Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/15/2018
09:40 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity

While the average US security salary is $122,000, the average salary for people of color is $115,000, with men identifying as minorities making $6000 more than minority women.

Minority cybersecurity professionals in the US hold higher academic degrees than their Caucasian counterparts, yet make less money and hold fewer managerial and leadership positions.

Such is the state of diversity in the industry today, according to a first-ever study of the topic by the (ISC)2. Minority representation is actually slightly higher in cybersecurity – 26% - than in the US workforce overall, which is 21%. But disparity in salaries and management roles for underrepresented groups remains a common theme, even for an industry that faces a shortfall of some 1.8 million unfilled security positions worldwide by 2020, according to data from Frost & Sullivan.

While the average US cybersecurity professional earns a salary of $122,000, the average salary for people of color is $115,000, the study shows. Men identifying as minorities make more than women on average: $121,000, versus $115,000 for women of color; Caucasian women make $6,000 more than women of color.

The average Caucasian male earns $124,000 on average, and most of those professionals had received a raise in the past year while their minority counterparts had not, according to the study.

Less than a quarter of minority cybersecurity professionals hold job titles of director and above, which is 7% under the overall US job average and below the number of Caucasian cybersecurity pros with such management-level titles (30%). Of those minorities in leadership roles, 62% hold Master's degrees or higher, while just half of Caucasian cybersecurity pros do.

This disparity in salary and education reflects the hurdles and challenges minority groups and women face in the cybersecurity field: they often "educate up" to boost their resumes. "I hear from a lot of members … What happens when you get an underrepresented group – gender or ethnic – they tend to feel that they have it that much harder to maybe break, or break into that glass ceiling," so they pursue higher educational degrees, says David Shearer, CEO of (ISC)2. "They take nothing to chance."

Of the 9,500 US respondents in the (ISC)2 study, 9% identify as African American or black; 4% as Hispanic; 8% as Asian; 1% as American Indian, Alaskan Native/Native Hawaiian/Pacific Islander, while 4% classified their ethnicity as "other." And 17% of minority cybersecurity professionals are female, which is higher than the overall representation of women in the industry, 14%. The study was based in part on data from (ISC)2's larger Global Information Security Workforce Study (GISWS).

International Consortium of Minority Cybersecurity Professionals (ICMCP) president Aric Perminter, whose organization co-authored the "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce report" with (ISC)2, says the disparity data reflects several issues minorities face today. Some aren't provided the support to navigate their career paths toward senior positions, he says. "That can stem from what college or university they went to," Perminter says, noting that if it's not the "right schools" that offer them that access and preparation, they may face challenges.

The other issue, he says, "is unconscious bias that exists despite the different [diversity] programs that companies have stood up to fight" against that bias, which can influence a minority professional's career advancement options.

The report points to a recent McKinsey & Co. study of 180 publicly traded companies that found diversity in leadership can help the bottom line. "The findings were startlingly consistent: for companies ranking in the top quartile of executive-board diversity, Returns on Equity were 53 percent higher, on average, than they were for those in the bottom quartile. At the same time, Earnings Before Tax and Interest margins at the most diverse companies were 14 percent higher, on average, than those of the least diverse companies," the McKinsey study said.

Diversity advocates point to the cultural benefits of an organization with professionals from various ethnicities, backgrounds, and experiences.

Even so, discrimination still haunts many organizations. Some 32% of minorities say they have experienced discrimination at work, a number that Perminter says is likely higher for professionals not in leadership positions. The survey did not poll the types of discrimination those workers experienced.

"We … have to continue to raise awareness through reports like this. People may have hiring biases subconsciously they are not even aware of," (ISC)2's Shearer says.

Related Content:

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Araedon
50%
50%
Araedon,
User Rank: Apprentice
3/20/2018 | 7:44:36 PM
Re: ISC2 Rpt - Response
I fully agree with you that the industry is difficult to get into in most cases. Especially if you go from helpdesk straight to cybersecurity. What most are looking for is a transition from helpdesk to system administration and then to cybersecurity. If you aren't performing security-related activities, it's hard to progress. Some see helpdesk as a phone representative answering calls. In some organizations helpdesk is actually system or network administration. To earn the full CISSP certification you have to have five years of work in at least two security-related domains. The only place where I've seen relatively easy transition is government positions. There really is no cybersecurity internship or entry-level positions. You're either middle or upper management. 
bwilkes8@gmail.com
100%
0%
[email protected],
User Rank: Moderator
3/19/2018 | 1:36:39 PM
ISC2 Rpt - Response
I'm not commenting on the diversity issue as much as I am the inability to get into the field.  Last year I embarked on a quest to transition from the Help Desk into CyberSecurity.  I completed the Sec+ certification the CISA course.  After nine months of no responses I decided the $600 for the CISA exam on top of $1200 for the course were no longer worth the hassle.

Prospective Employer:  So I see you don't have a lot of experience in CyberSecurity.

Response:  Correct, which is why I'm willing to start out at associate level to work my way up and to prove I can do it.

Prospective Employer:  Okay, thanks we'll let you our decision.

After nine months of those type responses, out of pockets expenses for Sec+ course, cert exam, CISA course and ISACA membership, I decided enough was enough.

Maybe if employers were willing hire people with demonstrated abilities and the motivation to do the job some of those vacancies could be filled.  Just a thought.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...