Where is the love?
Depending on your media outlet of choice, the current cybersecurity staffing shortage is either pressing or catastrophic. In either case, a staffing shortage exists and the industry needs to take more proactive steps to look beyond current talent pools to fill open positions, as well as positions that will be created as the industry continues to expand.
Staffing shortages are not unique to security, nor should one be unanticipated given the ubiquity of connected devices and the amount of data going to, flowing through, and resting on those devices, corporate networks, and storage systems. Security hiring managers need to find ways to attract, cultivate, and retain security professionals. One element of this is altering the historically limited view of what constitutes a “good” security practitioner, i.e., someone with a background in security (awfully hard to come by if a person is new to the field). Another related aspect of beating the security staffing deficit is inviting those outside of or unfamiliar with the field into the fold.
Man, you gotta have love just to set it straight
The dearth of women in security is a familiar topic. Conversations have been percolating for years, yet according to the latest Bureau of Labor Statistic report, women comprise only 19.7% of infosec practitioners (which is, actually, a meager 1.6% increase over the previous report). Worse still, the industry is even more deficient at attracting Hispanic/Latino, Asian, or Black/African American workers. The percentage of employee make up in those categories peaks at 5.2% for Hispanic/Latino security analysts and drops to 3.4% and 3.0% respectively in the remaining two (all of which are decreases from previous years). Reasons for this are varied, but at the heart of the issue is lack of information and funding for security programs in inner city public schools. STEM was created to promote science, technology, engineering, and mathematics to school children, but its dispersion is dependent on regional considerations, funding chief among them. Students in poorer districts are at a distinct disadvantage educationally (and not just in cybersecurity education); minority residents are also more highly represented in these same underfunded communities.
The International Consortium of Minority Cybersecurity Professionals (ICMCP) is one organization looking to take on the challenge of growing awareness of cybersecurity opportunities for minority students. The group provides educational funding, internship programs, mentoring, and a veterans’ outreach program, the aim of which is “geared toward converting ‘warriors’ into ‘cyber warriors.’”
More organizations—The Executive Women’s Forum and various “Women in Cyber Security” conferences—have been dedicated to promoting women in security throughout the years, but is it enough?
Take control of your mind and meditate
The industry as a whole is affected by a scarcity of practitioners, so theoretically the industry as a whole should be responsible for finding, attracting, educating, training, and supporting new recruits. Because the numbers of workers in security are so low among Hispanics/Latinos, Asians, Black/African Americans, and women, it stands to reason that those communities present ample opportunities for recruitment. Organizations such as IBM, ISC², the National Cybersecurity Institute, and Cisco are offering contributions by sending speakers out on the circuit to actively promote the idea of building more diverse groups and, said one Executive Security Advisor at IBM, “creating an atmosphere of acceptance in the workforce.”
The U.S. government, too, is doing its part through the CyberCorps scholarship program, and more broadly, the Cybersecurity National Action Plan (CNAP) to which the Obama administration allocated a $19 billion budget for fiscal year 2017. One aspect of the CNAP is a student loan forgiveness program for students who gain full-time cybersecurity employment with the government upon graduation. The program, though, could be edited or scraped altogether once the new administration takes control in January, which means industry has to do its best to pick up the baton and run forward.
Let your soul gravitate to the love, y’all
Security-minded organizations have an opportunity to improve recruitment and training in the field by making a concerted effort to look outside the traditional security hiring box. A few security leaders have offered that “blind” hiring could be one method of removing any racial or gender bias. Before the industry can get to the hiring stage, though, more young children—across diverse communities and geographies, not just a select and privileged few—must be exposed to cybersecurity. Any preconceived notions about who is “right” to work in security must be thrown out the window, and all reasonable possibilities should be explored. Most importantly, just like local fire and police departments regularly visit elementary and middle schools, providing a fun yet educational experience for youngsters, security vendors could form their own consortia to venture forth into communities and teach kids about the virtues of a career in cybersecurity. Bring security to them rather than offering kids’ areas at conferences or offsite events. Make it easy. Make it interactive. Make it enjoyable. School-aged children, after all, have never known a world without computers in their pockets; kids should be prime targets to soak up skills needed to become successful security practitioners.