How to land a career in cyber
By Georgios Depastas and Kathy Liu
A Montreal-based project takes an inclusive approach to new talent, exploring the value of non-technical backgrounds for future cybersecurity professionals
By Georgios Depastas and Kathy Liu
In Canada, cybersecurity is positioned to be the fastest adopted technology, and top 5 emerging job.
Yet we have all seen the numbers: an approximate 3.5 million global cyber talent shortage. But, is this gap really about a shortage of sufficiently skilled people, or are we not tapping into the right talent and investing in upskilling?
There is a perception that cybersecurity is arduous to break into for the non-technically initiated. The equivalence between cyber and IT is reinforced by pop culture, and even self-inflicted. The accepted dogma is that one has to enter cybersecurity job-ready, with the alphabet-soup of certifications indexed in most job posts.
In reality, job posts often profile a non-existent candidate. By 2022, core skills required to perform most roles will, on average, change by 42 per cent. We must therefore recognize the potential of transferable skills from non-technical disciplines, and fortify cross-training and upskilling.
In this article, we showcase our Montreal-based award-winning project that is combating these perceptions, and the real-life journeys of six political sciences graduates thriving in cyber roles.
Cybersecurity is a career that offers job security (no pun intended), but is also incredibly meaningful. It is as much about the people and processes interacting in the ecosystem as it is about the technology. Cyber roles are also astonishingly diverse; as you will see, our political science graduates work across a mosaic of jobs. So how do we communicate this face of cybersecurity to the general public?
Inclusive Cyber project
Our Inclusive Cyber project started as a gritty grassroots effort with an audacious ambition for systems change. The project is underpinned by the singular belief that we can no longer limit our cyber recruitment to individuals with technical backgrounds, because in doing so, we leave behind talent that are traditionally underrepresented in IT, namely women and immigrants.
The project’s secret sauce, our transferable skills mapping, charts skills from 15+ education disciplines (e.g.,
finance, English) to best-fit cybersecurity roles, benchmarked to the internationally-recognized NIST industry framework. These mappings empower non-IT and marginalized talent’s transition to cybersecurity, through igniting confidence in the value of their existing skills. Our project was recently selected as one of Canada’s Top 100 Recovery Projects by Future of Good.
We are trailblazing the project through the Global Shapers Montreal Hub, which is part of the Global Shapers Community, an initiative of the World Economic Forum. We are a global network of 10,000+ young leaders driving change in more than 200 countries.
Our grassroots approach leverages local knowledge and networks to reach students within universities, cyber recruiters, cyber curriculum instructional designers and community organizers. We have impacted over 600 community members and students through our #CYBERWOMEN International Women’s Day panel, workshops at McGill University and the University of Toronto, and collaborations with The Refugee Centre.
Going forward, we look to automate our skills mappings with the use of Artificial Intelligence, by tapping into career-related data. We envision this toolkit to empower hiring managers and recruiters to identify cyber roles’ essential skills, beyond the technical. Additionally, we expect it to continue to offer key insights to non-technical graduates and university career services, in determining the best-fit cyber roles for one’s transferable skills. However important this framework approach is, we know change and passion are often kindled by real-life stories.
Case study: political science graduates
We spoke to six political science graduates about their journeys to cybersecurity and the roadblocks along the way.
These journeys parallel patterns we gleaned from other non- technical graduates. Their first brushes with cybersecurity began in distinct and often inadvertent ways, underlying that there is no guaranteed path to discover cybersecurity.
Rachel Babins, a cyber threat intelligence (CTI) analyst at a financial institution first learned about cybersecurity through lectures on counter-terrorism. James Tay, a senior threat researcher at HYAS satisfied a childhood curiosity on global information flows through lectures at The Citizen Lab. For Farah Ng, a cyber awareness manager at a financial institution, and co-author Kathy Liu, a cyber consultant, external data breaches first spotlighted cybersecurity attacks. A chat with a political science graduate in cybersecurity illuminated the possibility of a cyber career pivot for Josh Darby MacLellan, senior CTI analyst.
