As any hiring manager looking to expand their security team can attest, there’s a dire shortage of cybersecurity professionals in today’s labor market. In the United States alone, there are nearly half a million unfilled job openings in the field. However, part of the problem is that organizations are limiting their potential candidates with narrow requirements. By shifting focus toward hiring people from more varied backgrounds, organizations can leverage untapped talent to not only fill an urgent skills gap, but also assemble a more effective and diverse cyber workforce.
Diversity is Security
People of different genders, races and educational and socioeconomic backgrounds tend to communicate, collaborate, solve problems and evaluate risk differently. Security teams that incorporate a variety of perspectives are less vulnerable to unconscious biases than homogeneous teams. Those biases create blind spots that can result in missed threat vectors or inaccurate risk assessment. There’s a perception that cybersecurity is primarily driven by technology, but 85% of security breaches involve a human factor. Cybersecurity teams need to understand the psychology of both users, including non-technical ones, and adversaries attempting to exploit human behavior. And they must be able to communicate effectively across the entire organization.
Cybersecurity is a multidisciplinary field: an effective cybersecurity program requires expertise in areas such as privacy and regulatory requirements, education, documentation and business risk assessment. Professionals with these skill sets can be invaluable members of a security team, if they aren’t shut out by rigid technical requirements. Thirty percent of cybersecurity professionals transitioned from outside the IT and engineering fields, suggesting that needed technical knowledge can be learned on the job.
To diversify America’s cybersecurity workforce, the Biden administration is pushing educational initiatives to open up the field to a larger population. It will take time for these programs to have an impact, but there are steps that your organization can take today to cultivate a diverse security team:
- Remove unnecessary degree requirements, such as a four-year degree in a specific field, from job postings. Requiring a specific degree locks out self-taught technical experts and people transitioning from another field, who are often highly motivated and adaptable.
- Limit security certification requirements, particularly for entry-level roles. Costly certifications can be a barrier that excludes candidates from diverse economic backgrounds.
- Prioritize soft skills over years of prior experience. Cybersecurity experience is rare, and skills such as communication, abstract thinking, leadership and independence are often more critical to long-term success anyway.
- Provide apprenticeship, mentorship and training programs to support professional development, especially for underrepresented minorities. A study by (ISC)² and ICMCP showed that nearly two-thirds of people of color considered training programs to be very important to their success in the field.
- Offer flexible working conditions to accommodate caregivers.
- Invest in building cybersecurity skills among your existing workforce, who already know your business.