Axios Codebook

July 21, 2023
TGIF, everyone. Welcome back to Codebook.
- If you, like me, have already seen the "Barbie" movie, I must hear your thoughts immediately.
- Have non-"Barbie" thoughts, feedback or scoops to share? [email protected].
Today's newsletter is 1,384 words, a 5.5-minute read.
1 big thing: The cyber workforce is slowly diversifying
The cybersecurity workforce is becoming less white, but there's still a ways to go to attract minority workers to the field and keep them there.
Why it matters: White men have historically dominated the cybersecurity industry, and the U.S. has enough cybersecurity workers to fill only 69% of available jobs, according to government data.
- Attracting more women and people of color has become a top priority as employers struggle to find candidates who can help keep their networks safe from cyberattacks.
By the numbers: 66% of cyber professionals who joined the field in the last 12 months across Canada, the U.K., the U.S. and Ireland aren't white, Clar Rosso, chief executive officer of cyber certification and training company (ISC)², told Axios.
- The cybersecurity workforce also grew by roughly 10% in the last year — but that growth still wasn't enough to keep pace with the rapid demand for cybersecurity workers, Rosso said.
- Rosso shared these statistics with Axios during a recent interview teeing up (ISC)²'s 2023 cyber workforce survey coming this fall.
What they're saying: "There is absolutely a demand for bodies, but the other thing that we're starting to find is that there's a skills gap," Rosso told Axios on the sidelines of the (ISC)² Global DEI Summit in Arlington, Virginia, last week.
- "Even if we have the bodies, we may not have the specific skills we need to do the work that we need to do," she added.
Zoom out: Demand has been growing for cybersecurity workers in recent years as more companies start to face a deluge of ransomware and other cyberattacks.
- This growing demand has left recruiters and new entrants to the workforce moving at breakneck speed to either fill positions or get the training they need to enter the field.
- And that fast-paced energy has come with some pitfalls: It's pretty common for recruiters to require unnecessary, high-level cybersecurity certifications for entry-level jobs — and for job candidates to spend money and time on unnecessary degree programs because they're misinformed about the education needed.
Between the lines: Many companies are now finding success attracting diverse candidates through simple tactics, Rosso said.
- (ISC)²'s data now reflects that companies that mention internal diversity, equity and inclusion programs in job descriptions are having an easier time hiring, she said.
- And companies that take the time to tailor their job listings to include only the trainings and skills needed for the role have an easier time attracting workers too, Rosso added.
The intrigue: Not all new entrants to the cybersecurity workforce are young, according to (ISC)²'s data.
- "We are seeing the career change, so that reinforces that point that if you have the right nontechnical and mindset skills, then you can be trained on the technical," Rosso said.
- (ISC)² is also starting to see an uptick in people from tech backgrounds coming into cybersecurity, suggesting some of those new entrants are trading in their IT know-how for security.
Yes, but: Cybersecurity workers are facing massive burnout right now, which could make it difficult to keep new entrants in the field.
- 61% of cybersecurity workers say they're burned out, according to a survey released earlier this year by Cobalt.
What's next: All eyes are on the White House's forthcoming cybersecurity workforce strategy, which could help signal to the private sector how best to attract and retain talent.
2. North Korean hackers linked to IT firm breach
Cloud IT provider JumpCloud confirmed Thursday that North Korean state-backed hackers broke into its systems last month.
Driving the news: Security researchers and a Reuters report warned ahead of JumpCloud's confirmation that North Korea was behind the attack, which started in late June.
- JumpCloud said in a statement that fewer than five customers were impacted across fewer than 10 devices. The company serves more than 200,000 organizations.
- Tom Hegel, a researcher at SentinelOne, and CrowdStrike, which has been working with JumpCloud, both concluded that a North Korean hacking group was likely behind the intrusion.
- Reuters also reported — and incident responders at Mandiant concurred in an emailed statement — that the North Korean hackers likely targeted JumpCloud as a way of reaching its cryptocurrency customers.
Why it matters: The incident marks a departure from North Korea's direct attacks on crypto firms toward stealthier, more-advanced supply chain attacks.
