Cyber Workforce Development/Alignment: Results of a Qualitative Study — by Dr. Michael Saylor

CYBER WORKFORCE DEVELOPMENT QUANTITATIVE STUDY_THUMBNAILDOWNLOAD PDF OF DR. SAYLOR’S STUDY

OVERVIEW

The rising risk of cybersecurity threats in U.S. organizations is worsened by a global shortage of qualified professionals. The results of Dr. Mike Saylor’s study detail how hiring practices and qualification requirements contribute to the workforce gap using the National Initiative for Cybersecurity Education (NICE) framework.

Through interviews and questionnaires with hiring organizations and job applicants, Dr. Saylor identified two key issues: (1) the need for standardized job role definitions aligned with higher education, and (2) the importance of mentorships, internships, and career pathway planning. Addressing these gaps is essential to strengthening the cybersecurity workforce.

FINDINGS

  1. Absence of a standard for defining cybersecurity job role descriptions and KSA criteria found in 100% of the responses from participants.
  2. Lack of a standard for defining job roles is also complicit in the misalignment of job-related qualifications, specifically years of job-related experience -80% of participants.
  3. 100% of participating hiring organizations’ entry-level job postings required at least two years of experience, reportedly because they thought it was standard not because it was an accurate qualification.
  4. 0% of participants were familiar with a cybersecurity workforce standard or framework.
  5. 80% of hiring organization felt their education and experience requirements were inaccurate or misaligned due to improper role definition.
  6. 80% of hiring organizations felt that cybersecurity job experience was more valuable and qualifying than education and certification. (ISC2 study found that < 30% found value in Cyber degrees).
  7. 90% of all participants felt that cybersecurity degree programs are inconsistent in design and lack a standard for ensuring consistent requirements for fundamentals that apply to cybersecurity in general.
  8. 0% of hiring organizations used an alternate method for screening applicants that do not match posted qualifications.
  9. 100% of hiring organizations felt the screening process for cybersecurity jobs in their organization was ineffective at finding the right resource for the job.
  10. 80% of hiring organizations felt their cybersecurity job postings contained inaccurate and or misaligned job role descriptions and qualifications, resulting in overlooking an otherwise qualified candidate.
  11. 100% of hiring organizations stated that they primarily rely on automated filters to screen applicants.
  12. 0% of hiring organizations used an alternate method for screening applicants that do not match posted qualifications.
  13. 100% of hiring organizations felt the screening process for cybersecurity jobs in their organization was ineffective at finding the right resource for the job.
  14. 80% of hiring organizations felt their cybersecurity job postings contained inaccurate and or misaligned job role descriptions and qualifications, resulting in overlooking an otherwise qualified candidate.
  15. 100% of hiring organizations stated that they primarily rely on automated filters to screen applicants.
  16. 100% of job applicants stated they did not receive feedback from hiring organizations with regard totheir application to a cybersecurity position.
  17. 100% of job seeker participants did not feel confident in the hiring process, specifically the screening process where their credentials are scanned for alignment with what is commonly a misaligned job description and minimum qualifications.
  18. 80% of participants’ hiring process did not include a formal analysis of internal need and or the process did not seek to align the role objectives submitted by hiring managers with a standard cybersecurity job role definition.

IMPLICATIONS

  1. The relationship between the level of experience required by hiring organizations and the level of experience reported by job applicants was found to be both inconsistent and misaligned, as well as overwhelmingly viewed as an inaccurate attribute of an ineffective hiring process.
  2. Cybersecurity-related job experience was valued significantly higher than cybersecurity-related education, yet both were typically defined as minimum requirements for entry-level cybersecurity jobs.
  3. Hiring organizations did not have an alternative screening process to further evaluate job applicants that did not meet the posted minimum qualifications for cybersecurity jobs.
  4. There is a lack of confidence in the hiring process for cybersecurity jobs, beginning with a hiring organization’s understanding and definition of the needed role and associated qualifications and extending to the screening and interviewing of job seeker candidates.

RECOMMENDATIONS

1. Implement a standard for defining the cybersecurity workforce, using a common language to define job roles and Knowledge-Skills-Abilities (KSAs), and establishing continuity between hiring organizations and job candidates in how they describe their respective expectations and qualifications.

A. Hiring organizations must first implement the standard within their hiring procedures to define the job role, objectives, and KSAs (the demand), resulting in:
i. Alignment of job needs with standard role definitions and KSAs.
ii. Improved applicant screening process
iii. Support for internal career development programs
iv. Demand-based influence on higher education to implement a standards-based curriculum

B. Job seekers must become familiar with the standard
i. Raising awareness of cybersecurity job roles and specialties and related KSAs
ii. Aids in career path planning and progression
iii. Aligns applicant KSAs with job postings

2. Establish an alignment of the standard among hiring organizations, education and training programs, and opportunities for internships or apprenticeships.

A. Higher-education degree objectives and outcomes must align with the standard for roles and KSAs that translate directly to the jobs at hiring organizations .
i. Creating clarity for job seekers and students regarding cybersecurity jobs and careers.

B. Higher-education degree programs must create opportunities for students to apply their knowledge through internships and apprenticeship programs established with community organizations.
i. Obtaining referenceable experience towards entry-level employment.
ii. Opportunities to demonstrate the application of knowledge and skills obtained.

C. Establish mentorship programs through cybersecurity industry associations, based on the NICE framework,
i. Aid job seekers in career path awareness and design, goal setting, and professional development

CONCLUSIONS

The primary, root cause, and most impactful factor contributing to the cybersecurity workforce deficiency was the absence of a standard from which the workforce can be consistently defined, qualified, and measured across all stakeholders.

Gaps in the literature
Most of the literature presented pointed solutions without recommendations or reference to an integrated approach. Studies focused on training & education, diversity staff development, competency, and hiring requirements with little observation to their interconnectedness or the application of a more holistic solution.

The takeaway message from this study is that the widely publicized message of a lack of cybersecurity talent cannot be verified because of the known and significantly misaligned, inconsistent, and inaccurate definition of job roles and qualifications that discount otherwise qualified workers.

Categories

CONTACT US