Cybersecurity teams need to fill jobs and improve diversity. They’ll need entry-level roles to get there.

As employers continue to grapple with the massive shortage in cybersecurity talent while also looking to increase diversity, a number of industry leaders said entry-level jobs are the missing piece.

After struggling to land a cybersecurity job, Nicholas McLaren (left) got his breakthrough after connecting with AJ Yawn (right), the founder and CEO of ByteChek. McLaren landed a job in cloud security at the startup and went on to earn a master's degree in cybersecurity.
Photo courtesy of AJ Yawn

Nicholas McLaren was starting to doubt he had a future in cybersecurity.

After receiving his bachelor's degree in information security from Georgia State University in the fall of 2019, McLaren was eager to land his first job. He had a passion for cybersecurity, and also wanted to show the opportunities that were available in the field to younger members of the Black community.

But accessing the opportunities himself was proving to be a challenge. And it didn't make sense. McLaren had heard so much about the cybersecurity talent shortage, and also about the need to increase the diversity and representation in the industry. But after applying to one cybersecurity job after another and getting no offers, "I kind of felt like I'd gotten played," he said.

The problem: Every employer was looking for someone with years of experience in security. True "entry-level" jobs were elusive.

McLaren was on the verge of giving up on cybersecurity and pursuing a career in personal training, another interest of his. But a LinkedIn message to a security startup founder led to his breakthrough. McLaren connected with AJ Yawn, the founder and CEO of compliance software firm ByteChek, who agreed to mentor him. The relationship led to McLaren landing an internship at the company and then, in late 2020, a job as a cloud security engineer.

Yawn “was willing to train me. And he was also willing to give me an opportunity to learn on the job," McLaren said.

That made all the difference. Following a productive stint at ByteChek, McLaren moved on and is now a senior cloud security engineer at Truist, one of the largest banks in the U.S. McLaren "quickly just turned into a monster on cloud security," Yawn said.

"There are so many people out there that are just like that — that have the baseline skills, that are willing and ready, but just are not getting the opportunity," he said.

There were a stunning 2.7 million unfilled jobs worldwide in information security as of 2021, according to cybersecurity professional organization (ISC)2. That's actually an improvement over 2020, when 3.1 million cybersecurity jobs were open. But it's also a sign that there still aren't nearly enough people to properly defend against intensifying cyber threats.

As employers continue to grapple with a massive shortage of cybersecurity talent, while also looking to increase the number of women and underrepresented minorities on their teams, a number of industry leaders told Protocol that entry-level jobs are the biggest missing piece.

Too many employers still put their energy into poaching talent from the same pool of the most-experienced people, rather than widening the pool, they said.

"The talent gap lives entirely in the minds of hiring managers in cybersecurity," said Naomi Buckwalter, a cybersecurity professional for two decades. She is now the founder and executive director of the Cybersecurity Gatebreakers Foundation, a nonprofit focused on helping to change hiring practices in the cybersecurity field.

"I've met so many high-potential candidates that just give up," Buckwalter said. "It's just demoralizing to get 'no' after 'no' after 'no.'"

Rethinking the approach

To see real change, employers need to rethink their cybersecurity staffing and hiring process, according to industry executives and nonprofit leaders.

In the U.S., the military is one of the only environments that will bring aboard people who lack real-world experience in cybersecurity and provide training in preparation for a role in the area.

Larry Whiteside Jr. says that if it wasn't for his background as an officer in the U.S. Air Force focused on cybersecurity, sticking it out as a security professional in the private sector would’ve been tough. After leaving the service in 2002 and joining the industry, "I had to go on my own for my first 10 years. I didn't have mentors. I didn't see anybody that looked like me," he said.

Today, after a private-sector cybersecurity career spanning two decades that's included numerous CISO roles, Whiteside is working to ensure that members of diverse communities don't need to have the same experience when entering the security field. He's now the co-founder and president of Cyversity, a nonprofit that offers programs aimed at improving representation for women and underrepresented minorities in cybersecurity.

