Breaking down barriers: How to make cybersecurity more inclusive and diverse
The need for more cybersecurity workers is clear. (ISC)² reports that more than 3.4 million people are needed to fill the global cybersecurity workforce gap. But when it comes to filling those roles, some of the numbers are startling.
According to Cybersecurity Ventures, the percentage of women in cybersecurity roles has doubled in the past decade, yet women still fill just 25% of security jobs. In addition, various studies have shown that:
- Those who identify as a racial or ethnic minority tend to be concentrated in non-management positions.
- That same group also reports receiving far more workforce harassment than their peers.
- Women of color received the lowest average salary; Caucasian men received the highest.
“Every day, this data seems to be more depressing,” said Gene Yoo, founder of Resecurity and someone who has worked in cybersecurity for Warner Brothers, Sony and more.
Yoo said we need to ask, “Why do we have a diversity problem in the first place?”
Moving beyond the “firsts”
BIPOC and underrepresented people are often firsts, said Vic Malloy, the Education Ambassador for the CyberTexas Foundation. He was the first African American to be a squadron commander and IT Director for the National Security Agency in San Antonio, Texas. He was the only person of color in high school taking computer courses.
“It’s always been, I walk in the room, and I’m the only one,” Malloy said. “Why are there not more folks like myself?”
Malloy said some of it boils down to choice, but some of it is the ecosystem of America. He was only one month old when Martin Luther King Jr. gave the “I Have a Dream” speech. That wasn’t long ago.
“If women are 50% of the population, then it should be at least 50% or more in the workspace and in positions of leadership — and the same thing with people of color,” Malloy said.
Mari Galloway, CEO and founding board member for the Women’s Society of Cyberjutsu, found herself in a similar position in her first job in 2009: the only woman on the team.
What should you learn next?
“I was really hungry for that technical stuff, that hands-on — getting in there, the router and switches, and run the cables and getting dirty,” she said. “It sucked because I couldn’t. My team wouldn’t let me. At that time, I didn’t know if it was because I was a woman, if it was because I was new or if it was because I was a minority. I had no clue because I wasn’t thinking in those terms. [I didn't understand] until I went to my next job and I had the same experience.”
How to make cybersecurity more inclusive
Change starts with education. People in power and those who have the means need to reach out to the younger generation and let them know cybersecurity is a career option.
“It requires the digital immigrants, like myself, to reach out to the digital natives, and that’s those who were born after The Matrix came out,” Malloy said. “Let’s make sure that they don’t have to relive those same old lines from the past.
Malloy said that Blacks in Cybersecurity is reaching out to minorities to help them broaden the scope of their career opportunities.
For Galloway, she looks to leadership to find true diversity.
“You say you’re about diversity as an organization. You say you’re about equity, but what does that really look like in the makeup of your senior leadership?” Galloway said, adding that if people can’t see themselves in leadership, they will not pursue a spot at that table. It's a perception that needs to change.
Growing the DEI talent pipeline
“There's a shift going on right now to attract, retain and grow resources,” said Lisa Tetrault of Arctic Wolf. “Attracting new talent into cyberspace, that is happening. And I think companies and organizations are now finding candidates that historically didn't exist or they didn't have.”
Tetrault works with Women in Cyber and CyberX to help bring diverse cybersecurity professionals into the industry. She said these organizations bring awareness and develop programs and pathways to support diverse talent trying to get into cybersecurity. This is different from when she grew up when nobody visited her school and told girls to be in STEM.
But hiring is only the beginning; there must be a path for underrepresented groups and a path forward within the organization to succeed.
“Many companies have started to develop programs for up-and-coming diverse and underrepresented talent,” Tetrault said. “Companies have executive coaching and mentorship and training programs to shore up this gap. And I think there's a strong desire for change and visible action by many companies on this front.”
Overcoming hurdles and imposter syndrome
One of the challenges is job descriptions — and it's systemic, as Peter Dornheim and Dr. Thorsten Weber from SAP SE demonstrated at RSA Conference 2023. They prompted ChatGPT to write an entry-level cybersecurity job description, and the description included requirements for two years of experience and familiarity with multiple frameworks and technical tools.
“That is just completely useless because you’re not hiring somebody’s experience,” Yoo said. “You’re hiring somebody’s desire and passion.” Yoo thinks job requirements, or the ticking of checkboxes, shouldn’t matter.
He added: “It’s really about are you inquisitive. Are you here to solve a problem?”
What should you learn next?
Studies have shown that those overwritten job description lead less women to apply. Galloway said this happened to her: not applying to a job due to thinking she didn't fit enough requirements. But she said you have nothing to lose in applying. “Apply for the job, and then go out and find the recruiter and talk to the recruiter,” Galloway added. “Talk to folks at the company, right? Use your network to get your foot in the door?”
Malloy agrees: “We need more women and more minorities to stop with the imposter syndrome. You see something out there, and you’ve got a passion for it, and you’ve got an interest, and you’re willing to commit yourself to it. Raise your hand. Put your hat in the ring, and hopefully, someone will acknowledge that and sponsor you.”
The industry isn’t quite where it needs to be yet, but it is improving, Tetrault said.
“At the end of the day, if we come from a place of belonging and inclusion and diversity, this whole ecosystem of cyber talent, it's going to get better, it's going to get stronger, and nothing's going to stop us. We're going to get this.”
In this Series
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cyber security hiring: Tips and best practices
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
- I failed my CREST Certified Infrastructure Tester exam: Here’s my story
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity