Technology companies are at a crossroads as talented people are leaving their jobs in droves. People are searching for a high order purpose, values they can be proud of and the opportunity to change the world. This dynamic presents an opportunity for the security industry to become a talent importer. Collectively, the fall of social media gives rise to the soulfulness of cybersecurity.
>> SPEAKER: Please welcome Chief Executive Officer, Trellix, Bryan Palma.
>> BRYAN PALMA: Social media has become a destructive force in our lives. It is tearing people apart, sowing division between families, friends, and associates. It is fueling a rise in hate speech and disinformation, sparking a surge in online harassment and real-life violence. It is wreaking havoc on our children's self-esteem, triggering an increase in anxiety, depression, and other serious social disorders. But worst of all, today's social media companies are taking little action. Driven by greed, stricken with apathy, they have revealed themselves as soulless.
Take a look at these recent headlines. The moral bankruptcy of Facebook. How Instagram is hurting teen girls. Outrage spreads faster on Twitter. Their users, you and I, we have had enough. We recognize the enormous negative impact social media is having on our society, not to mention our mental health. According to a 2021 Quinnipiac University poll, 70% of people say social media does more harm than good – 70%. People are worried about what is going on. Clearly, these social media companies have lost their way.
Founded on the promise of bringing the world closer together and fostering community, these companies attracted countless smart, talented people who wanted to be part of that very mission. But today, many of these employees have come to the realization that social media often does more to sever than unite. Working for these companies no longer aligns with their values. And as a result, they are leaving their jobs in droves. They are in search of more soulful work, work they can be proud of, work that offers them a higher purpose, work providing a chance to change the world, work like cybersecurity. Honestly, what is more soulful than protecting people, than stopping hackers from trying to take down insulin machines in hospitals, than preventing bad actors from limiting access to clean water in Ukraine? This movement from soulless to soulful work presents an incredible opportunity for our industry.
Imagine if we could turn this unraveling of social media into a watershed moment for us in cybersecurity. Imagine if we could come together to create a home for talented technologists seeking a more fulfilling future. With all of us singing the same tune, there is no limit to the number of hearts and minds we could win. We could inspire ten thousand, a hundred thousand, maybe even a million people to find their true calling in cybersecurity with us.
Normally, at RSA, we discuss important topics like artificial intelligence, anti-ransomware, and automation. But today, I only want to talk about people. For 20 years now, we have dealt with the same problem. Our demand for security analysts, engineers, researchers, and consultants far exceeds our supply. And every single day, that gap continues to grow. I have long personally been frustrated by the talent shortages plaguing our industry. I remember the frustration I had early in my career while at the Secret Service. And now, 20 years later, I have the exact same feelings as the CEO of Trellix.
The most troubling aspect of all this is how little progress we have made as an industry. For decades, we have relied on the same tactics to close the talent gap. We refuse to do anything different to solve this problem. It is the very definition of insanity. In the U.S. and many other countries, we have not made the investments required to develop a national cybersecurity talent pipeline. Meanwhile, the very nation states attacking our private corporations, they have already made those investments. For years, they have been training attackers to assault our businesses. And because we are behind when it comes to talent, we struggle to defend ourselves. Even though I am fed up, I am far from defeated. I will stop at nothing to make sure our industry develops the diverse talent pipeline necessary to address our supply shortage.
Now, let's take a look at the problem. Last month at Trellix, we partnered with a global market research firm to survey 1,000 cybersecurity professionals. We had a simple goal. Understand the data to help us better diagnose the problem and design solutions. Here is what we found – 78% identified as male, 64% identified as white, 89% identified as straight. No surprise there, right? Straight white males dominate our industry. We are largely a homogenized group. But there is a serious problem with that. Our lack of diversity is holding us back in two important ways. First, we are turning away great people and doing our industry a significant disservice. By failing to cultivate a more inclusive environment and neglecting to provide pathways for more female and non-binary people, people of color, and people from the LGBTQ+ community, we are only widening our already enormous talent gap. We are all better when we benefit from the diverse perspectives of others. Second, simply put, it is bad for business. I learned this decades ago from Indra Nooyi, the former PepsiCo CEO. We do not look like our customers and our lack of diversity restricts our ingenuity, innovation, and ability to recruit the next generation of talent. Hell, the hackers are more diverse than we are. Even they understand the importance of having a bigger tent.
