Written by Simone Petrella
The Aspen Institute’s September 2021 report addresses diversity, equity, and inclusion in the field of cybersecurity. Recommendations focus on education, recruiting and hiring, retention, mentorship, and the narrative of diversity in cybersecurity, with key findings in each area outlined as “actions that can be taken now” and “actions requiring additional institutional support.”
As the leader of a training provider and workforce development organization, I wanted to take a deeper look into the interrelated recommendations around education and recruiting.
My first reaction? We’re still missing the biggest piece of the equation. In a well-researched and comprehensive working group like this, what strikes me the most is that organizations are still struggling to develop actionable game plans to not only increase diversity in cyber, but how to bring more talent into the field overall. As a whole, the key takeaway from my (somewhat biased) perspective is that training can become an avenue to address both issues of cybersecurity talent shortage, as well as supporting diversity, equity, and inclusion initiatives industry-wide.
The Certification Barrier
One Aspen Institute recommendation is to “organize a coalition to assess the value of certifications in developing quality candidates for cybersecurity jobs.” This is something I’ve advocated for before (after all, what do they really tell us about someone’s true ability to do a job?). The findings support this viewpoint in stating that “there is little evidence about whether these [certification] programs have been effective.” Moreover, the financial cost associated with studying for and obtaining these certifications can pose a barrier to underrepresented individuals.
But a gaping hole exists when faced with having to replace them with something—especially as it pertains to achieving greater diversity in the industry. I’d like to see recommendations like this come with more scalable examples of replacement strategies. For instance, firms can commit to “hire to train” programs that focus on bringing in ambitious and hard-working entry-level talent that can be molded and upskilled into these critical roles. When we present these types of models for identifying unlikely sources of talent, we are 1) opening the aperture to more diverse candidates, and 2) could track that success through real data and metrics.
Committed Training Initiatives
While removing the certification barrier is one step to increase the talent pipeline, and ostensibly vis a vis increase diversity, it’s unlikely this step alone in regard to education will move the needle sufficiently to level the playing field. The working group looks to couple this recommendation with surveys of successful programs that do work to identify diverse cyber talent. I’ve worked with many of these initiatives and am incredibly proud of the work they do and their accomplishments, but none have been able to scale sufficiently to make a material dent in the numbers. This leaves employers scrambling to patch together a hodgepodge of initiatives hoping it can at least have an incremental effect in their own ecosystem.
Underlying the heart of the problem is the ability to have valuable and substantive data. Employers lament their inability to truly quantify the skill level of the talent they have, let alone use a benchmark to identify new potential talent (and if you can’t do that, how do you even begin to layer in diversity considerations?). To me, the next step towards an implementable solution is to encourage companies to develop a baseline of the skills they need to do certain types of cyber work and then apply that baseline to both existing and potential talent. If you have a starting point of technical knowledge or skills from which to measure improvement, you can then make strategic hiring decisions, prioritize and execute training or upskilling, and develop talent—and tap into more diverse talent at that.
The Impact on Diversity, Equity, and Inclusion Initiatives
Not only can data collection on technical skills be quantified (again, I’m biased, but we do this through assessments mapped to the NICE Framework), but if you add an additional layer of demographics data, like title/role, years of experience, gender, degree, race or ethnicity, we can also start to view our initiatives through a different lens that not only provides a more informed starting point to bring more qualified talent into the field, but also can help companies make diversity a priority in their cyber talent strategies as well.
How to Take a Data-Driven Approach to Talent Development
Training and talent development, when rooted in data, has the potential to uncover key insights on your workforce and greater opportunities for your organization.
CyberVista’s NICE Workforce Diagnostic helps cybersecurity leaders make more strategic training and workforce development decisions. It’s an assessment that generates employee skill profiles demonstrating areas of strength and weakness within a particular role or topic. Provided with your own dashboard, you can filter the data and reveal potential trends by demographics, job function, experience, and the seven categories of the NICE Framework.
Simply put: The insights gathered from the NICE Workforce Diagnostic allows you to target the exact needs of your employees and invest your resources more efficiently.
We’re here to help drive your workforce development strategy forward. Click on this link to request a free demo.