Fifteen major companies, including the Apple, Facebook, Google, IBM, and PwC, announced Wednesday they are joining together to change their cybersecurity job descriptions and requirements to attract more talent to the 3 million cybersecurity job openings that are expected to be available over the next two years.
Specifically, the companies — which are part of the Aspen Cybersecurity Group — are focused on nixing requirements that candidates have four-year bachelor’s degrees and gender-biased job descriptions.
“A bachelors degree is actually not a good proxy for whether you have the talent,” Chair of the Aspen Institute’s Cyber & Technology Program John Carlin told CyberScoop. “There’s plenty of talented people out there but we need to figure out better ways to identify them and train them.”
The group, which also includes AIG, Cloudflare, the Cyber Threat Alliance, Duke Energy, IronNet, Johnson & Johnson, Northrop Grumman, Symantec, Unisys, and Verizon, came together over the past year to address the cybersecurity skills gap, which Carlin believes is the actual dilemma facing the cybersecurity workforce — not a talent gap.
The group has agreed, for instance, to change job postings to reflect the core requirements of the role instead of focusing on a full-blown recruiters’ wish list. The fear is that a long set of requirements in job postings can turn off applicants who may very well qualify based on the basic requirements of the role.
This concern is especially prescient when it comes to hiring women in cybersecurity, who currently represent less than 25% of the cybersecurity workforce. According to a Hewlett Packard internal report, women feel they need to meet 100% of job requirements in order to apply to jobs, whereas men apply when they only meet 60% of the requirements.
The group is also working to cut certain words that may unnecessarily keep some applicants from feeling they would fit in the role. The list includes: ninja, dominate, competitive, confident, determined, decisive, outspoken, strong, hacker, and rockstar.
One other way companies may be limiting their applicant pool to men is by requiring applicants to have certain certifications for cybersecurity roles, such as the Certified Information Systems Security Professional (CISSP) certification, Carlin explained.
“Using the [CISSP] certifications cut people off,” Carlin, a former Assistant Attorney General for National Security at the Department of Justice, said. “That pipeline is already gendered. That’s another way we’ve artificially cut people out of the workforce.”
In order to decrease the requirements, the companies are in some cases reworking their internal career development paths as well so employees can work on their skills through mentorship, apprenticeship, and training throughout their job, Carlin said.
IBM has been running internal technology-focused apprenticeships for two years now, and has found them to be quite effective, IBM Vice President of Compensation, Benefits & HR Business Development Joanna Daly tells CyberScoop.
“We’ve proven that it does [work],” Daly said. “We’re on our third cohort of cybersecurity apprentices. In IBM 90% have been hired in full time cybersecurity roles when they finish.”
While some of the companies announcing these pledges are still in the process of adopting the principles, Daly hopes that this collective pledge can push others interested in tweaking their cybersecurity talent recruitment tactics, too.
“This is something practical. All employers can do this today. While the skills gap is a big problem in cybersecurity … there are things we can start doing today to make a difference,” Daly said. “If other employers join us in this we can start to … close the skills gap.”