A rise in remote cybersecurity job openings could give businesses the opportunity to diversify their workforces with more security-savvy women and people of color, industry groups report, but the change will not happen if employers don't think hard about their long-term strategies.
This week CyberVista and the International Consortium of Minority Cybersecurity Professionals (ICMCP) released a joint report on the cybersecurity job market in Q2 that the organizations say bodes well for these underrepresented groups.
According to the report, while the world and workforce reel from the coronavirus pandemic, cybersecurity jobs are on the rise: with 348,082 open positions in June 2020 compared to 261,545 in April (as per LinkedIn job postings).
The rebound is most significant in healthcare and financial services, with 120,000 and 115,000 respective openings since June 18th, followed by information technology and services (114,000+), retail (85,000+), and computer software (77,800+). The uptick isn’t purely for cybersecurity roles but for a variety of IT roles that require security expertise.
"Everyone is working remotely. Everyone is connecting to corporate networks," says Simone Petrella, CEO of cybersecurity training firm CyberVista, in an interview with Dark Reading. Since those home connections need to be securely set up and maintained, there's a bigger demand for IT professionals with security know-how.
That's welcome news for IT/security pros in a dismal job market just on its own. But the report also points to a more-remote workforce as an opportunity for companies to hire more women and minorities who may not live in the high-tech, high-cost cities where such opportunities are usually based.
"Organizations no longer have to limit themselves to hiring new talent within a limited physical proximity. This physical proximity component has created an inability for companies to always hire the most diverse talent for the position," states the joint report.
"Therefore, this helps increase the likelihood that organizations can more aggressively pursue diversity and inclusion initiatives given that people of color, women, or other underrepresented groups may not have previously had access to cities with the highest cost of living in the country."
The report also points to open positions in smaller cities, including Tucson, AZ (2,210 open positions), Colorado Springs, CO (1,883), Dayton, OH (1,599) and Albuquerque, NM (1,306) as further signs of broadening opportunities.
Of course, while borderless hiring opens the door a bit more for underrepresented individuals to stick their foot in, that only really works if organizations make some fundamental changes.
A Call to Action for Employers
"My stance is that employers need to proactively step up and invest, and that means time, money, and resources in a mid- to long-term strategy," says Petrella. "They have to identify candidates that they can mold and grow into these cyber roles."
"HR has really got to change the lens with how they look at people," says Larry Whiteside Jr., president of ICMCP. "They've created this mechanism by which they grade people for roles and salaries that's antiquated to where we are today."
It also matters for what roles these women are being hired. Pam Nigro, ISACA board director, and vice president of information technology and security officer at Home Access Health Corporation, points out that there is still a gender divide in technical vs. non-technical positions.
"I have seen many women hired for governance, risk, and compliance roles writing policies, standards, processes, and controls, as well as hired to do risk or security assessments, or cybersecurity awareness and training campaigns," she says. "These roles are extremely important and valuable to any cybersecurity team; however, the misconception continues even to this day that women are not 'technical' enough. I have personally experienced this firsthand and have been typecast in the past."
Indeed, while "any increase in the diversity of the cybersecurity workforce is positive," says Maxine Holt, senior research director of cybersecurity at Omdia, the lack of diversity has been "frankly, embarrassing" for far too long, and there is much more to be done.
"The gap continues to be wide because the systemic biases that exist in cybersecurity (and elsewhere) cannot be fixed overnight," she says.
"Organizations are making positive steps to change bias and improve cybersecurity opportunities for women and other minority groups, but this is a journey that will never end, because even when we get to a truly representative diverse cybersecurity workforce, we need to work hard to maintain that diversity."
Nigro is not optimistic: "While this could be an opportunity to expand the search for security talent to include more women and other underrepresented groups, I have not been seeing hiring practices change — many postings are still asking for five or more years of experience, which often exclude many women and minorities new to the profession from joining cybersecurity teams," she says.
Where Change Must Begin
If things are to change internally, Omdia's Holt says organizations must first deal with unconscious bias. "We must also challenge attitudes of 'I just want someone who can do the job.' Why must we challenge this? It's because cybersecurity is full of men 'who can do the job' – because women and other minority groups haven't had the same opportunities," she says.
"We need to give these minority groups in cybersecurity the same opportunities as men, and recognize that we can build talent as well as buy it in."
The importance of doing so goes well beyond good PR and repairing long-standing inequities in hiring.
"Diversity of thought based on background and experiences is important. In cybersecurity, we’re literally trying to solve a new problem every day," says ICMCP's Whiteside. "It's outside-the-box thinking brought to the table by all these different people, having different trains of thought based on who they are, where they're from, their experiences over time... A lot of people don't realize how these things matter."
Efforts to improve cybersecurity's diversity have shown results. The (ISC)² 2019 Cybersecurity Workforce Study indicates the gender gap is winnowing, with more women assuming those roles and more women than men who intend to work in IT security starting from college.
The association polled 3,237 individuals responsible for securing critical assets at their organization. Respondents included those spending at least 25% of their time on cybersecurity activities at work and hail from North America, Europe, Latin America, and Asia-Pacific. From that survey, (ISC)² gleaned that women accounted for 30% of overall respondents, up from 24% the year before.
Also notable was that 63% of women working in cybersecurity said they planned to follow that career path as early as college, compared to 54% of their male counterparts.
(ISC)² suggests this could be thanks to recent years’ initiatives drawing girls to computer sciences.
"As women succeed in the profession, they serve as role models for other women wanting to join the cybersecurity workforce,” said the (ISC)2 Research Team in an email interview with Dark Reading. “This will make the workforce more diverse, and as a result more innovative and better able to solve problems, and help address the cybersecurity skills gap."
Still, despite these gains, the data also shows that women continue to be paid less than men, with female cybersecurity professionals in North America earning just under $80,000 on average, compared to $96,500 for men. In addition, 22% of women cited discrimination as a career obstacle, compared to 13% of men.