From the Spring 2022 Issue

Cyber Talent: Hiding in Plain Sight

Dr. Jason Edwards
Director of Cybersecurity Strategy and Planning | USAA

Griffin Weaver
Senior Legal Counsel | Dell Technologies

We live in a time when ransomware attacks, nation-state “cyber warfare,” and having a remote workforce is the norm rather than the exception. If you ask most company executives, particularly those responsible for protecting company information and systems, Cybersecurity has never been more important. It’s essential to have the right tools, the proper funding, and, most importantly, the right security professionals to be successful. However, according to recent data, companies are not just having a challenging time finding professionals; they’re outright desperate. According to data from CyberSeek, over 600,000 cybersecurity positions are waiting to be filled. That means roughly 38% of the cybersecurity positions in the U.S. currently remain unfilled. So, what’s causing the problem, and how can we fix it? 

If we look closely, we will find that it is not the lack of talent/experience in the workforce, but rather a cumbersome, complex, and outdated hiring “system” that is the cause. This “system,” made up of traditional hiring practices, cultures, and stigmas, prevents companies from filling their vital cybersecurity positions. Great talent exists, and companies need to take advantage of it. Here are some ways for companies to tap into this talent and resolve the current cybersecurity professional shortage. 

1. Stop Requiring College Degrees for Entry-Level Positions

Recently, several articles have been written about how companies are insisting that job candidates have college degrees for jobs that don’t need them. Cybersecurity is an industry where job candidates DO NOT need college degrees. If you look at the current cybersecurity workforce, you will find that a large portion of the professionals, including many of the “experts,” entered the industry through a nontraditional path. For example, one of the leading cybersecurity voices, Brian Krebs, does not hold a technical degree. 

Instead, companies should focus on how a candidate’s skill set and experience could translate to the cybersecurity field. To do that, companies need to (1) train their recruiters on what is essential (e.g., analytical skills, etc.) vs. not necessary (e.g., college degree) and (2) cultivate a culture where college degrees are not the focus of an employee’s worth or potential. For example, a candidate with a military background but no cybersecurity degree may excel in a strategy, compliance, or incident response related role because their military training prepared them to think strategically, execute procedures, pay attention to detail, and stay calm under pressure. 

2. Train ’em and Pay ’em 

The legal system in the UK and U.S. military are excellent examples of how companies can train and cultivate a skilled and loyal workforce. Instead of requiring a postgraduate degree, a legal career in the UK is obtained through a basic undergraduate degree and years of apprenticeship. This apprenticeship allows graduates an opportunity to get valuable experience, showcase their potential, and get paid for the work they perform. Similarly, the vast majority of military-technical careers, including Cybersecurity, are inducted from pools of recent high school graduates with years of apprenticeship to follow. The advantages to this junior workforce are multiplied when compared to the costs of waiting and then paying for college graduates. A junior apprentice can start working immediately, assisting in what is possible, as they are trained to do what is necessary. Most companies confuse internships with apprenticeships, and there are many significant differences. Internships give college students perspectives on future employment, while apprenticeships develop employees to meet today’s needs.  

3. True Diversity is When Companies Take Chances on People

Companies realize they need more diverse personnel to be competitive within their industries and better connect with their consumer base. However, diversity is complex and often misunderstood. For example, Jason grew up in a poor Illinois community. He lived in a government housing project until leaving for Army basic training three days after graduating from high school. There was little hope that he would amount to much in life based on his circumstances. The only hope he had, in his mind, for changing this bleak outlook was to join the military. However, that shouldn’t have been his only hope for obtaining a better future. 

Now, several universities provide cybersecurity programs specific to non-degree cybersecurity professionals. We work/have worked for several of these universities over the past few years. These programs are much more diverse in circumstance than college graduating classes. These programs also include many at-risk or struggling adults from difficult neighborhoods. The dedication required for a single mother to work 50 hours a week to sustain their family and then attend 12 hours of night and weekend classes for ten months is incredible. Those are the future employees we should be taking chances on.

Make it Happen

In short, if companies want to address their current Cybersecurity recruiting challenge, they will need to make changes. They will need to change how they view candidates, what is required, and be willing to train the suitable candidates. Many companies talk about talent and diversity yet are unwilling to embrace programs and ideas that make them a reality. In our industry, many still consider Cybersecurity the domain of super-hackers and encryption specialists who must have four-year college technical degrees. Instead of checking boxes, we should be onboarding talent from diverse experience levels, socioeconomic statuses, and ages. We have taught many new-to-cybersecurity professionals that bring an incredible amount of transitional experience and an insatiable desire to succeed. Let’s allow them to do so.  lock

  1. Help Net Security November 25, Help Net Security, & 25, N. (2021, November 24). Nearly 600,000 open cybersecurity-related jobs were listed over 12 months. Help Net Security. Retrieved March 9, 2022, from https://www.helpnetsecurity.com/2021/11/25/open-cybersecurity-related-jobs/
  2. Auguste, B. (2021, July 30). Opinion | the majority of Americans lack a college degree. why do so many employers require one? The Washington Post. Retrieved March 9, 2022, from https://www.washingtonpost.com/opinions/2021/07/20/majority-americans-lack-college-degree-why-do-so-many-employers-require-one/

Dr. Jason Edwards

Griffin Weaver

Leave a Comment