You’re an aspiring professional seeking a lucrative career in cybersecurity. Or perhaps you’re an older member of the workforce considering cyber as a second act. What’s the right approach? Internships and apprenticeships? Training and certification? Higher education?
A panel of industry thought leaders who sat down with SC Media at the RSA Conference agreed that there is no one absolute pathway toward cyber professional development. These are all valid avenues — and in many cases they work well in combination, with each bringing certain advantages and opportunities to the table.
And all three options are still very much needed as the cyber industry continues to contend with a large skills gap.
Representing internships, mentorship and apprenticeships within the panel was Lynn Dohm, executive director of the nonprofit organization Women in CyberSecurity (WiCyS). Clar Rosso, CEO of (ISC)², offered perspectives on training and certification options. And Rick Trilling, professor and curriculum developer at the Wentworth Institute of Technology in Boston, presented higher education’s point of view. Here’s what they had to say.
SC Media: A lot has changed since the last RSA Conference, including the rise of the remote/hybrid workforce and virtual CISO services. With that considered, where do you think things stand right now in terms of employment trends, the cyber skills gap and professional development opportunities?
Lynn Dohm (LD): WiCyS originally started as a conference back in 2014 because women comprised 11% of the cyber workforce. And as things have progressed… we're now at roughly 20% to 24% in the workforce. So although things have shifted ever so slightly, there's still lots more work to be done. Because right now… there’s projected to be 3.5 million unfilled jobs in 2023 [according to Cybersecurity Ventures]. And that's an alarming statistic.
So what we do as … a 501(c)(3) nonprofit [is], we work on the recruitment, retention and advancement of women in cyber. … We're a community comprised of over 5,700 men, women, allies and advocates that all have a strong mission and passion of fulfilling that workforce need — and we do so by filling the void, by bringing women into the workforce.
Really, the retention piece is a critical component here. Some studies have shown that the average woman steps out of her tech career at the age of 35.
Clar Rosso (CR): In our 2021 workforce study, we saw the cybersecurity workforce top 4 million individuals globally, but what we also saw is that, except in Asia Pacific, demand for cybersecurity professionals increased. And that's not surprising, because the whole world went to work remotely, which just increased the threat landscape for everyone.
So we've been seeing a shift with employers. We have seen cybersecurity jobs becoming more valued. We're seeing salaries go up. And … we've seen people increasingly look to individuals who don't come from traditional [IT] backgrounds … [and] help train them on the technical skills and move them into cybersecurity roles. We're seeing people looking for non-technical skills like analytical thinking, critical thinking, the ability to work alone or in a team, and problem solving that [will help people] be successful in cybersecurity careers.
To help, [we’ve been] very committed to attracting more diverse individuals into the profession. And we're talking about all kinds of diversity — gender diversity, race, ethnicity, but also educational background and work experience diversity. Because we've found in some research we did that those are two of the biggest barriers to entry and advancement within the profession.
And then the other thing that we have done over the past year is … we … asked our members, individuals, employers: “What is the baseline that you need someone to understand to give you comfort that from a technical perspective, they will be successful in a cybersecurity career?”
Employers need something to help them feel comfort that the individual they're going to hire is going to be successful in a cybersecurity role and be worth the investment. …
So we created an entry-level cybersecurity certification … (ISC)² Certified in Cybersecurity. … So far we've had about 10,000 people globally sign up for it. … We are seeing high interest with minority organizations in the U.S. to adopt it to help jumpstart their customer base and then we have had huge pickup in the United Kingdom for the program, too.
Rick Trilling (RT): In our particular area, we discovered five, seven years ago that there was a shortage of technology schools, but … we’re beginning to [catch up on] the technology side of cyber. But as we were told from those in the industry and from the military and government, there were lots of people who were being promoted from technology-based backgrounds into managerial positions with neither the experience nor the expertise, nor the training to be able to understand how to manage in cyber. And that has been a really fascinating area for us to begin to pioneer over the last several years.
When you go to employers, and you say, “What is it that you would like?” … some of what the employers have told us is, “It's wonderful if you can get students straight out of high school to be able to come into college and [give] them an undergraduate and then a graduate degree. But we have a lot of people in the industry already, who we would like to be able to increase their skill sets in cyber, both technological and managerial. [But] we can’t send them to four years, plus one or two additional years.” [So] we learned early on … that we [also] needed to be able to come up with alternatives like certifications … shorter degree offerings, and things like that.
