How we protect our data is more important than ever. Attacks on high-value entities, including big businesses and federal government agencies, regularly make headlines. Schools are increasingly targeted as well. Just last month, the FBI, CISA and MS-ISAC issued a joint warning about attacks on educational institutions.
Cybercrime damages will cost the world an estimated $10.5 trillion annually by 2025, and spending on cybersecurity is expected to exceed $170 billion by 2022. Beyond just buying technology to combat threats, however, we also need people who can actually deploy those tools effectively.
The problem is that we don’t have enough cyber talent. Across the world, there is an estimated shortage of 3.1 million cybersecurity workers.
It’s a problem that has made cybersecurity a topic of growing interest among investors, especially those focused on the future of work and helping people reskill into new careers. Cybersecurity is an attractive job industry, offering a pathway for upward mobility and long-term job stability, with a reportedly zero percent unemployment rate and an average salary of nearly $90,000 in the U.S.
With these figures, one might expect the sector to attract more people. So why is there still such a huge gap between cyber talent supply and demand?
The answer involves a host of complex issues. Among them: a lack of shared language to describe the skills, roles and responsibilities, in spite of initiatives to standardize the lexicon such as the NICE Framework. Also, a host of required certifications, skills and experience make it difficult to enter the industry. As a result, prospective workers struggle to find their footing, and employers have a hard time finding talent (when in fact there are many interested and qualified candidates).
So what does it take to close the talent gap and train the much-needed cyber workforce?
What It Takes to Get Hired in Cyber
Burning Glass (one of our portfolio companies at Rethink Education) has compiled detailed data on hiring trends in the cybersecurity industry. Currently, it takes the trifecta of a degree, certifications, and work experience to get a job—a pretty high bar that creates structural barriers to career pathways.
Eighty-eight percent of cybersecurity job postings require at least a bachelor’s degree. As one chief information security officer (CISO) puts it: cybersecurity is a “hybrid job,” requiring not only technical and domain knowledge but also an understanding of human issues in business. More so than most general IT roles, these jobs require a lot more “soft” or “power” skills: critical thinking and problem-solving, understanding how to pre-empt threats, communicating effectively across different teams, and project management.
CISOs prioritize hiring for these skills over technical ones because they are harder to train for, and therefore tend to hire based on degrees as a signal of these “intangible” qualities.
Certifications are a key part of cybersecurity careers, but many believe some certifications are actually “far more useful in getting a job than doing a job.” Historically, employers have overburdened job postings with certifications, creating labor market inefficiencies. There are more job postings requiring certifications than there are people certified.
One CISO explained to me that, because of the lack of a common lexicon for describing desired skills and roles, the technical team members in this industry often have a hard time communicating to hiring managers exactly which skills they need to hire for. Thus, certifications have become a standard way to screen and filter candidates based on keywords in HR applicant tracking systems.
In reality, jobs may only need select skills but not the entire certification. And while credential attainment is fantastic for a job seeker’s marketability and career advancement and can help get a foot in the door, it is not a substitute for competency in the eyes of most hiring managers.
This is the classic chicken-and-egg problem. Cyber hiring managers greatly prioritize job experience, with 85 percent of cybersecurity job postings requiring at least three years of work experience. But how does one get any experience in the first place?
For now, a common pathway often begins with a general “cyber-adjacent” IT job, which then transitions into more of a “cyber-core” role. Yet that journey is longer than it needs to be.
Where Edtech Can Help
Re-imagining Cyber Bootcamps Into Cyber Apprenticeships
There are a number of cyber bootcamps today. The next step would reimagine that model into an apprenticeship or work-integrated learning model. In addition to the technical skills that traditional bootcamps confer, these programs should provide students with opportunities to work on real-world projects, develop their soft skills as they collaborate across teams, and better understand what it means to be a cyber professional. (Day one on the job does not involve super-hacking!)
This model can provide work experience and certification, and help overcome the degree hurdle by allowing employers to observe (and help train) a potential hire’s skills. It can also help with career navigation: cyber roles are constantly evolving and tricky to navigate, which may be intimidating to new entrants.
