There is undoubtedly a substantial gap in available cybersecurity personnel to fill the existing open positions, and most researchers believe this gap is only going to grow without a significant change in how personnel are recruited into and retained within the field. With the growing challenges of finding suitable cyberworkforce recruits, organizations must analyze and understand the current workforce composition. Minorities comprise 26 percent of the cybersecurity workforce and only 21 percent of the overall workforce.1 This is a key demographic that warrants further research to develop methods to recruit more minorities into the field. Much of the existing body of research also fails to explore the effective sources of cybersecurity personnel or what skills other than technical are good indicators of success. The US workforce does not mirror the adult population at large, as neurodiverse US citizens are underrepresented in the workforce and, specifically, in cybersecurity.
The term “neurodiversity” acknowledges that humans have neurological differences and, rather than categorize people into normal and not normal groupings, it is more appropriate to think of the differences as being along a spectrum. Just as autism is typically discussed in this fashion, all cognitive abilities are on a similar scale or spectrum. Why does the workforce appear so noninclusive of the full spectrum of neuroabilities that exist in the real world?
Literature Review
There is a plethora of information on the technical skill sets that effective cybersecurity workforce members should possess; however, these technical skill sets often omit other factors that make a person a good candidate even if they do not possess the technical skill set. Neurodiversity is a competitive advantage that should be leveraged by the cybersecurity field.2 Among the top reasons for the lack of neurodiversity is a cultural gap rather than a skills gap. Someone on the autism spectrum could be just as capable at filling cybersecurity roles as anyone else, however, it is the stigma that prevents them from obtaining positions.
Several core social theories have been assessed on how they could be applied to the cybersecurity workforce.3 These types of studies can be used to help focus recruitment efforts and assist in developing the type of incentive programs that are best to recruit, retain and train the cybersecurity workforce. A study on gender inequality in science, technology, engineering and mathematics (STEM) education reported that in most countries reviewed, boys scored higher than girls in these academic areas. The study also found that boys reported higher interest and enjoyment in STEM-related educational courses.4
Research on computational design explains that although system architects are empathetic toward the needs of others, they do not understand the needs of a neurodiverse user base. This effectively creates barriers and exclusionary systems for those with neurodivergent minds.5
Women and Minority Representation
The United States has a rapidly expanding minority population, yet these minorities are often underrepresented in key aspects of the workforce. Although women comprise approximately 50 percent of the US population and approximately the same percentage of college students, they only make up 33 percent of STEM educational programs.6 Women make up a smaller percentage of STEM college programs, while boys express more interest in STEM education and eventually score better in STEM courses and have higher representation in college programs.7 This alone might lead one to believe that there is little reason to increase the recruitment of women in cybersecurity, but that is not the case. However, it also implies that earlier engagement with young girls to increase their interest in STEM will likely increase their affinity and, subsequently, increase their participation.
Although African American and Hispanic people make up approximately 13 percent and 17 percent of the US population respectively, their representation in STEM fields is less than 10 percent and has remained relatively constant for nearly a decade. Approximately 30 percent of African Americans with STEM doctoral degrees in the United States received their bachelor’s degree from a historically black college or university (HBCU). This point is further accentuated by the fact that only about 9 percent of African Americans attend HBCUs.8 Similar to the discussion of young girls’ lack of interest in STEM, the concentration of African Americans in STEM while in the more accommodating environment of an HBCU offers some opportunities to develop programs to encourage minority participation in cybersecurity.
Neurodiversity
Research indicates that many organizations have started programs to develop a more diverse workplace that is inclusive of neurocapabilities across a larger portion of the spectrum; however, most have failed.9 Failures are often due to a lack of training, education and understanding from managers and enterprise cultures. One researcher developed a program to recruit neurodiverse workers for hard-to-fill positions such as IT quality controls, software testing and analytics.10 The program has been extremely successful, and one of the keys to success has been the education of the existing staff on communications. The results from one pilot program indicated that autistic employees who participated were 48 percent more productive than other employees.11 Subsequent programs showed even more promising results, possibly because, often, people on the autism spectrum are naturally able to see things logically and identify patterns.
Neurodivergent individuals such as those on the autism spectrum can be affected by an environment that fluctuates.12 In essence, those on the autism spectrum are more capable of noticing changing environmental factors, while those who are not frequently are less aware. This theory might explain why neurodivergent individuals are able to identify anomalies more easily than the general population.
