is no small task.

The Problem

Job postings on career sites like CareerBuilder, Indeed or GlassDoor frequently contain unrealistic requirements for entry- and junior-level positions. Below are three examples from positions listed on career sites. These positions represent the roles needed to fill common cybersecurity vacancies on a governance, risk and compliance team; a blue team; and a red team and summarize key desired qualifications:

1. Junior remote risk management analyst: requires a bachelor’s degree, familiarity with common risk frameworks and a Security+ certification;
2. Fully remote security analyst: requires an up-to-date understanding of security threats, familiarity with standard frameworks and ideally an advanced-level cyber certification; and
3. Fully remote junior penetration tester: 3 years of experience in a security operations center environment and experience or familiarity with about 20 listed industry tools, half of which are not available for free.

Some of these jobs require 3 years of experience with industry certifications that require a minimum of 5 years of experience to qualify for and take. Furthermore, the job qualification requirements are unreasonable for college graduates with a computer science, cybersecurity or even a nontechnical degree from the liberal arts.

The job examples above require certifications, work experience and education. However, a typical graduate comes out of school with only one of those requirements and does not possess the work experience that recruiters need to match them with jobs. As a professor of cybersecurity and computer science at a university and as a woman who has been working in the technology/cyber field for over 15 years, I can confirm that our colleges are not generating students with hands-on experience and certifications. Only recently have colleges and universities begun working to produce a cadre of graduates with either hands-on experience or entry-level certifications, such as Security+.

Right now, as it stands, potential employees and future employers are standing on opposite sides of a football field. Trying to find a place in the middle where we can get recent graduates and people like the members of BlackGirlsHack into a job is the real need.

The Solution

BlackGirlsHack, like so many organizations, is home to a group of motivated, ambitious individuals who are eager to be employed. Yet many employers claim that they can’t find the right candidates for their cybersecurity vacancies. To fix this, we need to develop real-world strategies to bridge the gaps between employers and candidates with better hiring practices. Organizations need to take a different approach and should help create pipelines for employment, such as internships and apprenticeships, to get motivated people in the door.

Once the interns and apprentices begin to fill more of the vacancies, companies can begin targeted programs to train employees in the tasks that need to be performed. This process would put eager people into jobs and provide them with experience and hands-on training. It also provides employers with an amazing opportunity: eager employees paid lower salaries for the first year of their employment who are receiving on-the-job training to become subject-matter experts for their company’s products and services. In this way, vacancies could be filled from the bottom up.

So where do diverse employees come from? Diverse nonprofit organizations like BlackGirlsHack, Women’s Society of Cyberjutsu, Minorities in Cyber, Empow(h)er Cybersecurity and Black Girls in Cyber have an organic collection of diverse, educated candidates who have already expressed an interest in cybersecurity. These organizations have programs to develop a pipeline of qualified candidates thus, filling shortages in the cyber workforce. Companies will begin to see that engaging with diversity-based programs that focus on the trifecta of qualifications (education, certification and experience) is an excellent way to help ensure a steady flow of diverse candidates and lower their overall costs. Training programs like these help ensure that employers have a pool of employees who have the required, relevant skills.

The Business Case

Studies have shown that more diverse companies, especially companies with diverse leadership and boards, are twice as likely to hit their financial targets and have two to three times better performance. The business case for developing diverse candidates is clear: We need to fill the cybersecurity job shortages with diverse candidates so individuals can grow within a company and help increase diversity at higher levels within the organization. The long-term impact of having diverse employment pipelines is the workforce depth that can then organically progress to executive leadership teams and boards to ensure greater future corporate diversity.

The Way Forward

By changing the way they recruit candidates, organizations can achieve the dual goals of filling open positions while increasing diversity within their organizations. This starts with developing and hiring eager, diverse, entry-level candidates, incentivizing on-the-job certifications and developing effective mentorship programs, which would enable candidates to gain experience and grow professionally within the organization. This, in turn, would help ensure that well-rounded, certified professionals are available to represent the company, support its goals and train the next generation of professionals behind them.

The cyber skills gap has a manageable solution, but employers and potential employees have to meet in the middle and change existing approaches to recruitment, training and retention to reach it.