3/15/2018
09:40 AM

(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity

While the average US security salary is $122,000, the average salary for people of color is $115,000, with men identifying as minorities making $6,000 more than minority women.

Minority cybersecurity professionals in the US hold higher academic degrees than their Caucasian counterparts, yet make less money and hold fewer managerial and leadership positions.

Such is the state of diversity in the industry today, according to a first-ever study of the topic by the (ISC)2. Minority representation is actually slightly higher in cybersecurity (26%) than in the US workforce overall, which is 21%. But disparity in salaries and management roles for underrepresented groups remains a common theme, even for an industry that faces a shortfall of some 1.8 million unfilled security positions worldwide by 2020, according to data from Frost & Sullivan.

While the average US cybersecurity professional earns a salary of $122,000, the average salary for people of color is $115,000, the study shows. Men identifying as minorities make more than women on average: $121,000, versus $115,000 for women of color; Caucasian women make $6,000 more than women of color.

The average Caucasian male earns $124,000, and most of those professionals had received a raise in the past year while their minority counterparts had not, according to the study.

Less than a quarter of minority cybersecurity professionals hold job titles of director and above, which is 7% under the overall US job average and below the number of Caucasian cybersecurity pros with such management-level titles (30%). Of those minorities in leadership roles, 62% hold Master's degrees or higher, while just half of Caucasian cybersecurity pros do.

This disparity in salary and education reflects the hurdles and challenges minority groups and women face in the cybersecurity field: they often "educate up" to boost their resumes. "I hear from a lot of members … What happens when you get an underrepresented group – gender or ethnic – they tend to feel that they have it that much harder to maybe break, or break into that glass ceiling," so they pursue higher educational degrees, says David Shearer, CEO of (ISC)2. "They take nothing to chance."

Of the 9,500 US respondents in the (ISC)2 study, 9% identify as African American or black; 4% as Hispanic; 8% as Asian; 1% as American Indian, Alaskan Native/Native Hawaiian/Pacific Islander, while 4% classified their ethnicity as "other." And 17% of minority cybersecurity professionals are female, which is higher than the overall representation of women in the industry, 14%. The study was based in part on data from (ISC)2's larger Global Information Security Workforce Study (GISWS).

International Consortium of Minority Cybersecurity Professionals (ICMCP) president Aric Perminter, whose organization co-authored the "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce" report with (ISC)2, says the disparity data reflects several issues minorities face today. Some aren't provided the support to navigate their career paths toward senior positions, he says. "That can stem from what college or university they went to," Perminter says, noting that if it's not the "right schools" that offer them that access and preparation, they may face challenges.

The other issue, he says, "is unconscious bias that exists despite the different [diversity] programs that companies have stood up to fight" against that bias, which can influence a minority professional's career advancement options.

The report points to a recent McKinsey & Co. study of 180 publicly traded companies that found diversity in leadership can help the bottom line. "The findings were startlingly consistent: for companies ranking in the top quartile of executive-board diversity, Returns on Equity were 53 percent higher, on average, than they were for those in the bottom quartile. At the same time, Earnings Before Tax and Interest margins at the most diverse companies were 14 percent higher, on average, than those of the least diverse companies," the McKinsey study said.

Diversity advocates point to the cultural benefits of an organization with professionals from various ethnicities, backgrounds, and experiences.

Even so, discrimination still haunts many organizations. Some 32% of minorities say they have experienced discrimination at work, a number that Perminter says is likely higher for professionals not in leadership positions. The survey did not poll the types of discrimination those workers experienced.

"We … have to continue to raise awareness through reports like this. People may have hiring biases subconsciously they are not even aware of," (ISC)2's Shearer says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Araedon,
User Rank: Apprentice
3/20/2018 | 7:44:36 PM
Re: ISC2 Rpt - Response
I fully agree with you that the industry is difficult to get into in most cases. Especially if you go from helpdesk straight to cybersecurity. What most are looking for is a transition from helpdesk to system administration and then to cybersecurity. If you aren't performing security-related activities, it's hard to progress. Some see helpdesk as a phone representative answering calls. In some organizations helpdesk is actually system or network administration. To earn the full CISSP certification you have to have five years of work in at least two security-related domains. The only place where I've seen relatively easy transition is government positions. There really are no cybersecurity internships or entry-level positions. You're either middle or upper management.
[email protected],
User Rank: Apprentice
3/19/2018 | 1:36:39 PM
ISC2 Rpt - Response
I'm not commenting on the diversity issue as much as I am the inability to get into the field. Last year I embarked on a quest to transition from the Help Desk into CyberSecurity. I completed the Sec+ certification and the CISA course. After nine months of no responses I decided the $600 for the CISA exam on top of $1200 for the course were no longer worth the hassle.

Prospective Employer:  So I see you don't have a lot of experience in CyberSecurity.

Response:  Correct, which is why I'm willing to start out at associate level to work my way up and to prove I can do it.

Prospective Employer: Okay, thanks, we'll let you know our decision.

After nine months of those types of responses, out-of-pocket expenses for Sec+ course, cert exam, CISA course and ISACA membership, I decided enough was enough.

Maybe if employers were willing to hire people with demonstrated abilities and the motivation to do the job some of those vacancies could be filled. Just a thought.