Careers & People
3/1/2016
01:44 AM
Connect Directly
Twitter
RSS
E-Mail
0%
100%

To Improve Workforce Diversity, Widen The Search, Feed Infosec Talent Pipeline

RSA Conference 2016: Session panelists offered practical tips on how to attract more women and minorities, and challenged attendees to do some soul-searching.

SAN FRANCISCO, RSA Conference, Monday Feb. 29 -- Overlapping themes arose today in sessions about improving the cybersecurity workforce's ethnic and gender diversity, at the RSA Conference.

Panelists for "Bridging the Great Minority Cyber Divide--Social and Cultural Dynamics" and "Should I Stay or Should I Go? How to Attract/Retain Women in the Industry" gave some similar advice to attendees on how to improve diversity within their own infosec teams and within the industry at large.

From a practical standpoint, panelists spoke of the importance of widening the applicant pool of qualified job applicants and supporting a more robust pipline of young talent -- from elementary school, straight through college, without losing them. They also spoke more deeply, about looking inward to recognize one's own biases and the uncomfortable role of being "the only one in the room," (as in the only minority person, or the only woman).

"That feeling of being the only one in the room is very real," said Yonesy Núñez, moderator of the Bridging the Minority Cyber Divide session and membership programs co-chair of the International Consortium of Minority Cybersecurity Professionals.

Núñez asked the panelists whether corporate "inclusion" efforts were effective. Panelist Devon Bryan, vice president and Global CISO of ADP LLC said that the business case for diversity has definitely been made, and focused on the importance -- now -- of improving the diversity of the talent pipeline. Yet, panelist Cecily Joseph, vice president of corporate responsibility and chief diversity officer for Symantec, said "In a lot of cases, the business case [for workforce diversity] really hasn't been made ... I would shudder to think where we'd be if those [inclusion] programs didn't exist."

One of the troubles Joseph and other panelists throughout the day said they face is that the argument used against diversity initiatives is "but we want the best candidates."

"Yes, we all want the best candidates," says Joseph, "but broaden the pool." She suggests actively recruiting women and people of color, by going to them instead of waiting for them to find you through the same old channels.

Panelist Kevin McKenzie, CISO of Clemson University, also suggested a general rule for meeting more qualified applicants was to move items out of "required skills" into "preferred skills," on the job description so they wouldn't be so quickly rejected by the HR vetting process.

Kerry Matre, a member of the women in security panel, and Hewlett Packard Enterprise's security services team, suggested using some resources from the National Center for Women and Information Technology, like their tips for conducting inclusive searches for job candidates and their "Male Allies and Advocates Toolkit."  

"Be an advocate," Matre suggests. "If you see someone say something inappropriate, immediately say [so]," instead of waiting to comment about it later.

Matre said that although she has never left a job because of a gender or diversity issue, there are times she has come home from an industry conference feeling ready to leave cybersecurity because of interactions that happened there. With that in mind, she challenged the audience to practice being an advocate right away. "I guarantee you, you will hear something inappropriate between now and the time you go to sleep tonight."

Panelist Ping Look, director of security for Optiv, also referenced the inappropriate behavior of men towards her at industry events, particularly early in her career. Other women asked her why she stayed in the cybersecurity industry, enduring that behavior. "I kind of wanted to stay because I was the only woman" Someone has to be first, she said, and if she stayed, she knew other women would come.

When asked about how to retain the women on your team, Gurdeep Kaur, chief security architect at AIG, and panelist on the "Should I Stay or Should I Go" panel recommended, "Don't treat me differently" for being a woman; just an individual. She also suggests to men having trouble engaging their female coworkers: "Don't rule her out. It might not be that she doesn't have things to say, but she doesn't know how to break into that boy's club."

Panel moderator and ISC2 director of business development Elise Yacobellis recommended to the women in the audience, "Be your authentic self," and not just try to fit into the "boy's club."

Matre said that people need to talk more about diversity within their organizations every day, so it becomes a normal conversation, instead of an awkward workshop from time to time. Joseph said diversity needs to be part of the entire business; not just during hiring, but during procurement, philanthropy, and more.

Panelist on the "Should I Stay Or Should I Go Panel" Angela Messer, executive vice-president at Booz Allen Hamilton, said, "We all have our own biases. Take a step back and ask 'Am I giving people opportunities to grow' ... and if not, why not?"

