Diversity, Equity and Inclusion Challenges in Cybersecurity
(ISC)² Report: Fixing Underrepresentation of People of Color and Women in Cyber
Even as the workforce skills gap is becoming "more pronounced in cybersecurity" than in any other sector, companies in the space have a unique opportunity to bridge the gap while also diversifying their workforce and promoting inclusion.
In a report published earlier this week, (ISC)² - the international nonprofit association that certifies cybersecurity professionals - says minority security practitioners, including people of color and women, are underrepresented in the field and offers practical steps to address the issues.
The study, titled In Their Own Words: Women and People of Color Detail Experiences Working in Cybersecurity, was released at the ongoing (ISC)² Security Congress. Countries represented in the research, according to the report, include the United States, the United Kingdom, Germany, Croatia, Serbia, Singapore, Malaysia, South Africa and Canada.
In addition to being understaffed, cybersecurity has an imbalanced workforce that does not fairly and equally represent women, people of color and many other minority groups, (ISC)² tells Information Security Media Group.
The unique diversity, equity and inclusion - or DEI - challenges in cybersecurity, (ISC)² says, are embedded in some of the things that are most loved about the profession. "It is fast-paced and ever-changing, and therefore, pathways aren’t clear. We are not evangelizing effectively enough that this is a meaningful option for a broad set of diverse individuals," the organization says.
Unconscious Biases and Other Roadblocks
According to the report, women are "still very underrepresented in the cybersecurity industry across all countries."
"There is an overarching perception that professionals in the cybersecurity industry have a very homogeneous profile: white, middle-aged males, who have more than eight years of experience in an IT- or Computer Science-related field," the report says.
“Convincing the majority of cybersecurity professionals (white, middle-aged men) that diversity and inclusion is not a threat to their jobs or their companies, but an asset, is not going to be easy. There are many unconscious biases that are deeply ingrained in our system," an unidentified respondent in the study says.
Salaries for white men, according to the study's participants, were higher than those for women and minority ethnic professionals, even when they did the same job.
According to the (ISC)² 2020 Cybersecurity Workforce Study, women of all experience levels earn significantly less than their male counterparts globally in cybersecurity roles.
Men with less than one year of experience earned $26,836 more in 2020 than women with the same experience, the organization's latest DEI report says. "And those shortfalls don’t disappear further into a career. At the C-level, the differential between women’s and men’s salaries was $42,890 last year," according to the report.
Jennifer Tisdale, principal of cyber-physical systems security at cybersecurity company GRIMM, says she has witnessed gender disparity firsthand.
"The excerpt [in the report] that states that women are graded on proven experience while men are evaluated on their potential - I have witnessed this in my career. I have participated in interview panels, and heard the disparity in conversations once the candidate leaves the room. The evaluation of a woman’s experience was always more focused on her accomplishments, while the male candidates were measured by what they could bring to the organization," she says.
The primary issue that comes with a lack of gender, race, and neutral standpoint diversity is a lack of divergence in views and opinions when it comes to making decisions, Erkang Zheng, founder and CEO of cyber asset management platform JupiterOne, tells ISMG.
"Every person comes from their own unique background and history. The ability to empathize in different and deeper ways creates a well-rounded discussion for problems facing the cybersecurity team and the overall business," he adds.
In fact, according to Chloé Messdaghi, cybersecurity disruption consultant and researcher, recent examples of the deployment of facial recognition-based security and identity products show that when a product is developed solely by a white male product development team, inherent biases are often instituted into products at a fundamental level, causing "catastrophic harm for individuals and society."
Several participants from minority groups who shared their experiences in the (ISC)² report say that they have been "bypassed for advancement opportunities, particularly into leadership positions, even when their experience is comparable to that of a white male in the same position." The lack of diversity, they add, is "particularly significant in leadership positions."
According to Messdaghi, DEI cannot happen solely from the bottom.
"Candidates who see that an organization’s C-suite and board of directors are populated solely by white males may think twice about accepting a position, because it will be too hard a climb to succeed," she tells ISMG.
Teddy Phillips, a senior security program manager at Microsoft who assists people of color with their careers, says he routinely sees "many highly qualified people of color passed over for jobs that they were overqualified for."
He says he witnesses highly experienced individuals, even those with 10 to 15 years of experience, enter tech companies at a lower level than their experience commands.
"Many people of color are willing to accept a lower salary and position just to get their foot in the door at a major company. We have to change our mindset and understand that our value matters and we should not give companies discounts on our worth to gain acceptance," he says.
Cybersecurity, GRIMM's Tisdale adds, is a "rich kid’s game."
"If one is not fortunate enough to attend a K-12 district with a robust technology program, or is not exposed to cybersecurity early in their education, they are less likely to choose cyber or tech as a career path," she says.
Poor internet availability is also a deterrent. "There are pockets in every state where broadband accessibility is limited, either because of affordability or limited availability. Often, these areas have poorer, financially struggling communities without basic access to internet, and fewer opportunities to learn technology or cybersecurity," Tisdale notes.
