To Improve Workforce Diversity, Widen The Search, Feed Infosec Talent Pipeline
RSA Conference 2016: Session panelists offered practical tips on how to attract more women and minorities, and challenged attendees to do some soul-searching.
SAN FRANCISCO, RSA Conference, Monday Feb. 29 -- Overlapping themes arose today in sessions about improving the cybersecurity workforce's ethnic and gender diversity, at the RSA Conference.
Panelists for "Bridging the Great Minority Cyber Divide--Social and Cultural Dynamics" and "Should I Stay or Should I Go? How to Attract/Retain Women in the Industry" gave some similar advice to attendees on how to improve diversity within their own infosec teams and within the industry at large.
From a practical standpoint, panelists spoke of the importance of widening the applicant pool of qualified job applicants and supporting a more robust pipline of young talent -- from elementary school, straight through college, without losing them. They also spoke more deeply, about looking inward to recognize one's own biases and the uncomfortable role of being "the only one in the room," (as in the only minority person, or the only woman).
"That feeling of being the only one in the room is very real," said Yonesy Núñez, moderator of the Bridging the Minority Cyber Divide session and membership programs co-chair of the International Consortium of Minority Cybersecurity Professionals.
Núñez asked the panelists whether corporate "inclusion" efforts were effective. Panelist Devon Bryan, vice president and Global CISO of ADP LLC said that the business case for diversity has definitely been made, and focused on the importance -- now -- of improving the diversity of the talent pipeline. Yet, panelist Cecily Joseph, vice president of corporate responsibility and chief diversity officer for Symantec, said "In a lot of cases, the business case [for workforce diversity] really hasn't been made ... I would shudder to think where we'd be if those [inclusion] programs didn't exist."
One of the troubles Joseph and other panelists throughout the day said they face is that the argument used against diversity initiatives is "but we want the best candidates."
"Yes, we all want the best candidates," says Joseph, "but broaden the pool." She suggests actively recruiting women and people of color, by going to them instead of waiting for them to find you through the same old channels.
Panelist Kevin McKenzie, CISO of Clemson University, also suggested a general rule for meeting more qualified applicants was to move items out of "required skills" into "preferred skills," on the job description so they wouldn't be so quickly rejected by the HR vetting process.
"Be an advocate," Matre suggests. "If you see someone say something inappropriate, immediately say [so]," instead of waiting to comment about it later.
Matre said that although she has never left a job because of a gender or diversity issue, there are times she has come home from an industry conference feeling ready to leave cybersecurity because of interactions that happened there. With that in mind, she challenged the audience to practice being an advocate right away. "I guarantee you, you will hear something inappropriate between now and the time you go to sleep tonight."
Panelist Ping Look, director of security for Optiv, also referenced the inappropriate behavior of men towards her at industry events, particularly early in her career. Other women asked her why she stayed in the cybersecurity industry, enduring that behavior. "I kind of wanted to stay because I was the only woman" Someone has to be first, she said, and if she stayed, she knew other women would come.
When asked about how to retain the women on your team, Gurdeep Kaur, chief security architect at AIG, and panelist on the "Should I Stay or Should I Go" panel recommended, "Don't treat me differently" for being a woman; just an individual. She also suggests to men having trouble engaging their female coworkers: "Don't rule her out. It might not be that she doesn't have things to say, but she doesn't know how to break into that boy's club."
Panel moderator and ISC2 director of business development Elise Yacobellis recommended to the women in the audience, "Be your authentic self," and not just try to fit into the "boy's club."
Matre said that people need to talk more about diversity within their organizations every day, so it becomes a normal conversation, instead of an awkward workshop from time to time. Joseph said diversity needs to be part of the entire business; not just during hiring, but during procurement, philanthropy, and more.
Panelist on the "Should I Stay Or Should I Go Panel" Angela Messer, executive vice-president at Booz Allen Hamilton, said, "We all have our own biases. Take a step back and ask 'Am I giving people opportunities to grow' ... and if not, why not?"
Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
The Year in Security: 2017A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Surviving the IT Security Skills ShortageCybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Published: 2017-05-08 unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).
Published: 2017-05-08 A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...
Published: 2017-05-08 Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.
Published: 2017-05-08 Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.