But the talent and diversity gaps in security have a common root cause: Many hiring managers are still advertising open roles in the same places and in the same ways that they always have, Whiteside said. And then they wonder why they can't fill positions. "In essence, they are doing the same things and expecting different results," he said.

Ultimately, “when you look at [the talent gap], we've enabled this," Whiteside said. "We've created our own problem."

According to (ISC)2 findings, just 24% of cybersecurity jobs today are held by women. And in the U.S., 9% of roles in the cybersecurity workforce are held by workers who identify as Black or African American, while 4% of jobs in the field are held by workers who identify as Hispanic, (ISC)2 says — below the representation of those communities in the U.S. overall.

However, the pipeline of security talent coming out of universities today looks a lot more like the general population in terms of diversity, said Jim Alkove, formerly the chief trust officer at Salesforce.

Moving forward, "a significant part of addressing the talent gap is going to be about bringing in more people from diverse backgrounds, and then maintaining an equitable and inclusive environment," said Alkove, who is now providing independent advisory services around information security.

Companies such as Microsoft have also been aggressively expanding efforts in cybersecurity skilling, with the goal of helping to address both the talent and diversity gaps.

And yet, when it comes to the hiring process itself, many hiring managers continue to focus on job postings looking for "rock stars" in the cybersecurity field, said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf.

"They're really not thinking about how they're advertising, or how they're going about looking for the right people," he said. "People need to stop to think about what they're doing."

For instance, it's common for postings to ask for 10 years of experience — suggesting that employers are focused on luring a candidate who is comparable to the person who just left, rather than hiring someone with the potential to reach that level over time, McShane said.

Many hiring managers are also just copying cybersecurity job descriptions from other postings they see online, which perpetuates the issue, Buckwalter said. "It's the blind leading the blind," she said.

At the same time, those cybersecurity hiring managers need more guidance and more training resources, Buckwalter said.

Tapping the potential

But there's no way to bring in new, diverse cybersecurity talent without an entry-level path at more organizations. And for many employers, the needs of the moment — for security pros who can hit the ground running — take priority over hires who are promising, but green.

Some companies are showing that it can be done, however.

On the larger end of the business spectrum, Walmart has brought in numerous associates from other parts of the company to join its cybersecurity team over the years, said Rob Duhart Jr., vice president and deputy CISO at Walmart. And many have come from diverse backgrounds, as well as from a range of initial positions, from stocking shelves to working as a pharmacist, Duhart said.

While Walmart is not your typical company, many organizations do have employees with transferable skills working in other areas that could fill an entry-level cybersecurity role that came with training, according to Duhart.

"You can't have job descriptions that require 10 years of experience and a CISSP [certification] and a master's degree," he said. "You've got to be able to meet people where they are — and teach, coach and grow them."

Duhart said he encourages his peers to recognize that "to solve this problem in your organization, you have to start taking these risks — and you'll find that they really aren't risks at all. People are ready and passionate, and they understand what to do."

Smaller companies have found success with a similar approach. Cybersecurity firm Code42 has moved multiple employees from other parts of the business into cybersecurity, said Jadee Hanson, CISO and CIO at the company. Code42 has sponsored those employees, a group that has included both women and men, to get their CISSP certifications, Hanson said.

"If you find those people who show interest, and are really going to put in the time to understand the foundation of the space, they can absolutely be successful," she said.

Cybersecurity firm Cobalt has sought to bring in entry-level talent from multiple directions, meanwhile. Last year, a manager of a customer success team, Elle Johns, expressed an interest in cybersecurity and the company ended up moving her into a security program manager role, said Cobalt Chief Strategy Officer Caroline Wong. Johns is now a security staff project manager at Gong, a maker of sales acceleration software.

