Threat Intelligence

8/18/2016
04:20 PM

How Diversity Can Bridge The Talent Gap

Women and minorities in the security industry share some hard truths about the industry's hiring traditions and practices.

The dirty little secret about most security job openings today is that they often inadvertently preclude women and minorities.

Employers typically have a specific type of person in mind for the job, and the job description is written accordingly, requiring several years of experience, a computer science degree or background, and other technical skills such as certifications or hands-on hacking tool expertise.

That’s not typically a diversity-friendly job description – training and tool costs are often out of range for inner-city and small-town candidates. A panel of diverse and accomplished female security professionals at Black Hat USA earlier this month shared their insight on this and other ways the industry is doing it wrong – and how to encourage more diversity.

I served as moderator of the “Removing Roadblocks to Diversity” panel, which featured Jamesha Fisher, Security Operations Engineer at GitHub; Chenxi Wang, Chief Strategy Officer of Twistlock; Rebekah Brown, Threat Intelligence Lead at Rapid7; and Angie Leifson, Security Operations Center (SOC) Analyst at Insight Enterprises.

Source: Black Hat USA

The lack of diversity in security is a topic I’ve researched plenty this year, but listening to these women share what they see in the trenches every day, the firsthand lessons they’ve learned, and the advice they give to other women and minorities was enlightening. To be honest, it was a bit frustrating, too, since the number of women in the security industry has remained at about 10% for at least three years now. African-American women represent just 3% of computer-related jobs, and Latina women, 1%.

There’s also a glaring disconnect today between many job openings in cybersecurity and the types of skills the field now demands. The panelists pointed to the need in security for non-technical skills and backgrounds in psychology, linguistics, and communications, for example. Yet those skills aren’t the norm in a typical job opening.

Take Wang, whose career path came via the traditional route of a computer science degree and graduate school. She said it’s time for a rewrite of inherently biased job descriptions:  “If you had somebody coaching them on writing a job description that is more inclusive, they would have gotten more candidates. I try to do that myself,” Wang said during the panel.

Fisher, who is African-American, said there are few if any junior security positions, which makes it tough for anyone to break into the industry. Minorities have a disadvantage up front. “They may not have the money to buy the training needed to do security to get that competitive edge. Where does this leave people who don’t have the money?” Fisher said.

Rapid7’s Brown, whose military career as a linguist in Mandarin ultimately led her to cybersecurity threat intelligence, said the cookie-cutter job description doesn’t cut it in today’s world. Having security staff with diverse backgrounds, educations, outlooks, and mindsets is key, Brown said. “If you just put one job description out, you’re never going to be successful,” she said.

There’s a mindset problem here as well. Studies and anecdotal data show that women are less likely to apply for a job if they don’t fit all of the listed qualifications, whereas men apply even if they don’t have all of the listed skills. But that’s a trend that can be broken, the panelists said.

On the flip side, women and minorities often aren’t given the benefit of the doubt like their counterparts when it comes to missing qualifications, Fisher said. White men, for instance, she said, are often given “reasonable doubt” that they will learn the skills they lack on the job. She urged large companies to use their resources to train and attract more minorities and women to security jobs.

Leifson, who graduated from college in December and is now a SOC analyst, had a refreshing view on this:  even when she doesn’t meet all of the qualifications listed in a job opening, she still applies for it. “I still feel confident in my skills,” she said. “Don’t be afraid” to put yourself out there and apply, she said.

The social impact of security is also an element that needs to be touted more, the panelists said. “So many people are about the hacking aspect, but nobody is about the defensive aspect. That has the social impact” that appeals to a broader talent pool, Fisher said.

Diversity is one thing, but inclusiveness is another, the panelists said. Hiring more women and minorities is the first step to a truly diverse workforce – organizations then also need to ensure they respect and embrace their workers’ different backgrounds.

