Aptitude Assessments and Diversity in Cybersecurity as a “Natural Byproduct”

Part three of our analysis on the Executive Order on America's Cybersecurity Workforce
May 9, 2019

This is the third post in a series on the Executive Order on America’s Cybersecurity Workforce. The first post in the series is available here, and the second is here.

While announcing the release of the new executive order on cybersecurity workforce development, administration officials indicated that they hoped diversifying the cybersecurity workforce would be a “natural byproduct” of the changes prescribed in the order. The document itself does say that the “cybersecurity workforce is a diverse group of practitioners,” but does not explicitly undertake any measures to promote demographic diversity as such. In fact, if implemented without diversity in mind, some tools mandated by the order—particularly the aptitude assessment—could be very damaging.

We start here with two givens: diversity strengthens cybersecurity, and the cybersecurity workforce struggles on this front. For more on either of these topics, see our prior work here, here, and here.

Diversity can certainly be baked into workforce development efforts. Current hiring relies heavily on applicants with bachelor’s degrees in computer science or a similar field. That population is predominantly white and male. By finding ways to identify candidates from different backgrounds—community colleges, different fields of study, career changers, parents returning to the workforce as their children enter school, etc.—employers stand a good chance of increasing diversity. But that is more of what you might think of as “diversity by design” than a “natural byproduct.”

The EO calls for the deployment of an aptitude assessment to identify talent hidden among the general federal workforce. This could be a very positive or a very negative tool for increasing diversity depending on how it is implemented. The trouble is that there is not a lot of publicly available data within the cybersecurity context to inform that implementation.

Such tests do currently exist, but they are generally paid products or the “secret sauce” of a training program. The SANS Institute, for example, has an aptitude test available for purchase for $150 per individual test, or $3,750 for a pack of 25. Tests like this are typically proprietary, which gives them a “black box” quality: we do not know exactly how they define cybersecurity aptitude.

Intuitively, a test designer might frame “aptitude” as a set of characteristics displayed by current workers who are successful in cybersecurity jobs. But that methodology seems like a great way to identify candidates who have backgrounds and experiences akin to those reflected in the existing cybersecurity workforce.

In other words, the danger is that we might implement a test that identifies candidates who resemble the workforce we already have. It is also worth noting that this methodology would be a great way to find ourselves unprepared for future changes in the practice of cybersecurity. The ideal cybersecurity workforce of the future is likely to need much more familiarity with machine learning tools than the current workforce.

With all this said, diversity is—and has been for years—an enormous part of the conversation in cybersecurity workforce development. It is hard to overlook the fact that it was not discussed explicitly in this executive order. Unless agency leaders are significantly more concerned about cybersecurity workforce diversity than the White House, the Administration’s hope that diversity will just happen is not confidence-inspiring. Diversity should be a feature, not a byproduct.