On May 21, (ISC)² COO Wesley Simpson was invited to join a panel of experts for testimony in front of the U.S. House of Representatives Committee on Homeland Security. The hearing, titled “Growing and Diversifying the Cyber Talent Pipeline,” was a forum for committee members to ask witnesses for their observations and input on methods for growing the U.S. cybersecurity workforce and also for encouraging more minorities to join the profession. Mr. Simpson was joined on the panel by three other witnesses representing Grambling State University, The National Cybersecurity Institute at Excelsior College and McAfee.
(ISC)² was approached by the committee in part because of the association’s published findings of several related research studies on the cybersecurity workforce. This led to the submission of written testimony covering the levels of involvement from underrepresented groups such as women and non-Caucasians, as well as Mr. Simpson’s personal attendance and participation in Washington, D.C.
The full hearing can be viewed here: https://youtu.be/g45upEriGjY (content starts at 17:01, and resumes at 1:19:22 after a recess for Congressional voting). Following is a transcript of Mr. Simpson’s opening statement to the committee.
“Mr. Chairman and esteemed members of the committee, thank you for inviting me here today to testify on behalf of (ISC)² regarding the goal of a more inclusive and diverse cybersecurity workforce. My name is Wesley Simpson, and I am the Chief Operating Officer for (ISC)². Headquartered right here in the United States, (ISC)² is the world’s largest nonprofit membership association of certified cybersecurity professionals. We function as an advocate for the cybersecurity profession and as a training and certification body. Our certifications are approved by the American National Standards Institute (ANSI), which is the primary organization for fostering the development of technology standards in the United States.
As part of our association’s stated mission to inspire a safe and secure cyber world, we regularly commission market research on a host of relevant industry topics that help to inform our global base of more than 140,000 certified members across more than 170 countries, as well as influence policy discussions, corporate programs and educational opportunities. In the course of doing so, we have issued research related to the size of the cybersecurity “workforce gap” since 2004. The state of the industry has changed quite a bit over that time, and (ISC)² is constantly identifying ways to improve its research methodology to keep up with the evolution of the market.
As part and parcel of our workforce research, we are in a position to be able to identify the demographic make-up of the cybersecurity workforce as it changes, and I’m pleased to share some of those findings with you today, as well as some conclusions we might draw from them.
Our most recent round of workforce research was conducted in 2018 and reveals a cybersecurity workforce shortage of 498,000 skilled professionals in the United States alone, and 2.93 million globally. This points to a growing gap in the amount of cybersecurity staff that private sector and government bodies indicate they need to maintain optimal security, and the amount of skilled professionals currently available. As a point of clarification, this is not meant to indicate that there are currently one half million open or unfilled jobs.
As we collectively explore ways in which the talent pool can be increased, it’s important to recognize the clear under-representation of women in the cybersecurity workforce. While Department of Labor statistics[1] indicate that women make up 47% of the overall U.S. labor force, our research shows that they only constitute 22% of U.S. cybersecurity staff, and only 24% of global staff. To be more specific, that figure includes anyone for whom at least 25% of their daily job tasks consist of security-related activities, not just those with cybersecurity titles. This expands our view to include those with IT roles, for example, who have some cybersecurity responsibilities. This change to our methodology was made in 2018 to more closely mirror the reality of how cybersecurity is executed at the ground level, and more importantly, by whom. We also found that pay inequality between genders remains an issue and is something that could affect a woman’s decision to pursue a career in our field.
If we can find more ways to attract women to cybersecurity and make it a welcoming profession, we may be able to decrease the cybersecurity workforce gap to a large degree. There are more findings specific to our “2019 Women in Cybersecurity Report” found in my written testimony, but I wanted to highlight the obvious under-representation as the key data point for discussion here today.
Another under-represented group identified through our research is ethnic and racial minorities. Our 2018 study titled, “Innovation Through Inclusion: The Multicultural Cybersecurity Workforce,” showed that just 26% of the U.S. cybersecurity workforce identifies as non-Caucasian. While this compares favorably to Department of Labor statistics that show only 22% of the overall U.S. labor force is made up of minorities[2], this is still a low ratio that could be improved by creating programs that specifically market the path to a cybersecurity career to a wider talent pool.
Furthermore, employment among cybersecurity professionals who identify as racial or ethnic minorities tends to be concentrated in non-management positions, with fewer occupying leadership roles, despite being highly educated. And here as well, our research showed that an inequity in pay exists. Despite higher levels of education, a cybersecurity professional of color earns less than their Caucasian counterparts on average.
Under-participation in cybersecurity by large segments of our potential workforce, be it women or minorities, represents a loss of opportunity for individuals and a loss of collective creativity in solving the problems we face in the field. Not only is this an issue of inequity, it is a threat to our global economic viability as a nation. The major opportunities as we see them are a stronger focus on equal pay for women and minorities in cybersecurity, more advancement and leadership opportunities for deserving professionals, formalized mentorship programs to help unearth untapped potential and hidden talents, and more programs that expose young women and minorities to technical skills earlier in their educational lives.
I thank you for your time today and look forward to answering any questions you may have to the best of my ability.”