Cybersecurity teams need to fill jobs and improve diversity. They’ll need entry-level roles to get there.

As employers continue to grapple with the massive shortage in cybersecurity talent while also looking to increase diversity, a number of industry leaders said entry-level jobs are the missing piece.

After struggling to land a cybersecurity job, Nicholas McLaren (left) got his breakthrough after connecting with AJ Yawn (right), the founder and CEO of ByteChek. McLaren landed a job in cloud security at the startup and went on to earn a master's degree in cybersecurity.
Photo courtesy of AJ Yawn

Nicholas McLaren was starting to doubt he had a future in cybersecurity.

After receiving his bachelor's degree in information security from Georgia State University in the fall of 2019, McLaren was eager to land his first job. He had a passion for cybersecurity, and also wanted to show the opportunities that were available in the field to younger members of the Black community.

But accessing the opportunities himself was proving to be a challenge. And it didn't make sense. McLaren had heard so much about the cybersecurity talent shortage, and also about the need to increase the diversity and representation in the industry. But after applying to one cybersecurity job after another and getting no offers, "I kind of felt like I'd gotten played," he said.

The problem: Every employer was looking for someone with years of experience in security. True "entry-level" jobs were elusive.

McLaren was on the verge of giving up on cybersecurity and pursuing a career in personal training, another interest of his. But a LinkedIn message to a security startup founder led to his breakthrough. McLaren connected with AJ Yawn, the founder and CEO of compliance software firm ByteChek, who agreed to mentor him. The relationship led to McLaren landing an internship at the company and then, in late 2020, a job as a cloud security engineer.

Yawn “was willing to train me. And he was also willing to give me an opportunity to learn on the job," McLaren said.

That made all the difference. Following a productive stint at ByteChek, McLaren moved on and is now a senior cloud security engineer at Truist, one of the largest banks in the U.S. McLaren "quickly just turned into a monster on cloud security," Yawn said.

"There are so many people out there that are just like that — that have the baseline skills, that are willing and ready, but just are not getting the opportunity," he said.

There were a stunning 2.7 million unfilled jobs worldwide in information security as of 2021, according to cybersecurity professional organization (ISC)2. That's actually an improvement over 2020, when 3.1 million cybersecurity jobs were open. But it's also a sign that there still aren't nearly enough people to properly defend against intensifying cyber threats.

As employers continue to grapple with a massive shortage of cybersecurity talent, while also looking to increase the number of women and underrepresented minorities on their teams, a number of industry leaders told Protocol that entry-level jobs are the biggest missing piece.


Too many employers still put their energy into poaching talent from the same pool of the most-experienced people, rather than widening the pool, they said.

"The talent gap lives entirely in the minds of hiring managers in cybersecurity," said Naomi Buckwalter, a cybersecurity professional for two decades. She is now the founder and executive director of the Cybersecurity Gatebreakers Foundation, a nonprofit focused on helping to change hiring practices in the cybersecurity field.

"I've met so many high-potential candidates that just give up," Buckwalter said. "It's just demoralizing to get 'no' after 'no' after 'no.'"

Rethinking the approach

To see real change, employers need to rethink their cybersecurity staffing and hiring process, according to industry executives and nonprofit leaders.

In the U.S., the military is one of the only environments that will bring aboard people who lack real-world experience in cybersecurity and provide training in preparation for a role in the area.

Larry Whiteside Jr. says that if it wasn't for his background as an officer in the U.S. Air Force focused on cybersecurity, sticking it out as a security professional in the private sector would’ve been tough. After leaving the service in 2002 and joining the industry, "I had to go on my own for my first 10 years. I didn't have mentors. I didn't see anybody that looked like me," he said.

Today, after a private-sector cybersecurity career spanning two decades that's included numerous CISO roles, Whiteside is working to ensure that members of diverse communities don't need to have the same experience when entering the security field. He's now the co-founder and president of Cyversity, a nonprofit that offers programs aimed at improving representation for women and underrepresented minorities in cybersecurity.

