I am Claire Raso. I'm the CEO of ISC2. We are world's largest association, certified cyber, sorry, I almost said we were CPAs. I used to work with the finance and accounting sector. So we are the, we are the world's largest association of certified cybersecurity professionals. We have over 600,000 over, it says nearly there. It's over 600,000 members, associates, and candidates around the globe. We are best known for CISSP. All right. So every year we look at the workforce gap and basically what we're trying to do is we are trying to improve the cyber defense posture of the whole world.
And we know that people are a big part of that. So we look at how big is the workforce? How many filled positions do we have? That's our starting point. So the good news is we expanded the size of the workforce globally in 2023 to 5.5 million professionals.
And we count anyone as a cybersecurity professional who spends 25% or more of their time doing the work of cybersecurity. And this is actually really important for organizations so that they can think of how they solve their problems differently than I always have to hire a full-time person.
However, at the same time, our unfilled demand for cybersecurity professionals has gone up to 4 million people globally, which means globally we have to increase the workforce by 73% just to meet current demand. And so I do see the demand increase is a little bit of a good news thing because it means that organizations are willing to invest in their cybersecurity professionals. And just with our malicious insider talk from earlier, 50% of cybersecurity professionals tell us they have had first or secondhand exposure to a malicious insider in the past 12 months.
And 20% or one in five of those 5.5 million have told us that they have been offered money to be the malicious insider.
So just something to think about the scale of what we just heard in the past two presentations. So bringing it a little bit closer to home, the gap. So unfilled demand in the UK is about 274,000 went up 5.4% year over year over all in the EU and specifically in Germany. The gap is just over a hundred thousand and just slightly increased year over year. We're also seeing a lot of economic contraction across the globe.
57% say that workforce shortages put their organization at extreme or moderate risk and 49%. And this was one of the shocking findings in this year's survey. 49% of the survey participants tell us that they expect the size of their teams to reduce in the next 12 months. So as much as the C-suite tells us they think cybersecurity is important to their business, their actions are not matching their words.
And so what doesn't happen because we don't have enough cybersecurity professionals, and this is really key, and this in a way is also key to making the case of why cyber professionals are so important to your team. Keep forgetting, I could just look at this one. 50% don't spend enough time on proper risk management. 45% say we're rushing too fast. So we have oversights and processes and procedures. We're slow to patch critical systems. We misconfigure our systems. We're not training ourselves, we're not training our staff and we're not actively managing our threats.
These are all the reasons we have breaches. So basically the basics don't get done because we don't have enough people. So what are we gonna do about it? And what we have found is while we used to talk about the workforce gap and the skills gap as almost one and the same, they are uniquely different. And that there's some opportunity that if we focus on skills, maybe we can address our problems more quickly. So 92% of respondents globally say we have one or more skills gaps within our organization. Like we don't have the right skills on our team to do the work that needs to be done.
And 67% say, look, I have both workforce shortage and a skills gap, but I think most importantly on this slide is 59% say that they think the skills gap is actually worse than the worker shortages.
So where are those areas where we have the gap?
Frankly, I'm a little disappointed in number one because we've been talking about it for so many years. You know when the pandemic hit and the whole world went remote, organizations woke up and said, wow, we don't know how to manage and secure our cloud ecosystem. Well four years later we're still saying that cloud security is our number one concern. But there's the emergence of other kind of skills too. Communication skills, risk assessment analysis, security analysis. I really important and not actually on this list that I'm showing you.
Well, I'll tell you on one of the other lists, these are the skills that people are hiring for. So that's what people hire for. When we ask professionals what is missing? The other thing that comes up very, that has skyrocketed onto the list is the understanding of artificial intelligence and machine learning.
So what should the industry be doing about this? So we first ask, what are you doing about it? And so what people are doing to try to shrink their skills and workforce gap is they're working with recruiting agencies.
'cause they're not being able to hire people direct, they're looking to certification organizations. And what that means in the trend that we see globally is we see more employers hiring based on somebody's certification than say their university degree. So they're looking for that before they look for university degrees, but they are starting to look more at university degrees. And we are seeing globally universities paying more attention to what the marketplace is saying, working with us, other certification bodies to actually embed certifications in their degree programs.
And then you can see apprenticeships, internships are on that list too. And we're starting to see some change. I joined ISC2 three years ago and basically the only people anybody wanted to hire, even if it was entry level, was I want somebody who's worked in IT.
I want 'em to be a CISSP and that's all I'll take. Well that's ridiculous because CISSP first of all has to have five years experience and you don't need that for an entry level job. And we've seen over the past three years a shift in perspective of thinking about how I hire.
And while I might prefer to hire someone who has an IT background, there's a greater willingness of employers to look across their business and across people's experience backgrounds to hire people with the right non-technical skills and then train for the technical. LinkedIn. I was at an event at the White House last week where we were looking at data on the, on the cybersecurity workforce. And somebody from LinkedIn was there and he said, 'cause you know, people in their job descriptions say, I want you to have had this cybersecurity role in the past.
He said, if you actually hired on a skills basis, your pool would expand by six times because there are six times as many people that list cybersecurity related skills on their LinkedIn profile than list jobs in cybersecurity. So something to think about and why employers really need to move, I can't see the slides anymore, but you can, to skills-based hiring. Again, I mentioned that people are starting to think about hiring based on the non-technical and then training for the technical. This is what we're seeing.
They're hiring for problem solving skills, communication skills, curiosity, eagerness to learn because we know that with an ever-evolving threat landscape, we need people who are constantly learning and staying on top of what is new. You can see that relevant IT experience is still in there. And I think what's sort of interesting is, and you can just look at the list of what they say is least relevant in terms of what people are hiring for. And that goes back to the degrees. And that's because there's a disconnect between cybersecurity degrees in some parts of the globe and what employers want.
So what are organizations doing? What else are organizations doing to recruit and retain their staff? 'cause the one thing that we talk a lot about recruiting staff, almost a bigger issue is retaining staff because staff is feeling very burned out because competition is fierce. Over the past probably 18 months, the salaries of cybersecurity professionals have started to significantly rise. So what are they doing? They're investing in training for their, their people providing more flexible working conditions, investing in diversity, equity and inclusion initiatives.
And I wanna just talk about this for half a second. So employers who have diversity equity inclusion initiatives and you can, you can define diversity any way you want. It could be a different work experience background, it could be, it could be neurodiversity, it could be gender, but it could be lots of different things. But people who create an environment in their workplace where everybody has a seat at the table and all voices are heard, those organizations have about 45% less worker shortages than organizations that don't.
And that is significant.
And we see younger generations coming into the workforce who are saying, this is important to us and this is something we're looking for with our employers. And that was what, what my next slide was. The other thing that we found is that if you are gonna bring people into your organizations who don't come from the traditional background, so people haven't hopped the wall over from the tech side of the business, it's really important to be very intentional about providing people tools to be supported when they enter your workforce.
And that is providing them training, connecting them with a mentor. And a mentor doesn't have to be a formal program. It could be just assigning a buddy to somebody, somebody that they can talk to and ask questions of that turns out to be tremendously helpful and just really providing a lot of opportunities for people to learn and have exposure to what's happening in the business.
And that can go miles in terms of increasing engagement and having folks wanna stay within their jobs. All right. And so what one of the things that ISC2 has done about this.
So we can't go around the world saying, you know, hire for the technical and train or hire for the non-technical and train for the technical and not give you something to help support that. So we actually created a certification called Certified in Cybersecurity. It crosses all the core technical domains of cyber and it is designed and was designed by the profession for employers to assess someone's capability to learn the technical side of cyber. So the idea is that an individual takes this, if they can pass this exam, they, they are trainable in the technical side of cyber.
And then for an individual who maybe comes from a different background, gives them a chance to see what that technical side of cyber is 'cause they might be a good problem solver and analytical thinker.
But we want, we want them to be comfortable with what they're getting into on the technical side too. So it gives the employee a chance to see what is the technical side of cyber we're all about. And this is really starting to make a difference for us.
We launched an initiative, 1 Million Certified in Cybersecurity, where we are giving away the, the education and the exam for this program for free over however long it takes. We thought it was gonna take five years.
We, we enrolled I think 375,000 people in the program in the first year. We've only certified, we're just about to hit 40,000. If we were gonna be together next week, I'd do a little pool with you to pick the day that we're gonna hit 40,000 that we've certified in just over a year. But it's really having an impact.
We're seeing students who've taken this and they have moved into cyber jobs where people, seeing people in cyber jobs already who've taken it but maybe may not be part of the certification community that they have either leveled up in their job, they've been offered more pay in their jobs. We're really seeing it have an impact for the community. We've also seen people who are maybe a little more experienced taking it and then immediately moving on to their next certification.
Alright, so what can you do?
And this is just, this is my last slide, so just to sort of, oh, but apparently I'm going to click a lot. So what are some of the key things that we're seeing that can make a difference, hire for skills and simplify those dang job descriptions. Maybe in Germany this doesn't happen. The phenomenon that happens in everywhere else in the world with cybersecurity job descriptions, but they are highly technical and anything anyone could ever think of that someone might at some point come across during their job, they put it all on the job description.
Well, you exclude a whole lot of applicants when you do that. So simplify and think really about what are those core skills that I need for someone to be successful in this role? Be inclusive. I go back to being inclusive and thinking about giving people a seat at the table, asking what they asking people, what they think.
We are solving complex problems in the world of cybersecurity. And the more ideas we have, the better we're gonna be at rapidly solving the problems that we face. Invest in your team. Retention is critical.
And in cyber, the great news is most cyber security professionals are very purpose driven. They wanna do good, they wanna be problem solvers. So things like investing in somebody's professional development can go much further to keeping them in their jobs than just the money, although the money is helpful as well. And that way when the person comes to them and offers to pay them a whole bunch of money to steal the database, they might not do it.
And then prioritize a culture, prioritize culture and wellbeing.
One of the other things that, there's so much data in our workforce study, but one of the other things that we have realized over the past two years when we're particularly looking at retention is the culture of the workplace really matters. And making sure that your employees are not stressed out and burned out.
I've, I'm running into more and more cyber professionals who are saying, I want my next job to be project based work. I wanna know that if I'm gonna work 24/7 that you're gonna make me do that for say six weeks, but then maybe I can do something else for a while and they'll come back to the 24/7 kind of work that just like little things like that can make a huge difference. And that if you do have an all remote workforce, make sure you're intentional about team building in connection with your teams. But that's what I got. And anybody have any questions I'd be happy to answer.
We have one minute and 19 seconds left.