Though diversifying the cybersecurity workforce is an issue the industry is trying to address, "it's too late," said Dr. Alissa Johnson, VP and CISO of Xerox, while speaking at a Forrester event in Washington Wednesday. Johnson came to this conclusion because the industry is looking to solve a problem for the immediate future when there hasn't been effective focus on where to find diverse candidates.
By the time young students who are encouraged to pursue a career in security are old enough to enter the workforce, cybersecurity will be "passé," Johnson said.
By 2020 there will be about 1.2 million open cybersecurity jobs, said Stephanie Balaouras, VP and research director at Forrester, speaking at the same event. CISOs complain there is a staffing problem, but Forrester doesn't see the same issue when half the population is excluded from recruitment, according to Balaouras.
A lack of diversity in the workplace can be attributed to many factors, including the inability to find candidates with the desired skill set. Johnson and other security experts agreed that hiring in security goes beyond a formal education.
Because there is "artistry" and critical thinking involved in security, employers want someone who can demonstrate skills that may not be evident on a college degree, said Johnson. Creativity and curiosity are foundational skills employers want in security and those are not things "that can be taught."
Nearly 90% of CISOs in Fortune 500 companies are men, according to Forrester. "I am the representative of diversity in a lot of meetings," said Johnson.
But Johnson said that diversifying the cybersecurity workforce is too late because it goes beyond recruitment. Training should be put in place. While training cannot completely close the gap, it can be used to offset it.
As for school children, the industry needs "to make cybersecurity cool" because the current approach is proving ineffective, according to Johnson. Young students now are consumed by information and data, primarily accessed through smartphones. Learning that someone could breach their phones in a matter of seconds could get them "salivating" to learn more.