Closing the cyber workforce gap
According to the 2020 (ISC)² Cybersecurity Workforce Study, the cybersecurity industry needs 3.1 million qualified cybersecurity workers, with 879,000 of those in the U.S. alone. With more and more attacks, like SolarWinds and Colonial Pipeline, current cybersecurity professionals, already spread thin, are getting burnt out. Identifying the cause of the shortage and how to narrow the gap is challenging.
In this week’s Reimagining Cyber episode, “Closing the Cyber Workforce Gap,” Marian Merritt, Deputy Director for the National Initiative for Cybersecurity Education (NICE) at the National Institute of Standards and Technology (NIST), addresses the talent shortage gap, explores the root causes, and suggests how to close the gap.
What’s causing the talent shortage gap?
The cybersecurity talent shortage is real, says Merritt, though it is getting better.
“I will say that we've increased the number of people entering the field, we've certainly been putting a great deal of effort into improvements in the quality of the curriculum that's out there, the number of centers of academic excellence, you know, those really prestigious cybersecurity academic programs. They've been growing in huge numbers in the last several years, so progress is being made, but the demand continues to outstrip supply.”
The root cause of the shortage has many contributing factors. Cybersecurity is a relatively new field that is rapidly growing, with employers getting more specific about the skills required to take on particular roles. The specificity of the requirements and job descriptions is narrowing the candidate pool.
“Job descriptions [are] being over-spec'ed, so that when candidates are reviewing your job position, they may self-select out of the running for it. So, there are people who are getting left behind and finding it challenging to find jobs, despite the fact that they've got really good, you know, experience or they've graduated from prestigious programs,” she said.
How do we close the gap?
- Standardize the cybersecurity vernacular. The National Initiative for Cybersecurity Education (NICE) is a partnership between government, academia, and the private sector that works to promote cybersecurity training and workforce development. NICE offers a cybersecurity workforce framework that provides an excellent way for employers, HR personnel, and employees to define jobs in cybersecurity and speak a common language. It also helps identify the training needs for a particular role, the associated career path, position requirements, and KPIs for those roles. The NICE framework helps organizations building out their cybersecurity teams see any potential gaps or additional training needed.
- Leverage CyberSeek. CyberSeek is a dynamic and interactive website that offers a heat map of available roles as well as a career pathway tool.
The heat map indexes the number of available roles by state and metro area, and includes an overview of the knowledge, skills, and tasks associated with each role.
The CyberSeek website also offers an interactive career pathway tool, allowing users to explore entry-level, mid-level, and advanced opportunities in a particular career path. Users can explore the number of open positions, degrees required, skills needed, and associated salary ranges by drilling into specific roles.
- Entry-level means entry-level. The cyber industry needs to increase the number of entry-level roles.
“An entry-level job, by definition, should not require three years of experience, and we just don't have enough,” Merritt says.
“Most jobs out there require 5-10 years of experience, so there is a conundrum here. We need employers to think very carefully about entry-level, not only because we just need more entry-level positions for people coming out of schools, but additionally, retention is such an issue in the cybersecurity field.”
- A/B test job descriptions. By using lengthy and certification-specific job descriptions, employers are narrowing the candidate pool, leaving qualified candidates out.
“We've seen the data, if a woman doesn't feel when she looks at a job description that she qualifies 100%, she won't apply,” Merritt says.
“If the language used is somehow gendered…using terms like cyber ninja, or you've got to be a team player, or we work hard to get the bad guy…to a lot of people that says men.”
Try A/B testing job descriptions and see if it enlarges or changes your applicant pool.
- Test skills with cyber ranges. Cyber ranges provide hands-on experience for cyber professionals in real time. NICE sponsors a cyber range called the NICE Challenge Project. It is offered to students at universities, which is a great way for students to showcase their skills.
“Additionally, we are seeing employers start to use assessments or, you know, capture the flags or these ranges as a way of screening candidates, or having candidates as they become finalists, you know, demonstrate their capability. You can also use them as training tools for people in house and identify gaps in knowledge,” Merritt coaches.
- Share what’s working. We hear that a lot in the cyber space, and sharing intel on hiring is no different. In the federal space, NICE hosts the Federal Cybersecurity Workforce Summit, an annual event geared specifically towards federal colleagues tasked with attracting top cybersecurity talent. This year’s event is virtual and will be hosted on April 26, 2022.
- Start from the ground up. Exposing school-aged children to cybersecurity at a young age can help them develop an interest in cyber early on. NICE hosts an annual conference, the NICE K12 Cybersecurity Education Conference, every December. This year’s virtual event is December 6-7, 2021. Additionally, NICE hosts Cybersecurity Career Awareness Week, October 18-23, each year to help bring awareness to the cybersecurity space.
The more children and students that get interested in cyber, the more the industry benefits as a whole.
Does your organization have a cybersecurity talent gap? Take advantage of the NICE resources to shore up that gap.
CyberRes is a Micro Focus line of business focused on helping companies protect, detect, and evolve their security framework and helping organizations become more cyber resilient. To learn more, visit CyberRes.com.