One interviewee, a chief information security officer (CISO), noted the emergence of the cybersecurity threat landscape as a distinct battlespace.
For all, when they encountered cybersecurity, there was a distinguishable “aha” lightbulb moment, yet they struggled with internal doubts concerning the feasibility of entering the industry without formal training. As Darby MacLellan put it, “I held the misconception that unless you studied IT or cybersecurity in school, your chances of being laughed out of a cybersecurity interview were extremely high.”
The barriers extend beyond lack of awareness and perceptions of technical shortcomings. In fact, we validated our hypothesis that a prevailing catalyst for this “confidence gap” is the way cyber companies hire today, due to HR departments becoming more clerical and check-list oriented. Although there is merit in standardizing a procedure, when this process becomes rigid “[employers] miss out on very talented individuals who could do the same job, if not better; for instance by analyzing beyond the ‘ones and zeros’ to understand cybersecurity through socio-political contexts,” as Tay states. Another interviewee further worries that “with the emergence of cybersecurity diplomas, there is now a new misunderstanding that these courses cover 100 per cent of cybersecurity knowledge.” For a wide range of cyber roles, technical elements can and should be constantly learned on-the- job and through personal study because the knowledge-base evolves rapidly.
Finally, the lack of representation in one’s environment is critical. Many interviewees lamented not knowing fellow- political science students in cybersecurity, therefore networking was imperative. Most reached out to countless cyber professionals for coffee meetings. Internal networking in one’s current workplace is also an option, and one can more easily access an organization’s cybersecurity activities. Cultivating such networks allows most non-IT professionals to land their first cybersecurity job. Babins urges, “Don’t wait for a job posting to come up that matches your skillset exactly. Cold email, cold message and cold call.”
Beyond networking, our findings also show one should heavily invest in learning. Familiarizing oneself with basic cyber terminologies is a fundamental first step before graduating to complex concepts. Certifications and formal training is another way to further understand the topic area, but also to signify subject matter engagement. There is a growth mindset that permeates the industry: “Passionate cybersecurity professionals are usually pretty excited to talk about their work with someone willing to learn,” as Ng highlights.
These learnings should be built upon one’s transferable skills, which constitute the cornerstone of our very project. We start each skills mapping by asking individuals to map their self-reported skills and knowledge gained from their field of study. When it comes to political science, we found three primary transferable skills: communications, strategic thinking and analytical thinking.
Communications consistently came up as the top transferable skill. Political science graduates process large amounts of information and translate complex concepts into understandable language for decision-makers in various media forms. They are also big picture strategic thinkers who understand organizations, whether a state, society or a business, and their institutions and power, and are therefore able to identify the decision-makers and evaluate the impact of cybersecurity on the larger organization.
Analytical thinking can also be measured by their research skills. They know how to conduct original practical research and analyze the “so what” from a broad range of resources, distilling what is coherent and actionable in business-ready terms. Of course, these transferable skills are not sufficient by themselves. Being a successful cyber professional also requires “an inherent interest and drive in learning about cyber,” as an interviewee notes.
The COVID-19 pandemic accelerated digital transformations worldwide, widening the cybersecurity risks, which can only be addressed by an equally diverse workforce. The cyberskills challenge will remain until there is a mindset shift in recruitment. In this article, we explored the barriers that people passionate about cyber faced in the absence of an IT degree, and how they overcame them. If you are from a non- technical background and curious about cybersecurity, or want to contribute to our project, feel free to get in touch with the Global Shapers Montreal on social media.
Kathy Liu is a cybersecurity consultant, and the founder of the Inclusive Cyber Talent project (www.weforum.org/agenda/authors/kathy-liu). Georgios Depastas is a data privacy and security entrepreneur, and drives product efforts at the Inclusive Cyber Talent project (www.linkedin.com/in/gdepastas).