Filling the Cybersecurity Skills Gap
The internet underpins much of functioning society today. At the end of 2021 the internet had more than 4.9 billion users — that’s 63% of the global population — and the average daily time spent online stood at 170 minutes.
In addition to all the positive contributions the internet brings to our lives and livelihoods, there are those that choose to use it for their own malicious purpose. Cyber attacks are growing at an exponential rate, threatening entire infrastructures, industries, and governments. Recent cybersecurity statistics cited by Fortinet showed significant increases in the use of both malware (up 358%) and ransomware (up 435%) during 2020 with similar increases across other common attack types.
An entire industry has been developed to defend against cybercrime, to protect our data, our integrity and our livelihoods. Yet, there is an ongoing shortage of skilled professionals to fill the 2.72 million cybersecurity job openings around the world. As cybercrime continues to proliferate and is a universal problem, how can we address this gap? It will take diversifying recruiting efforts, investing in alternative pathways, sourcing from non-traditional talent pools, and new ways of thinking.
Cybersecurity For Everyone, By Everyone
As most industries are coming to realize, sustainable success is largely dependent upon diversity, and the same holds true for the future of cybersecurity. Not only are today’s sophisticated threat actors diverse in their geography and their motivations, but they come from varied economic backgrounds and are diverse in gender, race, and neurodiversity. In order to effectively understand and combat our adversaries, we need to reflect those communities in our Security teams. Bringing a diverse set of professionals into the mix makes us all better at defending ourselves against threats.
Diverse workforces are also more creative, and by adding new, diverse perspectives, defensive security teams are better positioned to out-think cyber attackers. It only helps our defenses to bring new and diverse perspectives into the field. This includes women (who still make up only a quarter of the cybersecurity talent pool), veterans, students, economically challenged groups, and individuals seeking a career shift.
The notion that an individual needs to have technical skills to be successful in a cybersecurity role can deter people from considering a security career. But this is a common misconception. It's the business skills that are also critical — problem solving, analytical thinking, communication, relationship-building, and curiosity. These are all skills that can make someone successful in the field. Not only do such biases hinder diversity, but they could also hamper an organization’s ability to defend against an attack.
Shifting Our Industry Mindset
In order to solve these challenges, it’s important that we shift how we hire and what we look for. This includes hiring from non-traditional talent pools and those possessing diverse qualities that align well with cybersecurity.
The veteran population, for instance, is often well versed in the leadership, teamwork, and strategic thinking skills integral to a successful cybersecurity career, and about 200,000 of them leave US military service and return to life as civilians every year. Clearing the networking and certification hurdles for this population to join the ranks of technology companies could make a notable difference in both the cybersecurity skills gap and veteran unemployment rates.
Organizations can also consider developing their own people to become cyber experts by investing in reskilling efforts and branching out to groups who are not traditionally involved in computing. The Security field — including roles across communications and enablement, engineering, awareness, operations, governance, risk, compliance, program and product management, offensive security teams, and so much more — needs team players, individuals, non-technical and technical skills, and those with transferable skills. One thing this industry isn’t short on? Myriad career paths.
Getting in the Game
From a very early age, there are fun, accessible, and challenging extracurricular activities that can provide an introduction to cybersecurity, allowing school children to explore many concepts through experimentation and focused activities. In the UK, the National Cyber Security Centre’s (NCSC) Cyber First program is an excellent example of this. Africa’s Absa Cybersecurity Academy includes formal technical learning, practical and experiential learning, and intensive, customized personal mastery and soft skills. Fortinet, as part of the White House National Cyber Workforce and Education Summit, is offering a free education-focused version of its Security Awareness and Training service for all K-12 school districts and systems in the U.S. And, The Girls Scouts of the USA has teamed up with the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and CYBER.ORG to develop a Cyber Awareness Challenge for Girl Scouts and girls in grades 6-12 in the continental U.S. In addition, they have cybersecurity curriculum for all levels of girls in the program to teach them about this important topic.
University students can take part in competitions, such as the Cyber 9/12 Strategy Challenge from Atlantic Council, which welcomes cross-disciplinary teams and takes place annually across the globe. And as a direct result of taking part, some students — with no cyber related degree or background — have actively sought out career opportunities within the industry.
University students may also have the opportunity to gain first hand field experience providing support services within their local community which helps prepare them for work. The Consortium of Cybersecurity Clinics is a consortium of universities that share best practices. Salesforce Futureforce interns and new graduates work on real projects that affect how the business runs, giving them the opportunity to make a tangible impact on the future. Fortinet has an Academic Partner Program that provides academic institutions with Fortinet's industry-recognized certification curriculum and resources to introduce students to a career in cybersecurity. And the World Economic Forum has an inclusive cyber talent project to increase inclusivity in the cyber field led by their global shapers, a network of young people driving dialogue, action and change.
Many leading cybersecurity companies also provide training services for those wishing to advance their career or transition into a cybersecurity role from outside the industry. For example, Fortinet's Training Institute, offers an extensive range of self-paced online learning courses for free.
A Very Good Place to Start
If you’re interested in launching your own cybersecurity career, the Cybersecurity Career Path, produced as part of the Cybersecurity Learning Hub initiative in partnership with Salesforce, Fortinet, Global Cyber Alliance and the World Economic Forum, is a great place to start. It provides a growing library of career-orientated information, expert interviews, and training modules which enable learners to map their own career path through a variety of in-demand cybersecurity roles. Together, we will fill these cybersecurity roles and make the world safer, one cybersecurity professional at a time.
This post was authored by members of the Cybersecurity Learning Hub Team:
Gill Thomas is Director of Engagement for the Capacity & Resilience Program at the Global Cyber Alliance (GCA). Gill spent 20 years in telecommunications and joined the cybersecurity profession after returning from a career break to find digital transformation fuelling opportunity and growth but also an exponential rise in cybercrime. She became increasingly fascinated by cybersecurity and the devastating impact cyber incidents have across global communities. At GCA she works with partners around the globe delivering projects that reduce cyber risk for all.
Melonia da Gama is Director of Marketing for the Fortinet Training Institute. She has more than 20 years of experience developing and managing marketing and communications on a global scale for various industries, including network security. Melonia joined the cybersecurity industry in 2020 bringing with her transferable skills and experiences from previous positions. She is responsible for promoting all programs under the Fortinet Training Institute. These programs target IT and Security Professionals but also aim to create diversity in the cybersecurity industry by developing programs for women, minorities, veterans, students, and other under-represented populations.
Seán Doyle is Lead at the World Economic Forum’s Centre for Cybersecurity in Geneva, Switzerland. His work focuses on cybersecurity skills development and public-private partnerships to increase cyber resilience in areas like banking, payments and critical infrastructure. Before this, Seán spent a decade in corporate investigations. He feels that working in cybersecurity allows him to have a wide impact, helping protect individuals, communities and economies.
Rachel Holz is a Cybersecurity Lead with over 25 years of experience who started at Salesforce in 2016 and has worked in Security and on the Trailhead team. Rachel has a background in human resources, organizational effectiveness, and instructional design and before joining Salesforce, she worked as a management consultant. She loves working in cybersecurity because it keeps her on her toes and has enabled her to use all her skills in a way that feels impactful and relevant.
Laura Pelkey engages with customers, partners and the security industry to drive awareness and adoption of security best practices. She has worked in the security industry for over 10 years and is extremely passionate about helping people keep their valuable data secure. Currently, Laura runs the Salesforce’s external security awareness programs.