cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Overcoming Cybersecurity Professional Stereotypes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Overcoming Cybersecurity Professional Stereotypes

Re: Overcoming Cybersecurity Professional Stereotypes

AndreaMoore
Community Manager

Perception-Study-Web-Banner-1120x300-20200921.jpg

 

 

The most positive finding of the recently released (ISC)2 2020 Cybersecurity Perception Study is that the stereotype of loners working in dark spaces is disappearing. However, a new one is replacing it and although it’s a more positive crimefighter image, it remains problematic because people view the cybersecurity field as being beyond their reach.

 

Check out this blog post for an overview of the findings:

Positive View of Cybersecurity Professionals and How to Attract People to the Field

 

There are a lot of misconceptions in the public about the requirements to join the field, namely that one needs to obtain more education and superior technical skills just to get their foot in the door. While that is true for some more technical positions, it’s not the full picture, since cybersecurity also requires risk awareness, investigative and communications skills, among many others.

 

Some of the questions that came up in the open-ended part of the Perception Study indicate just how little the general public knows about the profession. Perhaps more than any other comment from respondents, this one says it all: “How do you even go about getting a job in this field? Who hires you?”

 

It suggests the industry could do a much better job of explaining what it does to draw interest in the field. Other revealing questions from respondents included:

 

  • What is the best temperament for this profession?
  • What is the workweek like?
  • What are the upfront costs to into the field?

 

Where to Start?

It’s clear that respondents are curious about the profession, but as the study reveals, not enough to want to join. It’s important to point out that the study intentionally filtered out people who have never worked in the field because the goal was to learn what keeps people from pursuing such a great profession.

 

It’s likely that most people don’t even consider working in cybersecurity largely because they do not view themselves as having the required skills. Asked where they would begin if they planned to join the field, respondents said:

 

Go back to school

26%

Earn a certification

22%

Inquire with the IT or cybersecurity team at my employer

14%

Teach myself (i.e., online courses)

13%

 

Food for Thought

In order to draw more talent to the field, the Perception Study makes three recommendations that can help overcome cybersecurity stereotypes:

 

  1. Focus on non-technical aspects. In job descriptions, stress attributes such as communication skills, problem-solving and creativity to widen the candidate pool. Emphasize that creative approaches to problems and an ability to handle ambiguities can be just as vital as technical knowhow.

 

  1. Focus recruitment efforts. Aim recruiting efforts at jobseekers with complementary experience in areas such as communications, law enforcement, data flow, process development and regulatory compliance. These experiences develop and require skills that are transferrable to cybersecurity, and help create a more balanced, diverse cybersecurity team.

 

  1. Address education. Co-develop cybersecurity programs with school districts and higher learning institutions to spur interest in the field. The earlier, you can get their attention, the more likely they are to consider a cybersecurity career – and help close the cybersecurity skills gap.

 

Are there other recommendations you would make to encourage more people to at least investigate cybersecurity as a potential career path?

5 Comments
tmekelburg1
Community Champion

I can't disagree with anything they said. When I searched for 'Cyber' on Indeed, most of the jobs I reviewed came up as very technical and none were entry level into the IT profession as a whole. Their target audience was for current Cyber professionals or IT professionals looking to make a transition. If we could find the number of people working in technology and divide that by the number of working age people in the U.S or other countries, it would probably be a really small percentage that we're trying to fill roles from. The equation is probably more complicated than that but not the point lol!

 

I only looked at about four job descriptions but none of them referenced training being provided if they couldn't check all of the boxes for the 'Basic' or 'Minimum' requirements. I say we need to take a hard look at those minimum requirements if we're going to find talent outside of the industry. Maybe the soft skills as being required and anything technology related can be taught while on the job, for entry level Cyber roles?      

rslade
Influencer II
> tmekelburg1 (Contributor I) posted a new comment in Blog on 10-09-2020 11:50 AM

> When I searched for 'Cyber' on Indeed,
> most of the jobs I reviewed came up as very technical and none were entry level
> into the IT profession as a whole. Their target audience was for current Cyber
> professionals or IT professionals looking to make a transition.

CRC Press decided to call my new book "Cybersecurity Lessons from CoVID-19."
So I added a paragraph:

"Nowadays, there is a new term being bandied about: cybersecurity. Some feel that
infosec, with its triad, is incomplete, since it doesn’t, overtly, address the extent
and increasing importance of communications and networking in the modern
world. Many of us old dinosaurs feel that a) the term “cybersecurity” is a poorly
defined marketing phrase, b) the “domains” of security, as defined by the
International Information Systems Security Certification Consortium (or (ISC)2),
have always had a networking component, and c) cybersecurity doesn’t, yet, have
any structure to distinguish itself from infosec, and so can’t be used to create a
structure for a book, chapter, or course."

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
This post is a natural product. The slight variations in spelling
and grammar enhance its individual character and beauty and in no
way are to be considered flaws or defects.
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413
tmekelburg1
Community Champion

Thanks for that rabbit hole @rslade . Some articles say Info Security is a subset within Cybersecurity and others state Cybersecurity is a subset within Info Security. Most agree with Network Security being within Cybersecurity. I didn't look at any (ISC)2 resources but I'm sure they have a stance as well. It seems like there needs to be something that encapsulates both Info Sec and Cybersecurity since there is a difference. 

 

 

CraginS
Defender I

Grandpa Rob @rslade said, 

"...Many of us old dinosaurs feel that a) the term “cybersecurity” is a poorly defined marketing phrase..."

 

For years, when giving career talks to undergrad and grad students in the field, I have told them our field moved through a number of names:

computer security (compsec), network security (netsec, information security (infosec), information assurance (IA), and most recently cybersecurity (cybersec).

I would then explain that as the field matured, more nuances of the meanings have accrued, that in my mind the most accurately descriptive name is IA, but that is also the least informative to outsiders. Cybersec, on the other hand is the latest hot name, giving the least information about what we do, but capturing the market attention.

Finally, I would tell them that they should consider all of those names synonymous when evaluating what we do, and what sub-specialties to consider. Don't let any of those names prevent you from applying for a position to do what you want.

 

Craig

 

 

canLG0501
Newcomer III

I wholeheartedly agree @CraginS "Don't let any of those names prevent you from applying for a position to do what you want".  We must encourage employers and recruiters to focus on the details of the job opportunity.  The job description should outline the types of projects and overall environment.  Potential candidates should not be left in the dark.  Education should be addressed as an ongoing stimulant that is expected. Allowing new candidates a time period to certify (i.e. 90 days) is always a sound investment.