Cybersecurity Workforce Sustainability has a Problem. DEI Could be the Solution.
It’s been a difficult few years for diversity, equity and inclusion (DEI) programs in the workplace, as organizations continue to reduce their support for dedicated DEI roles and initiatives. Forrester Research predicts that in 2024, just 20% of companies will have “a DEI function with an endorsed strategy and personnel,” down from 27% in 2023. As DEI efforts languish at many companies, some organizations still value diversity, equity and inclusion as important practices for identifying, developing and retaining talent.
That’s particularly true in cybersecurity, where it’s increasingly difficult for organizations to fill critical roles during a worsening global talent shortage. There were more than four million unfilled cybersecurity jobs at the end of 2023. While generative AI may make current cybersecurity analysts more efficient, GenAI is also helping criminals create more advanced threats faster, which increases the workload for security teams.
Part of the challenge in filling cybersecurity roles is the growing need for talent. However, companies often overlook potential talent among traditionally underrepresented groups of workers. Organizations that maintain or begin DEI initiatives can build two advantages in the search for cybersecurity talent.
One advantage is the ability to connect with groups ready to train for these jobs but who haven’t always had the support they need to get started. The second advantage is the ability to adapt the company culture to retain these new hires, develop their skills and grow their value to the organization. It’s not surprising, then, that Forrester predicts “DEI-influenced recruiting will continue at leading firms because it’s good for business.”
The State of Cybersecurity Now
According to data analysis by the global cybersecurity professional group ISC2, the world needs almost twice as many cybersecurity professionals as it has now to fill open roles and operate “at full capacity.” The sooner these jobs are filled with qualified people, the more secure individual companies and entire industries will be. ISC2 also found that in 2023, 57% of surveyed cybersecurity workers said staffing shortages put their employers at moderate or extreme risk of attacks.
It’s important to hire as quickly as possible to reduce the risk of burnout that’s contributing to attrition among overworked cybersecurity professionals. According to the IT industry group ISACA, self-reported stress and burnout rates are high, with 21% thinking about leaving not just their jobs but the entire profession. Among CISOs, 28% reported thinking about quitting due to their stress levels.
At the individual level, switching careers is a viable option for protecting one’s health. At the organization and industry level, attrition will only lead to more stress for remaining analysts – and more risks for companies. At the same time, schools aren’t graduating enough computer science students to fill all the open roles – even if all of them went into cybersecurity. That gap in the talent pipeline has led industry organizations, companies, national security experts and members of Congress to look for more ways to recruit security talent.
Opportunities for More Cybersecurity Talent Diversification
One of the most often discussed ways to bring more people into cybersecurity jobs is to expand the search beyond the typical demographic in the industry. Historically, cybersecurity talent came from IT departments, which were – and in many cases still are – mostly male and mostly white. One survey of cybersecurity workers in the U.S., Canada, Ireland and the U.K. found that 70% of professionals aged 60 or older were white men, and just 2% were women.
But as jobs remain unfilled and older workers approach retirement age, the field needs more workers than the IT-to-cybersecurity pipeline can provide. The demographics are changing as more companies fill roles with computer science graduates, and career changers with cybersecurity certifications who may or may not have college degrees. Among cybersecurity professionals under age 30, 24% are women and 40% are non-white men.
Still, there’s more that organizations can do to accelerate cybersecurity diversification to fill open roles. Testifying before a congressional subcommittee in 2023, industry representatives discussed their companies’ strategies to recruit women, military veterans, neurodivergent people, people with disabilities and people who are changing careers and seeking entry-level cybersecurity positions at a later age.
Seeking more diverse hires is just the start of solving the cybersecurity talent shortage. To retain those new hires, companies must also make sure their culture and policies support those new employees so they are more likely to stay and recommend the company to other potential employees.
An Inclusive Approach to Cybersecurity Hiring and Development
Organizations that want to implement a more diverse and equitable way of sourcing and developing cybersecurity talent should start with a top-down commitment to a more inclusive culture. Simply hiring from new talent pools isn’t enough – new hires need an environment that’s a good fit to stay with the company and in the cybersecurity field.
Next, review the hiring criteria. Start with educational requirements. Many companies require a four-year college degree by default for entry-level positions, which limits the candidate pool. Take a closer look at what’s required of entry-level security analysts and consider what other experience or credentials would be acceptable in place of a bachelor’s degree. For example, a boot camp certification or an associate’s degree might provide the qualifications needed for junior roles. So might time spent working in a related field, either in the private sector or in the military. Many companies in a variety of industries now hire for aptitude and train for skills, rather than wait for candidates with the exact right skill set to appear.
Look at how your hiring managers factor resume gaps into their decisions. The pandemic forced many workers – including millions of working women – out of the workforce and into temporary caregiving roles. Now, those workers are seeking to resume their careers. For this reason, many companies now consider candidates with resume gaps on a case-by-case basis, rather than excluding them automatically.
With updated hiring criteria, companies may get the quickest wins by looking within their ranks for employees who want to upskill into a cybersecurity role. This is a powerful way to leverage talent that already understands the company culture and mission, doesn’t require onboarding, and may be ready to move up or sideways from their current position.
At the same time, it’s wise to expand your talent pipeline by connecting with community colleges and technical schools, community reskilling programs, and veteran job-training groups. For example, there are federally funded cybersecurity training programs for veterans and their spouses across the U.S. that companies can connect with to find talent. Businesses can also expand their pipeline by training their organizations’ future workforce through internship programs. Internships can simplify the recruiting process, as studies show that more than 50% of interns return as full-time employees at the company where they interned.
Taking these steps can help fill open cybersecurity roles to make your company safer, help with security team retention, and avoid falling behind. As employers scramble to find or train security talent, organizations that ignore the inclusive approach may weaken their competitive posture in the battle for talent and overall security.