The cybersecurity skill gap is nothing new. It’s been a concern in our industry for the past few years, if not the last decade. However, despite increased awareness of the issue, the gap is not getting any smaller. In fact, quite the opposite.
The latest (ISC)² Cybersecurity Workforce Study puts the number of unfilled cybersecurity positions around the world at 4.07m. That’s up from 2.93m in 2018.
It’s a global issue: Regions worldwide are experiencing a shortfall in skilled workers ranging from 291,000 Europe and 561,000 in North America, up to a massive 2.6m in APAC.
Governments, industry bodies, and organizations have long tried to stem this tide by plugging the gap to uncover or develop the next generation of skilled cybersecurity professionals. So far, this has been to little avail.
A new approach has gained traction in recent years, and is already showing signs of success – increased diversity.
Actively seeking more a more diverse workforce not only widens the talent pool, but has also been shown to improve performance. Diversity doesn’t stop at gender, age or ethnicity. To stand a chance of closing the skill gap, the cybersecurity industry must widen its scope into other areas too. This was touched upon last year by US Secretary of Education, Betsy DeVos, who suggested that cybersecurity workers shouldn’t need college degrees.
Could this be a possible answer to a problem that has dogged the industry for years? If so, how do we go about turning those without a higher education into highly skilled cybersecurity professionals?
Making the case for education diversity
While DeVos’s suggestion was met with skepticism in some quarters, the case for greater education diversity is an easy one to make. For one, looking outside of those educated to degree level significantly deepens the potential talent pool.
In the UK, 58% of the workforce is not educated to a higher level, with 21% of these educated to A-level and 20% educated up to GCSE. Meanwhile, 88% of global cybersecurity professionals are educated to degree level. The gap here is evident.
By insisting on this level of qualification, cybersecurity organizations are essentially halving the size of the talent pool. And a larger pool of potential employees is far from the only benefit. Diversity of all types can increase performance across the board, in roles of different levels of technicality.
Alternative education
Widening the scope of the search and increasing the size of the talent pool is great in theory. But how can it work in practice? Of course, we cannot expect school leavers to walk into skilled cybersecurity jobs, but that doesn’t mean cybersecurity work is not an option.
In my opinion, a technical role in cybersecurity is not necessarily an entry-level job. There’s a strong argument that you have to have an understanding of technology, business infrastructure and the tools cyber-criminals are using, before you’re given the all-important role of securing an organization, its sensitive data and its finances.
That being said, there are other paths in garnering an education in the topic and there are of course less technical roles that are still critical to the cybersecurity industry, which we should not hold exclusively for those with degrees only.
There’s no doubt that cybersecurity apprenticeships are fast growing in popularity around the world, particularly in the UK and US – and they offer many benefits. For one, apprentices are equipped with the specific skills and knowledge required to work in the industry, rather than learning expansive or high-level concepts that are of little use in the day-to-day.
I also believe that a genuine interest in the industry and willingness to learn are key in making it in the cybersecurity world. For example, there is a growing number of industry events, hackathons, bounty hunting exercises, to list a few, that offer a great perspective into the key industry issues. If you’re eager to progress your career in cybersecurity, without what may be considered as the ‘adequate’ education, attend as many of these types of events as possible to absorb the knowledge of the top experts in the field.
Bringing in individuals with a different academic background can bring a new perspective to cybersecurity teams. Fresh eyes and fresh ideas can be invaluable during decision making and problem solving. After all, it is not just technical skills that are creating the shortfall in our industry: those with strong analytical and diagnostic skills, high levels of adaptability, and the ability to articulate complex ideas are also in short supply.
The cybersecurity workforce of tomorrow
The cybersecurity skill gap has been left to widen for too long. It has grown from a concern to a crisis. We need a solution, and fast.
Our industry can longer be a closed shop to all but those who follow the desired path. We need to broaden our horizons when hiring – not just to ‘make up the numbers’ but to bring a much-needed new perspective to the field.
Whether it’s gender, age, ethnicity, class or education level, diversity is about much more than demographics.
Building inclusive teams makes cybersecurity organizations much more reflective – both of the end-users we aim to protect, and the threat actors that we aim to protect them from. This can only be of benefit to us all.