SC Media: Lynn, make your best case as to why internships and apprenticeships arranged through WiCyS might be one's ideal avenue for professional growth in the cyber industry.
LD: There are so many different ways of navigating through your cybersecurity career pathway. [Whatever your choice,] WiCyS is here … to help streamline the process and make those connections a little faster.
An example of this is our internship program. … I think we're at 57 strategic partners that partner with us on a nonprofit, year-round basis. Well, our student chapter presidents came to us last October saying that they were going from strategic partner portal to strategic partner portal and … they felt like all the applications had the same questions, the same type of requests.
And so they came to WiCyS saying, “How can we streamline the process and bridge the gap from our members right to those strategic partner internship opportunities?” … The strategic partners … said … this was a pain point for them as well. They needed to identify WiCyS members quicker in their portal to be able to create the opportunities, to bring up the diverse set of talent within the organization that they're partnering with. And so we piloted a program in February: the WiCyS Student Intern Program. We had employer partners that agreed to join forces with the pilot program. It was a great success.
We took all the applications for the job reqs [requisitions] and we combined them, put them in one application, layered it on top of that with … cybersecurity aptitude assessment, and then we opened applications for our members. … They filled out one application, we parsed everything out based on the criteria of the employer partners and then we shortlisted all the WiCyS members that fit the bill and fit the job posting, particularly for each partner.
So it's just one example of how we at WiCyS do active listening and engage with our community continually. That’s how we’ve done our internship program, our apprenticeship program, and the many different security training scholarships that we offer.
SC Media: To follow up, I assume a major advantage of taking the internship, mentorship or apprenticeship approach is the hands-on experience you gain in a real-life working environment.
LD: Exactly. … It gives an opportunity to be front and center with cybersecurity teams. We recently had Target launch a Cyber Defense Challenge with us — and all [the participants] have been working with the Target cybersecurity team, one-on-one, throughout this entire four-month experience. It's really phenomenal and they're able to [work closely with] an incredible team of experts that are coaching them and encouraging them every step of the way. So every program that we have comes from the heart and soul of the strategic partners, how they want to pay it forward to the next generation, [while also recruiting] the talent that rises to the top.
SC Media: Clar and Rick, same question: Make your best case for why prospective cybersecurity professionals would want to consider the certification route or higher education route to develop their skills? Or is the best bet to pursue a combination of all three approaches represented here today?
CR: We would make a very lovely Venn diagram. I think there is a beautiful intersection, and I think the answer is all of the above. … There's not one pathway.
The value of certification is really the validation of skills, experience and education that the marketplace wants in certain areas. So … there is a place for us. And for some people who can't maybe afford to go to university — and we see this even more so outside the U.S. — the path of certification is a pathway into a job. … Maybe they come back and get a formal education later, but certification helps them get a job.
When we're talking to employers … and universities … we hear all the time, “We need ways for our students to get experience.” And so I just love the fact that WiCyS has internship programs, because that's tremendously valuable. But we [also] have universities that embed certifications in their degree programs, so you end with both [a degree and certification]. Actually, I think that's the most beautiful win-win because they get that deeper dive. They actually learn the content. And then we give the industry validation of what they have learned in university.
The perfect marriage is the degree program with the certification. That’s really powerful because industry certifications [are] not very old in cybersecurity. We’re only 30-something years old, but we have proven over time to employers what they can expect when they hire someone who holds a certification — and that holds a certain value.
[With that said,] in my 20 months [at (ISC)²] I have noticed a shift in the willingness of employers to start to look beyond to that entry-level person with a CISSP that doesn't exist and start to hire different folks. … We've [also] done some other research that shows that women and other minorities are more likely to enter cybersecurity through a degree. And so that's why we feel so strongly that the degree pathway offers a really nice entry into the profession as well.
RT: You beat me to it when you spoke about a Venn diagram. The term I would use is “complementary.”
What you have are three different opportunities. In the best of all worlds, if you have them together, you're going to have … the most well-rounded individual you can find in cyber. We in higher education will have internships, we will have cooperative programs. Our school, for example, has two semesters of cooperative education. We are looking at having certifications for those programs, where we get older students who are already in the workforce. They want to be able to move up in the organization where they're already working. They see cybersecurity as an opportunity that dovetails perfectly with some skill set that they already have. And for higher education, I just don't think that it's a question of either or. I think that is absolutely a complementary situation between all three opportunities.
