Organisations facing a significant and growing need for cyber expertise must reconsider hiring processes and seek out a more diverse talent pool, according to professors from IÉSEG School of Management.
The need for cybersecurity experts is growing as industry and governments look to bolster their defences against cyber risks. Yet the need for experts across all different types of roles is simply not being met.
With a global shortage of 3.4 million cybersecurity experts reported last year alone, organisations face a significant recruitment crisis. This shortage is leaving organisations and the public vulnerable to increasingly costly and harmful cyber risks.
While hiring managers struggle with the ongoing skills gap in cybersecurity, pervasive stereotypes about who cybersecurity specialists are and what they do can limit interest from candidates in pursuing these roles, making the problem worse. This is driven by a belief that cybersecurity is the domain of young, white, highly technical males fighting hackers in the online world. The demographic perception has some validity as it reflects real trends. In the US, women represent only 24% of the cybersecurity workforce, while all ethnic minorities combined total only 22%. These demographics can discourage people from underrepresented groups from considering and applying for cybersecurity positions.
One driver of these demographics is rooted in the second part of the misperception – that cybersecurity is only about fighting hackers. This misperception can discourage people from considering cybersecurity careers for two reasons. First, they may not identify with the uber-geek persona frequently promulgated by popular media when portraying cybersecurity experts. Secondly, because these stereotypes form when people are quite young, they dissuade certain groups from developing the technical skills to fill those technical roles. The combination of these misperceptions about cyber roles and the self-perceptions of not being the ‘right’ demographic or having the ‘right’ skills creates a self-perpetuating crisis in cybersecurity.
But the presentation in popular media that cybersecurity is about defending against hackers reflects only one particular aspect of cybersecurity.
In fact, there are many other threats – from fire, floods, and natural disasters to outdated or failed systems, to human error on the part of employees. Hence, there are many cybersecurity roles that do not require extensive technical skill. IT audit, risk analysis, compliance, training, policymaking and governance are often overlooked areas of cybersecurity that could appeal to many people without technical backgrounds. Instead, these roles require skills which are highly transferable from other fields.
One vital transferable skill that is in high demand is project management. Cybersecurity professionals need to properly plan, execute, and manage projects to keep their systems secure. Basic analytical skills are also needed to understand business processes and identify potential vulnerabilities. Leadership, communication, and teamwork skills are required for coordinating and implementing policies, providing training, and managing security incidents. Yet these skills are not the focus of most recruiting campaigns.
Junking the jargon
To address this growing crisis, we must reconsider our approach to recruitment. One starting point is through job postings.
Jargon is helpful between experts in the workplace but in job descriptions, it can alienate well-qualified candidates who are put off because they lack technical expertise. Job descriptions need to be rewritten to use plain language and emphasise much-needed skills such as communication, problem-solving, and teamwork, which are equally important to technical skills for many roles. They should also highlight transferable skills, such as project management and risk analysis, to make roles attractive to individuals from different backgrounds.
Organisations should also actively seek out and recruit a diverse pool of cybersecurity professionals, including individuals from underrepresented groups. Recruiting these individuals may require different tactics. This includes looking at partnering with academic institutions, affinity groups, and industry bodies to create those key pipelines of talent into the industry. Rather than looking only to engineering or computer science programs, expanding recruitment efforts to schools of business, public administration, and education can develop fruitful opportunities among more diverse student bodies. Programmes like the Master in Cybersecurity Management at IÉSEG School of Business create opportunities for students from different backgrounds to position themselves for various roles in cybersecurity.
In addition to external recruitment, organisations can look within for individuals with these transferable skills and provide pathways to move into cybersecurity roles. There is a huge base of potential participants who could enter the field once provided with some cross- or up-skilling. By doing this, organisations can tap into a wealth of hidden talent and diverse perspectives in their own ranks, leading to more innovative and effective cybersecurity solutions. It also ensures a sustainable approach to developing the next generation of cybersecurity experts, helping us stay ahead and alert in the ever-evolving digital landscape.
The shortage of cyber professionals today is huge and is growing faster than ever, and cyber risk will only increase as more of our lives depend on secure digital systems being in place.
Indeed, jobs for information security analysts will grow by 33% through 2030. To solve the recruitment crisis within the cybersecurity industry, we must act now to challenge stereotypes, prioritise transferable skills, and actively work to diversify the talent pool.
Only through intentional efforts to expand our ranks can we ensure that we are equipped and prepared to defend against cyberthreats and protect the security and privacy of the public. More than ever, governments and industry must do their part by attracting and training individuals from diverse backgrounds to fill the diverse roles needed to keep us safe from all types of threats.
Professor Christine Abdalla Mikhaeil teaches management of information systems and professor Jennifer Ziegelmayer is the academic director of the new Masters in Cybersecurity Management at IÉSEG School of Management in France.