Opportunity for All

Driving Diversity and Meeting the Labour Market Shortage in Canadian Cybersecurity

The Canadian cybersecurity sector faces two critical challenges: a talent supply that is failing to keep up with market demand, and a lack of diverse talent within that supply.

The problems were at the centre of “Opportunity for All: Driving Diversity and Meeting the Labour Market Shortage in Canadian Cybersecurity,” a panel discussion hosted by the Rogers Cybersecure Catalyst on March 3. The panel brought together women experts from the Canadian Centre for Cyber Security, Cybersecurity Research Lab — Toronto Metropolitan University and Mastercard to identify the conditions that have led to systemic imbalances, and discuss strategies to make the sector more welcoming and diverse.

Michèle Mullen (Director General of Partnerships and Risk Mitigation, Canadian Centre for Cyber Security) reported some alarming statistics: 82 per cent of employers in Canada have reported a shortage in qualified talent, and 71 per cent believe that this shortage has already caused measurable damage to their organization’s security posture. In 2020, there were 5,000 new positions that needed to be filled by cybersecurity professionals in Canada — and that number grew to over 8,000 in 2021.

For Mullen, the greatest factor contributing to both the workforce and diversity shortages has been a widespread lack of familiarity with the range of cybersecurity careers. “Lots of parents are used to saying to their sons and daughters, ‘I want you to be a doctor, a lawyer, a firefighter,’ because those are longstanding known professions that are either lucrative or seen as noble. We need to change the thought process of parents, teachers and youth to ensure that careers in cybersecurity make that list.”

To do that, said Mullen, “We need to develop and provide tools for guidance and career counselors to increase the understanding of the various technical and non-technical jobs involved in cybersecurity occupations, and a greater comprehension of the actual nature of the work so that they can orient young people with the right aptitudes towards this career path.”

Mullen also identified the industry’s “hostile lexicon” as a major barrier to access. “The language we use in describing cybersecurity jobs is actually a neurolinguistic deterrent for women and minorities. So we need to include a more inclusive language in our job postings.” Words like “attack” and “defend” and imagery like faceless, hoodie-clad cyberterrorists “are actually detractors for many young women and minorities when considering career options in high school.” Mullen advocated for softer words like “problem-solving” and “risk calculus” in postings instead.

A recurring theme of the discussion was the common misconception that a career in cybersecurity means training for a highly technical role. Cybersecurity is also “for creative people — people who can apply contextual understanding of organizations, communities and the people that they are going to protect,” said Harsimran Kapoor (Director, People Business Partner, Identity Solutions, C&I; Global Intelligence & Cyber Centre, Mastercard). “It isn’t a narrow field. To build a team, it’s not enough to only have world-class technologists. We also need artists. We need writers. We need policy thinkers.”

“There’s still a stereotype about what cybersecurity really is, and what a successful cybersecurity career looks like,” said Atefeh Mashatan, Canada Research Chair and Director of Cybersecurity Research Lab, Toronto Metropolitan University. “It’s not the nerd in a hoodie who cracks a password, but unfortunately we’re still fighting that stereotype.” Mashatan noted that in a large cybersecurity organization (like a bank or a government office), only 20 to 30 per cent of cybersecurity roles are strictly technical. “The remaining roles require more business and organizational context and knowledge. Technology risk assessment, cybersecurity governance, compliance, audits, threat and incident management, disaster recovery, business continuity — they all need business [expertise] more than technology.”

Kapoor added, “The customers and the consumers are communities that we protect. They’re dynamic, they’re diverse, and that diversity informs their uniqueness. So we need teams that are representative of that diversity to be able to understand and deliver solutions that will work for everyone.”

The panelists agreed that combating the stereotypes and fostering diversity requires active, tangible efforts from the sector to promote a new image to future generations. “Let’s go to schools, let’s use inclusive language, let’s use gamification for the girls who are going to be the cybersecurity professionals of the future to be more excited about cybersecurity as a profession,” said Mashatan. “Start early and continue to foster EDI as they continue to grow through high school and university. Mentor them and have EDI champions at those steps.”

The panel discussion was preceded by the announcement of a major new initiative from Mastercard and Rogers Cybersecure Catalyst to foster inclusion and diversity in the Canadian cybersecurity sector. With funding from Mastercard, the Catalyst will launch two new training programs designed to foster inclusion and diversity within the sector. Learn more about the programs here.