Higher education is a great opportunity if you have the time and the money. Certifications are a great opportunity if you have fewer resources — one of which is the time. If you have four years to get an undergraduate degree, great. If you don't, a certification is going to be very important.
In higher education today, you'll find the industry is moving to what they call plus-ones. If you're taking a four-year degree, and then you would like a master’s in some specialization within cybersecurity instead of having to have a two- or three-year program on top of your four-year degree, it's only one additional year. So the industry is definitely recognizing the need to be able to reduce the demand on resources from the customer base.
SC Media: In what specialized areas of cybersecurity do you feel you are seeing the most hunger for additional education, training and mentorship opportunities right now? And how often do you continually refresh your internship programs, training courses or course curricula to reflect the ever-changing needs of the cybersecurity space?
LD: The needs from the employer side, I really have to say are focused on cloud security. That's what our strategic partners are saying to us, and those are the programs that we're trying to build out right now. … And so the cloud security training scholarship is … a package that we have put together and we're looking to fund a training program along those lines. So it’s in the works.
We just recently sent out a survey, as well. The folks at WiCyS are putting it together to identify what would it take for mid-talent to advance to senior roles and how could WiCyS also help bridge that gap.
For us, being innovative and creative is about listening to the community's needs — and always building out programs that just kind of ebb and flow with what we're dealing with right now.
CR: I'm gonna give this to you straight from our research report that we're releasing next week. This is [a survey of] hiring managers in the U.S., UK, Canada, and India, across all-sized companies. And there’s been a little shift for us because the past two workforce surveys and all other surveys said cloud [was top priority]. They are now telling us the top five technical skills are: data security, followed by cloud security, secure software development … data analysis and security administration. So those are the ones that we see as the big technical areas.
We have lots and lots of continuing education we make available to help people up-skill in whatever is the newest, latest greatest area. But one of the other things that we've done … because cloud has been such a big thing for so long, [is] we have taken our cloud certification and broken it up into three certificate programs. So if somebody … is not ready for a full certification but wants to step-by-step work their way to it, we've now created a three-step pathway to our cloud certification.
We're looking at doing that for more of our certifications, as well — just to make them more accessible and also to give people a little bit of that education so that they can use that in their jobs. Because one of the other things we find about people in cybersecurity roles is they're often doing fractional roles. It's not “100% of my job is cybersecurity.” [It’s] “25% of my job is cybersecurity.” So we think that this will help.
RT: I think the dynamic nature of cybersecurity that you just heard Lynn and Clar refer to is such a challenge for higher education. Higher education has programs like accounting degrees that don't really change very much over the decades. Whereas with cyber, we have to reassess not even every year but on a much more constant basis.
Ethical hacking, cyber governance issues, cyber legal issues — there are so many different aspects [of cyber] that we find ourselves having to keep our finger on the pulse of what employers want and need.
And for that reason, we find ourselves … having to spin on a dime, because what may have been important two years ago in the industry will have changed. At this point, we're seeing a lot more governance issues. We're seeing some of the soft skills that were referenced earlier. We're seeing policies being an important area. … Our biggest area that we're seeing at the moment is cybersecurity planning.
SC Media: How would you assess the success of recent diversity, equity and inclusion efforts in this industry?
CR: We're seeing more diverse individuals entering the workforce. … However, we have learned that the biggest uniform, across-the-globe diversity barriers to advancement and retention are education and experience. If you don't have the same education and experience as your supervisor did, your chances of advancing within an organization are less. So I actually think one of the places that we really have to focus is on that retention aspect. How do we advance? How do we put equitable advancement practices in place? How do we ensure that we have pay equity within our organization?
So good signs. A lot of support … but a lot more work to do.
RT: In higher education … our institutions are trying to foster greater diversity. … We have got employers that are seeking a more diverse workforce from us at the other end of the pipeline. It’s just a great opportunity to work in the middle of creating curricula … that are going to facilitate that.
There are … [sometimes] situations where students of color will come in and they have not had the background in the education that they need to be able to be successful in some of the courses — and [so] what we provide are bridge courses that will facilitate that and create a situation where there's an opportunity to succeed rather than setting somebody up to fail.
One of the most important things that we teach in most of our courses is diversity not as a politically correct idea, but as an absolute competitive advantage — and that any manager who wants three people who look, talk and act like them is never going to compete with somebody who has 30 different viewpoints at their beck and call when they have a problem to solve.