Addressing the cybersecurity talent gap: New programs from (ISC)2

Cyberattacks, breaches, hacks and ransomware are on the rise — that should come as no news. 

And, according to many experts, one of the significant reasons behind this is a long-lamented cybersecurity talent shortage. 

To help address this workforce gap — and to also combat burnout of existing talent and enable businesses to stay ahead of hackers — the global cybersecurity nonprofit, (ISC)2, this week announced three significant new initiatives.

“The cybersecurity profession is at a critical inflection point in its evolution,” said Clar Rosso, CEO of (ISC)2. “The field is poised for rapid growth and expansion, and it will take people from all backgrounds all across the world to help build a safe and secure cyber world.”

Supporting candidate growth

According to the most recent Cybersecurity Workforce Study from (ISC)2, the global cybersecurity workforce needs to grow 65% to effectively defend organizations’ critical assets.

To help combat a workforce gap of more than 2.7 million people, the nonprofit’s three new initiatives include:

• (ISC)2 Certified in Cybersecurity: This entry-level certification exam evaluates candidates in the areas of security principles; business continuity, disaster recovery and incident response concepts; access controls concepts; network security; and security operations.
  More than 1,500 pilot participants who passed the exam are on their way to full ISC2 certification and membership, said Rosso. As members, they gain access to continuing education, thought leadership, peer support, industry events and other professional development opportunities — ultimately allowing them to expand their experience and work toward more advanced and specialized certifications. 
• (ISC)2 One Million Certified in Cybersecurity is now open for enrollment. This follows the nonprofit’s recent announcement at the White House pledging to provide free entry-level cybersecurity certification exams and self-paced courses to one million new cybersecurity professionals. 
• (ISC)2 Candidate Program: Individuals considering a career in cybersecurity will have free access to exclusive resources and benefits and discounts on all certification education courses. 

Barriers to entry, identifying candidates

(ISC)2 has been developing these programs for almost a year, said Rosso. They supplement its well-known Certified Information Systems Security Professional (CISSP) certification and work through its charitable foundation Center for Cyber Safety and Education. The nonprofit has 168,00 members — professionals from all areas of the cybersecurity field. 

Rosso pointed out that one of the most persistent cybersecurity staffing challenges is identifying entry-level and junior-level candidates with the right skills and aptitude to learn and grow on the job. 

“At the same time, early career hopefuls are unable to demonstrate their understanding of cybersecurity concepts and gain the attention of hiring managers,” said Rosso. 

In a 2021 survey from Champlain College Online, for instance, cybersecurity professionals identified their top barriers to entry as high expectations for prior training or work experience and lack of diversity and inclusion.

And, (ISC)2 research suggests that organizations that focus on recruiting and developing entry-level cybersecurity staff — including those with little or no technical experience — helps accelerate the “invaluable hands-on training” that the next generation of professionals need, said Rosso. 

Ultimately, “to build resilient teams at all levels, we believe creating more opportunities for entry and junior-level practitioners is one solution we can employ to help address the workforce gap,” she said. 

Increased breaches — yet lack of action

The new initiatives come amidst, and are largely prompted by, growing cyberattacks — and increasingly sophisticated and costly ones at that. By one estimate, the average cost of a data breach is up to $4.35 million this year. 

“Cyber breaches are escalating at an alarming trajectory for all sizes of organizations and governments across the globe,” said Rosso. 

She pointed out that many organizations fall victim to cyberattacks due to vulnerabilities and inadequacies in their defenses — issues that professionals say they could more effectively address if they had enough people.

“It really is that simple,” she said. “We need more people in the roles of defending organizations.”

So, why aren’t organizations doing more?

“While the most apparent factor is simply demand outstripping supply of qualified individuals, there are more nuanced reasons for the gap,” said Rosso.

Notably, organizations are failing to address cybersecurity needs as a “strategic imperative” — many, at their own peril, still consider cybersecurity to be a back office, optional expense. When money for staffing is limited, organizations tend to look for the most highly qualified individuals with years of hands-on experience. But these are in short supply. 

The majority of work to be done is well-suited for entry or junior-level staff, said Rosso, but organizations are sometimes unwilling to invest the necessary six to eight months of on-the-job training that is required to bring newcomers up to speed.

“Decades of cybersecurity being a small but mighty club of individuals with very similar education and work experience has led to a build up of unconscious bias that impedes hiring or advancing diverse individuals,” said Rosso. 

Organizations must step up

Still, these initiatives, while significant, are just one way to combat the growing problem.

Organizations must invest in people, hire entry and junior level staff and upskill them, said Rosso. They have to “raise the cyber literacy of all,” she said, while encouraging a new generation of individuals from all backgrounds to consider careers in the field. 

(ISC)2 is taking a broad perspective on the issue: Focusing on increasing diversity in the profession and encouraging more women and minorities to consider cybersecurity as a career — and one that can be very rewarding, said Ross. In fact, half of the nonprofit’s one million pledge will be through partner organizations that actively serve under-represented groups.

“We encourage employers and governments to prioritize cybersecurity as a strategic imperative,” said Rosso. “We encourage shattering the notion of who would be good at cyber, and instead start with looking at an individual’s non-technical skills and motivations, and then train for the technical.”