It’s estimated that the number of cybersecurity jobs will grow by around 31% until 2029, which is seven times faster than the national average. This growth is in large part a response to the huge pressure organizations are under in the face of a surge in cyberattacks during the Covid pandemic.
While this is far from a new issue, and indeed I touched on it back in 2018, the pandemic has exacerbated the situation. At the backend of last year, analysis from Cybersecurity Ventures predicted that the cost of cybercrime would reach around $6 trillion during 2021, with this figure growing by around 15% per year in the next five years. If that growth curve is accurate, it would represent a tripling of the cost of cybercrime from the $3 trillion it was at in 2015. To put this into a degree of perspective, the Covid pandemic was estimated to have cost the global economy around $4 trillion.
While Microsoft’s recent Digital Defense Report highlights the immense value of doing fairly basic digital hygiene, such as ensuring software is patched and changing the default password on devices is enough to rebuff the vast majority of cyberattacks, it’s also clear that the industry needs to do more to unearth talent in previously unchartered areas.
New talent
For instance, IT giant IBM has pledged to train 30 million people by 2030 to ensure they have the digital skills they require to thrive in the modern economy, with training in cybersecurity among the most popular on its SkillsBuild platform. The company aims to train 150,000 people in cybersecurity skills in the next three years.
Crucially, a key part of this policy is to partner with over 20 Historically Black Colleges and Universities to try and create a more diverse workforce. This is extremely important at a time in which the Aspen Digital Tech Policy hub reveals that just 9% of the cybersecurity industry consists of Black professionals, with Hispanic and Asian professionals making up just 4% and 8% respectively.
Gender diversity is similarly dismal, with women representing just 24% of the cybersecurity workforce. The UK government scrapped a campaign to attract more people into cybersecurity after they were criticized for an advert that suggested a ballerina’s next job could be in cyber, but it’s clear that the industry needs to do more to attract a more diverse workforce if it is to meet the intense skills shortages it faces.
It’s also pretty well established that diverse teams tend to produce more creative and innovative solutions and are generally higher performing. This can be especially so in cybersecurity, where the ability to understand the mindset of hackers and mitigate what are often extremely complex attacks is so important.
A welcoming environment
A part of the challenge surrounds the environment we want cybersecurity professionals to operate in. For instance, long and unsociable hours are commonplace, and while this is in part due to the shortage of skilled personnel, there is also a cultural element to this that prohibits many from considering it a viable career.
While overt discrimination may be minimal, there are quite probably barriers to inclusion within the industry that put many talented people off considering cyber a career for them. This means that organizations need to go beyond simply recruiting a diverse range of candidates to also ensure that the environment they work in is supportive and helps them to both succeed and grow.
Organizations should also consider the qualities they’re looking for in candidates. Given the rapid pace of change in the sector, a curious mindset is vital in order to keep up to speed with the range of threats an organization faces and the different approaches attackers might adopt. Being able to continuously learn and adopt a problem-solving approach are therefore crucial qualities. If recruiters looked for these core characteristics and then invested in the technical aspects of the job it could broaden the talent pool considerably. It’s already an approach used by organizations such as the Israeli military.
Examining biases
At the heart of these often pre-conceived notions of what “good” looks like in cyber are various implicit biases. In Bias Interrupted, Joan Williams outlines five forms of biases that are still far too common in our workplaces, with each consistently occurring over the two decades of research and practice from the field.
- The prove-it-again bias – Williams highlights how white men tend to get by on their potential and are judged accordingly. People who are less privileged by their race, gender, and so on, however, more often have to constantly prove themselves in order to get ahead.
- The tightrope bias – It’s also well known that behaviors, such as assertiveness, that serve white men well in the workplace are often harmful to other groups. Williams illustrates the behavioral and political tightrope that less privileged groups and how challenging this can be.
- The tug-of-war bias – It’s fairly well known that biases can favor those members of in-groups, such as college-educated individuals or (again) white men, but Williams highlights how these biases can also create conflicts within the out-groups as it’s not clear whether they should strive to be part of the in-group or use their political capital to stand up for the out-group they’re a part of.
- Racial biases – Racial discrimination is fairly well understood, but Williams argues that there are also numerous racial biases and stereotypes that harm the prospects of people at work, whether it’s the leadership potential of Asian Americans or the tendency to view Latinx employees as angry for displaying behaviors that wouldn’t be judged so for white employees.
- Maternal wall bias – I’ve written recently about the motherhood penalties that exist in the workplace, and Williams highlights how harmful it can be to the career prospects of women.
“These five forms of bias have obvious negative effects on people who experience them,” Williams writes. “Our data shows that they hurt companies too. Increases in bias are linked with decreases in ability to do one’s best work, intent to stay, ability to see a path for advancement, belonging, and career satisfaction.”
The book aims to make these kinds of biases more visible before outlining various strategies that can help organizations overcome them. If we are to truly make our workplaces better then it’s a book that’s well worth reading. The website that accompanies the book also comes with a treasure trove of useful resources, worksheets, and research that is incredibly valuable.
Looking after your people
There is also a lot that can be done to improve the working lives of those already in the sector, especially around things such as professional development and access to childcare. This can be especially important for minorities in the sector.
For instance, the #ShareTheMicInCyber project aims to amplify the role of Black professionals in the sector, while #MakingSpace aims to improve the diversity at cybersecurity events. The R Street Institute has also developed CyberBase, which aims to highlight the work done by underrepresented groups.
This is especially important as Camille Stewart, the former senior policy adviser for cyber, infrastructure, and resilience policy at the Department of Homeland Security under President Barack Obama, argues that systemic racism is essential if organizations are to successfully defend the growing barrage of attacks they face.
Opening up the sector to a more diverse pool of talent would be vital even if it was on its pre-Covid trajectory, but with cybercrime mushrooming since the pandemic, the need to attract talent from across society has never been more serious. It will require the industry to look inside itself and change some of the cultures and practices that to date have put people off. Hopefully, it’s a challenge they are willing to tackle head-on.