It is estimated that the number of jobs in cybersecurity will grow by around 31% through 2029, seven times faster than the national average. This growth is largely a response to the enormous pressure organizations are under from a surge in cyberattacks during the Covid pandemic.
Although this is far from a new problem, and I spoke about it in 2018, the pandemic has exacerbated the situation. Late last year, an analysis by Cybersecurity Ventures predicted that the cost of cybercrime would reach around $6 trillion in 2021, with that figure increasing by around 15% per year over the next five years. If this growth curve is accurate, it would represent a tripling of the cost of cybercrime from the $3 trillion it was in 2015. To put this into perspective, the Covid pandemic is estimated to have cost the economy worldwide about 4 trillion dollars. .
While Microsoft’s recent digital defense report highlights the immense value of fairly basic digital hygiene, such as ensuring software is patched and changing the default password on devices is enough to fend off vast majority of cyberattacks, it is also clear that the industry needs to do more to unearth talent in previously unexplored areas.
For example, IT giant IBM has pledged to train 30 million people by 2030 to ensure they have the digital skills they need to thrive in the modern economy, with cybersecurity training being among most popular on its SkillsBuild platform. The company aims to train 150,000 people in cybersecurity skills over the next three years.
Basically, a key part of this policy is to partner with more than 20 historically black colleges and universities to try to create a more diverse workforce. This is extremely important at a time when the Aspen Digital Tech Policy Hub reveals that only 9% of the cybersecurity industry is made up of black professionals, with Hispanic and Asian professionals accounting for only 4% and 8% respectively.
Gender diversity is equally dismal, with women making up just 24% of the cybersecurity workforce. The UK government has dropped a campaign to get more people into cybersecurity after it came under fire for an advert suggesting a ballerina’s next job could be in cyber, but it’s clear the industry needs to do more to attract a more diverse workforce if it is to address the severe skills shortages it faces.
It’s also fairly well established that diverse teams tend to produce more creative and innovative solutions and are generally more successful. This can be especially true in cybersecurity, where the ability to understand the mindset of hackers and mitigate often extremely complex attacks is so important.
A welcoming environment
Part of the challenge is the environment in which we want cybersecurity professionals to operate. For example, long and unsociable hours are commonplace, and while this is partly due to the shortage of qualified personnel, there is also a cultural element to this that prohibits many from viewing it as a viable career.
While overt discrimination may be minimal, there are most likely barriers to inclusion within the industry that deter many talented individuals from considering careers in cyberspace. This means that organizations must go beyond simply recruiting a wide range of candidates to also ensure that the environment in which they work is supportive and helps them both succeed and grow.
Organizations should also consider the qualities they are looking for in candidates. Given the rapid pace of change in the industry, an inquisitive mindset is essential to staying abreast of the range of threats an organization faces and the different approaches attackers can take. Being able to learn continuously and adopt a problem-solving approach are therefore crucial qualities. If recruiters looked for these fundamental characteristics and then invested in the technical aspects of the position, it could significantly expand the talent pool. This is already an approach used by organizations such as the Israeli army.
At the heart of these often preconceived notions of what “good” looks like in cyber are various implicit biases. In Interrupted biasJoan Williams outlines five forms of bias that are still far too common in our workplaces, each occurring consistently over two decades of research and practice in the field.
- Evidence bias again – Williams points out how white men tend to fend for themselves on their potential and are judged accordingly. However, people who are less privileged by race, gender, etc., more often than not have to constantly prove themselves in order to progress.
- The tightrope bias – It is also well known that behaviors, such as assertiveness, that serve white males well in the workplace are often detrimental to other groups. Williams illustrates the behavioral and political tightrope of less privileged groups and how difficult it can be.
- The tug of war bias – It’s fairly well known that bias can favor members of ingroups, such as college-educated people or (still) white males, but Williams points out how biases can also create conflict within outgroups because it is unclear whether they should strive to be part of the in-group or use their political capital to defend the out-group of which they are a part.
- Racial prejudice – Racial discrimination is fairly well understood, but Williams argues that there are also many racial biases and stereotypes that harm people’s prospects in the workplace, whether it’s the leadership potential of Asian Americans or the tend to view Latinx employees as angry for displaying behaviors that aren’t judged that way for white employees.
- Maternal wall bias – I recently wrote about the maternity penalties that exist in the workplace, and Williams points out how harmful it can be to women’s career prospects.
“These five forms of bias have clear negative effects on people who experience them,” Williams writes. “Our data shows that it hurts businesses too. Increased bias is linked to decreased ability to do your best, intention to stay, ability to see a path to advancement, belonging and job satisfaction.
The book aims to make these types of biases more visible before outlining various strategies that can help organizations overcome them. If we really want to improve our workplaces, this is a book worth reading. The website that accompanies the book also contains a treasure trove of helpful resources, worksheets, and incredibly valuable research.
Take care of your people
There is also a lot to be done to improve the working lives of those already in the sector, particularly with regard to professional development and access to childcare services. This can be particularly important for minorities in the sector.
For example, the #ShareTheMicInCyber project aims to amplify the role of black professionals in the sector, while #MakingSpace aims to improve diversity at cybersecurity events. The R Street Institute has also developed CyberBase, which aims to shine a light on the work done by underrepresented groups.
This is particularly important because Camille Stewart, the former senior policy adviser for cyber, infrastructure, and resilience policy at the Department of Homeland Security under President Barack Obama, says systemic racism is essential if organizations are to defend successfully the growing barrage of attacks they face.
Opening up the sector to a more diverse talent pool would be vital even if it were on its pre-Covid trajectory, but with cybercrime on the rise since the pandemic, the need to attract talent from across society has never been so serious. This will force the industry to look within and change some of the cultures and practices that have so far put people off. Hopefully it’s a challenge they’re ready to take on head-on.