Responsibilities are complex and require different job descriptions, reduced bias and a variety of skill sets, industry leaders say.
Much has been written about the shortage of cybersecurity professionals, and experts say diverse candidates can help fill the void–if organizations would only start thinking differently about how to attract candidates.
Women will hold 25% of cybersecurity jobs globally by the end of 2021, according to a projection by Cybersecurity Ventures. That’s up from 20% in 2019, the firm said. Meanwhile, only 12% of Black professionals worked as information security analysts in 2020, according to the U.S. Bureau of Labor Statistics.
Meanwhile, a 2019 (ISC)2 study found that the global cyber workforce will need to grow more than 145% to meet the demand for professionals.
Diverse security teams are important because they “consistently prove that they are capable of greater innovation, creativity and productivity,” said Zaira Pirzada, principal, advisory at Gartner. The firm’s research finds that a diverse workforce improves performance by 12%, and it increases an employee’s intent to stay with an organization by 20%, Pirzada said.
“Diversity also fosters creativity, reduces fear and helps solve complex problems through the inclusion of a variety of perspectives,” she said. While it might seem counterintuitive, there is no shortage of diverse candidates for cybersecurity roles, but there is a skills shortage, Pirzada noted.
Cybersecurity professionals have complex responsibilities, like balancing the demands of business, managing an ever-evolving threat landscape and making complex risk decisions,” she said. These responsibilities require people who are forward-thinking, innovative and creative.
“Diversity can enhance a security team by improving decision-making and creative problem solving,” she said. “Ultimately, a more diverse security team will more effectively meet business demands.”
Poorly written job descriptions, bias, exacerbating the problem
Yet, Gartner finds that “security leaders artificially limit their talent pool by overburdening their job search with narrowly-defined qualifications,” Pirzada said. Instead of requiring that a candidate possess a litany of certifications and potentially unnecessary technical experiences, security leaders should broaden their search and look for diverse candidates with varied skill sets, she said.
Ian McShane, field CTO at security operations software provider Arctic Wolf, agreed, saying that unconscious bias, poorly written job descriptions and preconceived notions of what is required for security jobs are not only deepening the skills shortage but a diversity shortage in the industry as well.
Much of the issue is self-imposed, McShane added, and organizations must reframe their expectations of who can fill roles and what skills are required for addressing today’s cybersecurity issues.
The industry is “dominated by middle-aged white people who have privilege and all the luck in the world,” said McShane, who is also a former Gartner analyst.
Tech vendors in particular, “don’t make it easy” with their hiring criteria and tend to use words like “cutting-edge,” “rock star” and “unicorn” in their job descriptions, which creates a bias, McShane said.
Organizations sometimes also post job descriptions that read “like something out of the ’80s or ’90s,” with boilerplate wording, and written “by someone with no idea what the job should be.”
Pirzada echoed that, saying that “the hindrances to hiring diverse cybersecurity candidates are often related to company culture and security culture, both of which can be rife with conscious and unconscious biases. Biased job descriptions, less diverse interview panels, stressful and unforgiving workplaces that offer very little growth potential all can be major obstacles to hiring and retaining diverse employees, especially in cybersecurity.”
Patricia Titus, chief privacy and information security officer at Markel Corp., a global holding company for insurance and investment operations, said she sees progress being made at “the rank and file [level], but I still think we aren’t at the executive levels.”
Impediments to a more diverse cyber workforce are varied, Titus said, “but likely due to the level of risk, long hours and stress this professional has. Cybersecurity is not the profession for everyone, that’s for certain.”
Markel’s security team is 34% women and 66% men, she said and added that it is important to have “a great variety of people from very diverse backgrounds,” including age, tenure, gender and ethnicity.
To help alleviate the problem, Deloitte Cyber recently launched a global awareness campaign to attract more women with diverse skillsets and backgrounds into the cyber profession. About 25% of the practice’s over 22,000-member team is women, and Deloitte Global Cyber Leader Emily Mossburg acknowledged that more work needs to be done–both at the company and the industry at large–to elevate women in the cybersecurity field.
The impetus was an “industry misconception that cybersecurity is a technical problem that requires technical expertise, which tends to be heavily male-dominated,” Mossburg said. “There continues to be a disconnect between what skills make a cyber professional and then what those professionals look like.”
So far, “we have been blown away by the response to the campaign globally,” she added.
Consider looking from within
McShane recommends that organizations not bury the requirements for a job halfway down a page and take into consideration things like experience and soft skills as opposed to degrees and certifications.
There needs to be a willingness to “look beyond traditional job descriptions,” he said.
“I would rather work with someone with a willingness to learn and good communication and has empathy.”
The words used in job descriptions are impacting people who are applying for the roles, he said. It’s important to specifically mention what the person will do day-to-day. That way, “someone’s life experiences might line up with those tasks,” McShane said.
Organizations should also look internally to fill cybersecurity roles. “We don’t see enough people moving laterally from IT roles to cybersecurity” ones, he said.
Titus concurred, saying “don’t be afraid to hire people with little experience, but rather focus on if they’re driven to learn and grow. Those people may become your gemstone and likely your best employees.”
Her team hired one of their administrative assistants and she is surpassing all expectations, Titus said. “Take a risk on someone, and you may find the rewards are vast.”
CISOs should look at cyber in the broader context of its role in business, political and social networks, Mossburg said. Cybersecurity runs throughout organizations, so every employee has some need and responsibility for managing it in their role, she said.
Commit to enhancing your cultural understanding
To attract diverse candidates, organizations should commit to working on themselves and their culture first, and work with their employee resources groups and diversity, equity and inclusion teams to enhance their cultural understanding, Pirzada advised.
“If these options are not available to them, then leaders can commit to self-study through literature, podcasts, and other forms of media,” she said. “Once leaders can understand how their unconscious biases play out in their workdays and lives and how they affect others, they can better understand how to shift the workplace environment for the better. Basically, change comes from within.”
Leaders should also partner with HR to look outside of their traditional hiring networks. By casting a wider net and broadening their search to less traditional environments, security leaders can conduct a more equitable and less biased job search, Pirzada said.
“This can include [historically Black colleges and universities] HBCUs, disability networks, veteran networks, women-led networks,” she said. “In so doing, the potential for diversity in security is high.”