A Rorschach ink blot. How do you perceive cybersecurity as a career? (Hermann Rorschach, Public domain, via Wikimedia Commons)

Too many individuals feel deterred from joining the cybersecurity workforce because they are intimidated, either because they don’t see themselves fitting in or because they mistakenly believe they need to either possess highly advanced coding abilities or acquire them through an expensive education, according to a pair of panelists speaking at (ISC)² Security Congress 2021.

Led by Sanjana Mehta and Tony Vizza, both advocacy directors at (ISC)², the session on Monday examined how the infosec space is facing an image problem that’s contributing to the ongoing cyber skills gap, and particularly a shortfall of diverse workers and younger workers. The speakers based their assertions on findings from multiple sources of research, including (ISC)²’s upcoming Cybersecurity Workforce Study, which comes out on Oct. 26, and a new Diversity, Equity and Inclusion research report that the training non-profit organization released Monday.

The Cybersecurity Workforce Study survey in particular, which polled more than 4,700 global professionals, revealed “there is a need for at least 2.7 million workers who perform at least a quarter of their work in the cyber security realm today,” Vizza stated during the presentation. Moreover, 60% of survey participants said the organizations they work for are contending with a shortage of cybersecurity staffers.

The study showed a few positive results. For starters, it corroborates recent findings that the global infosec workforce gap did finally shrink this past year, as the total number of workers in the cyber industry jumped from 3.4 million in 2020 to 4.2 million in 2021.

However, this success is largely attributed to the Asia-Pacific market, where the gap shrank from 2.6 million in 2019 to 1.4 million in 2021. And that means the gap has increased in North America, Latin America and Europe, with 26,000 additional unfilled positions in North America alone.

“Despite large-scale breaches that have impacted the lives of all of us … despite the events of 2020 that meant that organizations needed to rapidly adapt to a digital world simply to survive in a world suffering a pandemic — despite all of this, the majority of organizations are still short-staffed on the cyber front,” said Vizza.

So why is the global gap not closing faster, with some markets still demonstrably struggling? Apparently, intimidation and a feeling of not belonging are significant contributors.

Mehta noted a 2020 (ISC)² study that looked at how people outside of the cyber sector view the industry. While 70% of respondents said that cyber seemed like a good career path, they also said it wasn’t right for them. But why?

“It's because many people view the profession as having a high cost of entry,” said Mehta. “A majority of the people we spoke to in our study felt that they would need more education, or would need to earn a certification before getting the cybersecurity job.” This belief was due to the notion that cybersecurity “requires too much technical knowledge” to be a realistic career option.

This might be because many impressions of cyber are disproportionately shaped by entertainment, news media and unreliable second-hand sources. Hackers on TV are often portrayed as characters “who possess uncanny technical abilities that enabled them to hack a mainframe, or decrypt databases with the ease of turning on a light switch to retrieve the key data that saves the day,” said Mehta, and “this archetype is not relatable to a majority of people, and it's an entirely fictionalized representation of those in cybersecurity.”

While the cyber pro might be regarded as a heroic savior in this scenario, the heavily dramatized portrayal may be contributing to the misconception that workers entering this field need “highly specialized technical skills to do what appears on screen to be a superhuman job.”

Meanwhile, only a quarter of the respondents said they had first-hand knowledge of someone working in cybersecurity — someone whose description of the job would be far more realistic and down to earth.

Certain demographics struggle with these negative perceptions more than others, the (ISC)² speakers noted.

Indeed, “I should point out that the perception that the field is intimidating was more pronounced amongst our female respondents than male,” said Mehta. “Women also tended to view the field as mainly composed of men. Sadly, this is a perception grounded in reality.”

There are reasons women only constitute roughly a quarter of the cyber workforce, said Vizza. “There is an overarching perception that professionals in the cybersecurity industry have a very homogenous profile — white, middle-aged males, invariably with extensive experience in IT or a computer science-related field.” And this trend is even more egregious when looking at cyber leadership positions, which skew heavily male.

Other negative perceptions women experience, according to (ISC)² research: that companies fail to accommodate the needs of mothers shortly after childbirth, that there aren’t adequate advancement opportunities, and that there are few mentors they can lean on for guidance.

“The absence of diverse role models that aspiring professionals can identify with and find inspiration from is a major barrier for awareness and consideration of a cybersecurity career,” said Vizza. “This, along with historical, social and cultural stereotypes in many countries exacerbates the perception that technology and security careers are for males only.”

Ethnic, racial, socioeconomic and regional factors also play a role in shaping perceptions of and participation in cyber, for many of the same reasons listed above. “For instance, in the United States, Blacks and Hispanics still have marginal representation in cybersecurity professional positions, despite representing over 30% of the total population,” Vizza said.

Surprisingly, the young also may feel excluded, as almost half of all cyber pros are between the ages of 40 and 54, said Vizza. “[This] tells us that we as an industry are struggling to attract younger people into the field — people who, incidentally, have never known a time before computers,” he noted.

For inexperienced or prospective cyber pros, “there's a general perception that the bar for entry into the cybersecurity profession is set at such a high standard of educational background, and professional certifications that it perpetuates and rewards the candidates already in the field.”

“Often, younger, entry level professionals, people who can perform a variety of technical tasks that don't necessarily require professional certification are overlooked in favor of individuals who hold certifications,” said Vizza. “This is a missed opportunity, as these individuals frequently possess skills in areas such as risk management, analytics, or communications… which can be just as important to a security team.”

Vizza and Mehta stressed the importance of demystifying cyber to alienated or disenfranchised groups to help them more realistically understand what an infosec career truly looks like. These individuals might be more inclined to pursue cyber if they knew more about the plentiful opportunities and responsibilities that are up for grabs, the lucrative pay that awaits them, and the many legitimate paths they have toward establishing a career (which might mean academic degrees and certifications for some positions, but internships, apprenticeships or on-the-job training/upskilling for others).

With these lessons in mind, Vizza and Mehta offered five key recommendations for building a cyber dream team: diversify for gender; incentivize workers with professional development opportunities; be more realistic, flexible and open-minded in your hiring expectations (e.g. stop trying to hire “unicorns”); be creative in how and who you recruit; and strive to listen to and understand the specific needs of your business as communicated by company leadership.

Vizza and Mehta’s session was part of (ISC)²’s announced InclusionREADY program — described by the organization as a series of special events and presentations at the conference focused on diversity, equity and inclusion.

Also, in an effort to bolster the cyber workforce, (ISC)² on Monday announced it will pilot a new entry-level cybersecurity certification exam as part of its portfolio of industry qualifications. The program is designed to give those entering the field a clear pathway to professional development through experience-driven certifications, and the content of the exam will be determined through feedback from a Job Task Analysis (JTA) survey currently taking place during the show.

“This approach underlines our commitment to making cybersecurity a more accessible, inclusive and diverse profession. This certification will give employers the confidence that newer entrants into the sector have a solid grasp of the right technical, ethical and operational practices on which to build and learn,” said Casey Marks, chief qualifications officer at (ISC)², in a press release.