A back-to-school plan for reaching the next generation of cybersecurity professionals

The cybersecurity landscape experienced a period of turbulence over the past eighteen months, as companies around the world quickly adopted remote and hybrid working models at the onset of the pandemic; beyond providing threat actors with new vulnerabilities to exploit, this shift challenged our expectations about where works happen and, more importantly, what workers are considered critical to a functional, stable society.

This, coupled with a series of high-profile ransomware attacks, has thrust cybersecurity into the spotlight.

Unfortunately, when it comes to diversifying the cybersecurity workforce, this flurry of coverage is too little too late in presenting the field as viable and economically rewarding.

The State of Things

Brookings Institute found that more than half of essential frontline workers – many of whom are Black (16%) and Hispanic (21%) – earn less than $20 an hour. Even if an essential worker were able to work 40 hours a week, every week, taking no holidays, they would earn a maximum of $41,600 – nearly a third of the average cybersecurity employee – while, at the same time, facing health risks which are not constrained to the current pandemic.

At the same time, today’s technology workforce does not represent the general populace – the Information System Security Certification Consortium ((ISC)²) found that just 9% of cybersecurity workers self-identified as African American or Black, 4% as Hispanic, 8% of Asian, and 1% as American Indian, Alaskan Native, and Native Hawaiian/Pacific Islander.

Unfortunately, there is little being done to address this head-on, as lower-income community members are more likely to choose a career – either consciously or unconsciously – from CISA’s critical infrastructure workforce with lower pay and a higher risk of exposure to the current pandemic than those who choose careers in cybersecurity due to the simple fact that the latter is lacking in visibility as an attainable and rewarding field.

Our shared challenges – with the total number of data breaches increasing every year since 2009 – in cybersecurity do not stem from inadequate financial investment; rather, they stem from a lack of diverse people with different life experiences working together towards the shared goal of improving security.

Symptoms of this problem are obvious to employers: according to the 2021 mid-year CISO Trends Report by CSHub, over half of respondents reported that they don’t have the right people for the cybersecurity operations of today and tomorrow. Yet, the average financial damages caused by a data breach grew around 10% year over year to $4.24 million in 2021, based on data from Atlas VPN. This chasm between the current labor force and the potential for harm to companies must be bridged – and solutions must be multicultural and multigenerational.

Many new employees joining the field of cybersecurity this year report that they were unaware of it as a career option when they were in middle school or high school, with 77% of students studied by (ISC)² saying that cybersecurity was not offered as part of their high school curriculum. Children can identify people’s jobs that are visible in their community, which means that their parent’s wealth and neighborhood indirectly influence their career options.

While young people may understand that there is a person at a store who fixes computers, that a programmer writes games, and that the cable company provides Internet accessibility, they rarely understand that there are other job opportunities or that different people provide these services. However, when considering college options, high school seniors often mistakenly believe that there is a requirement that cybersecurity students must already know how to write code, and thus they self-select out of the field.

The Labor Pool Exists – It’s Time to Tap Into It

Current cybersecurity professionals and educators can change this narrative, but only if we take individual responsibility to engage with others and be visible members of our communities – the issue of a lack of diversity in the field won’t address itself.

Too often, we lecture about the benefits of careers in cybersecurity to audiences with different backgrounds that do not relate to the presentation. We must provide context in our presentations and talks while highlighting the importance of cybersecurity as a profession and the benefits of working in the industry.

For example, consider a high school assembly, where a speaker narrates a series of PowerPoint slides about the value of OSINT. Depending on their presentation style and the quality of their slides, a small subset of the attendees may find the topic interesting, though these are likely those students already in a computer science class. This isn’t helping to expand the potential labor pool.

Now consider starting a school assembly by asking for a volunteer or two from the audience and having them perform a series of simple OSINT tasks on an agreed-upon local public or national figure that the students probably know. This changes the dynamic and the narrative. It’s no longer a dry, dull person droning on; it’s someone they know, from their school, who is now “a hacker.”

To further diversify, our field needs better to present the career options and benefits to young people. Most new people in cybersecurity quickly learn that this is a collaborative, team-oriented job. Not everyone needs to write code; there are project managers, analysts, trainers, consultants, and marketing professionals. Our jobs pay a middle-class salary and are generally recession-proof.

While improving diversity in cybersecurity may appear daunting, if existing cybersecurity professionals and educators are committed to conducting outreach that will encourage young people to consider careers in the field, change can be made.

Consider that if 10% of the readership of Security magazine were to take the initial step of speaking at one high school per year, the industry would collectively reach nearly 2,000,000 potential cybersecurity professionals.

If we genuinely want to change the dynamic in cybersecurity and better position ourselves for the future, we must each commit to an outreach effort that will encourage young people to consider careers in the field.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

Many of the security screening standards in use today were put in place decades ago. They addressed the threats at the time and employed the security screening equipment that was available.