To Improve Workforce Diversity, Widen The Search, Feed Infosec Talent Pipeline
RSA Conference 2016: Session panelists offered practical tips on how to attract more women and minorities, and challenged attendees to do some soul-searching.
SAN FRANCISCO, RSA Conference, Monday Feb. 29 -- Overlapping themes arose today in sessions about improving the cybersecurity workforce's ethnic and gender diversity, at the RSA Conference.
Panelists for "Bridging the Great Minority Cyber Divide--Social and Cultural Dynamics" and "Should I Stay or Should I Go? How to Attract/Retain Women in the Industry" gave some similar advice to attendees on how to improve diversity within their own infosec teams and within the industry at large.
From a practical standpoint, panelists spoke of the importance of widening the applicant pool of qualified job applicants and supporting a more robust pipline of young talent -- from elementary school, straight through college, without losing them. They also spoke more deeply, about looking inward to recognize one's own biases and the uncomfortable role of being "the only one in the room," (as in the only minority person, or the only woman).
"That feeling of being the only one in the room is very real," said Yonesy Núñez, moderator of the Bridging the Minority Cyber Divide session and membership programs co-chair of the International Consortium of Minority Cybersecurity Professionals.
Núñez asked the panelists whether corporate "inclusion" efforts were effective. Panelist Devon Bryan, vice president and Global CISO of ADP LLC said that the business case for diversity has definitely been made, and focused on the importance -- now -- of improving the diversity of the talent pipeline. Yet, panelist Cecily Joseph, vice president of corporate responsibility and chief diversity officer for Symantec, said "In a lot of cases, the business case [for workforce diversity] really hasn't been made ... I would shudder to think where we'd be if those [inclusion] programs didn't exist."
One of the troubles Joseph and other panelists throughout the day said they face is that the argument used against diversity initiatives is "but we want the best candidates."
"Yes, we all want the best candidates," says Joseph, "but broaden the pool." She suggests actively recruiting women and people of color, by going to them instead of waiting for them to find you through the same old channels.
Panelist Kevin McKenzie, CISO of Clemson University, also suggested a general rule for meeting more qualified applicants was to move items out of "required skills" into "preferred skills," on the job description so they wouldn't be so quickly rejected by the HR vetting process.
"Be an advocate," Matre suggests. "If you see someone say something inappropriate, immediately say [so]," instead of waiting to comment about it later.
Matre said that although she has never left a job because of a gender or diversity issue, there are times she has come home from an industry conference feeling ready to leave cybersecurity because of interactions that happened there. With that in mind, she challenged the audience to practice being an advocate right away. "I guarantee you, you will hear something inappropriate between now and the time you go to sleep tonight."
Panelist Ping Look, director of security for Optiv, also referenced the inappropriate behavior of men towards her at industry events, particularly early in her career. Other women asked her why she stayed in the cybersecurity industry, enduring that behavior. "I kind of wanted to stay because I was the only woman" Someone has to be first, she said, and if she stayed, she knew other women would come.
When asked about how to retain the women on your team, Gurdeep Kaur, chief security architect at AIG, and panelist on the "Should I Stay or Should I Go" panel recommended, "Don't treat me differently" for being a woman; just an individual. She also suggests to men having trouble engaging their female coworkers: "Don't rule her out. It might not be that she doesn't have things to say, but she doesn't know how to break into that boy's club."
Panel moderator and ISC2 director of business development Elise Yacobellis recommended to the women in the audience, "Be your authentic self," and not just try to fit into the "boy's club."
Matre said that people need to talk more about diversity within their organizations every day, so it becomes a normal conversation, instead of an awkward workshop from time to time. Joseph said diversity needs to be part of the entire business; not just during hiring, but during procurement, philanthropy, and more.
Panelist on the "Should I Stay Or Should I Go Panel" Angela Messer, executive vice-president at Booz Allen Hamilton, said, "We all have our own biases. Take a step back and ask 'Am I giving people opportunities to grow' ... and if not, why not?"
Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
Surviving the IT Security Skills ShortageCybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Enterprise Vulnerabilities From DHS/US-CERT's National Vulnerability DatabaseCVE-2018-10839 PUBLISHED: 2018-10-16
Qemu emulator <= 3.0.0 built with the NE2000 NIC emulation support is vulnerable to an integer overflow, which could lead to buffer overflow issue. It could occur when receiving packets over the network. A user inside guest could use this flaw to crash the Qemu process resulting in DoS.
Advanced HRM 1.6 allows Remote Code Execution via PHP code in a .php file to the user/update-user-avatar URI, which can be accessed through an "Update Profile" "Change Picture" (aka user/edit-profile) action.