six people sitting in a row waiting for a job interview

Responding to the Demand for Cybersecurity Experts: A Call to Action

magnifying glass over a superhero wearing glasses and a suit: representing finding a cybersecurity expert

These days, cybersecurity dangers are a part of everyday life. Although large data breaches, like the recent Equifax incident, capture our attention, countless others happen so frequently that they are no longer newsworthy. Given this constant drumbeat of cybersecurity threats, demand for security experts remains high.

Increasingly, I see small- to mid-sized businesses and nonprofits become targets of data breaches and other security threats. Ransomware, phishing, denial of service, and malware are just a few of the threats organizations face. But because of the differing definitions of security expert skill sets, many nonprofits are struggling to find the right security resources.

According to a study by the Center for Cyber Safety and Education, by 2022, there will be a shortage of nearly 2 million information security experts.

The Challenge of Finding Skilled Security Professionals

There's no single magic solution to addressing security threats; instead, it requires a mix of technology, processes, and people. More secure technology and processes are relatively easy to implement, but you need skilled employees to make it happen. And finding skilled employees is often very challenging.

Consider the prevention software and outsourced security market alone. Growing demand for resources in these industries is constraining the pipeline of candidates who can fill positions. I meet frequently with chief information officers, chief security officers, and security outsourcing organizations, and their challenges are always the same: They cannot find enough qualified resources for security positions in their organizations.

When I dig deeper and ask what a security expert looks like, what skills the person should possess, and what level of experience is required, I open Pandora's box. I hear at least two dozen unique roles identified — forensic computer analyst, penetration tester, security architect, and security administrator, to name a few.

The skill sets required for these and other positions are as diverse as their titles. But overwhelmingly, what I hear is that a four-year college degree, certifications, and experience are all required.

The HR Versus Hiring Manager Divide

There is often a disconnect between what human resources departments consider a requirement and what hiring managers deem necessary for the same position.

For example, data from Burning Glass, a labor market analytics company, suggests that 19 percent of executive assistant jobholders have a four-year degree. Yet, 65 percent of job postings for that position mandate one. Certainly, there are many successful executive assistants representing the 81 percent in the position today who have not earned a four-year degree. Consider how many skilled, talented people have been eliminated from consideration based on that requirement alone.

This phenomenon carries into technology as well. I serve as the executive director of an organization that works to develop programs that retrain our workforce to meet the demand for technologists. In this role, I find the requirements for experience and a college degree frustrating. How do we train for experience? How do we train for a four-year degree?

And we can all think back to when we were entering the workforce. How many times did you interview with a prospective employer only to be told you weren't qualified without relevant work experience? I am sure you wondered how you might gain experience if you had never been given an opportunity.

I have been developing and directing workforce development programs for years; I have met many people with the capacity and drive to gain the skills necessary to become a cybersecurity professional. Our responsibility, as employers and training providers, is to define pathways and provide opportunities.

Defining Pathways and Reducing Barriers to Entry

I suggest that employers take a hard look at their job posting requirements. Our work with disenfranchised youth has taught us that low income does not equal low IQ. People can be trained for positions without a college degree and succeed in the workplace.

A new resource in the field may not be able to secure a network, particularly without networking experience. However, that individual can certainly read logs and begin to see patterns that may provide information to the networking team, thus helping secure the network.

The person can learn the software used for penetration testing or the fundamentals of an operating system that will allow them an entry-level position on a help desk. There they will begin to see breaches and learn how to mitigate them.

This approach allows us to define pathways and reduce barriers to entry for these individuals.

In addition, we can continue to explore public-private partnerships that can build on-ramps and career paths. Together, we can advocate for federal workforce dollars to be directed to this growing skills gap. Working together, we'll be better positioned to address these challenges.