Building a Cybersecurity Talent Pipeline
While prominent companies and healthcare institutions around the world were reacting to a ransomware attack known as WanaCryptor 2.0, or WannaCry, a young man working for a cybersecurity firm in southeast England landed on a solution that cost just $10.69. He found the so-called “kill switch” in the malware’s code that involved the simple purchase of an unregistered domain name. He promptly registered the domain, halting WannaCry’s spread. The identity of this cyberknight remains anonymous, but one notable fact about his background has emerged: he’s only 22 years old.
According to a 2015 study by the Center for Cyber Safety and Education, the average age of security practitioners is 45 years old. Many security professionals will leave the workforce within the next 20 years, but younger professionals are not seeking careers in cybersecurity at a pace sufficient to keep up with companies’ demands. Developing a workforce that will be prepared to meet companies’ increasingly complex cybersecurity needs means companies—and educators—will need to build a bigger, more inclusive talent pipeline for people interested in the practice.
When I spoke with cybersecurity expert Summer C. Fowler for the cover story of the May/June 2017 issue of NACD Directorship magazine, I asked about her work at Carnegie Mellon University to recruit diverse candidates to the programs she leads at the CERT Division of the Software Engineering Institute. One look at her Twitter profile illustrates that she’s a passionate supporter of the Cyburgh, PA Initiative, a program developed in partnership between Carnegie Mellon and the Pittsburgh Technology Council to advance the city’s status as a leader in cybersecurity technology. The initiative could not be successful without being inclusive.
“The issue of building a talent pipeline is such a challenge because of what we’re offering by way of schooling,” Fowler said about the role of university-level education in developing the cybersecurity talent pipeline. She then drew a parallel between the education and training of doctors in the 1970s to the challenges the cybersecurity sector has with finding diverse candidates. “When you look back to the early 1970s, the medical field was exactly the same. Only about 11 percent of doctors were women. There also were not many minority doctors in this country. We’re investigating what changes in the medical community were made to bring in more women and underrepresented minorities, so that we can do the exact same thing with computer science and engineering fields.”
Fowler pointed out that there needs to be further delineation of roles in the cybersecurity industry to clarify the hierarchy of talent desired. “When we talk about cybersecurity, we all think about a Ph.D. from Carnegie Mellon or from Stanford,” Fowler said. “We need to get better at differentiating the roles and what training requirements are. When we get there, I think that striation of roles will naturally open a pipeline to more people who are interested in the field because it would be seen as this daunting job that requires a Ph.D.”
Still another challenge exists: getting diverse talent interested in the topic to begin with. I shared with Fowler an anecdote from my own high school experience. My path diverged from that of a male friend who was interested in white-hat hacking, which is the technology industry term for the benevolent hacking of systems to detect vulnerabilities. While I was curious about the world of professionals who were defending against cyberattacks, I had no outlet for learning about programming at the time. No one at my public high school in inner-city Memphis was engaging young women in learning about computer science in 2004, and my friend had family who supported and encouraged his interest.
Fast forward nearly 13 years later, and my friend is a practicing white-hat hacker for a Fortune 500 company. I, on the other hand, earned my bachelor’s degree in creative writing, and have since revived my interest in the topic and write about it from a governance perspective. Could I have been working at the same company with the helpful nudges of invested educators, or with after school programs for young women like Girls Who Code that are sponsored by interested corporations? Fowler seems to think the answer is “yes.”
She suggests that the solution now will not be to bring girls and young women to technology, but to bring discussions of technology to them within contexts that interest them. “Instead of saying to girls, ‘You need to belong to the computer science club,’ talk to them about what computer science might mean to ballet, or to whatever program they’re involved in.” She suggested discussing breaches to the entertainment industry with young people interested in acting or movies, for instance, as a way to pique their interest in a field they might not have considered before.
Ultimately, one of the greatest challenges to building the cybersecurity pipeline will involve developing aptitude tests, then encouraging promising young people to pursue a career down that pipeline. “It’s also a matter of figuring out what the specific competencies are. We’ve done a really good job for lots of different types of jobs at being able to say, ‘Let’s perform an assessment to see what your skills are and what you’d like to be doing.’ That process enables us to say, ‘Wow, you would make a great attorney, or you would make a really good financial analyst.’ We don’t have that in the realm of cybersecurity.
Building out more roles in cybersecurity and advocating for the inclusion of the role into other career aptitude tests would help young people—and perhaps even more women—to get excited to join the ranks of cyberkinghts in the future.
Katie Swafford is assistant editor of NACD Directorship magazine and also serves as editor of NACD’s Board Leaders’ Blog.