Written by Simone Petrella
There’s A Better Way — We Just Don’t Know What That Is Yet
This month the Aspen Institute published a report of the results of their convening of cybersecurity professionals across industries to address increasing diversity, equity, and inclusion in the field. There are a number of recommendations across education, recruitment and hiring, retention, mentorship, and the narrative of diversity in cybersecurity. For obvious and biased reasons (I’m in cyber workforce development after all), I wanted to take a deeper look into the interrelated recommendations around education and recruiting.
My first reaction? We’re still missing the biggest piece of the equation. What strikes me the most in a well-researched and comprehensive working group like this is that companies and organizations are still struggling to develop tangible and actionable game plans not only to increase diversity in cyber, but also to bring more talent into the field overall.
The recommendation to evaluate the utility of certifications is needed and I’ve advocated for that before (after all, what do they really tell us about someone’s true ability to do a job?). But a gaping hole exists when faced with having to replace them with something – especially as it pertains to achieving greater diversity in the industry. I’d like to see recommendations like this come with more scalable examples of replacement strategies. For instance, firms committed to “hire to train” programs that focus on bringing in ambitious and hard-working entry-level talent that can be molded and upskilled into these critical roles. When we present these types of models for identifying unlikely sources of talent, we 1) open the aperture to more diverse candidates, and 2) could track that success through real data and metrics.
While removing the certification barrier is one step to increase the talent pipeline, and ostensibly, in turn, increase diversity, it’s unlikely this step alone in regard to education will move the needle sufficiently to level the playing field. The working group looks to couple this recommendation with surveys of successful programs that do work to identify diverse cyber talent. I’ve worked with many of these initiatives and am incredibly proud of the work they do and their accomplishments, but none have been able to scale sufficiently to make a material dent in the numbers. This leaves employers scrambling to continue to patch together a hodgepodge of initiatives hoping it can at least have an incremental effect in their own ecosystem.
The ability to have valuable and substantive data lies at the heart of this problem. Employers lament their inability to truly quantify the true skill level of the talent they have, let alone use a benchmark to identify new potential talent (and if you can’t even do that, how do you even begin to layer in diversity considerations?). To me, the next step towards an implementable solution is to encourage companies to develop an actual and quantifiable baseline of the skills they need to do certain types of cyber work and then apply that baseline to both existing and potential talent that could fill those roles. If you have a starting point of technical knowledge or skill from which to measure improvement, you can then make strategic hiring decisions, prioritize and execute training or upskilling, and develop talent – and tap into more diverse talent at that.
Not only can data collection on the technical skills of talent be quantified (again, I’m biased, but we do this through assessments mapped to the NICE Framework), but if you add an additional layer of demographic data, like title/role, years of experience, gender, degree, race or ethnicity, we can also start to view our initiatives through a different lens, one that not only provides a more informed starting point to bring more qualified talent into the field, but can also help companies make diversity a priority in their cyber talent strategies.