How to create a more diverse cybersecurity workforce
Some people reading this will probably think, oh no, not another article about diversity in the workplace. But what is diversity?
Cybersecurity threats are now as much about the human factor as the technological. It makes sense to have as many different eyes and voices within a team looking to mitigate threats as there are threat vectors. Diversity in cybersecurity is about creating a group of people to reflect the real world; diverse people to give a perspective on a diverse problem.
But what does it take to create a diverse workforce in cybersecurity when the field has a reputation of being anything but?
The current landscape for diversity in cybersecurity
A typical IT security team would be composed of around 24% female staff or around 26% ethnic minority staff, the latter tending to hold non-managerial positions. Parity of salary is a serious issue for minority groups, especially female minorities. Women of color earn almost $10K less than their white male counterparts.
I haven’t included anyone who is from the LGBTQ community or disabled, as I don’t have recent figures for cybersecurity, but you can probably extrapolate from the above that their representation is pretty low.
There will be exceptions to the above “typical” team, but those exceptions only serve to prove the rule.
We build what we are
I will start by showing a recent tweet from Lisa LeVasseur. Lisa is a founder of the Me2B Alliance and has a long history of working in the tech sector.
“We build what we are.” This is the crucial message I want to use in this article.
Cybersecurity is about human beings as much as it is about technology. We have seen this time and again. Verizon’s 2019 Data Breach Investigations Report (DBIR) pointed out that human factors are adding a layer of complexity to security threat mitigation. Kaspersky found that around 90% of data breaches are caused by human beings tricked using social engineering.
The humans that are tricked or conned, or who make errors that lead to data breaches, are a diverse lot. The cybercriminal does not tend to care what the sex or ethnicity of the target is, as long as they get the intended result.
A diverse team brings new ways of looking at things and we need new ways to see the convoluted matrix of modern cybersecurity threats: if you have a different experience of life, you bring different ways of looking at a problem.
The management and mitigation of cybersecurity issues is not getting easier. Individual attack types like cryptomining bots may be suppressed for a while, but they resurface as new forms of threat. And new social engineering tricks pop up regularly or morph into ever-more sophisticated ones. Good minds from every part of life need to be involved to sort out the never-ending challenges we are facing in the security arena.
In a related community, national intelligence and security, a 2015 report from the UK’s Intelligence and Security Committee stated on the subject of recruiting diverse candidates:
“This is not just an ethical issue: it is vitally important from an intelligence perspective. Both the public and private sectors increasingly realise that organisations benefit from a diverse workforce. This is not in order to meet targets or tick boxes, but because diversity provides a competitive advantage: different people approach the same problem in different ways and find different solutions, and this competition, collaboration and challenge is essential to making progress.”
As Lisa said, “we build what we are.” We take our mindset, our experiences, our person into our work. This is true in any technology sector, including cybersecurity.
How to build and retain a diverse cybersecurity team
It’s all well and good to be shouting for change and bringing in work colleagues from a variety of backgrounds, but how do you create a representative security team? It isn’t easy. I offer three core suggestions below:
Reaching out to diverse people for your security team
The first step is to find the women and ethnic minorities who want to work in cybersecurity roles. This is definitely easier than it was ten years ago, but it still requires effort.
In a recent podcast interview by Infosec’s own Chris Sienko with Dark Reading’s Kelly Sheridan, Chris asked: “Does the cybersecurity industry have a marketing problem when it comes to attracting diverse candidates?” Kelly replied that the industry is so male-dominated that this sets up a “red flag for women looking for a community and mentors.” She focused on a lack of role models in the industry.
Kelly also pointed out that this is slowly changing, and more women are taking up posts. It may be that if your team already has a female or ethnic minority person onboard, it will be easier to encourage more people from those backgrounds to join.
You can also look to the various industry groups set up to support women and ethnic minorities in cybersecurity. Consider reaching out to organizations like Women in Cybersecurity (WiCyS) and the International Consortium of Minority Cybersecurity Professionals (ICMCP).
Boys will be boys
Culture is created even in the microcosm environment of a company. The IT security sector has built up a particular culture over the last 20 or so years that is reflected in everything from language to the way conferences are still male-dominated. Even the conference swag often has a male element to it (e.g., make sure your conference t-shirts come in female sizes and are shaped for a woman’s body).
Simply put, “bro culture” doesn’t encourage people who do not come from the same type of background. This is fine if you want to continue to have white male-dominated teams. But if you want to have a team that is more representative of the wider community and world, build your corporate culture to reflect this.
Parity is power
Make sure you have pay parity. I know this is a bone of contention with many folks who feel it isn’t real, but believe me, it happens. Pew Research found that in 2018, women were paid around 85% of what their male counterparts were paid.
And it isn’t just women who experience unequal pay conditions. I have witnessed it happen to white men, as well as minority groups, and I have personally experienced it in three roles spanning two areas (science and technology). It does happen, and it causes division and anger. Pay people their worth and you will be rewarded with commitment and loyalty.
The melting pot of cybersecurity
According to the latest research from the National Initiative for Cybersecurity Education (NICE), there is going to be a shortfall of around 314,000 cybersecurity professionals in the USA. This fits the McAfee/CSIS figures which found that 82% of employers reported a shortage of cybersecurity skills.
With growing and more complex cybersecurity threats, we cannot afford to turn good candidates away from jobs in the sector. Creating a culture that encourages diverse candidates into cybersecurity will benefit everyone. Diversity, after all, isn’t about tolerance; it’s about embracing difference. Vive la difference.
- (ISC)² Cybersecurity Workforce Study: Women in Cybersecurity, (ISC)²
- (ISC)² Study Finds U.S. Minority Cybersecurity Professionals Underrepresented in Senior Roles, (ISC)²
- 2019 Data Breach Investigations Report, Verizon
- Understanding Security of the Cloud: from Adoption Benefits to Threats and Concerns, Kaspersky
- Women in the UK Intelligence Community, Intelligence and Security Committee of Parliament
- The narrowing, but persistent, gender gap in pay, Fact Tank
- Cybersecurity Supply/Demand Heat Map, CyberSeek
- Hacking the Skills Shortage, McAfee