Cobalt also recently worked with Spark Mindset, which provides cybersecurity training for students from historically disadvantaged communities, to place an individual into an apprenticeship role at the company — with the goal of transitioning the person into a full-time role after a year, Wong said.

The notion that the cybersecurity talent gap is a supply problem is a myth, she said. Wong says her LinkedIn inbox is flooded with messages from people interested in the field and expressing a readiness to get the training and certifications they need.

"There are thousands of folks knocking at the door, willing to do anything" to get into cybersecurity, she said. But after getting the certifications they think they need, "they're applying to dozens of jobs and they're just getting rejected."

NextGen Cyber Talent, a nonprofit that provides cybersecurity training programs to underprivileged and underserved students, has been working to build out the pipeline of diverse candidates into cybersecurity. Of the 250 people that went through the program last year, 18% identified as African American and 12% identified as Hispanic or Latinx, said Krishnan Chellakarai, founder and chairman of NextGen Cyber Talent.

But when it comes to getting program graduates placed into jobs, the organization is running into the roadblock of a lack of entry-level roles. Just 20 of last year's graduates were placed into jobs or internships — a rate that NextGen Cyber Talent aims to improve for the 2022 class of graduates.

Hiring managers "still haven't changed their mindset" about requiring real-world experience for cybersecurity roles, said Chellakarai, who is also CISO at Gilead Sciences. To truly solve the security talent shortage, employers need to allocate a percentage of jobs that don't require experience or a college degree, he said.

"It doesn't need to be 5% or 10% — it could be 1%," Chellakarai said.

Breaking the barriers

Other programs for building the cybersecurity talent pipeline involve getting participants real-world experience. Ann Cleaveland, executive director of the Center for Long-Term Cybersecurity at UC Berkeley, said that the cybersecurity clinic model pioneered at the university gives students experience with providing security to under-resourced nonprofits.

"It does give those students the hands-on training," Cleaveland said. And for the students who've taken part in one of the clinics and gone on to a job in cybersecurity, "the clinic was seen as work experience," she said.

Technology could have a role to play in addressing the talent and diversity gap in cybersecurity, as well.

For instance, a better digital marketplace for matching prospective employees and employers in cybersecurity — something akin to a “Bumble for cyber” — could “change the dynamics,” said Dave DeWalt, the former CEO of FireEye and McAfee. DeWalt, who is now the founder and managing director of venture firm NightDragon, said work is underway on the idea at one of his firm’s portfolio companies, which is not being disclosed for now.

No matter what, much will still come down to the willingness of employers to create entry-level roles in cybersecurity.

But organizations that don't provide such roles are missing out in numerous ways, according to ByteChek's Yawn.

For one thing, achieving greater diversity and representation on a cybersecurity team through the addition of entry-level positions ultimately leads to better security outcomes, he said.

"You want diverse perspectives in this field," Yawn said. "When I'm in the room with people that have all come from different backgrounds, even though we're working on the same thing, the ideas that come out of that are next-level."

Employers that don't provide entry-level roles are also missing the opportunity to bring aboard hard-working talent like McLaren, who made major contributions to ByteChek's cloud security posture during his time at the startup, Yawn said.

Companies that open their doors to entry-level talent, he said, are "getting someone that's extremely hungry and extremely interested in this field — which is a really key part of being good at cybersecurity. You've got to actually care about this stuff."

Looking back on his experience, McLaren said it’s clear to him that to solve the cybersecurity talent gap, employers need to change their approach to staffing and hiring.

"I think within every cybersecurity budget there's enough room to hire an intern fresh out of school, pay them $20 an hour, where they can learn over the next three to six months how to do a particular task," McLaren said. "With how lucrative some of these [cybersecurity] positions are, that has to be within every budget."

But during his search, "that was not out there for me," he said. "And I felt [it was] by the grace of God that AJ was there for me, so I could get that from him."

Without that, McLaren said, "I'd probably be training people at LA Fitness."

