Taavi Must is Founder and CEO at RangeForce, which provides a scalable, cloud-based and interactive cybersecurity training platform.
Source: Forbes.com, Apr 23, 2021, 08:30am
All movements that have shaken up social order in recent years appear to have made little impact on the diversity in cybersecurity ranks. Among all the hashtags — #SeeHer, #BlackLivesMatter and the rest — maybe we should add #InfoSecSoWhite.
It’s not just an image problem; as the International Consortium of Minority Cybersecurity Professionals (ICMCP) points out, women are barely 14% of the information security ranks, while women make up 51% of the U.S. population. The U.S. Labor Department says African Americans make up a scant 3% of infosec analysts in the U.S. today. And yet, at the same time, the cybersecurity industry complains about a persistent talent shortage.
What Are The Biggest Barriers To Diversity?
Some of this disparity may be due to a lack of knowledge among these diverse populations. A survey from (ISC)², the international association of certified cybersecurity professionals, found 77% of cyber pros polled said cybersecurity was not offered as part of their educational curriculum. That made it hard for them to get a clear picture of what is involved in a career in cybersecurity or how to build one for themselves.
But we can’t lay all the blame on a failure to communicate. As anyone who saw Hidden Figures knows, the early ranks of computer programmers included many women of color. Somewhere in the adolescence of the Computer Era in the 1980s, young men flooded into programming, and coding became a boys’ club that only recently has been challenged by organizations like Girls Who Code and Black Girls Code.
As cybersecurity became an established discipline, it picked up some of the more worrisome traits from STEM: It’s heavily white and male. The pipeline doesn’t have enough diversity to begin with; ICMCP points out that the ranks of STEM workers are only 6% African American and 7% Hispanic, while the total U.S. workforce is 11% Black and 15% Latinx by comparison.
Granted, cybersecurity is not the flashiest discipline in the STEM portfolio, so it’s hard to promote it to underrepresented groups as a juicy career path. It sadly suffers from a reputation as a world of dimly-lit cubicles where nerds enforce password hygiene. More than two-thirds of technology professionals think cybersecurity is a good career path — for someone else. Generation Z had the worst opinions of cybersecurity professionals — bad news for future prospects.
The pipeline is problematic, to start. While enrollment in STEM programs is becoming more diverse, it’s still so overwhelmingly white and male that disparities should continue for a while. A recent report from the Institute for Critical Infrastructure Technology quoted National Security Agency cybersecurity advisor Rob Joyce, who concluded, “If the computer science outlook looked like the demographics of our country, we would up those numbers [in the pipeline] significantly.”
How To Build More Diversity In Cybersecurity
The industry has to take proactive steps to reduce and eventually eliminate the disparity in representation. In India, government initiatives to recruit women into STEM education programs have expanded their representation in cybersecurity to 34% of staff — not quite parity, but more than twice their participation rate in the U.S.
We need to put a stronger emphasis on recruitment and partnerships with educational institutions — especially at learning institutions with diverse enrollment, such as Historically Black Colleges and Universities (HBCUs), to attract more diverse enrollment into their cybersecurity programs.
Potential employers need to partner with trade groups that can connect them with networks outside the traditional pool of prospects. Organizations like Women in Cybersecurity are challenging the gender gap in information security. Another group, Blacks in Cybersecurity, began in 2018 as a series of meetups and has added conferences and other events. At my company, we’ve partnered with BlackGirlsHack to provide training resources to increase female representation and diversity in cybersecurity.
And it’s not just about recruiting cyber professionals; it’s about keeping them. The tech industry has been faulted — often correctly — for its bro-ishness and how it treats women, racial minorities, LGBTQ staff and others. The landmark Tech Leavers study was fairly scathing about the culture issues that drive women and minorities away, and estimated the turnover costs the tech industry $1.6 billion a year; as a part of the industry, cybersecurity loses its share.
How Can We Make This Happen?
Less representation in leadership, lower average salaries and fewer raises “seem to create a trifecta of obstacles for minorities pursuing a career in cybersecurity,” is the conclusion of (ISC)² in their research linked above. We can correct this.
Mentorship and training programs that support professional development and career advancement are effective in retaining and elevating diversity in cybersecurity staff. A report developed by (ISC)² and ICMCP found almost two-thirds of people of color considered training programs very important to help them thrive in their organization, and the study concluded that helping them move up to leadership helps push diversity along.
In the U.S. alone, the cybersecurity workforce stands at more than 879,000 at last count, but it still faces a shortage of more than 359,000 professionals, according to (ISC)². The U.S. Census Bureau says only 60% of Americans consider themselves white, so in theory, to represent other racial groups equitably, 40% of open positions should be filled with a more diverse staff.
That kind of back-of-the-envelope calculation can risk turning into quotas that become an exercise in ticking off checkboxes. Diversity efforts need to be multilayered and crafted to reach out to students from an early age through college, then continue to nurture talent throughout their careers.
Two-thirds of those people driven out of their jobs in the Tech Leavers study said they would have stayed if companies had fixed their culture. The study concluded one-offs like unconscious bias training don’t have the impact of a full diversity and inclusion strategy.
Companies should set up internal metrics for community outreach and recruitment that are part of a comprehensive plan, not just put up a booth in a college job fair.