"THE UNITED STATES HAS A RAPIDLY EXPANDING MINORITY POPULATION, YET THESE MINORITIES ARE OFTEN UNDERREPRESENTED IN KEY ASPECTS OF THE WORKFORCE."
Other industries are also seeing the immense value of a neurodiverse workforce. Ernst and Young (EY), an accounting firm, has five Neurodiversity Centers of Excellence worldwide.13 EY’s Nashville, Tennessee, USA, program opened in 2019, and the director emphasizes that it is not a philanthropy program but rather a business-driven program that helps the company recruit and retain talent who are able to approach technological programs in a different manner. A Canadian report suggests that one in 68 children born in the country are on the autism spectrum, 80 percent of whom are unemployed or underemployed in adulthood.14
Personality of Cybersecurity
The Big Five Personality Traits model, or five-factor model (FFM), (figure 1) contends that there are five key characteristics that can help align specific personality types with cybersecurity workforce roles. The five characteristics are extroversion, agreeableness, conscientiousness, emotional stability and openness to experience. Together these factors may be able to help identify specific personality types that tend to excel in cybersecurity.15
The RIASEC model (figure 2) is used to evaluate organizations and consists of six work or environmental types: realistic, investigative, artistic, social, enterprising and conventional.16
Realistic individuals thrive in positions where there is systematic manipulation of machines, tools and animals, while investigative types are people who are naturally curious and methodical and excel when precision is required. Artistic individuals are most successful in organizations that allow creativity and expression, and social individuals thrive in organizations with high degrees of helping others and few systematic activities. Enterprising individuals excel at the use of persuasion, and conventional individuals excel at systematic manipulation of data rather than of machines, as in the case of realist personality types.17
Researchers propose six specific traits that could be used to select personnel within the cyberdomain:18
- Systemic thinkers—People who can see beyond what is immediately in front of them. The cyberdomain is extremely complex and involves understanding how actions in one area can affect activities in another.
- Team players—Those with the ability to work with a diverse group of cybersecurity personnel to achieve shared objectives. No one person can truly be an expert in all areas, so having the ability to work well with others as part of a team is a key trait that organizations should recruit and foster within their workforce.
- Technical and social skills—Those with the ability to understand cybersecurity topics from the perspective of the standard user and the capability to communicate in a manner that can be understood by laymen is an extremely beneficial skill set. Technical and social skills are areas that have extensive research; however, it is more heavily focused on the technical skills.
- Civic duty—This trait has long been understood by the US military, but it is not as common in enterprise settings. Cybersecurity workforce personnel need to have a strong sense of loyalty to the organization and to the country..
- Continued learning—People with this trait acknowledge the rapid change in the cyberdomain and understand the need to constantly stay current on the latest vulnerabilities and technologies.
- Communication—Much like the social trait, people with this trait have the ability to translate highly technical information into a format that is easily understood by nontechnical staff and senior leadership.19
"THE INTERNATIONAL DEMAND FOR CYBERSECURITY PERSONNEL CONTINUES TO GROW, AND ANY COMPETITIVE EDGE IN SELECTION AND RECRUITING COULD HELP AN ORGANIZATION COMPETE FOR A SMALL POOL OF ELIGIBLE CANDIDATES."
One expansive study of participants in a cybersecurity competition was conducted to profile the group for recruitment purposes. The study found that the participants scored highest in categories such as openness, investigative interests and rational decision-making.20 Another demonstration of the use of the FFM for the identification of ideal cybersecurity personalities can be found by researchers who set out to prove several hypotheses related to FFM personality types and their correlation to cybersecurity top performers. The key hypotheses researched were if top cybersecurity personnel had higher levels of conscientiousness, openness and agreeability. The team also hypothesized that the cybersecurity top performers would have lower levels of extroversion and neuroticism and would place less emphasis on social and political values. The results of the study were mixed, indicating that the correlation for top performers with higher levels of conscientiousness and openness was supported by the evidence, though the hypotheses for lower extroversion and agreeableness were not.21 Although the results in no way indicate a perfect selection process for cybersecurity personnel, it does show a strong correlation between FFM personality types and successful cybersecurity professionals. The international demand for cybersecurity personnel continues to grow, and any competitive edge in selection and recruiting could help an organization compete for a small pool of eligible candidates.
