Report: Fostering a diverse cybersecurity workforce

Experts at an Aspen Institute event explained some roadblocks to cultivating a diverse cybersecurity workforce and offered potential solutions, including putting less reliance on formal certification.

cyber volunteers

The range of backgrounds and experiences among the workforce directly impacts the mission in cybersecurity, experts said during an event focused on the diversity of the cybersecurity workforce hosted by the Aspen Institute's Tech Policy Hub and Aspen Digital on Sept. 9.

A report released the same day offers recommendations for how to foster a diverse cybersecurity workforce, a remaining area for growth in an industry also characterized by a notoriously tight labor market.

The report found lagging levels of participation on the cybersecurity workforce among Hispanics, Blacks and women, as compared to their share of the overall population.

The Biden White House has set its eye on diversity and inclusion in the federal workforce writ large already. A sweeping executive order issued in June lists priorities spanning the lifecycle of an employee from hiring to retirement.

The new report, created with cyber and workforce experts with the goal of listing out best practices for improving diversity and inclusion in the cyber industry, addresses issues from criminal background checks to accountability for executives. The authors recommend a reassessment of the usefulness of certifications to gauge ability for cyber jobs.

Expensive certifications can represent a barrier of entry into the field, panelists said.

"We find that a lot of people learn through working with one another on certain kinds of key topics," said Karyn McMullen Harker, Global HR Business Partner in Cybersecurity at Accenture. "So I think providing the opportunity for certifications is an excellent thing for organizations to do, but requiring it just shuts people out of the game too early on in their careers."

Without alternative pathways into the field, certifications can limit the diversity of the overall workforce, said Camille Steward, global head of product security strategy at Google.

"Certifications have become a tool for excluding people because we're requiring them early in peoples' careers when many of these certifications require five years of experience," she said. "It becomes a hard barrier for folks, rather than one pathway into an organization, and then there aren't a lot of support for folks who cannot financially meet the burden of paying for these heavy certifications."

The panelists offered up as an example of an alternative in an apprenticeship initiative called the Cybersecurity Education Diversity Initiative between the Department of Defense and The National Security Agency. It matches students at minority-serving institutions with paid internships at private sector security companies.

Also on the job requirements front, panelists said it can be difficult for applicants to meet requirements for several years of prior experience for an entry level job, said Ron Ford, cybersecurity advisor at the Cybersecurity Infrastructure Agency.

Ford also spoke briefly about the Department of Homeland Security's new personnel system, the Cybersecurity Talent Management System, that's gearing up this fall after years in the making.

Generally, the hope is that it will "really open up the job field to understand how current employees are meeting those standards, as well as continuing to open up paths for career involvement and escalation," he said. It's "there to provide that support for those future employees who we really want to bring on board and try to meet them in a place where we typically haven't met them."

Ford and other panelists also flagged the NICE framework for job descriptions developed by the National Initiative for Cybersecurity Careers and Studies as a helpful tool to create cybersecurity job descriptions focused specifically on the skillsets needed for jobs.

Either way, diversity directly affects cybersecurity, said Rep. Lauren Underwood (D-Ill.), who spoke at the event.

Opening up the field can help fill in talent gaps in the tight market, and having a diverse set of perspectives in a room also decreases blind spots in threat assessments and increases the number of creative ideas, she said.

"A diverse security workforce keeps us safer," she said. "Probably the most obvious reason for this is we want to recruit top talent. Our nation faces evolving threats that require a whole of government and whole of society response ... A homogenous workforce can be a major red flag that we're failing to recruit all the available talent."