But the talent and diversity gaps in security have a common root cause: Many hiring managers are still advertising open roles in the same places and in the same ways that they always have, Whiteside said. And then they wonder why they can't fill positions. "In essence, they are doing the same things and expecting different results," he said.

Ultimately, “when you look at [the talent gap], we've enabled this," Whiteside said. "We've created our own problem."

According to (ISC)2 findings, just 24% of cybersecurity jobs today are held by women. And in the U.S., 9% of roles in the cybersecurity workforce are held by workers who identify as Black or African American, while 4% of jobs in the field are held by workers who identify as Hispanic, (ISC)2 says — below the representation of those communities in the U.S. overall.

However, the pipeline of security talent coming out of universities today looks a lot more like the general population in terms of diversity, said Jim Alkove, formerly the chief trust officer at Salesforce.

Moving forward, "a significant part of addressing the talent gap is going to be about bringing in more people from diverse backgrounds, and then maintaining an equitable and inclusive environment," said Alkove, who is now providing independent advisory services around information security.

Companies such as Microsoft have also been aggressively expanding efforts in cybersecurity skilling, with the goal of helping to address both the talent and diversity gaps.

And yet, when it comes to the hiring process itself, many hiring managers continue to focus on job postings looking for "rock stars" in the cybersecurity field, said Ian McShane, vice president of strategy at cybersecurity firm Arctic Wolf.

"They're really not thinking about how they're advertising, or how they're going about looking for the right people," he said. "People need to stop to think about what they're doing."

For instance, it's common for postings to ask for 10 years of experience — suggesting that employers are focused on luring a candidate who is comparable to the person who just left, rather than hiring someone with the potential to reach that level over time, McShane said.

Many hiring managers are also just copying cybersecurity job descriptions from other postings they see online, which perpetuates the issue, Buckwalter said. "It's the blind leading the blind," she said.

At the same time, those cybersecurity hiring managers need more guidance and more training resources, Buckwalter said.

Tapping the potential

But there's no way to bring in new, diverse cybersecurity talent without an entry-level path at more organizations. And for many employers, the needs of the moment — for security pros who can hit the ground running — take priority over hires who are promising, but green.

Some companies are showing that it can be done, however.

On the larger end of the business spectrum, Walmart has brought in numerous associates from other parts of the company to join its cybersecurity team over the years, said Rob Duhart Jr., vice president and deputy CISO at Walmart. And many have come from diverse backgrounds, as well as from a range of initial positions, from stocking shelves to working as a pharmacist, Duhart said.

While Walmart is not your typical company, many organizations do have employees with transferable skills working in other areas that could fill an entry-level cybersecurity role that came with training, according to Duhart.

"You can't have job descriptions that require 10 years of experience and a CISSP [certification] and a master's degree," he said. "You've got to be able to meet people where they are — and teach, coach and grow them."

Duhart said he encourages his peers to recognize that "to solve this problem in your organization, you have to start taking these risks — and you'll find that they really aren't risks at all. People are ready and passionate, and they understand what to do."

Smaller companies have found success with a similar approach. Cybersecurity firm Code42 has moved multiple employees from other parts of the business into cybersecurity, said Jadee Hanson, CISO and CIO at the company. Code42 has sponsored those employees, a group that has included both women and men, to get their CISSP certifications, Hanson said.

"If you find those people who show interest, and are really going to put in the time to understand the foundation of the space, they can absolutely be successful," she said.

Cybersecurity firm Cobalt has sought to bring in entry-level talent from multiple directions, meanwhile. Last year, a manager of a customer success team, Elle Johns, expressed an interest in cybersecurity and the company ended up moving her into a security program manager role, said Cobalt Chief Strategy Officer Caroline Wong. Johns is now a security staff project manager at Gong, a maker of sales acceleration software.

