4 Myths That Inhibit Our Search for Cybersecurity Talent
18 Aug, 2022
The hiring arena for tech talent in the United States today is a brutal seller’s market that companies and recruiters are repeatedly calling the worst in history. Victoria MacKechnie, VP of the technology group, Midwestern USA, IDA Ireland, dispels four myths that surround cyber security education.
Cybercrime costs organizations an incredible $1.79 million worldwide, so bringing on board more technical talent to thwart these thieves is top of mind for virtually every company. Unfortunately, there are now about 400,000 open positions for such professionals in the United States alone, so new approaches are needed to address this talent crunch. We spoke to Professor Donna O’Shea, chair of cybersecurity at Munster Technological University in Cork, Ireland, to get her views.
As a researcher, educator, and technology expert, she believes dispelling misguided assumptions and myths about increasing the talent pool could significantly help U.S. companies – or anyone – better find the security professionals they need to help ward off the expanding supply of cyber criminals.
Myth 1: Only math experts need apply
A common “career day” question, says O’Shea, is whether honors-level math achievements are a prerequisite for jobs in cybersecurity. She says no; most entry- and mid-level positions don’t require a high level of math, although it is needed, for example, when designing cryptographic algorithms and similar tasks. “The job roles are so varied in cybersecurity that even English majors can go into the field,” she says.
O’Shea reports that what’s more important is having good critical thinking skills, a solid understanding of networks and systems “and the necessary technical blue and red teaming skills to successfully defend these networks and systems.” It’s most helpful to envision what an attacker would do in certain cases, which doesn’t necessarily involve math.
Myth 2: Cybersecurity is a field only for men
Fostering cybersecurity talent means that one clear message should get across to all young people: cybersecurity is a career for everyone — for women and men, insists O’Shea. “If we want to nurture the skills our business requires, we should have more genuine conversations to better understand the barriers that cause exclusion and limit diversity in our workforces, then implement mechanisms to lower them – and do this globally,” she says.
Getting girls interested in the cybersecurity field through meaningful, exciting projects in school and via internships is among the approaches used to increase female participation in the industry. Several initiatives in Ireland and the United States have had a significant impact, such as iWish, Women in Technology and Science Ireland (WITS), Connecting Women in Technology Ireland (CWIT), and CyberFutures (Ireland), and SciGirls (U.S.), Techbridge Girls (U.S.), and The National Center for Women and Information Technology (U.S.). O’Shea also believes the industry needs a “few high-profile activists like Greta Thunberg but for cyber.”
The unfortunate reality is that not just women are underrepresented in the cybersecurity field; members of minority groups and those from financially disadvantaged communities also deserve special educational and recruitment efforts. There should be outreach and initiatives to demonstrate to young girls and other groups just how meaningful and compelling a career in cybersecurity can be.
“We need far more aggressive action on this topic to give equal opportunity to talented learners irrespective of gender, ethnicity, whether they’re from disadvantaged or privileged communities,” O’Shea explains. She also insists that after such efforts are underway, benchmarks should be established and progress tracked to make sure they are effective. Meanwhile, she believes industry should be tasked with creating more inclusive workplaces.
Myth 3: Advanced degrees are required for lucrative jobs in cybersecurity
The assumption for those entering the cybersecurity field is that candidates need a science undergraduate degree, followed by a postgraduate specialization in cyber, explains O’Shea. Not only is this expensive, “but it takes too long, and it’s no wonder many people take jobs in, say, software development after completing their undergraduate degree that can offer an equivalent salary,” she says.
The education inflation has also helped spawn a growing certification industry, she adds. “There are hundreds of cybersecurity certification organizations and different options for people to take. It’s very confusing for learners, and it’s very confusing for employers, also, to figure out what industry certification might be useful for a job.”
A critical step in expanding the supply of cyber professionals is demystifying how people gain access to the industry, then identifying clear pathways focused on education and job definitions aligned to industry needs. Says O’Shea: “These measures are needed before we can begin to address the skills shortage, but we should also focus on addressing the knowledge gap through up-skilling and re-skilling initiatives.”
Attractive salaries are a major motivator in attracting new and existing people to the industry, but this has a downside, too, notes O’Shea. “It can be a potential handicap if disproportionately high salaries mean that industry will turn its focus on lower-cost locations for recruiting in the future.”
An interesting program called Future in Tech was launched recently in Ireland to help people adversely impacted by the pandemic upskill for careers in tech. One of the pathways trains people to become cyber security analysts. They can be tasked with anything from installing, administering, and troubleshooting security solutions to writing up security policies and training documents for colleagues.
Myth 4: It’s up to universities to create the curriculum to train tomorrow’s security professionals
There’s abundant evidence already that this simplistic assumption is false. Certainly, colleges must play a role in educating tomorrow’s security professionals, but they should be joined by research organizations, government agencies, and industry. There is an example of how this can work now in Ireland.
Collaborating with other national agencies, industry, and four leading Irish universities, the Cyber Skills initiative worked with the universities to develop specific curricula to educate existing employees so they would be able to address the skills shortage. Cyber Skills has already trained hundreds of people through its online program, which is delivered by the universities and results in micro-credentials, and the success has been so great that the program is now expanding.
For example, two companies participating are Dell and Mastercard, with sizeable Irish operations. When it comes to Mastercard, O’Shea describes how the company “has a substantial software development team, but the company needed to close the skills gap in software security. We designed a custom educating pathway designed to upskill their workforce to code in a secure way and perform security assurance testing.” The program also makes a difference to Microsoft, Google, Facebook, SAP, Cisco, and many other American tech firms with high stakes in digital security.
Making a case for this kind of public-private partnership is the reality that cyber security as a discipline is constantly evolving. Unfortunately, the training is not evolving as quickly as the discipline. The curricula, the training material, and the course material cannot keep up. This is because, globally, we lack mechanisms to quickly incorporate material on emerging new tracks or on new skills. By working together and pooling our strengths, we can respond in a quicker, more responsive fashion in an increasingly complex and international threat landscape.