With the acceleration of digital transformation, the cyber talent gap has widened to a chasm. According to the most recent Cybersecurity Workforce Study by ISC, there were 2.72 million unfilled job openings in the fourth quarter of 2021. The report estimates the global cybersecurity workforce needs to grow by 65% to effectively defend organizations’ critical assets.
It’s not just a talent gap: There is also a gaping diversity gap. In the U.S., African Americans make up only 3% of information security analysts, per U.S. Labor Department Statistics. And, despite efforts to attract more women into the field, the percentage of women cybersecurity professionals remains relatively stagnant at about 25%.
The talent gap and the diversity gap in cybersecurity are inextricably intertwined. By addressing both challenges in tandem, CISOs and other leaders can create new and innovative processes to build the talent pipeline and more broadly support greater DEI in training, hiring, attracting, retaining and inspiring the next generation of cyber talent.
Expanding our Thinking on Diversity in Cybersecurity
Efforts to improve diversity, equity and inclusion (DEI) in hiring practices have become top priorities for cybersecurity organizations—as across all sectors—because reducing barriers caused by race, ethnicity and gender can bring in more talent at all levels. However, beyond race, ethnicity and gender, our industry also can benefit by extending our DEI talent and recruitment efforts to include people of all ages, and individuals from diverse socio-economic, professional and educational backgrounds.
There is more talent out there than it might seem at first glance. At least there is a lot more potential talent. But many individuals with potential, particularly younger people, may come from underserved, underprivileged populations. Many don’t know where to get started in cyber, nor do they get opportunities for education or training. In some cases, talented and motivated individuals may not be able to go to a four-year college.
How can we attract these individuals to pursue cyber, assuming they have interest and desire? Can we give them a simpler route to the profession? Can we change the mindset of those in a position to hire, so there is a greater openness to bringing on individuals who may have talent in cyber but may not have a college degree?
Developing a New Mindset and Practices to Hire Diverse Candidates
Expanding our talent pool and finding the next great cyber workers and leaders requires CISOs and hiring organizations to take on a more open and flexible mindset. It also demands reassessing our hiring criteria. If your organization insists on a four-year college degree, or a wide range of certifications to hire anyone for the cybersecurity team, you are limiting the talent pool and your opportunity to choose from a more diverse group of individuals. Perhaps it is time to change those practices for at least a percentage of new hires.
With a more open mindset and less proscribed set of criteria, CISOs and business leaders can create a virtuous circle. We can build cultures in which more workers of diverse skills and backgrounds are attracted and inspired to apply for work at your organization. A DEI-inspired culture addresses:
- How to identify people with talent and motivation, whether in high school, community colleges or in other fields where individuals may be seeking career change.
- How to get these individuals trained, educated and inspired in cyber.
- How to nurture their skills and help them find internships, jobs and other opportunities to advance their education and careers.
- How to mentor them and develop their skills so they can not only be successful in cyber but can also develop into leaders for the next generation of cyber professionals.
Fostering New Opportunities in Cybersecurity
Creating opportunities in cyber for individuals of underprivileged or under-represented backgrounds is a mission that is close to my heart. Separate from my work as CISO at Gilead, I am founder and chairman of the non-profit NextGen Cyber Talent. We seek to expand the talent pool in cybersecurity and address diversity through education, training, professional development and partnering with the community at large.
I was inspired to form this organization based on my own career experiences, and by the desire to give something back to a profession I’ve loved and a field in which I’ve thrived. More than 25 years ago, someone gave me my first job in information technology as an application developer and trusted that I could do the work. I know that I can do that same thing for others.
Today, with a talent shortage plaguing the industry, we all can give back to the profession by bringing in more people through less traditional paths. If we train new candidates well, mentor them, and inspire them, most will make vital contributions to the world and find self-satisfaction in their careers.
It’s not just the individuals we support who benefit from more DEI-driven hiring processes and attitudes; we know that encouraging diversity has a positive impact on cyber leaders, cyber teams and companies too. As cybersecurity continues to become more complex and sophisticated, the old ways of doing things are not always the best ways of doing things.
We need diverse thinking among our teams, people to question what we are doing and why. Bringing in early talent who are fresh to the cyber world and to the job market is a way of bringing in new ideas and new ways of thinking. These opportunities and the innovation they drive are inspirational and motivating, not only to new hires, but across cybersecurity teams and beyond.
Taking the Next Steps to Broaden Your Cyber Talent
What are some of the things CISOs and their organizations can do to open their mindsets and encourage more diversity in finding, hiring, training and mentoring individuals of more diverse backgrounds?
- Add more diversity to hiring panels. If you want diverse candidates, you must have a diverse set of panels as well. If you have an all-male panel, it is more likely you will hire more male candidates. Make sure diversity is encouraged and rewarded.
- Open up company policies and be more flexible. Many companies require a degree from a four-year college, or even a specific GPA from a college. That mindset must change. There are other ways to evaluate cyber talent that don’t require a degree. The same holds true for certifications. People can learn and earn certifications on the job, so it doesn’t always have to be a prerequisite for getting hired.
- Experience is not everything. Work experience is another area where mindsets need to change. In hiring young/early talent, you may not need or want a specific number of years of experience. You can invest in people. This may not apply to every job in your cyber department, but if you can allocate one person or several people to fresh hires, you can expand your talent pool to be more diverse.
- Leverage diversity in your internship programs. Make sure that a portion of your interns fit a DEI profile and try to convert them into employees when they are ready to take the next step. Also, try to be flexible with your internships so that you can support interns who work virtually and not necessarily on site. This will not only open a wider pool of talent; it will also provide practical experience to individuals in how to work remotely in cyber.
- Change how you write job descriptions if necessary. All the concepts we are talking about – college education, work experience, certifications, on-site internships – are reflected in how you write job descriptions. If you want more diversity, be more flexible and less prescriptive in how you write the descriptions.
- Have an expansive view of DEI. DEI is not just about hiring young people. Look for people who may be in other fields. At NextGen Cyber Talent, we work with other nonprofits, such as Love Never Fails, to identify individuals who may have potential but have been denied opportunities for one reason or another. As another example, we partner with military spouses and bring them into cyber.
- Cultivate a culture of teaching, learning and mentoring. Use the hiring of diverse workers to cultivate and motivate an atmosphere of teaching and mentoring at your organization. If you develop a culture as an organization that encourages mentorship and learning, it will be easier to hire, retain and promote people in the future.
Closing Thoughts and a Call to Action
If I could offer one final message for CISOs it is this: If you don’t already have diverse candidates in your employee population, now is the time to get started. If you’ve already started, explore ways to do more.
Be open. Start from a place of wanting to give something back to the community. I often use mentorship as an example. If you give 25 hours a year you can effectively mentor someone. That’s an hour every other week. To make a bigger impact, do it for an hour every week.
If you have a will to give something back, you can always find an opportunity. And once you’ve found the opportunity, if you are inspired, you can always do more.
Krishnan Chellakarai is chief information security officer at Gilead Sciences and founder and chairman of NextGen Cyber Talent.