Last year, Cybersecurity Ventures predicted that by 2021, 3.5 million cybersecurity positions will be unfilled. The shortage of skilled cybersecurity professionals, along with the well-known diversity problems in the tech industry, have led several organizations to develop diversity initiatives to encourage more women and other underrepresented groups to explore cybersecurity as a career.
InfoSec Institute, for example, recently launched a scholarship program offering scholarships for cybersecurity students and aspiring cybersecurity professionals to gain free enrollment into cybersecurity training bootcamps. Four different opportunities are available: one for women; one for African-Americans, Hispanics or Native North Americans; one for active U.S. military personnel or veterans; and one for college seniors.
Women’s representation in the cybersecurity workforce, according to a Frost & Sullivan’s 2017 report, ranges from 5 percent in the Middle East to 14 percent in North America. Another Frost & Sullivan report found that 26 percent of the cybersecurity workforce are minorities. According to Data USA, almost three-fourths of information security analysts are white.
Kirsten Ward and Saher Naumann, threat intelligence analysts at BAE Systems who created a cybersecurity conference for women this month, argue that female experts in cybersecurity “exist in abundance” but don’t receive the exposure that their male counterparts do, particularly when it comes to speaking engagements at conferences.
What’s the Solution?
Recent research by Training Industry, Inc. has found that across industries, training is key to shrinking the gender gap in leadership. This is true of the gender gap in cybersecurity, and likely for diversifying in other ways as well. For instance, Hewlett Packard Enterprise has found success hiring and training adults with autism as analysts testers in cybersecurity, and training can improve employment opportunities for veterans and the performance of the companies they work for.
Ward says offering unconscious bias training and creating an inclusive environment is important. “We need to change the perception that people in cyber security are men wearing hoodies working in a dark room.” Similarly, Jack Koziol, CEO and founder of InfoSec Institute, says, “Changing [the] imbalance requires a shift in company culture and recruiting efforts, as well as changing how our society views security practitioners generally.” He also references the “white men in hoodies” image, saying it discourages “women and people of color from pursuing a career in security, because they simply don’t see the field as a viable option for them.”
A large volume of research has shown that diversity of perspective, often through diversity of gender, race, ethnicity, ability and experience, is critical for innovation and effective decision-making. Koziol says this is true of cybersecurity, where “perspective and experience are as important … as technical skills. Cybersecurity needs good managers, strategists, problem-solvers and critical thinkers.” Organizations can train employees in technical skills; they can’t conjure diversity.
Building an inclusive culture is key to supporting diversity, as employees must feel valued in order to contribute their best work. Koziol recommends developing a mentoring program to build trust and ensure the organization is benefiting “from the perspectives and experiences a diverse workforce provides.” Mentors or “buddies” can also help employees with autism and other disabilities navigate the workplace.
Before embarking on any new strategies or programs, Koziol says, it’s important to measure where you are now and set goals for where you want to go. “As a learning and development leader, you might find your recruitment efforts are strong, but retention of minority and women staff is low,” he says as an example. “This could point to a lack of mentorship opportunities for minority staff, or even systemic issues at your organization like bias and racism.” Knowing where the problem is will inform your solution. Then, determine the metrics you’ll use to measure success. They might include earnings, seniority level, and voluntary and involuntary attrition rates.
Cybercrime is rising, and the cybersecurity workforce isn’t growing accordingly. To make sure our organizations – and our people – are safe, we need to find new ways to develop that workforce. Breaking down systemic barriers to diversify the workforce is an important first step.