In Cybersecurity, Diversity is Part of the Mission

February 26, 2020 • Vivian Schiller & John Carlin

We’re excited today to announce some new, major steps toward improving diversity and access to cybersecurity jobs. Unfortunately, businesses across the economy are struggling to hire for thousands of open cybersecurity roles. As a result, too many of the functions crucial to protecting our democracy, our government, our companies, and our digital lives are going unfilled. And this jobs gap is only going to increase.

A growing coalition of businesses is committing to recruiting methods that feature a focus on hiring from communities that are underrepresented in the cybersecurity field. In November 2018, the Aspen Cybersecurity Group released its Principles for Growing and Sustaining the Nation’s Cybersecurity Workforce. Under the leadership of co-chair and IBM CEO Ginni Rometty, the Group assembled and announced a coalition of 15 employers who committed to changing job qualifications, job descriptions, and career ladders to widen the net for potential cybersecurity talent. Now we are welcoming 16 new businesses who are also committing to key principles for building a stronger cybersecurity talent pipeline: Bank of America, Accenture, Casey’s General Stores, CenturyLink, FireEye, Intel, Malwarebytes, McAfee, Proofpoint, Rapid7, Raytheon, Recorded Future, Target, Tenable, U.S. Bank, and VMware.

Together, these 31 companies represent billions of dollars in annual IT and cybersecurity spending, and their joint commitment will help reshape the landscape of this growing field. They are now vital partners for our next phase of work, which will concentrate on hiring from underrepresented groups, thereby improving diversity and security at the same time.

A core conclusion of the Aspen Cybersecurity Group’s research is that real-world skills, and not just four-year degrees, should be a primary means for measuring cyber talent. For too long, the traditional lens for cybersecurity workers has focused on college-educated candidates—a group that is predominately white and male. With the demand for cybersecurity expertise only expected to increase, it is essential to rethink outdated requirements and build connections with communities of potential talent that traditional hiring assumptions might overlook.

Consider education. Over 90 percent of open cybersecurity positions currently require a four-year degree, a baseline credential that many companies use as a litmus test for qualification. Yet cybersecurity is an industry where over 80 percent of self-described hackers are self-taught, and where IT managers disfavor degrees as the primary means for assessing cybersecurity skills. This practice means that companies are automatically filtering out skilled individuals without ever talking to them, while simultaneously frustrating their own desire to enhance workforce diversity. Only 42 percent of white individuals, 23 percent of African Americans, and 18.5 percent of those who identify as Hispanic possess bachelor’s degrees. Companies across the economy are increasingly willing to accept candidates without traditional college degrees, and the cybersecurity industry should follow suit. After all, the National Security Agency is already a champion for new pathways to hire candidates directly from designated two-year schools.

The language in job postings can also have a significant impact on the candidates who apply. Simple wording changes in the job description that have no meaningful effect on the job itself can open up access to a broader base of cybersecurity talent. For example, companies can replace specific terms that tend to attract males and deter female candidates (aggressive, confident, independent, adventurous) with gender-neutral terms (loyal, supportive, dedicated, interpersonal). By remedying biased language in job descriptions, Cisco was able to boost its rate of female applicants by 10 percent. Under IBM CEO Ginni Rometty, the company’s own efforts to review job qualifications and change job descriptions for cybersecurity positions led to a double-digit increase in both the applicant mix and hiring mix of groups who are underrepresented in technology roles. Pursuing gender and ethnic diversity is important for moral and social reasons, but it is also essential to closing the cyber jobs gap.

Diversity of experience is also important. More employers view cybersecurity as multidisciplinary and are valuing more than just computer science backgrounds—which often means looking inward. Upskilling on the job can widen the search. Twelve years ago, Northrop Grumman launched an internal Cyber Academy to train and certify employees for cybersecurity roles. Raytheon has also established its own internal Cyber Academy training program that develops full-blown, mission-ready cyber operators. This allows employees like mechanical engineer Cedric Fletcher to shift into leadership roles in the field.

With a coalition of committed employers assembled, The Aspen Institute will now embark on the next phase of its workforce initiative to build a more robust cybersecurity and technology talent pipeline.

  1. Data collection: In cybersecurity, there is no reliable data indicating the most effective hiring and retention practices. We simply don’t know the best measures for growing a diverse, qualified team. Over the next year, The Aspen Institute will work with companies across industry verticals and other partners to gather objective data—as well as persuasive stories—that illustrate which on-the-ground programs are most effective in strengthening the cybersecurity talent pipeline for employers.
  2. Implementation toolkit: Some large technology companies have teams who are dedicated to building out innovative cyber workforce development strategies. Not all employers, however, can afford to dedicate staff full-time to that endeavor. The Aspen Institute will work with its assembled coalition of employers and other partners to create an interactive toolkit that all employers can use to minimize security risks while maximizing diversity and inclusion.
  3. Convening in underrepresented communities: A key part of growing the cybersecurity talent pool is ensuring that more people see cybersecurity as a career option. We believe that through the shared principles outlined by the Aspen Cyber Group and targeted outreach to underrepresented communities we can grow the ranks of potential recruits who think of themselves as “cyber-ready.”
  4. Cyber Talent Working Group: Since its inception, the Aspen Cybersecurity Group has centered its work on cybersecurity talent in a working group led by IBM CEO Ginni Rometty. With the initiative entering its next phase, The Aspen Institute will expand this working group to encompass a broader range of employers, nonprofits, educational institutions, government agencies, and researchers to support this ambitious, nationwide effort.

The Aspen Cybersecurity Group invites other employers, including federal, state, and local government agencies, to join this effort. Interested organizations should contact David Forscey, Managing Director of the Aspen Cybersecurity Group, at [email protected].