by Kyle F. Kennedy

When you search for images under the keyword “cybersecurity,” a familiar shot always turns up: a guy wearing a hoodie, operating in a dark room, fingers on a keyboard.

I’d like to replace that image with…anything. To be a cybersecurity professional, you can be anything. And anyone.

We’ve heard the statistics. There is currently a human capital crisis, with 1.5 million cybersecurity jobs available and no takers. The number is projected to balloon to 3.2 million by 2021.

But who exactly are these cybersecurity professionals we are looking for?

For so long, we have had our own definition of who can fit that talent. A good cybersecurity professional has to have a computer science degree. They must have a solid professional background. They have to be male. This pattern of defining success has led us to the shortage we are experiencing today. It’s kind of like insanity, really: doing the same thing over and over and expecting different results.

What really makes up a good professional? Every human being brings a different experience. You need critical thinking and creative thinking, both. A variety of educational, ethnic and geographical backgrounds.

For example, cybersecurity is not the obvious career path for someone with a biology degree; however, a biology major might help throw a new perspective on cybersecurity, given that advancements of technology will eventually interface with the human body organically, creating a scary threat landscape.

Often, too, we talk about cybersecurity in the context of oil and gas, or transport, or finance. Cybersecurity today, and going forward, is a horizontal across every industry, as opposed to just being by itself.

Every industry needs cybersecurity professionals. People from other disciplines could provide their own perspectives and add value to how the job is done. For example, some of the best cybersecurity communicators I know, otherwise known as “social engineers,” are drama majors, communication majors and liberal arts majors.

Why are soft skills critical? The risks here are complex. If these risks are not articulated in a business language, such that executives are not able to grasp their importance, then what you will have as a result are cyber policies, created from the ivory tower, which everyone must follow, and which would inhibit the business instead of enabling it.

If cybersecurity becomes more inclusive instead of exclusive, then we will be all the more superior to the attackers. As it is, it’s the enemy who are inclusive. They don’t have any requirement that hackers should have this or that degree or should have attended an Ivy League school. Most hackers are self-taught, and when something sparks their interest, they go online. They read. Nobody tells them they could not do it because they are not a good fit.

Initial strides

Foremost, before anything can be done, there must be an acknowledgment of the current situation and the need to be more welcoming. Business leaders and decision-makers must recognize the unconscious bias that they have. They have to understand that creating positive disruption and changing patterns are a business differentiator.

My organization is active in our advocacy for inclusion in cybersecurity, specifically for women. We have been speaking to organizations on positive disruption. A good way to create action is through regional events and grassroots involvement. We bring the community together, and it is these communities that conduct classes and organize meet-ups and training courses.

We did this in reaction to the more established cybersecurity conferences that present numerous barriers to entry, and which are more for senior professionals. Women may not have the luxury of being able to spring for the travel, or leave their homes for days at a time, and perhaps find childcare for the time they are away.

ISC2 also now has an associate certification, where an individual can take the certification examination without the work experience, providing an opportunity for employers to recognize and support candidates entering or transitioning to the cybersecurity industry.

Personal reasons

My passion for diversity in cybersecurity is driven by several things.

First, given my degree in sociology, I must have had a hundred interviews before landing on a job in technology, even though I knew a lot about it – it had been a hobby for years – and it was clear I was keenly interested and willing to learn. They said I was not the right fit because I did not have a technology degree; specifically, a computer science degree. Didn’t matter that I could code in Assembler, BASIC, C, Cobol, Comal, Forth, Fortran, Logo, Pascal, PL/1 or Algol.

And I thought, if this could happen to me, a white male, think of all the others who could not break the barriers!

I ended up leading the engineering department of the first company that hired me.

And then I met my wife, who herself had to break barriers in IT because she was a woman. For example, during meetings, she was seen as more of an assistant rather than a peer, even though she was very technical.

My male colleagues initially said I was just on the bandwagon with my advocacy for women in cybersecurity. I said no. Men have to recognize that we have to be part of the solution, since many of the positions of senior leadership are occupied by men.

‘This is not my coffee’

I have a good analogy for all this. Suppose you went to a Starbucks, and when your coffee is given to you, you see that it was not what you asked for.

For a moment you might think you might as well take it, because the barista probably knows what is good for you, more than you do.

But no – you renegotiate. The barista does not know any better. You then look for the manager to explain the mistake and to get the drink you want.

Empathy is what can truly enable us to understand that we need to change the status quo. Yes, I am male, I am white, but I know that my background is a lot different from that of my peers. Because of this, I am very empathetic in that I know there are institutionalized barriers. I should know – I have spent the past 25 years in security.

What should really matter is that there are many talented individuals capable of both critical and creative thinking. They may not come in the shape and size we have traditionally expected them to be, but they are interested. They are intelligent.

In the end, only three questions should matter to organizations when they decide on investing in somebody for a cybersecurity role: Do you have the brain? Are you passionate? Can you learn?

Kyle F. Kennedy is a social cybersecurity expert and president of His organization provides foundational soft-skills training for a small fee (supported by corporation donations) and plans to launch soft-skill Masterclasses in 2019. They helped organize an event called Day of Shecurity, for women of diverse backgrounds to have one day of learning: tech/hard skills, soft skills. They had opportunities for mentorship and guidance. Day of Shecurity was FREE to attendees!