(ISC)2 Congressional Testimony – May 21, 2019 - 1

Mr. Wesley Simpson

Chief Operating Officer

(ISC)²

(ISC)² Congressional Testimony

The Subcommittee on Cybersecurity, Infrastructure Protection and Innovation of the Committee on Homeland Security

Tuesday, May 21, 2019

310 Cannon House Office Building

Mr. Chairman and esteemed members of the committee, thank you for inviting me here today to testify on behalf of (ISC)² regarding the goal of a more inclusive and diverse cybersecurity workforce. My name is Wesley Simpson, and I am the Chief Operating Officer for (ISC)².

Headquartered right here in the United States, (ISC)² is the world’s largest nonprofit membership association of certified cybersecurity professionals. We function as an advocate for the cybersecurity profession and as a training and certification body. Our certifications are approved by the American National Standards Institute (ANSI), which is the primary organization for fostering the development of technology standards in the United States.

As part of our association’s stated mission to inspire a safe and secure cyber world, we regularly commission market research on a host of relevant industry topics that help to inform our global base of more than 140,000 certified members across more than 170 countries, as well as influence policy discussions, corporate programs and educational opportunities. In the course of doing so, we have issued research related to the size of the cybersecurity “workforce gap” since 2004. The state of the industry has changed quite a bit over that time, and (ISC)² is constantly identifying ways to improve its research methodology to keep up with the evolution of the market.

As part and parcel of our workforce research, we are in a position to be able to identify the demographic make-up of the cybersecurity workforce as it changes, and I’m pleased to share some of those findings with you today, as well as some conclusions we might draw from them.

Our most recent round of workforce research was conducted in 2018 and reveals a cybersecurity workforce shortage of 498,000 skilled professionals in the United States alone, and 2.93 million globally. This points to a growing gap in the amount of cybersecurity staff that private sector and government bodies indicate they need to maintain optimal security, and the amount of skilled professionals currently available. As a point of clarification, this is not meant to indicate that there are currently one half million open or unfilled jobs.

As we collectively explore ways in which the talent pool can be increased, it’s important to recognize the clear under-representation of women in the cybersecurity workforce. While Department of Labor statistics¹ indicate that women make up 47% of the overall U.S. labor force, our research shows that they only constitute 22% of U.S. cybersecurity staff, and only 24% of global staff. To be more specific, that figure includes anyone for whom at least 25% of their daily job tasks consist of security-related activities, not just those with cybersecurity titles. This expands our view to include those with IT roles, for example, who have some cybersecurity responsibilities. This change to our methodology was made in 2018 to more closely mirror the reality of how cybersecurity is executed at the ground level, and more importantly, by whom. We also found that pay inequality between genders remains an issue and is something that could affect a woman’s decision to pursue a career in our field.

If we can find more ways to attract women to cybersecurity and make it a welcoming profession, we may be able to decrease the cybersecurity workforce gap to a large degree. There are more findings specific to our “2019 Women in Cybersecurity Report” found in my written testimony, but I wanted to highlight the obvious under-representation as the key data point for discussion here today.

Another under-represented group identified through our research is ethnic and racial minorities. Our 2018 study titled, “Innovation Through Inclusion: The Multicultural Cybersecurity Workforce,” showed that just 26% of the U.S. cybersecurity workforce identifies as non-Caucasian. While this compares favorably to Department of Labor statistics that show only 22% of the overall U.S. labor force is made up of minorities², this is still a low ratio that could be improved by creating programs that specifically market the path to a cybersecurity career to a wider talent pool.

Furthermore, employment among cybersecurity professionals who identify as racial or ethnic minorities tends to be concentrated in non-management positions, with fewer occupying leadership roles, despite being highly educated. And here as well, our research showed that an inequity in pay exists. Despite higher levels of education, a cybersecurity professional of color earns less than their Caucasian counterparts on average.

Under-participation in cybersecurity by large segments of our potential workforce, be it women or minorities, represents a loss of opportunity for individuals and a loss of collective creativity in solving the problems we face in the field. Not only is this an issue of inequity, it is a threat to our global economic viability as a nation. The major opportunities as we see them are a stronger focus on equal pay for women and minorities in cybersecurity, more advancement and leadership opportunities for deserving professionals, formalized mentorship programs to help unearth untapped potential and hidden talents, and more programs that expose young women and minorities to technical skills earlier in their educational lives.

I thank you for your time today and look forward to answering any questions you may have to the best of my ability.

[End of Opening Oral Statement]