Cybersecurity Jobs, Career Paths and Diversity Hiring Get a Closer Look at BlackHat 2021

• By Jeff Steuart
• Aug 02, 2021

Depending on who you talk to, there are 50,000 to 60,000 open jobs available for cybersecurity professionals in the United States – add risk management professionals, and the number climbs much higher. The rub is how to match the perfect candidates to the perfect job because it’s as easy as it sounds.

Corporate recruiters and human resources professionals still struggle with issues of making the right hires and encouraging diversity candidates to apply.

Women in Security and Privacy (WISP) will address this issue in an August 4 virtual session at BlackHat with an all-star panel of cybersecurity professionals including Dr. Chenxi Wang, the Founder and General Partner of Rain Capital, an early-stage venture fund focused on Cybersecurity and Aleada Consulting Advisor; Lauren Zabierek, the Executive Director of the Cyber Project at Harvard Kennedy School’s Belfer Center; Rich Noguera, the Chief Information Security Officer at AppDynamics; and, Deepti Hemwani, Head of Product at Dasera. The session is moderated by Elena Elkina of Aleada Consulting, a San Francisco-based Privacy consultancy and a co-founder of WISP.

“It is common to see a massive under-representation of women, people of color, and those with visible and hidden disabilities in the infosec and privacy field,” said Elkina. “We know diversity is a topic of discussion when recruiting and hiring infosec and privacy professionals, but there is often little guidance available to those recruiting for these positions. We want to talk about ways to overcome obstacles and this panel has strong ideas on strategies to recruit for diversity.”

For cybersecurity pros struggling to find the next great opportunity and organizations seeking to make the next great cybersecurity hire, there’s a new platform that helps everyone. CyberSN, a leading cybersecurity career and staffing firm, has launched the CyberSN Marketplace, a dedicated resource that provides cybersecurity professionals no-cost access to jobs, career resources, salary information and job matching needed to successfully accelerate and manage their career success.

The Marketplace complements CyberSN’s well established Agency staffing services, which are also accessible to hiring firms at CyberSN.com and offers access to every available cybersecurity job posted.

The Marketplace builds on the CyberSN Job Taxonomy, a model that organizes open jobs based on tasks and projects into 10 categories and 45 functional roles via a confidential public profile so they can be found by employers without sharing their identity on a public platform. The CyberSN platform then matches professionals to these jobs based on their confidential profile, and allows them to connect at their choice with jobs that match. Professional members can also take advantage of CyberSN’s career planning and pathing tools, salary and industry data and training and educational resources.

“The cybersecurity job search process is alarmingly broken. Generic job sites don’t work in this highly specialized and growing field. And cyber professionals often don’t join public networks due to confidentiality and security concerns,” said Deidre Diamond, Founder and CEO, CyberSN. “Most job descriptions stink, professionals can’t find jobs that fit their needs and experience and the results speak for themselves. Data shows that 41 percent of cyber professionals want to leave their current employer, but it takes CISOs an average of eight months to find a new position, and at least four months for a security engineer. Our platform fixes this, and getting professionals into jobs that fit isn’t just good for them and their employers, it’s good for the industry.”

“CyberSN’s team understands this constantly changing industry and discipline,” said Bill Pelletier, an Information and Product Security Leader in Boston, MA just placed by CyberSN. “They understand the language, and they care for job candidates as individuals and not just a means to an end. This means that when you’re scheduled for an interview, you’re not talking to just any random company, but one whose needs closely match your abilities and goals. The result is targeted, realistic, and a perfect fit of function, position and -- very important in my personal case -- mission. I cannot say enough positive things about CyberSN and their extended team."

CyberSN invites every cybersecurity professionals to create a confidential profile and browse the jobs that match at the CyberSN Marketplace at https://www.cybersn.com.

For organization seeking that needle in a haystack, Haystack Solutions offers a means of predicting a successful hire with new precision. For example, the US Department of Defense was able to identify elite cyber talent with 95 percent accuracy using the core of Haystack Solutions’ Cyber Aptitude and Talent Assessment (CATA), the first commercially available solution scientifically designed to identify the natural cognitive abilities of individuals entering or upskilling in cybersecurity.

“As the 10th Fleet Commander, I was compelled by the need for identifying and retaining our best talent,” said Vice Admiral Jan Tighe. “I wanted an Armed Services Vocational Aptitude Battery (ASVAB) standard assessment for Cyber. I thought if we can create an aptitude determiner to best align our computer network operations workforce with their optimal work roles, we would boost retention by putting team members in challenging, satisfying roles best suited to their interests and aptitude. The University of Maryland was investigating a similar approach, and we capitalized on some work.”

“A tool like CATA would have saved our team countless hours by driving up retention, reducing retraining costs, and increasing mission effectiveness,” Tighe added.

