Breaking down barriers: How to make cybersecurity more inclusive and diverse
The need for more cybersecurity workers is clear. (ISC)² reports that more than 3.4 million people are needed to fill the global cybersecurity workforce gap. But when it comes to filling those roles, some of the numbers are startling.
According to Cybersecurity Ventures, the percentage of women in cybersecurity roles has doubled in the past decade, yet women still fill just 25% of security jobs. In addition, various studies have shown that:
- Those who identify as a racial or ethnic minority tend to be concentrated in non-management positions.
- That same group also reports receiving far more workforce harassment than their peers.
- Women of color received the lowest average salary; Caucasian men received the highest.
“Every day, this data seems to be more depressing,” said Gene Yoo, founder of Resecurity and someone who has worked in cybersecurity for Warner Brothers, Sony and more.
Yoo said we need to ask, “Why do we have a diversity problem in the first place?”
Moving beyond the “firsts”
BIPOC and underrepresented people are often firsts, said Vic Malloy, the Education Ambassador for the CyberTexas Foundation. He was the first African American to be a squadron commander and IT Director for the National Security Agency in San Antonio, Texas. He was the only person of color in high school taking computer courses.
“It’s always been, I walk in the room, and I’m the only one,” Malloy said. “Why are there not more folks like myself?”
Malloy said some of it boils down to choice, but some of it is the ecosystem of America. He was only one month old when Martin Luther King Jr. gave the “I Have a Dream” speech. That wasn’t long ago.
“If women are 50% of the population, then it should be at least 50% or more in the workspace and in positions of leadership — and the same thing with people of color,” Malloy said.
Mari Galloway, CEO and founding board member for the Women’s Society of Cyberjutsu, found herself in a similar position in her first job in 2009: the only woman on the team.
“I was really hungry for that technical stuff, that hands-on — getting in there, the router and switches, and run the cables and getting dirty,” she said. “It sucked because I couldn’t. My team wouldn’t let me. At that time, I didn’t know if it was because I was a woman, if it was because I was new or if it was because I was a minority. I had no clue because I wasn’t thinking in those terms. [I didn’t understand] until I went to my next job and I had the same experience.”
How to make cybersecurity more inclusive
Change starts with education. People in power and those who have the means need to reach out to the younger generation and let them know cybersecurity is a career option.
“It requires the digital immigrants, like myself, to reach out to the digital natives, and that’s those who were born after The Matrix came out,” Malloy said. “Let’s make sure that they don’t have to relive those same old lines from the past.”
Malloy said that Blacks in Cybersecurity is reaching out to minorities to help them broaden the scope of their career opportunities.
Galloway looks to leadership to find true diversity.
“You say you’re about diversity as an organization. You say you’re about equity, but what does that really look like in the makeup of your senior leadership?” Galloway said, adding that if people can’t see themselves in leadership, they will not pursue a spot at that table. It’s a perception that needs to change.
Growing the DEI talent pipeline
“There’s a shift going on right now to attract, retain and grow resources,” said Lisa Tetrault of Arctic Wolf. “Attracting new talent into cyberspace, that is happening. And I think companies and organizations are now finding candidates that historically didn’t exist or they didn’t have.”
Tetrault works with Women in Cyber and CyberX to help bring diverse cybersecurity professionals into the industry. She said these organizations bring awareness and develop programs and pathways to support diverse talent trying to get into cybersecurity. This is different from when she was growing up, when nobody visited her school and told girls to be in STEM.
But hiring is only the beginning; there must be a path for underrepresented groups and a path forward within the organization to succeed.
“Many companies have started to develop programs for up-and-coming diverse and underrepresented talent,” Tetrault said. “Companies have executive coaching and mentorship and training programs to shore up this gap. And I think there’s a strong desire for change and visible action by many companies on this front.”
Overcoming hurdles and imposter syndrome
One of the challenges is job descriptions — and it’s systemic, as Peter Dornheim and Dr. Thorsten Weber from SAP SE demonstrated at RSA Conference 2023. They prompted ChatGPT to write an entry-level cybersecurity job description, and the description included requirements for two years of experience and familiarity with multiple frameworks and technical tools.
“That is just completely useless because you’re not hiring somebody’s experience,” Yoo said. “You’re hiring somebody’s desire and passion.” Yoo thinks job requirements, or the ticking of checkboxes, shouldn’t matter.
He added: “It’s really about are you inquisitive. Are you here to solve a problem?”
Studies have shown that overwritten job descriptions lead fewer women to apply. Galloway said this happened to her: she did not apply for a job because she thought she didn’t meet enough of the requirements. But she said you have nothing to lose in applying. “Apply for the job, and then go out and find the recruiter and talk to the recruiter,” Galloway added. “Talk to folks at the company, right? Use your network to get your foot in the door?”
Malloy agrees: “We need more women and more minorities to stop with the imposter syndrome. You see something out there, and you’ve got a passion for it, and you’ve got an interest, and you’re willing to commit yourself to it. Raise your hand. Put your hat in the ring, and hopefully, someone will acknowledge that and sponsor you.”
The industry isn’t quite where it needs to be yet, but it is improving, Tetrault said.
“At the end of the day, if we come from a place of belonging and inclusion and diversity, this whole ecosystem of cyber talent, it’s going to get better, it’s going to get stronger, and nothing’s going to stop us. We’re going to get this.”