Nicholas McLaren was starting to doubt he had a future in cybersecurity.
After receiving his bachelor's degree in information security from Georgia State University in the fall of 2019, McLaren was eager to land his first job. He had a passion for cybersecurity, and also wanted to show the opportunities that were available in the field to younger members of the Black community.
But accessing the opportunities himself was proving to be a challenge. And it didn't make sense. McLaren had heard so much about the cybersecurity talent shortage, and also about the need to increase the diversity and representation in the industry. But after applying to one cybersecurity job after another and getting no offers, "I kind of felt like I'd gotten played," he said.
The problem: Every employer was looking for someone with years of experience in security. True "entry-level" jobs were elusive.
McLaren was on the verge of giving up on cybersecurity and pursuing a career in personal training, another interest of his. But a LinkedIn message to a security startup founder led to his breakthrough. McLaren connected with AJ Yawn, the founder and CEO of compliance software firm ByteChek, who agreed to mentor him. The relationship led to McLaren landing an internship at the company and then, in late 2020, a job as a cloud security engineer.
Yawn "was willing to train me. And he was also willing to give me an opportunity to learn on the job," McLaren said.
That made all the difference. Following a productive stint at ByteChek, McLaren moved on and is now a senior cloud security engineer at Truist, one of the largest banks in the U.S. McLaren "quickly just turned into a monster on cloud security," Yawn said.
"There are so many people out there that are just like that — that have the baseline skills, that are willing and ready, but just are not getting the opportunity," he said.
There were a stunning 2.7 million unfilled jobs worldwide in information security as of 2021, according to cybersecurity professional organization (ISC)2. That's actually an improvement over 2020, when 3.1 million cybersecurity jobs were open. But it's also a sign that there still aren't nearly enough people to properly defend against intensifying cyber threats.
As employers continue to grapple with a massive shortage of cybersecurity talent, while also looking to increase the number of women and underrepresented minorities on their teams, a number of industry leaders told Protocol that entry-level jobs are the biggest missing piece.
Too many employers still put their energy into poaching talent from the same pool of the most-experienced people, rather than widening the pool, they said.
"The talent gap lives entirely in the minds of hiring managers in cybersecurity," said Naomi Buckwalter, a cybersecurity professional for two decades. She is now the founder and executive director of the Cybersecurity Gatebreakers Foundation, a nonprofit focused on helping to change hiring practices in the cybersecurity field.
"I've met so many high-potential candidates that just give up," Buckwalter said. "It's just demoralizing to get 'no' after 'no' after 'no.'"
Rethinking the approach
To see real change, employers need to rethink their cybersecurity staffing and hiring process, according to industry executives and nonprofit leaders.
In the U.S., the military is one of the only environments that will bring aboard people who lack real-world experience in cybersecurity and provide training in preparation for a role in the area.
Larry Whiteside Jr. says that if it wasn't for his background as an officer in the U.S. Air Force focused on cybersecurity, sticking it out as a security professional in the private sector would’ve been tough. After leaving the service in 2002 and joining the industry, "I had to go on my own for my first 10 years. I didn't have mentors. I didn't see anybody that looked like me," he said.
Today, after a private-sector cybersecurity career spanning two decades that's included numerous CISO roles, Whiteside is working to ensure that members of diverse communities don't need to have the same experience when entering the security field. He's now the co-founder and president of Cyversity, a nonprofit that offers programs aimed at improving representation for women and underrepresented minorities in cybersecurity.
But the talent and diversity gaps in security have a common root cause: Many hiring managers are still advertising open roles in the same places and in the same ways that they always have, Whiteside said. And then they wonder why they can't fill positions. "In essence, they are doing the same things and expecting different results," he said.
Ultimately, "when you look at [the talent gap], we've enabled this," Whiteside said. "We've created our own problem."
According to (ISC)2 findings, just 24% of cybersecurity jobs today are held by women. And in the U.S., 9% of roles in the cybersecurity workforce are held by workers who identify as Black or African American, while 4% of jobs in the field are held by workers who identify as Hispanic, (ISC)2 says — below the representation of those communities in the U.S. overall.
However, the pipeline of security talent coming out of universities today looks a lot more like the general population in terms of diversity, said Jim Alkove, formerly the chief trust officer at Salesforce.
Moving forward, "a significant part of addressing the talent gap is going to be about bringing in more people from diverse backgrounds, and then maintaining an equitable and inclusive environment," said Alkove, who is now providing independent advisory services around information security.
Companies such as Microsoft have also been aggressively expanding efforts in cybersecurity skilling, with the goal of helping to address both the talent and diversity gaps.
And yet, when it comes to the hiring process itself, many hiring managers continue to focus on job postings looking for "rock stars" in the cybersecurity field, said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf.
"They're really not thinking about how they're advertising, or how they're going about looking for the right people," he said. "People need to stop to think about what they're doing."
For instance, it's common for postings to ask for 10 years of experience — suggesting that employers are focused on luring a candidate who is comparable to the person who just left, rather than hiring someone with the potential to reach that level over time, McShane said.
Many hiring managers are also just copying cybersecurity job descriptions from other postings they see online, which perpetuates the issue, Buckwalter said. "It's the blind leading the blind," she said.
At the same time, those cybersecurity hiring managers need more guidance and more training resources, Buckwalter said.
Tapping the potential
But there's no way to bring in new, diverse cybersecurity talent without an entry-level path at more organizations. And for many employers, the needs of the moment — for security pros who can hit the ground running — take priority over hires who are promising, but green.