In a tweet on Oct. 19, 2021, the National Cybersecurity Alliance (@StaySafeOnline) asked: "Q4: The field of cybersecurity is diverse and requires a diverse talent pool. How can the cyber industry encourage diversity in its hiring practices? #CyberCareerChat #BeCyberSmart"
Companies can partner with organizations such as the Black Cybersecurity Association, the International Consortium of Minority Cybersecurity Professionals, Women in Cybersecurity and BlackGirlsHack, which offer training to make cybersecurity more accessible, the (ISC)² report says.
Companies must ensure purposeful inclusion and have individuals across ethnicities in all levels of the company, including in leadership roles, according to the report.
A participant in the (ISC)² study says that "many companies are still seeing DEI practices as an extracurricular or voluntary activity, and therefore not a lot of people make it a priority. Whenever there is a DEI meeting or workshop in my company it’s only us, (the Black and Hispanic folks) who show up. It’s like preaching to the choir."
Mandatory cultural sensitivity training - which includes recognizing common workplace biases and combating them with mindful exercises - will help mitigate unconscious bias, the (ISC)² report says. A respondent said that their company also "introduced diverse hiring panels for recruiting for both technical and nontechnical roles."
Jane Frankland, the author of "IN Security: Why a Failure to Attract and Retain Women in Cybersecurity Is Making Us All Less Safe," has nearly two decades of experience in cybersecurity. She says that within the sector, women are a minority and constantly need to prove their worth, especially their technical ability. "The system needs to change, and it can with better leadership, training, support and hiring processes," she says.
Frankland runs a mentorship platform for women in security, called The Source, which delivers master classes, matches women with mentors, and unites other women’s networks and training groups globally.
Job descriptions and hiring managers, according to an unidentified participant in the (ISC)² study, still "operate within a box" that is "designed by non-diverse individuals who set the bar too high and want to hire people who look different to them, but who they expect to think and act the same way as them."
Frankland says she advises companies to push back against conventional hiring that perpetuates systemic biases, and to use anonymous, skill-based assessments to find the best candidates. "As a result, they have the opportunity to uncover 60% of candidates who would have otherwise been overlooked and to increase their female hires from 30% to 45%," she adds.
There are also tools, such as those provided by U.S.-based company Jobvite, that allow organizations and their employees to be more inclusive. For instance, Jobvite's job description grader is an analytical tool that can be used to review job descriptions and highlight areas that can be improved to create more inclusive job postings, according to a Jobvite spokesperson.
The tool, the company tells ISMG, allows professionals to target the areas where gender and racial bias appear in job postings, enabling them to adjust and present more inclusive descriptions for cybersecurity jobs and beyond. The company says the tool uses AI, data analytics and benchmarks - combined with current diversity and inclusion, or D&I, best practices - to analyze job descriptions and identify requirements, experiences and language that may restrict an applicant pool during screening and evaluation.
According to Meredith Patton, director of cyber operations at digital risk services provider Protection Group International, the disparity problem needs to be solved on multiple fronts, starting much earlier in the education system.
"In the U.K., the government is putting in place initiatives like CyberFirst and apprenticeships as well as working to certify university degrees," she says.
According to Courses Online, a U.K.-based edtech platform, 61% of the learners on its cybersecurity courses in the U.K. were male and 39% female between January 2020 and Oct. 20, 2021, the company tells ISMG. Among its U.S. learners, 58% were male and 42% female, it adds.
But while university degrees in cyber-related subjects are increasing in quality and availability, more apprenticeships and entry-level positions are needed to attract a more diverse field of candidates, including people from low-income backgrounds, Patton says.
In technical cybersecurity careers such as penetration testing and incident response/forensics, the scarcity of role models and mentors for women and other minority groups reflects a wider and well-documented diversity problem within STEM subjects and technology-related fields in education, Patton says.
"One of the answers is for cybersecurity providers to create more jobs that focus on training and re-skilling and to use those roles as an opportunity to bring more diversity into the team," she says.
Commercial cybersecurity providers, she adds, largely continue to insist on or search for fully qualified people who can "hit the ground running" rather than people who represent a longer-term investment for the company. This tends to exclude people more likely to come from a DEI category and does nothing to level the playing field for people wanting to break into the industry with good skills but few formal qualifications, she says.
Addressing the diversity challenge doesn’t mean altering the roles of the profession that are already being filled, but rather addressing the sector’s shortfalls through positive growth and much-needed expansion, (ISC)² tells ISMG. "There are few sectors in society that have such a profound opportunity to make a positive long-term change," it adds.
According to the organization's latest cybersecurity workforce study research, younger women are joining the cybersecurity profession at a higher rate than men. "So, slowly but surely, we are attracting and welcoming more diversity, which will add up over time," (ISC)² says.
Limitations of the Study
On the flip side, the (ISC)² report itself perhaps could have been more inclusive in its research and representation, Messdaghi says.
The report contained nothing about LGBTQ+ and the spectrum of gender diversity, Messdaghi tells ISMG. "It appears to focus solely on women and men. We have people who are nonbinary and deserve representation too. The strong membership of groups such as We Open Tech shows this," she says.
The report doesn’t explore intersectionality, she says. "Overall, I’m glad this report is opening these issues up. But as a reminder: Gender diversity doesn’t mean just women and men - it means equal opportunities and equity for all genders."