There is a major skills gap in cybersecurity. This isn’t news — research from the Center for Cyber Safety and Education puts the figure at 1.8 million fewer workers than jobs by 2022. The same group found that the industry is only made up of 11% women. A few years ago, I was shocked to be speaking at an event where about 30% of the room admitted to having never worked on a team with a woman. It’s worth noting that most of the room were shocked to find that percentage was so low.
Fixing the skills gap and addressing the gender imbalance are not small issues. There are already many fantastic initiatives aiming to address both. The great work of the Women in CyberSecurity and the Women in International Security are worth mentioning. In the U.K., there are a number of government-backed apprenticeships for cybersecurity that target those leaving high school. And I can confirm that the graduates of these programs are in high demand. If they have a good technical understanding, they aren’t going to stay on the job market very long, weeks at most. But these solutions aren’t going to fix either problem — not in the next four years, or perhaps ever.
More Committed Employees
The most overlooked group is also the group of people who are likely to offer a company more commitment once they are in their roles: professionals returning to the workforce after an absence. While this could be men or women, according to Telegraph, 90% of those who undertook a return-to-work program in 2016 were women. Often having been out of the workforce to raise children, this group have gained soft skills and business acumen in their first career. Taking people from related disciplines and retraining them to have the necessary cybersecurity skills would cost as much as training a new graduate. Given that returners are more likely to be settled in a location, once they are up to speed, they are far less likely to move on, unlike others at an earlier stage in their career. This isn’t a nice thing to do; it’s a smart thing to do.
Returnships are not new. Goldman Sachs introduced them in the U.S. 10 years ago and several investment banks and consulting firms offer similar programs in the U.S. and U.K. However, many of these programs are three- or six-month trials and not entirely suited to the world of cybersecurity, which may require a longer training period and greater investment.
The uptake of this idea has been slow, but there is a compelling case to make — this the time to take action. Rhetoric from companies about the importance of more women in their teams is not always being backed up with innovative action. I’ve personally discussed this with a number of large organizations and their general response is to ask me to send them more female candidates. There is a limit to the changes many leaders are prepared to make to their own training and attraction strategies. Making the investment now could fix that problem.
The Remaining Risks
There are some obvious risks. Hiring anyone when they are making a life change can be risky. Returning to work might not work out for some. Just because they are returning to work doesn’t mean they are less ambitious — they might still end up going to work for your competitor across the street. If they still have the responsibilities that kept them out of work before, professional travel might be a problem. That will mean they are not suited to every type of role within the industry.
But the potential benefits far outweigh these risks. The risk of the skills gap, and continuing to fail to attract women to the sector, seems to be a bigger risk.
Establish Your Organization’s Commitment To Returners
If uptake from companies is slow, what would the uptake from candidates look like? Research from PwC shows that there are 427,000 women in the U.K. currently returning from a career break, and three in five of these women may re-enter the workforce into lower-level or lower-paid positions. Attracting some of these women to the high-growth and well-paid area of cybersecurity would help address the skills gap we face.
There is also some work to do on the image of cybersecurity if we want the industry to attract more women in general. Cybersecurity is a business issue, as well as a technical one, and as an industry player, much can be done to portray that to potential candidates. You might incorporate the following strategies:
1. Consider your image: Show women in senior roles, talk about what flexibility you can offer — particularly on travel — and highlight how low your gender pay gap is. (Or, at least what you are doing to rectify it.)
2. Update your job descriptions: Research suggests that a common barrier to entry for women in the workforce is that they don’t apply for jobs for which they don’t meet all the indicated qualifications. Remove requirements that aren’t truly necessary for the role and consider changing the language to be more inclusive. Do we really need to talk about kill chains?
3. Check your training program is suitable for returners: The training program you have in place for grads or apprentices will likely include the technical skills. But don’t forget that refreshing business knowledge, rather than teaching the basics, is important to success in any workplace.