Unfortunately, the survey data related to people's educational experience is equally predictable – 95% obtained their bachelor's degree, 85% majored in IT, computer science, or technology, 75% specialized in cybersecurity. These statistics tell me we are falling short when it comes to identifying talent with a two-year degree or no degree at all. We are overlooking qualified candidates who lack the schooling but have earned certifications or completed other vocational training. This bias is a huge mistake and again restricts instead of expands our talent pool.
There is an industry-wide perception, especially among recruiters, that our people need a college education to be successful, but many of the cybersecurity professionals we surveyed do not agree; ninety-three percent report the ability to develop their own skills and learn in their own spare time. On the positive side, our research revealed pathways from other professions already exist. Forty-five percent previously spent time in another profession. Considering a large majority of the people we surveyed had a concentration in cybersecurity, this finding was eye-opening. Now, granted, many of these respondents held positions in fields closely related to cybersecurity, like IT, computer science, or software development, but others came from industries as diverse as finance, retail, and manufacturing.
Here is what excited me the most, though. More than a handful of people made the move from social media to cybersecurity. For years, we have been focused on hiring the same types of people with the same types of educational experiences and professional backgrounds. But as Adam, our Chief Revenue Officer, often says with a distinctly British accent, we need some fresh water in our pond. He is right. We need to start making inroads into new communities. We need to tap into more diverse groups. We need to rethink who we view as talent. Over the past two decades, we have given the talent and diversity gap lots of lip service, yet we still lack any scalable programs to close that gap.
I know from implementing programs at Trellix, there are three discrete populations we must nurture and develop. First, we have to transform the current K-12 educational system both at home and abroad. According to our research, 94% of people agree we should do more to raise awareness of cybersecurity at an earlier age. Beginning in kindergarten, we should infuse cybersecurity into students' existing curriculum. As kids advance through school, they would have the opportunity to take standalone classes, join clubs, attend day camps, or participate in competitions focused on cybersecurity. This K-12 plan is a long-term investment, but one that will surely pay dividends, especially when it comes to breaking down social, economic, and diversity barriers.
Second, we have to better nurture and train college students and early in career professionals. With an increase in scholarship funding and internship programs, we would enable more people to pursue academic opportunities in cybersecurity. And by extending program participation to include more Historically Black Universities, liberal arts schools, and community colleges, we could achieve an even larger, more diverse talent pool. In our survey, 92% of respondents agreed more internships would encourage more people from diverse backgrounds to enter into cybersecurity. For young adults who lack education, we could provide entryways to cybersecurity through the establishment of federal programs, offering cybersecurity training coupled with grants and tax breaks.
Third, we have to create avenues for mid-career professionals seeking to make the move into cybersecurity. Whether they come looking for more meaningful work from a Silicon Valley tech company or a small-town restaurant in Middle America, we need to ease the transition for them. As an industry, we have to provide better access to courses, so people can adequately reskill. We have to promote quality certification programs, so potential candidates can enhance their knowledge. And we need to launch more apprenticeships, so prospective employees can acquire tangible skills directly from our experts.
At the end of the day, success does not depend on a degree. Don't believe me? More than half the people in our survey agreed with that statement. We should be at the front line recruiting capable technologists, whether or not they have a college degree. The reality is this: Our industry is best served by people with tenacity, will, and determination, people who refuse to settle, people who seek a higher purpose, people like Raphael and Noelle.
Raphael was in high school when he first learned about cybersecurity. As a sophomore, he took a class on the subject. Later, while studying electrical engineering in college, he got a call about taking on a security contract in Afghanistan. Today, he is living his dream as a principal cybersecurity architect. As a 14-year-old kid, Raphael had no idea that one high school class would change the course of his entire life.
Noelle was a bartender in 2005 when she started building websites for her friends’ businesses. With a couple young kids in diapers, this work perfectly suited her needs as she could work while her children slept at night. She cared about the websites she built and wanted nothing more than to learn how to protect them. This inquisitive nature led her on the path to IT.
