To Improve Workforce Diversity, Widen The Search, Feed Infosec Talent Pipeline
RSA Conference 2016: Session panelists offered practical tips on how to attract more women and minorities, and challenged attendees to do some soul-searching.
SAN FRANCISCO, RSA Conference, Monday Feb. 29 -- Overlapping themes arose today in sessions about improving the cybersecurity workforce's ethnic and gender diversity, at the RSA Conference.
Panelists for "Bridging the Great Minority Cyber Divide--Social and Cultural Dynamics" and "Should I Stay or Should I Go? How to Attract/Retain Women in the Industry" gave some similar advice to attendees on how to improve diversity within their own infosec teams and within the industry at large.
From a practical standpoint, panelists spoke of the importance of widening the applicant pool of qualified job applicants and supporting a more robust pipline of young talent -- from elementary school, straight through college, without losing them. They also spoke more deeply, about looking inward to recognize one's own biases and the uncomfortable role of being "the only one in the room," (as in the only minority person, or the only woman).
"That feeling of being the only one in the room is very real," said Yonesy Núñez, moderator of the Bridging the Minority Cyber Divide session and membership programs co-chair of the International Consortium of Minority Cybersecurity Professionals.
Núñez asked the panelists whether corporate "inclusion" efforts were effective. Panelist Devon Bryan, vice president and Global CISO of ADP LLC said that the business case for diversity has definitely been made, and focused on the importance -- now -- of improving the diversity of the talent pipeline. Yet, panelist Cecily Joseph, vice president of corporate responsibility and chief diversity officer for Symantec, said "In a lot of cases, the business case [for workforce diversity] really hasn't been made ... I would shudder to think where we'd be if those [inclusion] programs didn't exist."
One of the troubles Joseph and other panelists throughout the day said they face is that the argument used against diversity initiatives is "but we want the best candidates."
"Yes, we all want the best candidates," says Joseph, "but broaden the pool." She suggests actively recruiting women and people of color, by going to them instead of waiting for them to find you through the same old channels.
Panelist Kevin McKenzie, CISO of Clemson University, also suggested a general rule for meeting more qualified applicants was to move items out of "required skills" into "preferred skills," on the job description so they wouldn't be so quickly rejected by the HR vetting process.
"Be an advocate," Matre suggests. "If you see someone say something inappropriate, immediately say [so]," instead of waiting to comment about it later.
Matre said that although she has never left a job because of a gender or diversity issue, there are times she has come home from an industry conference feeling ready to leave cybersecurity because of interactions that happened there. With that in mind, she challenged the audience to practice being an advocate right away. "I guarantee you, you will hear something inappropriate between now and the time you go to sleep tonight."
Panelist Ping Look, director of security for Optiv, also referenced the inappropriate behavior of men towards her at industry events, particularly early in her career. Other women asked her why she stayed in the cybersecurity industry, enduring that behavior. "I kind of wanted to stay because I was the only woman" Someone has to be first, she said, and if she stayed, she knew other women would come.
When asked about how to retain the women on your team, Gurdeep Kaur, chief security architect at AIG, and panelist on the "Should I Stay or Should I Go" panel recommended, "Don't treat me differently" for being a woman; just an individual. She also suggests to men having trouble engaging their female coworkers: "Don't rule her out. It might not be that she doesn't have things to say, but she doesn't know how to break into that boy's club."
Panel moderator and ISC2 director of business development Elise Yacobellis recommended to the women in the audience, "Be your authentic self," and not just try to fit into the "boy's club."
Matre said that people need to talk more about diversity within their organizations every day, so it becomes a normal conversation, instead of an awkward workshop from time to time. Joseph said diversity needs to be part of the entire business; not just during hiring, but during procurement, philanthropy, and more.
Panelist on the "Should I Stay Or Should I Go Panel" Angela Messer, executive vice-president at Booz Allen Hamilton, said, "We all have our own biases. Take a step back and ask 'Am I giving people opportunities to grow' ... and if not, why not?"
Find out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
Published: 2015-10-15 The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...
Published: 2015-10-15 Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.
Published: 2015-10-15 Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.
The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.
So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?
Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?
Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.