NICE eNewsletter Winter 2020-21 Industry Spotlight

Steps for Strengthening the Talent Pipeline in 2021 

By David Forscey, Managing Director, Aspen Cybersecurity Group  

In the United States, cybersecurity workforce demand continues to outpace supply despite steady growth in the workforce. From 2018 to 2020, the number of employees in cybersecurity roles grew 29 percent, from 715,715 to 922,720, while unfilled positions grew by 62 percent.  

As the country enters a period of significant transition, the time is ripe for industry and government to rethink our approach. The United States boasts over 212 million citizens of working age. It would take just over 0.2 percent of our workforce to supply the 520,000 open cybersecurity roles we have today. But outdated concepts of what constitutes “cybersecurity talent” are preventing thousands of employers from taking advantage of this enormous talent pool. 

An excellent source for the sort of new ideas this nation needs can be found at the Aspen Cybersecurity Group. The group is a standing, public-private forum, established to bridge the gap between government, industry, and civil society by operationalizing consensus solutions to the hardest cybersecurity problems. In 2018, the Aspen Cybersecurity Group issued the Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce. This report offered employers fresh ideas for hiring, retaining, and upskilling cybersecurity workers in ways that can expand the talent aperture and lift artificial restrictions on the pool of talent from which employers draw. Key among its findings were recommendations that employers: 

• Reassess job qualifications to eliminate unnecessary barriers to entry-level or mid-career talent. Over 90 percent of open cybersecurity positions require a four-year degree in a field where most self-described hackers are self-taught and where IT managers prefer skills over degrees. Many entry-level positions require a CISSP, which is a mid-level career certification. Unnecessary job qualifications cut out whole swaths of the talent supply. 
• Rewrite position descriptions leveraging the NICE Framework and eliminate jargon and company-specific phrases. The words that hiring managers use in job descriptions can dissuade significant numbers of potential candidates. Cisco boosted its rate of female applicants by 10 percent after reviewing biased language.  
• Create clear career roadmaps and advertise them. Companies should show candidates that cybersecurity is not just a job—it is a career. They should clearly illustrate career progression between roles as well as parallel or adjacent roles that feed into that progression. These models should be public so any job seeker can understand the potential to advance. The Career Pathways map on CyberSeek.org is a great place to draw inspiration. 

These ideas are not controversial. It should not be surprising that the Aspen Cybersecurity Group was able to assemble a growing coalition of over 32 employers, from big tech firms to retailers and defense companies, who have committed to implementing these principles.  

The changes are evident to anyone curious to look. Just as an example, these two open cybersecurity positions from member Bank of America showcase needed skills and experience without mentions of degrees and certifications: Cyber Intrusion Analyst and Cyber Threat Hunter Information Security Engineer.  

Leidos also took degree requirements out of job postings recently. Lynsey Caldwell, Leidos Cyber Workforce Sr. Manager, said: “At Leidos, we know there are uncovered gems just waiting to be found who lack traditional credentials or experience.  We removed degree requirements from our job requisitions, standardized job descriptions, and focused on diversity hiring via partnerships in underserved communities.  We are confident that we can teach candidates who have technical skill gaps, if they have the soft-skills and security mind-set. In fact, some of our most talented employees do not have a cyber-background at all.  This year we graduated 14 candidates from our Cyber Academy, some with no IT background, breaking down barriers to career agility in cyber.  In a fiercely competitive environment, talent profiles are changing.” 

Even when employers do expand their sources for talent, many Americans do not recognize their own potential to enter the cybersecurity field. Changing that perception will require federal leadership. In December 2020, the Aspen Cybersecurity Group released A National Cybersecurity Agenda for Resilient Digital Infrastructure, centered on five priority themes for the next administration and Congress. Its chapter on cybersecurity education and workforce development outlined several practical steps for policymakers in Washington to scale demonstrated successes, including: 

• Appropriating new grant funding for organizations dedicated to growing the representation of communities of color in the cybersecurity field. 
• Funding a new national repository of K-12 cybersecurity resources. 
• Creating and scaling a pipeline of private sector volunteers to serve as part-time instructors in schools that cannot find cybersecurity teachers.  
• Elevating and scaling cybersecurity apprenticeships—a model that has gained significant traction across industry and academia in the past two years. 

We encourage more companies to join this important initiative. There’s a lot of work ahead to socialize these ideas in every sector of business and in every part of the country. The cybersecurity community might be surprised by how much and how quickly we can close the jobs gap simply be changing how employers define and recruit cybersecurity talent. 

NICE eNewsletter Winter 2020-21