In the wake of the pandemic’s forced distribution of the workforce, millions worldwide will continue to depend on remote access for months -- or even years. And a hybrid of remote work is likely to become a permanent fixture in many organizations. All these changes mean that CIOs and other IT leaders must attract, retain and hire professionals with broad cybersecurity skills, but that’s not as easy as it sounds.
The cybersecurity skills shortage continues to climb, and the cybersecurity professionals out there are in high demand. They’re constantly courted by recruiters, making retention almost as big a challenge as hiring. Part of the retention solution comes down to culture. Changing the culture and increasing diversity in the hiring process in terms of gender and different backgrounds is the key to altering the status quo. Otherwise, IT organizations face a future of increasing cyberattacks and a chronic inability to meet security staffing needs.
Attrition and the skills gap
In a recent report on the cybersecurity skills shortage, 68% of responding organizations said they struggle to recruit, hire and retain cybersecurity talent. Seventy-three percent of organizations had at least one intrusion/breach over the past year that can be partially attributed to a gap in cybersecurity skills; 47% had three or more.
Organizations that take longer to fill cybersecurity positions experience more attacks. ISACA’s State of Cybersecurity 2020 Survey found that when organizations took three months to fill an open position, 35% experienced an increase in attacks. Of those taking six months or more to fill a position, 38% saw more attacks.
There’s also a connection between talent retention and diversity and inclusion in the workplace -- and this is certainly true for the cybersecurity industry. The researchers at McKinsey note that companies with an inclusive work environment and diverse employees tend to be more successful at retaining their workforce.
Breaking down the stereotypes
A number of perceptions and misconceptions contribute to the lack of diversity in the cybersecurity field, with respect to both gender and employment background. The ISC(2)’s 2020 Cybersecurity Perception Study found that not enough job seekers are considering cybersecurity roles. They see the sector as a set of highly specialized technical roles that require a specific set of skills that they don’t have and can’t or aren’t interested in acquiring. While they agree that cybersecurity is a good career path, it’s not one they want to go down.
Women currently comprise just 14% of the cybersecurity workforce. Because men have so long dominated the industry, there’s a perception that cybersecurity is a man’s job. The stereotypical image of hackers is men in hoodies working in a basement, and the matching stereotype of cybersecurity professionals as men in dimly lit back offices. This just isn’t the case.
These stereotypes need to stop if the industry hopes to become more inclusive and diverse.
The ISC(2) study found that women were likelier to perceive the industry as intimidating and to be put off by lack of diversity. Currently, men are five times more likely to be in a CISO role than women.
Yet increasing the female population in cybersecurity is good for business. Women leaders in this field have different priorities, such as learning and development initiatives for employees about security and risk management -- which makes the company more secure. Women tend to bring a greater diversity of background, as well. Forty-four percent of women in information security fields have degrees in business and social sciences, compared to 30% of men. This can mean that they look at things from a different perspective than those who focused solely on an educational track of engineering or computer science.
Widening the pipeline beyond traditional IT candidates
As just noted, it’s important to look beyond traditional IT experience. Recruiting nontraditional candidates requires a holistic look at the workforce. To bridge the skills gap, organizations need to develop new candidates through education, upskilling current IT professionals and developing new skills within the existing employee population.
To build from within, consider the role that certifications can play. Certifications increase knowledge and skills of individuals already in or entering the cybersecurity field. Employers know that certifications prepare workers from IT roles to take on cybersecurity responsibilities. Certifications also allow individuals to diversify their skill set and oftentimes propel their career growth.
Military veterans and military spouses are another segment of the workforce that organizations can tap to reduce the cybersecurity talent shortage. Organizations that make a dedicated effort toward military recruitment have benefited from teams with diverse perspectives and skill sets that fit well in a cybersecurity career.
A new light on cybersecurity careers
At a time when more people work from home than at any point in history, the cyber threat is more intense than ever. This makes the well-known cybersecurity talent gap yet more dire. Retaining that talent, as well as finding new sources of talent, has become a corporate survival skill. Research demonstrates that organizations with more diverse and inclusive cultures are better at retaining talent; it also shows that many people feel a cybersecurity career is out of reach for them. This requires a re-education effort to show people that many backgrounds are welcome and, in fact, needed in the field and that certifications are steppingstones into this in-demand, wide-ranging and rewarding career path.
Sandra Wheatley is responsible for Fortinet’s threat intelligence, customer marketing, security academy and veteran’s training programs. She has served on multiple non-profit boards and is a founding board member of US2020, a White House Initiative to improve STEM learning and increase the pipeline of STEM workers in the U.S. She holds a B.S. degree from Santa Clara University, a diploma in Community Leadership from Boston College, and a diploma in Corporate Responsibility from U.C. Berkeley.