Conclusion
An abundance of research exists on the reasons behind the large and rapidly expanding gap in cybersecurity personnel and the vacant positions left unfilled due to the lack of qualified candidates; however, little exists in how best to quantify people that could fill the open roles. The shortage of cybersecurity personnel is not isolated to any one country or region, and the disparity among women, minorities and neurodiversity is a concern across the globe. Research shows that women and minorities should be engaged through early intervention programs to increase their representation in STEM programs. In particular, for example, STEM programs at HBCUs have a higher percentage of minorities represented than typical post-secondary institutions. There is untapped potential to create a neurodiverse workforce, including initiatives to recruit cybersecurity workforce personnel on the autism spectrum. Theories on specific traits of effective cybersecurity workforce professionals have been studied by several researchers and have proven to be an effective tool to help identify candidates with the right personality traits. These topics can assist global cybersecurity leaders with the development of workforce recruitment and retention programs as they attempt to fill the ever-growing vacant cybersecurity workforce positions and remain competitive in the rapidly growing marketplace.
Cybersecurity leaders worldwide should evaluate whether implementing some of the solutions outlined here can aid them in filling critical vacancies in their organizations. These programs should not be thought of as charity or simply methods to diversify the workforce. Any initiatives should be thought of as reaching potential workforce candidates who see problems in new ways and can help develop unique solutions to common problems.
Endnotes
1 Reed, J.; J. Acosta-Rubio; Innovation Through Inclusion: The Multicultural Cybersecurity Workforce, An (ISC)2 Global Information Security Workforce Study, Frost and Sullivan, USA, 2018, http://www.isc2.org/-/media/Files/Research/Innovation-Through-Inclusion-Report.ashx
2 Curry, S.; “Neurodiversity: A Competitive Advantage in Cybersecurity,” Forbes, 13 May 2019, http://www.forbes.com/sites/samcurry/2019/05/13/neurodiversity-a-competitive-advantage-in-cybersecurity/?sh=3495ac406265
3 Dawson, J.; R. Thomson; “The Future Cybersecurity Workforce: Going Beyond Technical Skills for Successful Cyber Performance,” Frontiers in Psychology, 2018
4 Stoet, G.; D. C. Geary; “The Gender-Equality Paradox in Science, Technology, Engineering, and Mathematics Education,” Psychological Science, vol. 29, iss. 4, 2018, p. 581–593
5 Ahlquist, S.; “Negotiating Human Engagement and the Fixity of Computational Design: Toward a Performative Design Space for the Differently-Abled Bodymind,” International Journal of Architectural Computing, vol. 18, iss. 2, 2020, 174–193
6 Burrell, D. N.; C. Nobles; Recommendations to Develop and Hire More Highly Qualified Women and Minorities Cybersecurity Professionals, International Conference on Cyber Warfare and Security, USA, 2018, http://www.proquest.com/openview/99f1a60bdad6b94a26f6d7357b879175/%201?pq-origsite=gscholar&cbl=396500
7 Op cit Stoet and Geary
8 Morris, V. R.; T. M. Washington; “The Role of Professional Societies in STEM Diversity,” Notices of the American Mathematical Society, 65, iss. 2, 2018, p. 149–155
9 Shein, E.; “Hiring From the Autism Spectrum,” Communications of the ACM, vol. 63, iss. 6, 2020, p. 17–19
10 Ibid.
11 Ibid.
12 Op cit Ahlquist
13 McGee, J.; “This Is Not Philanthropy: How EY In Nashville Is Turning to Those With Autism and Neurodiversity to Boost Innovation,” Tennessean, 5 May 2020, http://www.tennessean.com/story/money/2020/05/05/ey-boosting-innovation-neurodiversity-nashville/2968935001/
14 Simpson, C; “Autism in the Workplace,” Huffpost, 5 April 2017, http://www.huffpost.com/entry/autism-in-the-workplace_b_58e353c1e4b09dbd42f3da09
15 Op cit Dawson
16 Ibid.
17 Barrick, M. R.; M. K. Mount; R. Gupta; “Meta-Analysis of the Relationship Between the Five-Factor Model of Personality and Holland’s Occupational Types,” Personnel Psychology, vol. 56, iss. 1, 2003, p. 45–74
18 Op cit Dawson
19 Ibid.
20 Bashir, M.; C. Wee; N. D. Memon; B. Guo; “Profiling Cybersecurity Competition Participants: Self-Efficacy, Decision-Making and Interests Predict Effectiveness of Competitions as a Recruitment Tool,” Computers and Security, vol. 65, 2016, p. 153–165
21 Shropshire, J.; A. Gowan; “Identifying Traits and Values of Top-Performing Information Security Personnel,” The Journal of Computer Information Systems, vol. 57, iss. 3, 2016, p. 258-268