In research conducted by the University of Maryland, performance-under-pressure testing of hundreds of DoD participants from SOCOM, U.S. Navy, West Point, and USAF, identified aptitudes in key areas associated with cybersecurity excellence such as critical thinking, exhaustiveness of approach and practices, initiating behaviors, real-time effectiveness, and responding behaviors. All tests minimized language bias and allowed participants to be competitive regardless of native language, English-speaking proficiency, or prior experience with IT and cybersecurity principles. Among the DoD partners, CATA testing accurately:

- Classified 97% of all Elite (90% course average or better) performers on a USAF ITF course

- Distinguished with 84% accuracy between high-skill and untrained USAF cyber personnel

- Identified six main clusters of test participants that correlated with a variety of course performance metrics across DoD participants (e.g. SOCOM, U.S. Navy, West Point, and USAF).

• High performers in four key disciplines – who became the most successful in cyber courses
• Critical thinkers who scored well in CATA tests such as “Need for Cognition,” “Matrix Reasoning,” and “Dynamic Systems Control.” These candidates were also top performers.
• Many of the test subjects were determined to be creative thinkers who scored low on many tasks but who performed well in crucial areas such as “Need for Cognition,” “Need for Cognitive Closure,” and “Pattern Vigilance,” and so were well suited for and chosen for cybersecurity roles for which they had not previously applied.

- Developed a composite score - one number that was representative of a candidate's total aptitude

Security Mindsets Principal Charles J. Kolodgy said: “Finding the right candidates and figuring out which employees to invest in additional training are tough decisions that have far ranging impact. The right decision can lead to overall improvement of your organization's security posture, while a poor decision can erode readiness. Haystack's solution opens the ‘black box’ of the cognitive capabilities that can help identify optimal candidates who don’t just have the proper certifications but who also have aptitudes required for success. In this way it is possible to weed out those with superb qualifications but whose innate skills aren’t a fit for a specific task. Getting it right is imperative, and the costs - from delayed hires and poor retention to severe consequences such as missed warning signs - are just too high to gamble with.”

CATA focuses on five key cerebral dimensions: critical thinking, deliberate action, real-time action, proactive thinking, and reactive thinking. It includes a series of tests designed to measure cognitive abilities and map natural aptitude within four domains of cybersecurity careers in the commercial sector:

• Offensive operations: initiative and creative problem-solving skills using partial data in real time;
• Defensive operations: detecting anomalies with scans and real time, partial data, screening out distractions;
• Analytics and forensics: interpret and reconcile exhaustive amounts of often conflicting data; and,
• Design/development: abilities to programatize creative problem solving and build model programs for execution.

Much of CATA’s core was co-developed by the University of Maryland, and the cognitive assessment was originally used by the National Security Agency and the predecessor of the U.S. Cyber Command, 10th Fleet.

Michael Bunting, Ph.D., the Director of Cognitive Security and Information Operations at University of Maryland’s ARLIS center, Haystack’s CTO, and technology co-inventor, said: “CATA’s core has been used by the U.S. Intelligence Community and Department of Defense (DoD) to create some of the highest performing Cyber Teams. It has been heartening to see it adapted for the commercial sector and, in early trials, to help identify previously unexplored but inherently genius-level cyber talent in schools and universities, who are now garnering some of the most prestigious CTF awards, and who had not previously considered cybersecurity careers.”

Along with mapping to cybersecurity domains, the assessment report supports the NIST/NICE job role framework showing a path to the job roles where there is a natural fit for a more personally rewarding cybersecurity career.

“Cybersecurity is an increasingly complex domain, with a lengthy and arduous learning curve,” said Doug Britton, Haystack Solutions CEO and Founder, and co-developer of CATA. “The commercial sector has long needed insight into the problem solving, visualization, and pattern recognition capabilities of cybersecurity candidates – qualities that certifications and degrees don’t necessarily reflect. Let’s face it, the cybersecurity challenges in the commercial sector are expanding and growing more complex daily. The ability to identify those with innate talents and ensure that they’re being trained for the roles for which they’re best suited can help the commercial sector bridge the talent gap more quickly and effectively. CATA meets this urgent challenge.”

Dr. Bunting agreed: “We need to identify everyone that has the cognitive fingerprint of a cyber warrior and get them in the fight.”

The training of cyber and risk talent took on new importance and momentum during the global pandemic.

In response, the Shared Assessments Program, the member-driven leader in third party risk assurance who’s Certified Third Party Risk Professional (CTPRP) certification program is recognized as a hallmark of proficiency and competency in Third Party Risk Management (TPRM), launched a fully online certification program for the prized credential. The Online On-Demand class shares the same curriculum, body of knowledge and examination as the Web-Based instructor led class, and is delivered in an interactive self-study format.

The Program lets busy working professionals extend their capabilities and achieve advanced certification at their own pace, regardless of the time zone or work-from-home challenges, and equips them to lead complex initiatives.

Luc Levensohn, Senior Manager, Cyber Security, Information Risk Management for Staples, observed the benefits his company derives from CTPRP certification: “Having that broad but well-mapped organizational framework for all of our evidence enables us to be far nimbler and more effective when we respond to unique or tailored customer requests. We can be sensitive to those information requests without launching into an all-out fire drill, which is something you always try to avoid. We’re continually able to prioritize the areas of highest risk, which strengthens our due diligence in an efficient manner. That’s why I have the people on my team take CTPRP tests as soon as they are ready.”