Every so often, a new statistic makes headlines about the number of open jobs in America's cybersecurity workforce — 359,000 in 2020, about 465,000 in 2021, and more than 700,000 in 2022. The pressure is on to close the gap, particularly with the latest US National Cybersecurity Strategy envisioning an industry in which "every organization with an unfilled position plays a part in training the next generation of cybersecurity talent."
One outside-the-box suggestion I believe needs more traction is this: Let's fill these positions with people who don't meet the "traditional" qualifications.
The industry is starting to move in this direction. Accelerating progress will not only strengthen our cyber workforce but also bring in the diverse perspectives and backgrounds essential to creative, effective problem-solving. This would vastly expand the pool of available talent from today's tiny splash pad to the Olympic-sized pool the nation requires.
Here are three places to start.
1. Rethink Four-Year Degree Requirements
Our industry has been doing admirable work with universities, especially in fostering diversity and inclusion in the field. But four-year degree programs are just one entry point into a cyber career, and mandatory degree requirements often create unnecessary barriers to entry for top talent. Did you know that only 37.7% of people 25 years or older in the nation have a bachelor's degree right now?
Job postings with requirements for four-year degrees exclude many promising candidates, such as people who joined the military right after high school or continued their education at a community college. Research from Handshake found that focusing on skills, rather than solely on a candidate's formal education, tripled the number of qualified veteran tech candidates and resulted in a significant increase in female and Black candidates. Another study by Test Gorilla showed that 91.1% of organizations using skills-based hiring saw an increase in overall diversity.
A degree is only one means of preparing someone to enter the cyber workforce. Skills assessments go a step further by evaluating an individual's ability to perform tasks and apply their knowledge. Skills assessments enable candidates of many backgrounds to demonstrate their ability to perform the tasks of a position just as they would on the job — and they can be a highly valid and reliable measure for predicting strong performance after hiring.
2. Assess for Aptitude and Skill
Let's face it: We can't fill positions today with the skill sets and requirements of five years ago. Cybersecurity is a dynamic domain — and success doesn't come from any single skill set or career trajectory.
Still, there's a prevailing attitude in cybersecurity that you can't perform in a role without prior experience. This creates a Catch-22, especially for underrepresented groups who may not apply for jobs if they feel they don't meet the "traditional" requirements. Diversity is something the field sorely needs — for instance, Black talent makes up only 15% of the current cyber workforce, and in 2021, only 6.8% of CISOs identified as Black or African-American. Additionally, only 24% of the cybersecurity workforce are women, with Black (9%), Hispanic (4%), and Asian (8%) women making up a disproportionately low percentage of the workforce. We are losing the opportunity to strengthen our overall capability in cyber through greater diversity in our workforce.
Aptitude-based assessments measure inherent traits or cognitive skills outside of experience, like a sense of curiosity, a love of problem-solving, a tinkering mindset, and a collaborative work style. They help hiring managers identify whether an applicant's personality, work style, and cognitive ability suit the field. These tools uncover promising talent who might otherwise be missed because of a lack of education or experience.
3. Double Down on Development
Finally, to keep, nurture, and grow future cyber professionals, we need to deepen our commitment to learning, both as employers and as an industry.
Reskilling your existing employees can be just as effective as making an outside hire, and sometimes more so. Given today's dire need for cyber talent, organizations should explore all entry points and career pathways for building their cyber workforce.
What continuing education programs do you offer to help your workforce stay current and hone their skills, both from within and outside of your organization? What mentoring opportunities do you offer to support developmental success? What reskilling programs have you introduced to find that hidden expert in your existing staff? What pathways do you create so employees can easily move to new types of cyber roles?
Strength Through Diversity
By expanding our thinking about job postings, assessments, and development of the talent pool overall, we'll help make our industry's workforce more diverse, providing cyber teams with a high degree of cognitive diversity to generate accelerated learning and performance.
It's time we fully embrace the nonlinear, nontraditional entry points into cybersecurity and expand the methods for recruitment and development of our talent. Investing today in a diverse set of cyber professionals will help pay dividends in the future, not only in closing the widening talent gap, but in strengthening the nation's cyber capabilities.