Ultimately, we need more solutions with greater coordination with employers’ needs and a focus on actual job placement. There are already edtech startups innovating around work-integrated learning models (not specific to cyber) that partner closely with employers and higher-ed institutions, including Forage, Paragon One, Parker Dewey, and WhiteHat.
A skills-based assessment tool could help employers better identify cyber talent without over-relying on certifications. While there are some performance-based tests out there (e.g., virtual battlefield simulators), usually developed by the armed forces, there are few commercial players in this space, especially ones with inexpensive offerings that enterprises could purchase and adopt.
One of our portfolio companies, Correlation One, has developed a solution for data science that could be applied to cybersecurity. In this model, a candidate enters a data science hackathon challenge and, by analyzing real public and private datasets, solves open-ended problems related to today’s social challenges, from healthcare to income inequality. This competition format allows the candidate to exhibit the full extent of their data skills and ingenuity through relevant, real-world tasks and allows employers to assess through demonstration and hire based on performance, not just traditional credentials.
Employers have used this solution because it is hard to not only measure great data science talent, but also find ways to discover diverse candidates that don’t check the traditional boxes. It would be intriguing to apply a similar model to cybersecurity. Inside a cyber range environment resembling a video game, candidates could compete in teams and demonstrate to employers how they might problem solve in real-life scenarios using their skills, critical thinking, teamwork and creativity. The data collected from the candidates’ processes and outcomes in the competition could then inform a skills-based assessment engine, to gauge one’s competency regardless of his or her degrees or credentials. (And as it turns out, gamers make great cyber candidates, so a game-based simulation can also help expose younger learners to cyber careers in a fun way earlier on.)
It is important to note that there are regulations in the U.S. around hiring assessments. They can be one aspect of the hiring process but cannot be the sole reason for hiring, and should be tested for validity to prove no adverse impact to any populations.
Soft / Power Skill Assessments
A college degree is often considered a signal of possessing soft or power skills. But that isn’t necessarily true, and such a requirement often poses an expensive hurdle.
However, there is a lack of inexpensive, effective solutions for assessing soft skills broadly, not only in cyber.
One potential solution could be based on another portfolio company, Imbellus (recently acquired by Roblox), which has developed a sophisticated tool that can help measure how one thinks. Through a game-based assessment adopted by McKinsey, candidates enter a virtual simulation in the natural world where they solve a problem such as protecting native plants against invader species. The technology can measure not just what solution candidates arrived at, but also their process for how they arrived at it, by tracking actions, mouse movements and time spent on solving the challenge. In this way, Imbellus can measure the critical 21st century skills that cross over with the power skills CISOs are interested in, such as problem-solving, thinking critically, managing ambiguity, and adaptability.
Skill-Based Workforce Planning and Career Navigation
Build, don’t buy, cyber talent. It is hard and expensive to hire a great candidate in a high-demand market. For a large employer, the better solution may be to build capacity internally. Burning Glass and EMSI have both advocated for this strategy and identified which career fields transition well into cybersecurity roles.
What the industry needs is a talent platform that can track employees’ skills, identify candidates who could transition well into cybersecurity roles, map which additional skills they need, and provide the targeted training to help them get there. Workforce planning platforms, including Faethm and SkyHive, or learning platforms with skills analytics capabilities, such as our portfolio company Degreed, have potential to offer a mix of recommended educational content for enterprise companies, with the aim of identifying and building talent internally.
Navigating career paths in cybersecurity can also be tricky, with many learners confused by the large number of certifying bodies and certification options to choose from. But there is promise from initiatives such as CyberSeek and My Cyber Path, which have begun to outline career pathways so that they are less daunting for candidates seeking to enter the cyber workforce.
Cybersecurity will only become increasingly critical in the coming years as our digital economy evolves. The pandemic has accelerated this need, elevating our exposure to cyber risks as we use new digital tools to support remote work and learning. To keep pace with ever-emerging cyber threats, we must invest in solutions that can help overcome the high barriers to this industry, to nurture and grow our cyber talent and ensure the future security of our schools, enterprises and governments.