4 Myths That Inhibit Our Search for Cybersecurity Talent

The hiring arena for tech talent in the United States today is a brutal seller’s market that companies and recruiters are repeatedly calling the worst in history. Victoria MacKechnie, VP of the technology group, Midwestern USA, IDA Ireland, dispels four myths that surround cyber security education.

August 18, 2022

Cybercrime costs organizations an incredible $1.79 million worldwide, so bringing on board more technical talent to thwart these thieves is top of mind for virtually every company. Unfortunately, there are now about 400,000 open positions for such professionals in the United States alone, so new approaches are needed to address this talent crunch. We spoke to Professor Donna O’Shea, chair of cybersecurity at Munster Technological University in Cork, Ireland, to get her views.

As a researcher, educator, and technology expert, she believes dispelling misguided assumptions and myths about increasing the talent pool could significantly help U.S. companies – or anyone – better find the security professionals they need to help ward off the expanding supply of cyber criminals.

Myth 1: Only math experts need apply

A common “career day” question, says O’Shea, is whether honors-level math achievements are a prerequisite for jobs in cybersecurity. She says no; most entry and mid-level positions don’t require a high level of math, although it’s needed, for example, when designing cryptographic algorithms and similar tasks. “The job roles are so varied in cybersecurity that even English majors can go into the field,” she says.

O’Shea reports that what’s more important is having good critical thinking skills, a solid understanding of networks and systems “and the necessary technical blue and red teaming skills to successfully defend these networks and systems.” It’s most helpful to envision what an attacker would do in certain cases, which doesn’t necessarily involve math.

Myth 2: Cybersecurity is a field only for men

Fostering cybersecurity talent means that one clear message should get across to all young people: cybersecurity is a career for everyone — for women and men, insists O’Shea. “If we want to nurture the skills our business requires, we should have more genuine conversations to better understand the barriers that cause exclusion and limit diversity in our workforces, then implement mechanisms to lower them – and do this globally,” she says.

Getting girls interested in the cybersecurity field through meaningful, exciting projects in school and via internships is among the approaches used to increase female participation in the industry. Several such initiatives in Ireland and the United States have had a significant impact, such as iWish, Women in Technology and Science Ireland (WITS), Connecting Women in Technology Ireland (CWIT), and CyberFutures (Ireland), and SciGirls (U.S.), Techbridge Girls (U.S.), and The National Center for Women and Information Technology (U.S.). O’Shea also believes the industry needs a “few high-profile activists like Greta Thunberg but for cyber.”

The unfortunate reality is that not just women are underrepresented in the cybersecurity field; members of minority groups and those from financially disadvantaged communities also deserve special educational and recruitment efforts. There should be outreach and initiatives to demonstrate to young girls and other groups just how meaningful and compelling a career in cybersecurity can be.

“We need far more aggressive action on this topic to give equal opportunity to talented learners irrespective of gender, ethnicity, whether they’re from disadvantaged or privileged communities,” O’Shea explains. She also insists that after such efforts are underway, benchmarks should be established and progress tracked to make sure they are effective. Meanwhile, she believes industry should be tasked with creating more inclusive workplaces.  

Myth 3: Advanced degrees are required for lucrative jobs in cybersecurity

The assumption for those entering the cybersecurity field is that candidates need a science undergraduate degree, followed by a postgraduate specialization in cyber, explains O’Shea. Not only is this expensive, “but it takes too long, and it’s no wonder many people take jobs in, say, software development after completing their undergraduate degree that can offer an equivalent salary,” she says.

The education inflation has also helped spawn a growing certification industry, she adds. “There are hundreds of cybersecurity certification organizations and different options for people to take. It’s very confusing for learners, and it’s very confusing for employers, also, to figure out what industry certification might be useful for a job.”

A critical step in expanding the supply of cyber professionals is demystifying how people gain access to the industry, then identifying clear pathways focused on education and job definitions aligned to industry needs. Says O’Shea: “These measures are needed before we can begin to address the skills shortage, but we should also focus on addressing the knowledge gap through up-skilling and re-skilling initiatives.”

Attractive salaries are a major motivator in attracting new and existing people to the industry, but this has a downside, too, notes O’Shea. “It can be a potential handicap if disproportionately high salaries mean that industry will turn its focus on lower-cost locations for recruiting in the future.”

An interesting program called Future in Tech was launched recently in Ireland to help people adversely impacted by the pandemic upskill for careers in tech. One of the pathways trains people to become cyber security analysts. They can be tasked with anything from installing, administering, and troubleshooting security solutions to writing up security policies and training documents for colleagues.

Myth 4: It’s up to universities to create the curriculum to train tomorrow’s security professionals

There’s abundant evidence already that this simplistic assumption is false. Certainly, colleges must play a role in educating tomorrow’s security professionals, but they should be joined by research organizations, government agencies, and industry. There’s an example of how this can work now in Ireland.  

Collaborating with other national agencies, industry and four leading Irish universities, the Cyber Skills initiative worked with the universities to develop specific curricula to educate existing employees so they would be able to address the skills shortage. Cyber Skills has already trained hundreds of people through its online program, delivered by the universities, that results in micro-credentials, and the success has been so great that the program is now expanding.

For example, two companies participating are Dell and Mastercard, with sizeable Irish operations. When it comes to Mastercard, O’Shea describes how the company “has a substantial software development team, but the company needed to close the skills gap in software security. We designed a custom educating pathway designed to upskill their workforce to code in a secure way and perform security assurance testing.” The program also makes a difference to Microsoft, Google, Facebook, SAP, Cisco, and many other American tech firms with high stakes in digital security.  

Making a case for this kind of public-private partnership is the reality that cyber security as a discipline is constantly evolving. Unfortunately, the training isn’t evolving as quickly as the discipline. The curricula, the training material, and the course material can’t keep up. This is because, globally, we lack mechanisms to quickly incorporate material on emerging new tracks or on new skills. By working together and pooling our strengths, we can respond in a quicker, more responsive fashion in an increasingly complex and international threat landscape.

Victoria MacKechnie

Vice President of Enterprise Technology, IDA Ireland

Victoria MacKechnie is Vice President of Enterprise Technology with IDA Ireland, with responsibility for investment from the Mid-West territory in the US. Prior to this appointment in 2015, Victoria was responsible for the European portfolio within Enterprise Technology. Before joining IDA, MacKechnie established and operated a childhood education business in Ireland and spent her early career in private banking and wealth management roles in Anglo Irish Bank and Quinlan Private.