The number of unfilled cybersecurity positions continues to grow rapidly. Cybersecurity Ventures predicts there will be 3.5 million unfilled cybersecurity jobs, globally, by 2021. According to the World Economic Forum and the Wharton School at The University of Pennsylvania, “nowhere is the workforce-skills gap more pronounced than in cyber security.”
This talent gap poses significant threats to organizations, governments and individuals, as new technologies, more digital-based services, and evolving cyber threats increase the level of cybersecurity risk at a faster pace than existing cyber teams can handle. COVID-19 adds another dimension to the cyber talent gap, as threat actors see the pandemic as an opportunity to exploit the work-from-home environment and the increase in online employee activity. A survey from VMware Carbon Black, published in ZDNet, states that 91 percent of enterprises saw an increase in cyber attacks as a result of more employees working from home during the pandemic.
Making our digital-based world a safer place will require new, more inclusive approaches to cybersecurity, with input from more diverse backgrounds and perspectives. Specifically, better utilizing the talents and experiences of women in cyber can play a key role in developing more effective approaches for solving complex cyber security challenges. However, developing effective solutions will require fresh thinking and new perspectives on cyber careers and recruiting practices, as well as how the industry looks at overall cyber security challenges and strategy. Big improvements will require big changes in thinking!
Debunking Career Myths
To begin the process of changing perceptions, it’s helpful to look at how cybersecurity careers, and the typical cybersecurity talent “persona,” are understood today. Currently, cybersecurity is portrayed to and understood by the potential employee pool as extremely technology focused and very isolating. According to Stanford University’s Clayman Institute for Gender Research, “the cultural image of tech as a space for coding-obsessed, geeky guys contributes more powerfully to significant gender gaps in tech.” Not to mention, the women portrayed in these roles often seem on the fringe, as well.
The reality is that cyber talent can come from a wide range of professionals. Today, organizations need to position cyber as a career choice for all types of individuals, with different backgrounds, degrees, and experience. Along with this change in positioning, there also needs to be a change in how the media and others commonly portray the ‘face of security,’ and more accurately brand the skills and responsibilities of cyber employees and cyber security leadership. This is also an opportunity to expand the discussion on equity in the cyber security industry. Currently, women make up less than a quarter of the cyber security workforce, according to 2019 data from an (ISC)² report. To encourage more women to pursue careers in cybersecurity, there needs to be a change in perception and the working environment, so women view the career path as one of inclusion and opportunity. As part of this, there need to be more visible female role models who embody successful career paths in cyber.
Changing the Narrative on Cyber – Understanding the business risk
As part of changing perceptions, it can be useful to create a broader definition of what cyber security is. Fundamentally, it is a business risk profession, not just a technology profession, and it is also a business enabler. It is important to look at cyber in the broader context of its role in business, political and social networks. With digital transformation initiatives connecting nearly every facet of an enterprise, cyber is literally everywhere. Therefore, each and every employee has some need and responsibility for managing cyber in their role. Embracing this broader definition of cyber can position it as a central business function, rather than an esoteric technical one, thus expanding its appeal to a larger and more diverse potential employee pool. Moreover, this diversity can lead to a wider range of perspectives and skills that can ultimately provide more effective solutions against today’s evolving cybersecurity threats.
Because cyber is everywhere, it requires a broad set of experiences and perspectives to help identify potential risks and cyber solutions. No longer a profession for those with only a computer science degree, professionals with backgrounds in business, HR and other disciplines can apply their problem-solving skills and perspectives to cyber security, developing new strategies and tactics for reducing cyber risk and practicing better risk management. Utilizing the perspectives of diverse backgrounds and views can help an organization think through “the art of the possible” when solving cyber security challenges. This need for a wider set of experiences isn’t widely understood, which is why encouraging women with diverse backgrounds to consider careers in cyber is key. A recent Forbes article examined the varied experiences of women in cybersecurity, highlighting the diversity in their roles, with their experience demonstrating a range of skills such as people management, team building, communications and threat hunting. All of these skills can be effectively applied in cyber careers and leadership roles. What is often misunderstood is that ‘cyber knowledge’ can be gained from within an organization, rather than brought to the organization by the professional.
Applying Social Changes to Cyber
Humans remain the weakest link in the cyber security chain. Deliberate or inadvertent risky behavior by employees, third-party partners and other stakeholders creates opportunities for system compromises. As such, a major part of reducing cyber risk is to look broadly at the social enterprise and human behavior and apply the findings to new models for solving cyber security issues.
Obviously, when attempting to identify risk across interconnected humans, it is often best to do so with a representative understanding of those humans. Women, who comprise 49.6 percent of the population (according to Our World in Data), can help create this representative understanding, through the roles they play in social networks, and through their views on technology and digitization. For example, a married mother of two would likely bring a different perspective to ‘work from home’ risk than a 23-year-old single female. In a perfect world, both perspectives would be accounted for in forming a risk assessment. Having more women participating in the design of these strategies means a broader perspective is being built in. This is transformative and underpins a true movement for change.
Changing Recruiting – Opening Doors for Diverse Talent
It is time to change the recruiting and hiring processes for cyber. Enterprises may be missing out by only looking to technology-focused students to recruit. There are organizations that help address the need for more diversity within hiring strategies, such as: Bluescreen IT’s HACKED, Crucial Group’s Academy, TechTalent Academy’s Women in Cyber Academy and NeuroCyberUK.
James Hadley, the CEO and Founder of Immersive Labs, explains in a column in Forbes that the cyber security industry needs to address unconscious bias in hiring, which can cause managers to hire people whose lives mirror their own. This bias can also affect how performance reviews are conducted and decisions are made regarding promotions, as well as the merit-based reward systems used by many organizations. A new, more inclusive approach to recruitment and development can help to cultivate new perspectives, systems and values across the cyber industry.
This problem will not be solved by companies alone – women themselves need to become part of the solution. Women of all backgrounds would be well-served to explore careers in cyber. Beyond filling the talent gap, for which there are millions of open roles and opportunities, the need to solve evolving cyber challenges will require teams with diverse skill sets and strengths. Why do archeologists like cyber security? Because they are good at finding things. In line with this, the industry needs to help create that “sense of purpose” that we all look for in choosing a career path.
As more opportunities for women, particularly in leadership roles, become available to a broader set of candidates, longevity also becomes an attractive recruiting tool. A career in cyber should be a compelling career path. Women (and men) have the opportunity to quickly make an impact, accelerate professional growth and play an important and lasting role in enabling the future for so many organizations.
By changing the perceptions of careers in cyber, becoming more inclusive in how recruiting and hiring for these roles are conducted, and looking at cyber challenges with a broader perspective, enterprises can create more opportunities for women in the profession. Even more importantly, they can bring new strategic thinking into a profession that faces significant challenges from an ever-evolving threat and business-risk landscape.
For more details on this topic, you can listen to my recent podcast interview with Cybercrime Magazine.
Beth leads Deloitte Canada’s Data Protection and Privacy practice and is a member of the firm’s global Cyber Risk Services executive team. She has over 12 years’ experience advising organizations on the design and implementation of privacy governance frameworks and operational privacy and data protection programs to support program modernization, regulatory compliance, and digital transformation.