- Earlier this year, North Korean hackers also targeted video conferencing tool 3CX in a double supply chain attack to get to a handful of cryptocurrency firms.
The big picture: It's pretty common for North Korea to target cryptocurrency firms in an attempt to fund its regime.
- However, previous attacks typically targeted cryptocurrency firms directly.
Yes, but: So far, North Korea's supply chain attacks have failed to reach the same scale and impact as other, more notable attacks, like the Russian cyber-espionage campaign that targeted IT firm SolarWinds and affected roughly 100 companies.
- Even the 3CX attack is believed to have affected only a handful of crypto firms.
3. Remembering notorious hacker Kevin Mitnick
Kevin Mitnick, the world's most notorious hacker. Photo: Craig F. Walker/The Denver Post via Getty Images
The cybersecurity community is mourning the loss of "the world's most famous hacker" this week.
What's happening: Kevin Mitnick, best known for his skillful use of social engineering to hack companies in the 1980s and 1990s, died Sunday at 59 after a 14-month battle with pancreatic cancer.
- "Kevin will always remain 'the world's most famous hacker' and was renowned for his intelligence, humor and extraordinary skill with technology, surpassed only by his talent as the original 'social engineer,'" his family and the company KnowBe4, where Mitnick was chief hacking officer, said in a statement Thursday.
The big picture: Mitnick gained notoriety after breaking into several high-profile companies around the globe — including Motorola, Nokia and Sun Microsystems — just as the world was learning what the internet was.
- Following a yearslong manhunt, the FBI arrested Mitnick in 1995. The book "Takedown," which later got its own movie, is based on the pursuit.
- After his release, Mitnick became a polarizing but prominent figure in the cybersecurity industry. He'd go on to testify before Congress, write several books and build his own consulting business.
What they're saying: "There are genuinely bad people, genuinely evil people, genuinely dangerous on the web right now," Mark Rasch, the former prosecutor who investigated Mitnick, told the Washington Post. "I would not put Kevin Mitnick in that category."
- "I am grateful we have so many friends all over the world who will teach our son how to hack and more importantly who the real Kevin Mitnick was," Kimberley Mitnick, Kevin's wife, wrote in a tweet.
Go deeper: Pioneering hacker Kevin Mitnick, FBI-wanted felon turned security guru, dead at 59 (Associated Press).
4. Catch up quick
@ D.C.
The White House says seven companies have agreed to voluntary "commitments" to make AI products safer, including investments in cybersecurity. (Axios)
Suspected Chinese hackers accessed email accounts belonging to the U.S. ambassador to China and the assistant secretary of state for East Asia in the recent Microsoft breach. (Wall Street Journal)
Rob Joyce, director of cybersecurity at the National Security Agency, described last week's Microsoft cloud hack as an example of traditional espionage. (New York Times)
@ Industry
Microsoft will expand access to security logs in September for lower-cost cloud customers after the suspected China-backed breach. (Axios)
Apple is threatening to remove FaceTime and iMessage in the U.K. if lawmakers pass an update to the Investigatory Powers Act requiring messaging services to get government approval for new security features. (BBC)
Google claims an Apple employee discovered a zero-day vulnerability in Chrome and didn't report it. (TechCrunch)
@ Hackers and hacks
Russian state-sponsored hacking group Turla is believed to be targeting the defense sector across Ukraine and Eastern Europe in a new malware campaign. (BleepingComputer)
U.K. regulator Ofcom says it will not make a ransom payment as it responds to a data breach tied to a MOVEit vulnerability. (TechCrunch)
5. 1 fun thing
Shoutout to the kind Codebook readers who sent in tips this week for harness training one of my adventure-seeking cats.
- Place the new leash or harness in "familiar surroundings" and rub it in catnip, reader Ken Briers wrote in.
- "Try walks on a lawn to see if Lola also has an adventurous hunting streak," reader Dan Flaherty advised.
- But don't forget, "no matter what the cat whisperers on TV say about their cat powers, the secret sauce to training is treats, treats, treats, ha," Dan added in a follow-up message.
See y'all on Tuesday!
Thanks to Scott Rosenberg for editing and Khalid Adad for copy editing this newsletter.

Decode key cybersecurity news and insights. With Sam Sabin.



