Opinion

The talent shortage and lack of diversity in cybersecurity is a problem for everyone. Here’s one solution.

As individuals and organizations put increasing amounts of sensitive data on connected networks, the frequency and impact of cybersecurity breaches grow. The Global Risks Report 2022 from the World Economic Forum reported that in 2020, malware and ransomware attacks increased by 358% and 435% respectively. The cybersecurity sector is expanding exponentially to keep up with the demand for its services, with revenues projected to reach US$298.70bn by 2027. Yet the sector faces a critical talent shortage — a problem that has serious implications for our ability to secure the systems we rely on for business and in our personal lives.

Cybersecurity Ventures, a leading US-based research organization and publisher of Cybercrime Magazine, has been tracking the cyber talent problem for several years now. Over an eight-year period, it found that the number of unfilled cybersecurity jobs globally grew by 350 percent — from one million positions in 2013 to 3.5 million in 2021. The dearth of cyber talent poses serious implications for both public and private sectors, as well as our ability to maintain a cybersecure society.

One important solution to address this acute labour market shortage is to increase equity and diversity within the cybersecurity sector. The lack of diversity is even more pronounced in cybersecurity than in other tech and STEM fields. Traditionally underrepresented groups face significant barriers both when entering and when advancing within cyber roles. Without equal opportunities for these groups to advance, the cybersecurity sector stands to lose the contributions of a huge portion of the population.

With so many open and available positions, why is it that the sector hasn’t been able to attract a more diverse workforce?

Perhaps it is because there are still misconceptions about what cybersecurity really is and what a successful career in the profession looks like. For example, cybersecurity is not exclusively for nerds wearing hoodies behind a computer — it’s critically important to correct this and similar stereotypes. If you actually look at a modern, healthy cybersecurity department, only about 20-30 percent of roles are strictly technical. The remaining roles have more to do with business and organizational context than purely the cybersecurity technology itself. These are roles that take account of things like technology risk assessment, cybersecurity governance, compliance and audit, threat and incident management, disaster recovery, and business continuity. These roles are critical, and they require business acumen and crisis management skills, not necessarily programming know-how. Positioning cyber roles in this broader context is likely to attract candidates with more diverse personal and professional backgrounds.

Further, given the stereotypes about cybersecurity, the sector has traditionally drawn its workforce from technical disciplines such as mathematics, computer science and computer engineering, which are disciplines known to attract fewer women. So there are fewer women in the pool of candidates to begin with. Then, when women do enter the cyber sector, against all the obstacles put in front of them, they don’t advance as much or as quickly as their peers who are men. The percentage of women in management and executive positions is much lower than the percentage of women at entry or mid-level positions throughout the sector.

So how can we fill these necessary and available roles with the best candidates, and build a pipeline of cybersecurity talent for the future? Starting early is important. Several great initiatives already exist that introduce cybersecurity to kids as early as elementary or middle school. We should have more of them! Several equity, diversity, and inclusion initiatives have also been introducing more women and diverse people to cybersecurity. We should have more of these too!

What is also desperately needed is targeted programming that helps high-performing women and members of other underrepresented groups break the glass ceiling and advance into cybersecurity management and leadership positions. One such program is the Emerging Leaders Cyber Initiative at the Rogers Cybersecure Catalyst at Toronto Metropolitan University in Canada, which is specifically designed to empower women and non-binary people with opportunities for enhancing their leadership skills while also giving them access to a supportive, high-impact professional network.

Cybersecurity Ventures projects that there will still be 3.5 million cybersecurity openings in 2025. In other words, if we don’t change the ways in which we attract, train and advance cybersecurity talent, we will remain in the dire situation of not having enough cybersecurity experts to protect the information systems that a modern, healthy society depends on. It’s time to ramp up our efforts.

Dr. Atefeh (Atty) Mashatan is a Canada Research Chair, an Associate Professor, and the founder and director of the Cybersecurity Research Lab (CRL) at Toronto Metropolitan University (TMU), and a member of the board of Rogers Cybersecure Catalyst.
