A global cybersecurity talent shortage continues to put networks and data at risk. With more than 3.4 million jobs still open worldwide, it’s not surprising that the majority of cybersecurity workers, 70%, do not feel their organizations have enough staff to effectively defend against cyberattacks, according to (ISC)2’s 2022 cybersecurity workforce research.
When hiring cybersecurity professionals, many organizations already have high standards that impact the talent shortage.
Often they put more emphasis on specific skills or five or more years of experience for entry-level positions rather than looking for people who demonstrate ability or have skills that complement cybersecurity needs.
That’s a universal roadblock throughout the industry.
It's also contributing to a broad gender imbalance in the field. In (ISC)2's study of more than 11,000 global cyber workers, women made up a fraction of the population. Under age 30, women account for 30% of the workforce, but that drops to 24% between the ages of 30 and 38.
The gap is even greater for ages 39 and above, with the percent of women in the workforce reaching the low teens.
Women are too often blocked before they can even apply for the job. Many applicants are coming in with skill sets they’ve learned in other jobs — both technical and non-tech positions — and don’t have the exact qualifications laid out in the job description.
Shawn Richardson, senior manager, cyber security operations with NVIDIA, was told she was not technical enough. “I learned that was code for ‘you don’t know the details I know,’” Richardson said.
“I wasn’t a traditional coder or hacker; it took me time to find how to utilize my skill set,” she said.
Richardson’s skills often lacked respect, which is a common complaint according to a study by Women in Cybersecurity (WiCyS) released this year.
Participants in the study said there were incidents where they were dismissed by clients who wanted to “speak to a guy in IT.” There were also situations where their ideas were credited to the men on their team, or they were objectified rather than treated as a peer.
“I have felt the need to prove myself more than many of my male colleagues,” said Richardson. “Where it’s assumed they know what they are doing, I felt I had to work harder to show I belonged.”
Exclusion throughout the job lifecycle
Even though cybersecurity is making progress in diversity and inclusion, the “old boy network” is still in play, according to Lisa Plaggemier, executive director of the National Cybersecurity Alliance.
Too many people end up as hiring managers but without the right skill sets for the position, Plaggemier said. They are judged for their technical skills rather than their soft skills, so they aren’t prepared to conduct interviews.
The default is to only speak with people in their own image — same gender, same technical skills, same academic background, Plaggemier said. This shuts off women, especially those who come to cybersecurity outside the typical educational or tech paths.
Once they do make the hiring cut, they find it difficult to get promoted. The WiCyS report found that levels of exclusion increase the longer a woman is with the company, and the glass ceiling in cybersecurity is real.
“So far, I've only been able to increase my salary through moving employers,” said Liz Jaluague, senior security engineer with Driven.
Still there is optimism
Despite the battles fought to reach their positions, the overall state of the industry for women is getting better.
Plaggemier pointed out that women seem to be making bigger strides in cybersecurity because the industry relies on collaborative skills and networking, skill areas where women tend to shine.
Also, organizations such as WiCyS, Executive Women's Forum, Minorities in Cybersecurity, and Empow(H)er Cybersecurity, are available to help women navigate the hiring process and other barriers, which makes Jaluague optimistic about the future for women in the industry.
“Cybersecurity is a broad field,” said Jaluague.
“Many people end up working in cybersecurity by accident, and didn't necessarily study computer science or information technology," Jaluague said. "As long as you're willing to learn, someone in the community will be willing to help.”