To view the entire panel discussion and Q&A, check out the video recording here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
Joe Stanganelli,
User Rank: Ninja
8/31/2016 | 9:22:15 PM
Re: Additional exacerbation
@Dr.T: So what is your company like in that respect?  What is the process for drafting a job description and job requirements for postings?
Kelly Jackson Higgins,
User Rank: Strategist
8/31/2016 | 12:31:13 PM
Re: By the way...
To clarify, DiGiovanni's findings are for his training effort--to tap those inherent skillsets for trainees, who obviously get the hands-on hacking training via the DoD program.
GonzSTL,
User Rank: Ninja
8/31/2016 | 12:28:49 PM
Re: By the way...

Although I agree that STEM skills are just part of qualifiers, the notion that STEM is not one of the top skills should not be a universal principle. I can see how the DoD would feel that way, since that is a very large organization. Smaller outfits though do not have the luxury of hiring many people for their InfoSec (or just IT period) teams. These organizations are the ones who will look at IT skills first, and then soft skills, during their hiring process. This is why encouragement at a young age and mentoring really is critical in expanding the IT workforce to include women and minorities.

Kelly Jackson Higgins,
User Rank: Strategist
8/31/2016 | 12:16:03 PM
Re: By the way...
I disagree, @InReality01. Diversity brings more perspective, insight, and a broader range of skills. When you have people of different backgrounds, socioeconomic roots, and life experiences, you have a more balanced and insightful organization. I agree that hires must be qualified--no one is saying otherwise--but sometimes there are skills that employers aren't considering that are extremely valuable. 

Here's a good example of how skills are more than STEM: a DoD official, Frank DiGiovanni, director of force training in DoD's Office of the Assistant Secretary of Defense for Readiness, has been researching what makes a great white-hat hacker. He has been interviewing folks at DEF CON the past two years.

From a recent Dark Reading article on his efforts:

The big takeaway from DiGiovanni's DEF CON research: STEM, aka science, technology, engineering, and mathematics, was not one of the top skills organizations look for in their cyber-Jedis. "Almost no one talked about technical capabilities or technical chops," he says. "That was the biggest revelation for me."

http://www.darkreading.com/threat-intelligence/dod-taps-def-con-hacker-traits-for-cybersecurity-training-program/d/d-id/1326763?

When you open up jobs to these broader skillsets, you're more likely to get a more diverse pool of applicants.

Of course, there's also the issue of educating and encouraging women and people of color that this industry is wide open and full of opportunity.

 
Dr.T,
User Rank: Ninja
8/31/2016 | 12:09:27 PM
Re: By the way...
"... There is nothing inherently "good" about diversity in the workforce based on gender, race or ethnicity. ..."

I hear you, the way I look at it, having different genders will lead to different view points, when you leave women out in IT, you do not get their perspective with the remaining skills in your workforce.
Kelly Jackson Higgins,
User Rank: Strategist
8/31/2016 | 12:07:17 PM
Re: Additional exacerbation
I hear ya, @MistyMorn. That first bar is the big issue in this industry. Have you thought of joining some local cybersecurity meetups? That is one way to meet, network, and get connected with local security events, hackathons, etc. 
Dr.T,
User Rank: Ninja
8/31/2016 | 12:04:43 PM
Re: The phantom issue in security...
"... women don't go into technical fields at nearly the same rate as men do. ..."

That is a good point, I was just mentioning this in my other post.  When we post a position, we normally do not get any female applicants.
Dr.T,
User Rank: Ninja
8/31/2016 | 12:03:02 PM
Hiring more women
 

"... Hiring more women and minorities ..."

There is another issue here, when we post an IT position we do not get any female applicants, I am not sure if this is the same for all others but, the other end of this letting female students having interest in IT.

 
Dr.T,
User Rank: Ninja
8/31/2016 | 12:01:37 PM
Re: Additional exacerbation
"... Entry level should be an on the job training position but I still struggle with being underqualified due to my lack of enterprise IT experience. ..."

This is really a good point. IT is a fast-paced sector, there is no day that you do not learn new things, it requires a lifelong learning strategy.

 
Dr.T,
User Rank: Ninja
8/31/2016 | 11:58:48 AM
Re: Additional exacerbation
"... It is my personal goal to spread STEM awareness in young kids, especially girls. ..."

This is great to hear. Thank you for doing it. I would assume female students now realize that technology is not something they need to avoid but embrace, since everything and everything else involves it anymore.