When that failed to scratch her curiosity itch, she made the switch to cybersecurity. Now, as a senior site reliability engineer, she is not only keeping websites safe; she is keeping the world safe for both her kids and ours.
What do people like Raphael and Noelle have in common? They are go-getters. They managed to achieve what they did not because we helped them, but because they had fortitude, curiosity, and passion. Today, there are maybe 10 Raphaels, 10 Noelles. But we don’t want 10, 20, or even 100. We want 100,000, and it is our job as an industry to make it happen.
I've challenged my team at Trellix to lead with action, and I'm proud of the work we are doing with Gotara to advance the careers of women in STEM. And today, I want to announce a new partnership with HACE, the Hispanic Alliance for Career Enhancement, to create a cybersecurity accelerator program for Latinos who, unfortunately, only represent 2% of the respondents in our survey. Try as we might, none of us can solve our problem alone. It is impossible for any one organization to close our current talent and diversity gap. But collectively, we can absolutely make a difference.
In trying to come up with a solution, I started looking at other industries for inspiration. What other industry understood you could both compete and collaborate? Then I remembered this: In the 1970’s, the consumption of soda, juice, and other beverages started soaring; meanwhile, milk, a staple in refrigerators everywhere since the 1950’s, was suddenly on the decline. This trend continued for 20 years. Finally, in 1993, the industry decided to come together. Dairy processors united to form the California Milk Processor Board. Their mission, to put an end to the plummeting sales of milk. The board created the iconic "Got Milk?" campaign. By the very next year, milk sales increased by 15 million gallons, saving the milk industry. We need our own campaign, one where we put aside our own self interests for the greater good of the industry. With a captivating campaign focused on our positive contributions to society, we can use our collective voice to cast a wider net to close the current talent gap.
Just like at your organization, Trellix is full of people who are passionate about the work we do. Intending to prime the pump for this campaign, I asked the Trellix team to share their stories on why working in cybersecurity gives them purpose. Introducing "I Do Soulful Work."
>> SPEAKER: With all the turmoil in the world, especially right now, there’s a lot of upheaval, a lot of chaos, a lot of cyberattacks, just moving that needle a little bit, it’s – it’s what I think we’re all in it for.
>> SPEAKER: It’s a pervasive threat. It’s something where every little action we take daily contributes to improving people’s lives.
>> SPEAKER: I live here. My kids live here. My friends live here. It doesn’t get any more personal than protecting your home.
>> SPEAKER: I realized that cybersecurity was the next battleground and that we just needed to fight the good fight.
>> SPEAKER: You’re helping someone who is a victim and is in a very bad place. Things have been stolen from them. I mean, I get excited to go to work to stop the bad guys.
>> SPEAKER: Building that next generation of talent so that we have a pipeline for our leaders of tomorrow.
>> SPEAKER: Even though I may sit behind a desk or I may not be in that battlefield, I’m really helping them protect themselves as well and protect what we do and how we live.
>> SPEAKER: Tenacity and tenaciousness, by invoking that and embracing it, you can make people’s lives much more efficient.
>> SPEAKER: I’d like for my own daughters and young women, young minorities, to feel like they belong in this space, they belong in cybersecurity or STEM.
>> SPEAKER: Legacy. All of us have a responsibility to leave the world a better place than how we found it.
>> SPEAKER: I’m excited to see where the journey takes us so that we can further help execute the mission.
>> SPEAKER: I really feel like sometimes it’s the good guys versus the bad guys, and I get to be one of the good guys.
>> BRYAN PALMA: I have this vision for the future, one that looks vastly different from the world we know today. I see organizations across our industry working hand in hand, partners, competitors. They are producing a barrage of "I Do Soulful Work" content. They are sharing their stories, inspiring others to heed a higher calling to protect the world. They are motivating people to blaze their own trail in cybersecurity. I see a kaleidoscope of people, people of color, people from the LGBTQ+ community, non-binary people. They are coming to us from two-year schools and apprenticeships. They are offering fresh perspectives. They are enriching lives. They are defending innocent people from having their information stolen in a data breach. They are warding off attacks and keeping a country's power grid up and running. They are protecting non-profits and allowing them to safely process donations. They are doing soulful work, just like you do soulful work, and I do soulful work. Thank you.
Share With Your Community