Cobalt also recently worked with Spark Mindset, which provides cybersecurity training for students from historically disadvantaged communities, to place an individual into an apprenticeship role at the company — with the goal of transitioning the person into a full-time role after a year, Wong said.

The notion that the cybersecurity talent gap is a supply problem is a myth, she said. Wong says her LinkedIn inbox is flooded with messages from people interested in the field and expressing a readiness to get the training and certifications they need.

"There are thousands of folks knocking at the door, willing to do anything" to get into cybersecurity, she said. But after getting the certifications they think they need, "they're applying to dozens of jobs and they're just getting rejected."

NextGen Cyber Talent, a nonprofit that provides cybersecurity training programs to underprivileged and underserved students, has been working to build out the pipeline of diverse candidates into cybersecurity. Of the 250 people that went through the program last year, 18% identified as African American and 12% identified as Hispanic or Latinx, said Krishnan Chellakarai, founder and chairman of NextGen Cyber Talent.

But when it comes to getting program graduates placed into jobs, the organization is running into the roadblock of a lack of entry-level roles. Just 20 of last year's graduates were placed into jobs or internships — a rate that NextGen Cyber Talent aims to improve for the 2022 class of graduates.

Hiring managers "still haven't changed their mindset" about requiring real-world experience for cybersecurity roles, said Chellakarai, who is also CISO at Gilead Sciences. To truly solve the security talent shortage, employers need to allocate a percentage of jobs that don't require experience or a college degree, he said.

"It doesn't need to be 5% or 10% — it could be 1%," Chellakarai said.

Breaking the barriers

Other programs for building the cybersecurity talent pipeline involve getting participants real-world experience. Ann Cleaveland, executive director of the Center for Long-Term Cybersecurity at UC Berkeley, said that the cybersecurity clinic model pioneered at the university gives students experience with providing security to under-resourced nonprofits.

"It does give those students the hands-on training," Cleaveland said. And for the students who've taken part in one of the clinics and gone on to a job in cybersecurity, "the clinic was seen as work experience," she said.

Technology could have a role to play in addressing the talent and diversity gap in cybersecurity, as well.

For instance, a better digital marketplace for matching prospective employees and employers in cybersecurity — something akin to a “Bumble for cyber” — could “change the dynamics,” said Dave DeWalt, the former CEO of FireEye and McAfee. DeWalt, who is now the founder and managing director of venture firm NightDragon, said work is underway on the idea at one of his firm’s portfolio companies, which is not being disclosed for now.

No matter what, much will still come down to the willingness of employers to create entry-level roles in cybersecurity.

But organizations that don't provide such roles are missing out in numerous ways, according to ByteChek's Yawn.

For one thing, achieving greater diversity and representation on a cybersecurity team through the addition of entry-level positions ultimately leads to better security outcomes, he said.

"You want diverse perspectives in this field," Yawn said. "When I'm in the room with people that have all come from different backgrounds, even though we're working on the same thing, the ideas that come out of that are next-level."

Employers that don't provide entry-level roles are also missing the opportunity to bring aboard hard-working talent like McLaren, who made major contributions to ByteChek's cloud security posture during his time at the startup, Yawn said.

Companies that open their doors to entry-level talent, he said, are "getting someone that's extremely hungry and extremely interested in this field — which is a really key part of being good at cybersecurity. You've got to actually care about this stuff."

Looking back on his experience, McLaren said it’s clear to him that to solve the cybersecurity talent gap, employers need to change their approach to staffing and hiring.

"I think within every cybersecurity budget there's enough room to hire an intern fresh out of school, pay them $20 an hour, where they can learn over the next three to six months how to do a particular task," McLaren said. "With how lucrative some of these [cybersecurity] positions are, that has to be within every budget."

But during his search, "that was not out there for me," he said. "And I felt [it was] by the grace of God that AJ was there for me, so I could get that from him."

Without that, McLaren said, "I'd probably be training people at LA Fitness."