Some companies are showing that it can be done, however.
On the larger end of the business spectrum, Walmart has brought in numerous associates from other parts of the company to join its cybersecurity team over the years, said Rob Duhart Jr., vice president and deputy CISO at Walmart. And many have come from diverse backgrounds, as well as from a range of initial positions, from stocking shelves to working as a pharmacist, Duhart said.
While Walmart is not your typical company, many organizations do have employees with transferable skills working in other areas that could fill an entry-level cybersecurity role that came with training, according to Duhart.
"You can't have job descriptions that require 10 years of experience and a CISSP [certification] and a master's degree," he said. "You've got to be able to meet people where they are — and teach, coach and grow them."
Duhart said he encourages his peers to recognize that "to solve this problem in your organization, you have to start taking these risks — and you'll find that they really aren't risks at all. People are ready and passionate, and they understand what to do."
Smaller companies have found success with a similar approach. Cybersecurity firm Code42 has moved multiple employees from other parts of the business into cybersecurity, said Jadee Hanson, CISO and CIO at the company. Code42 has sponsored those employees, a group that has included both women and men, to get their CISSP certifications, Hanson said.
"If you find those people who show interest, and are really going to put in the time to understand the foundation of the space, they can absolutely be successful," she said.
Cybersecurity firm Cobalt has sought to bring in entry-level talent from multiple directions, meanwhile. Last year, a manager of a customer success team, Elle Johns, expressed an interest in cybersecurity and the company ended up moving her into a security program manager role, said Cobalt Chief Strategy Officer Caroline Wong. Johns is now a security staff project manager at Gong, a maker of sales acceleration software.
Cobalt also recently worked with Spark Mindset, which provides cybersecurity training for students from historically disadvantaged communities, to place an individual into an apprenticeship role at the company — with the goal of transitioning the person into a full-time role after a year, Wong said.
The notion that the cybersecurity talent gap is a supply problem is a myth, she said. Wong says her LinkedIn inbox is flooded with messages from people interested in the field and expressing a readiness to get the training and certifications they need.
"There are thousands of folks knocking at the door, willing to do anything" to get into cybersecurity, she said. But after getting the certifications they think they need, "they're applying to dozens of jobs and they're just getting rejected."
NextGen Cyber Talent, a nonprofit that provides cybersecurity training programs to underprivileged and underserved students, has been working to build out the pipeline of diverse candidates into cybersecurity. Of the 250 people that went through the program last year, 18% identified as African American and 12% identified as Hispanic or Latinx, said Krishnan Chellakarai, founder and chairman of NextGen Cyber Talent.
But when it comes to getting program graduates placed into jobs, the organization is running into the roadblock of a lack of entry-level roles. Just 20 of last year's graduates were placed into jobs or internships — a rate that NextGen Cyber Talent aims to improve for the 2022 class of graduates.
Hiring managers "still haven't changed their mindset" about requiring real-world experience for cybersecurity roles, said Chellakarai, who is also CISO at Gilead Sciences. To truly solve the security talent shortage, employers need to allocate a percentage of jobs that don't require experience or a college degree, he said.
"It doesn't need to be 5% or 10% — it could be 1%," Chellakarai said.
Breaking the barriers
Other programs for building the cybersecurity talent pipeline involve getting participants real-world experience. Ann Cleaveland, executive director of the Center for Long-Term Cybersecurity at UC Berkeley, said that the cybersecurity clinic model pioneered at the university gives students experience with providing security to under-resourced nonprofits.
"It does give those students the hands-on training," Cleaveland said. And for the students who've taken part in one of the clinics and gone on to a job in cybersecurity, "the clinic was seen as work experience," she said.
Technology could have a role to play in addressing the talent and diversity gap in cybersecurity, as well.
For instance, a better digital marketplace for matching prospective employees and employers in cybersecurity — something akin to a "Bumble for cyber" — could "change the dynamics," said Dave DeWalt, the former CEO of FireEye and McAfee. DeWalt, who is now the founder and managing director of venture firm NightDragon, said work is underway on the idea at one of his firm's portfolio companies, which is not being disclosed for now.
No matter what, much will still come down to the willingness of employers to create entry-level roles in cybersecurity.
But organizations that don't provide such roles are missing out in numerous ways, according to ByteChek's Yawn.
For one thing, achieving greater diversity and representation on a cybersecurity team through the addition of entry-level positions ultimately leads to better security outcomes, he said.
"You want diverse perspectives in this field," Yawn said. "When I'm in the room with people that have all come from different backgrounds, even though we're working on the same thing, the ideas that come out of that are next-level."
Employers that don't provide entry-level roles are also missing the opportunity to bring aboard hard-working talent like McLaren, who made major contributions to ByteChek's cloud security posture during his time at the startup, Yawn said.
Companies that open their doors to entry-level talent, he said, are "getting someone that's extremely hungry and extremely interested in this field — which is a really key part of being good at cybersecurity. You've got to actually care about this stuff."
Looking back on his experience, McLaren said it’s clear to him that to solve the cybersecurity talent gap, employers need to change their approach to staffing and hiring.
"I think within every cybersecurity budget there's enough room to hire an intern fresh out of school, pay them $20 an hour, where they can learn over the next three to six months how to do a particular task," McLaren said. "With how lucrative some of these [cybersecurity] positions are, that has to be within every budget."
But during his search, "that was not out there for me," he said. "And I felt [it was] by the grace of God that AJ was there for me, so I could get that from him."
Without that, McLaren said, "I'd probably be training people at LA Fitness."