How to create a more diverse cybersecurity workforce
Introduction
Some people reading this will probably think, oh no, not another article about diversity in the workplace. But what is diversity?
Cybersecurity threats are now as much about the human factor as the technological. It makes sense to have as many different eyes and voices within a team looking to mitigate threats, as there are threat vectors. Diversity in cybersecurity is about creating a group of people to reflect the real-world; diverse people to give a perspective on a diverse problem.
What should you learn next?
But what does it take to create a diverse workforce in cybersecurity when the field has a reputation of being anything but?
The current landscape for diversity in cybersecurity
A typical IT security team would be composed of around 24% female staff or around 26%
ethnic minority staff, the latter tending to hold non-managerial positions. Parity of salary is a serious issue for minority groups, especially female minorities. Women of color earn almost $10K less than their white male counterparts.
I haven’t included anyone who is from the LGBTQ community or disabled, as I don’t have recent figures for cybersecurity, but you can probably extrapolate from the above that their representation is pretty low.
There will be exceptions to the above “typical” team, but those exceptions only serve to prove the rule.
We build what we are
I will start by showing a recent tweet from Lisa LeVasseur. Lisa is a founder of the Me2B Alliance and has a long history of working in the tech sector.
“We build what we are.” This is the crucial message I want to use in this article.
Cybersecurity is about human beings as much as it is about technology. We have seen this time and again. Verizon’s 2019 Data Breach Investigations Report (DBIR) pointed out that human factors are adding a layer of complexity to security threat mitigation. Kaspersky found that around 90% of data breaches are caused by human beings tricked using social engineering.
The humans that are tricked or conned, or who make errors that lead to data breaches, are a diverse lot. The cybercriminal does not tend to care what the sex or ethnicity of the target is, as long as they get the intended result.
A diverse team brings new ways of looking at things and we need new ways to see the convoluted matrix of modern cybersecurity threats: if you have a different experience of life, you bring different ways of looking at a problem.
The management and mitigation of cybersecurity issues is not getting easier. Individual attack types like cryptomining bots may be suppressed for a while, but they resurface as new forms of threat. And new social engineering tricks pop up regularly or morph into ever-more sophisticated ones. Good minds from every part of life need to be involved to sort out the never-ending challenges we are facing in the security arena.
In a related community, national intelligence and security, a 2015 report from the UK’s Intelligence and Security Committee stated on the subject of recruiting diverse candidates:
“This is not just an ethical issue: it is vitally important from an intelligence perspective. Both the public and private sectors increasingly realise that organisations benefit from a diverse workforce. This is not in order to meet targets or tick boxes, but because diversity provides a competitive advantage: different people approach the same problem in different ways and find different solutions, and this competition, collaboration and challenge is essential to making progress.”
As Lisa said, “we build what we are.” We take our mindset, our experiences, our person into our work. This is true in any technology sector, including cybersecurity.
How to build and retain a diverse cybersecurity team
It’s all well and good to be shouting for change and bringing in work colleagues from a variety of backgrounds, but how do you create a representative security team? It isn’t easy. I offer three core suggestions below:
Reaching out to diverse people for your security team
The first step is to find the women and ethnic minorities who want to work in cybersecurity roles. This is definitely easier than it was ten years ago, but it still requires effort.
In a recent podcast interview by Infosec's own Chris Sienko with Dark Reading's Kelly Sheridan, Chris asked: “Does the cybersecurity industry have a marketing problem when it comes to attracting diverse candidates?” Kelly replied that the industry is so male-dominated that this sets up a “red flag for women looking for a community and mentors.” She focused on a lack of role models in the industry.
Kelly also pointed out that this is slowly changing, and more women are taking up posts. It may be that if your team already has a female or ethnic minority person onboard, it will be easier to encourage more people from those backgrounds to join.
You can also look to the various industry groups set up to support women and ethnic minorities in cybersecurity. Consider reaching out to organizations like Women in Cybersecurity (WiCys) and the International Consortium of Minority Cybersecurity Professionals (ICMCP).
Boys will be boys
Culture is created even in the microcosm environment of a company. The IT security sector has built up a particular culture over the last 20 or so years that is reflected in everything from language to the way conferences are still male-dominated. Even the conference swag often has a male element to it (e.g., make sure your conference t-shirts come in female sizes and shaped for a woman’s body).
Simply put, “bro culture” doesn’t encourage people who do not come from the same type of background. This is fine if you want to continue to have white male-dominated teams. But if you want to have a team that is more representative of the wider community and world, build your corporate culture to reflect this.
Parity is power
Make sure you have pay parity. I know this is a bone of contention with many folks who feel it isn’t real, but believe me, it happens. Pew Research found that in 2018, women were paid around 85% of their male counterparts.
And it isn’t just women who experience unequal pay conditions. I have witnessed it happen to white men, as well as minority groups, and I have personally experienced it in three roles spanning two areas (science and technology). It does happen, and it causes division and anger. Pay people their worth and you will be rewarded with commitment and loyalty.
The melting pot of cybersecurity
According to the latest research from the National Initiative for Cybersecurity Education (NICE), there is going to be a shortfall of around 314,000 cybersecurity professionals in the USA. This fits the McAfee/CSIS figures which found that 82% of employers reported a shortage of cybersecurity skills.
With growing and more complex cybersecurity threats, we cannot afford to turn good candidates away from jobs in the sector. Creating a culture that encourages diverse candidates into cybersecurity will benefit everyone. Diversity, after all, isn’t about tolerance; it’s about embracing difference. Vive la difference.
What should you learn next?
Sources
- (ISC)² Cybersecurity Workforce Study: Women in Cybersecurity, (ISC)²
- (ISC)² Study Finds U.S. Minority Cybersecurity Professionals Underrepresented in Senior Roles, (ISC)²
- 2019 Data Breach Investigations Report, Verizon
- Understanding Security of the Cloud: from Adoption Benefits to Threats and Concerns, Kaspersky
- Women in the UK Intelligence Community, Intelligence and Security Committee of Parliament
- The narrowing, but persistent, gender gap in pay, Factank
- Cybersecurity Supply/Demand Heat Map, CyberSeek
- Hacking the Skills Shortage, McAfee
In this Series
- How to create a more diverse cybersecurity workforce
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity