Yesterday, the Aspen Cybersecurity Group announced an effort to reduce the recruiting red tape that prevents capable workers from entering the cybersecurity talent pipeline. Specifically, 15 major employers – including Apple, IBM, and Facebook – announced they would trim requirements from cybersecurity job descriptions that unnecessarily reduce the candidate pool and deter workers from diverse backgrounds from applying.
For the past six years, Burning Glass Technologies has been tracking the cybersecurity talent shortage. We have found that one of the biggest barriers to building the cybersecurity workforce is that employers are asking too much, requesting levels of education, experience, and credentials that few candidates possess. Therefore, having some of the world’s largest, most prestigious employers step back from such heightened requirements is a tremendous step in the right direction.
To underscore the issue, our recent report on the cybersecurity workforce found that over 80% of cybersecurity job openings request at least a bachelor’s degree, and over 80% of cybersecurity job openings request at least 3-5 years of previous experience. The Aspen Cybersecurity Group argues that the bachelor’s degree requirements disqualify up to 50% of the available talent pool.
Similarly, CyberSeek.org – which Burning Glass developed in partnership with CompTIA and the National Initiative for Cybersecurity Education (NICE) – shows that many of the major cybersecurity certifications are requested in more job openings than there are workers possessing those credentials in the entire country. Requirements such as these reduce the cybersecurity candidate pool, increase hiring difficulty and cost, and severely limit our ability to counter the already overwhelming threats to our most sensitive digital information.
While this initiative is indeed positive, it doesn’t come without risks. The desire to hire the best people to protect our most valuable data rests on sound logic, so standards will always be necessary. The trick, in our view, is to use a scalpel, not a sledgehammer. If these firms can pinpoint the specific skills and credentials that lead to the least benefit and the greatest hiring headaches, they can more effectively prioritize which requirements to strike.
For example, CISSP is the most required cybersecurity certification in the market, with close to 80,000 openings calling for it every year. However, there are only about 75,000 CISSP holders in the entire country, so it is mathematically impossible to fill all these jobs. CISSP also comes with an average salary premium of over $15,000, so employers can dramatically reduce their hiring difficulty and cost by removing it from their requirements.
Once employers identify the skill sets and credentials that are hardest and most expensive to hire for, they can also build more targeted training programs to help internal workers grow into their hardest-to-fill cybersecurity positions. Some of the best cybersecurity candidates may be right under an employer’s nose, hiding in plain sight within their organization. If more employers map the skill overlaps and gaps between cybersecurity jobs and skill-adjacent jobs, they can fill these jobs with internal hires, improving workers’ time-to-competency and increasing internal mobility and retention.
Now that major employers are embracing the need to build smarter, more targeted job descriptions, our hope is that their peers will follow suit. We also hope that these firms are able to effectively track the impact of these new initiatives – through metrics such as reduced time to fill, growth in job applicants, and increased retention – to make the case for these changes even more compelling. Building our cybersecurity talent pipeline by reducing unnecessary barriers to entry and making the field more inclusive of new populations is not only commendable, but necessary. The lack of cybersecurity talent is one of the greatest threats facing our personal and national security as we enter the digital economy. We look forward to seeing more companies develop innovative solutions to this challenge.
Will Markow is the Manager of Client Strategy and Analytics at Burning Glass Technologies, where he leads Burning Glass’s research into emerging job market trends, skill gaps, and workforce development opportunities. Will is also an internationally recognized commentator on the cybersecurity talent shortage and, in partnership with CompTIA and the National Initiative for Cybersecurity Education, leads the development of CyberSeek.org, an interactive online tool providing definitive data on the cybersecurity workforce across the United States.