Petra Vukmirovic likes to fix things. That’s why she initially became an emergency room doctor. But she craved more creativity on the job, at a time during the pandemic when many people were reevaluating their life choices.
“I tried to figure out where my medical skills were the most transferable, and I landed on cybersecurity,” says Vukmirovic. She currently works as a senior cybersecurity engineer at Zava, a digital healthcare company based in London.
“In both careers, there’s a lot of troubleshooting and detective work,” she said in an interview with Endpoint. “I like to fix things, and I found that technology is the perfect place for that.”
A widening cyber talent gap is forcing the industry to seek out more career-switchers like Vukmirovic to meet an intense surge in ransomware and other cyberattacks. The labor shortage in the cybersecurity industry, long a vexing and urgent problem, has led security and technology leaders to look to nontraditional talent pools and strategies to overcome the scarcity of workers. They are also removing degree requirements and upgrading traditional hiring profiles to fill the pipeline.
“To narrow the cybersecurity workforce gap, we must widen the talent pool and break down barriers to entry by shifting away from a technology-first mindset, instead looking for strong nontechnical skills that are necessary to succeed in cybersecurity,” says Clar Rosso, CEO of the training organization International Information System Security Certification Consortium, or (ISC)². “Cybersecurity professionals believe that strong problem-solving abilities; curiosity and eagerness to learn; strong communication skills; and strategic thinking are as important as, or [even] more important than, certifications and relevant cybersecurity experience.”
Deepening the cybersecurity workforce pool
(ISC)² estimated in its latest annual workforce study that some 2.7 million additional cybersecurity workers are needed globally. The global cybersecurity workforce needs to grow 65% to effectively defend critical assets, the organization estimates.
A recent Deloitte survey provides further evidence that competition for cyber talent remains fierce, particularly in the U.S., where 31% of surveyed executives say their organizations are often unable to recruit and retain cyber workers. Only about half as many (16%) non-U.S. executives say they experience the same recruiting and retention challenges.
Similarly, one-third of respondents to a Tanium survey said the in-house cybersecurity skills shortage was a top security operations challenge. The problem is particularly acute in government. Even CISOs are scarce. CyberSeek has created an interactive map of the U.S. to help visualize the gaps.
Neurodiversity in the workplace
To find rich new sources of talent, companies are focusing on recruiting more nontraditional workers to the cybersecurity field, including “neurodiverse” people with conditions like autism, attention deficit hyperactivity disorder (ADHD), and dyslexia. Neurodiverse employees often excel at assessing cyber risk and analyzing suspicious online activity, owing to traits such as hyperfocus, precision, persistence, and the ability to identify patterns, researchers say.
Consulting firm Ernst & Young more than tripled its neurodivergent workforce globally during the pandemic. In 2021, EY created a neurodiverse team of 10 in Boston that focused on cybersecurity and other areas as part of its Neuro-Diverse Centers of Excellence. The firm had more than 300 neurodiverse employees globally as of early 2022.
Another rich talent pool includes former members of the military, who often have strong technical, operational, and security backgrounds. CISOs are also retraining existing security workers, and recruiting IT workers and training them in cybersecurity. They have been drawing from fields as diverse as accounting, auditing, and quality assurance management, and reaching out to underrepresented groups like women and people of color. They sometimes seek out people like Vukmirovic, who make the switch from fields that, on the surface, may not seem related.
Creating a bigger tent for cybersecurity professionals
The cybersecurity industry has been criticized for unrealistic requirements for entry-level jobs. Some employers still insist on professional certifications and advanced degrees that take years to earn. For example, one job listing for a more junior security operations center analyst at a major bank required a bachelor’s degree, at least four years of experience in sophisticated techniques, and professional certificates.
(ISC)² told Endpoint it is piloting an entry-level cybersecurity certification meant to help cybersecurity career changers and young professionals demonstrate to employers that they have the foundational skills and personal attributes necessary for a career in cybersecurity. The certification can also be used by professionals who need to show they have an understanding of cybersecurity best practices. For example, if the SEC adopts proposed regulations that public companies must have cyber expertise on their board, the certification could verify board members’ knowledge.
Another way employers are broadening their criteria for hiring is by no longer insisting that workers be on-site. That’s been a key recruiting and retention issue during the era of hybrid work.
Cybersecurity as a community service career
Ann Cleaveland, executive director of the Center for Long-Term Cybersecurity at UC Berkeley, says that cybersecurity careers can be marketed to young workers seeking a way to make a difference in the world. “Cybersecurity is related to public service and serving communities,” she says. “It would help if the public thought of it more like a job that is, in some respects, like a healthcare worker, rather than the stereotype of a hacker in a hoodie sitting in a corner somewhere. That makes the mission resonate so much more with a lot of different kinds of people.”
CLTC is working to establish an international network of clinics at universities that would draw from computer science departments as well as nontechnical majors to help infuse students with a sense of mission and assist them in getting cybersecurity jobs in nonprofits and other do-good organizations. “Cybersecurity has to be made more appealing to more kinds of students from more kinds of disciplines,” Cleaveland says.
Broadening the outreach of the field to more academic disciplines “means that clients get better cybersecurity and even technical assistance,” Cleaveland adds. “We’ve ended up getting students from the law school, the policy school, public health—people who might never have seen cybersecurity as a pathway for them
Rachael Cornejo got her cybersecurity training through CLTC’s Citizen Clinic, which sees itself as a public-interest digital security effort. At UC Berkeley, Cornejo thought she wanted to pursue a career in journalism, but then discovered she was more interested in advocacy and creating change. Based on her training, after graduation she was able to secure a job as a cybersecurity consultant at Deloitte.
As a humanities and liberal arts student, Cornejo said her biggest surprise was that her cybersecurity career required less technical expertise than she’d expected. “There’s the hard science behind hacking, but that’s only a small part of cybersecurity,” she says. “It’s really a much more qualitative discipline.”
Cornejo finds herself using her soft skills to interview people about risks to help prioritize them and assemble a risk assessment. “Basically, it’s about getting inside the head of hackers,” she says. “That can be fun and satisfying.”