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DorisG987
50%
50%
DorisG987,
User Rank: Strategist
3/12/2016 | 5:54:10 AM
To improve diversity, train the top
Edgar Perez teaches a 3 Day Masterclass in Cybersecurity designed for C-level executives and senior managers. Furthermore, he is offering cyber security workshops for boards of directors and CEOs worldwide. He is the author of The Speed Traders and Knightmare on Wall Street, and his comprehensive training programs have been widely recognized by the media for his independent and non-biased approach.
syntax_attack
100%
0%
syntax_attack,
User Rank: Strategist
3/11/2016 | 1:03:05 PM
Re: "Sweetie, those toys are meant for boys!"
Thank you for providing more information.  I certainly cannot speak to the cultural atmosphere regarding women and STEM careers in Columbia.  I do hope things continue to improve for women down there.
CamiloD
50%
50%
CamiloD,
User Rank: Apprentice
3/10/2016 | 10:44:51 PM
Re: "Sweetie, those toys are meant for boys!"
Thanks for your comments, and it's great to hear about those activities taking place near you.

I apologize for not giving first a bit of context - My country (Colombia) is a developing nation with a kinda-sexist society. Sure, lots of improvements have been made in the last few years, but even today you can hear and "feel" certain sexist conducts against women. A small example - Girls who decide not to have kids are usually met with heavy social backslash. Their families and friends constantly nag them for "not contributing to society", "being selfish", "aiming to become a lonely person", and other ridiculous statements. But back to our topic: As I mentioned, women in my country are sometimes met with social backslash for showing interest in science & IT subjects and careers.

I absolutely agree with you - It's not like "girls can't be scientists or IT professionals" around here in Colombia. If a girl wants to do so, she'll make it like any other person. What I meant was that those girls will sometimes be seen as "awkward", "weird", "not very feminine", and (again) other ridiculous statements.
syntax_attack
100%
0%
syntax_attack,
User Rank: Strategist
3/10/2016 | 3:45:16 PM
Re: "Sweetie, those toys are meant for boys!"
What are you talking about?  My children's school has engineering and STEM fairs held only for girls.  Our local community college holds STEM days for the females in the local high schools.  I have seen numerous commercials for women in stem fields as well.  Girls are being shoved towards these fields and they simply don't want to enter them.  In fact, the more egalitarian a society the less likely women are to enter STEM fields, it is only when STEM jobs are the only option for a decent salary (like in many developing nations) that women flock to them.  The more choices a woman has the less likely she is to choose STEM.  Please tell me the last time you heard a girl told that she couldn't be a scientist or an IT professional.  I haven't heard that in at least 25 years.  
CamiloD
50%
50%
CamiloD,
User Rank: Apprentice
3/9/2016 | 3:46:14 PM
"Sweetie, those toys are meant for boys!"
Although it's true companies have to "broaden the pool", I believe another important factor is how science and IT topics are shown to kids. Specifically, girls in some cultures are discouraged of getting in touch with tech & science subjects, hobbies, and toys because "those things are meant for men" and "they aren't feminine". Even worse, that social scolding is done by both men and women.

Of course it's not the sole reason of the whole "diversity gap". But societies need to further evolve and to put past them all those sexist and racist ideas. I can only hope I live long enough to see it with my own eyes =)
syntax_attack
100%
0%
syntax_attack,
User Rank: Strategist
3/3/2016 | 11:00:17 AM
Broaden the pool
"Yes, we all want the best candidates," says Joseph, "but broaden the pool." She suggests actively recruiting women and people of color, by going to them instead of waiting for them to find you through the same old channels.

 

If you want to "broaden the pool" then you should be trying to get as many poeple as possible to apply, not just as many "people of color" or "women" as possible.  The fact of the matter is the pool already consists of the majority of people, almost anybody who wants to become an IT security professional can self educate (serveral ivy league colleges have their class materials online for free).  If someone is too poor to even have a computer at home they can use the public library.  In fact the largest demographic that is probably truely cut off from the profession would be those who live in poor rural areas (often there is no public transportation to take them to a public library that could be 50 miles away.  If you truely want to broaden the pool then the best way to do it is to help that demographic regardless of the racial or gender makeup of the population that needs access to these programs.  

 

I really tire of the "we must have diversity" crowd.  This is the same group of people who will tell you that race or gender don't matter and then turn around and demand racial or gender quotas.  How about we hire based upon merit and recruit those that have a desire to learn and leave it at that!
DarwinC123
100%
0%
DarwinC123,
User Rank: Strategist
3/2/2016 | 10:43:36 AM
can lead a horse to water
While I was able to brainwash my daughters to love Dr Who, computer gaming and the science genre, they were still more captivated by human drama in customer support and education fields.   They are smart and 'workaholic' (lol), but, they have told me that due to their gender and race, they have been able to go whereever they wanted in IT. They are were they want to be and only limit themselves. So, when, I see my employer advertise only in minority associations and such schemes to increase diversity, I wonder if we are looking for the best candidates or wanting to checkbox a statistic.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: So...are we supposed to be the elves or the reindeer?
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.