Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/15/2018
09:40 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity

While the average US security salary is $122,000, the average salary for people of color is $115,000, with men identifying as minorities making $6000 more than minority women.

Minority cybersecurity professionals in the US hold higher academic degrees than their Caucasian counterparts, yet make less money and hold fewer managerial and leadership positions.

Such is the state of diversity in the industry today, according to a first-ever study of the topic by the (ISC)2. Minority representation is actually slightly higher in cybersecurity – 26% - than in the US workforce overall, which is 21%. But disparity in salaries and management roles for underrepresented groups remains a common theme, even for an industry that faces a shortfall of some 1.8 million unfilled security positions worldwide by 2020, according to data from Frost & Sullivan.

While the average US cybersecurity professional earns a salary of $122,000, the average salary for people of color is $115,000, the study shows. Men identifying as minorities make more than women on average: $121,000, versus $115,000 for women of color; Caucasian women make $6,000 more than women of color.

The average Caucasian male earns $124,000 on average, and most of those professionals had received a raise in the past year while their minority counterparts had not, according to the study.

Less than a quarter of minority cybersecurity professionals hold job titles of director and above, which is 7% under the overall US job average and below the number of Caucasian cybersecurity pros with such management-level titles (30%). Of those minorities in leadership roles, 62% hold Master's degrees or higher, while just half of Caucasian cybersecurity pros do.

This disparity in salary and education reflects the hurdles and challenges minority groups and women face in the cybersecurity field: they often "educate up" to boost their resumes. "I hear from a lot of members … What happens when you get an underrepresented group – gender or ethnic – they tend to feel that they have it that much harder to maybe break, or break into that glass ceiling," so they pursue higher educational degrees, says David Shearer, CEO of (ISC)2. "They take nothing to chance."

Of the 9,500 US respondents in the (ISC)2 study, 9% identify as African American or black; 4% as Hispanic; 8% as Asian; 1% as American Indian, Alaskan Native/Native Hawaiian/Pacific Islander, while 4% classified their ethnicity as "other." And 17% of minority cybersecurity professionals are female, which is higher than the overall representation of women in the industry, 14%. The study was based in part on data from (ISC)2's larger Global Information Security Workforce Study (GISWS).

International Consortium of Minority Cybersecurity Professionals (ICMCP) president Aric Perminter, whose organization co-authored the "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce report" with (ISC)2, says the disparity data reflects several issues minorities face today. Some aren't provided the support to navigate their career paths toward senior positions, he says. "That can stem from what college or university they went to," Perminter says, noting that if it's not the "right schools" that offer them that access and preparation, they may face challenges.

The other issue, he says, "is unconscious bias that exists despite the different [diversity] programs that companies have stood up to fight" against that bias, which can influence a minority professional's career advancement options.

The report points to a recent McKinsey & Co. study of 180 publicly traded companies that found diversity in leadership can help the bottom line. "The findings were startlingly consistent: for companies ranking in the top quartile of executive-board diversity, Returns on Equity were 53 percent higher, on average, than they were for those in the bottom quartile. At the same time, Earnings Before Tax and Interest margins at the most diverse companies were 14 percent higher, on average, than those of the least diverse companies," the McKinsey study said.

Diversity advocates point to the cultural benefits of an organization with professionals from various ethnicities, backgrounds, and experiences.

Even so, discrimination still haunts many organizations. Some 32% of minorities say they have experienced discrimination at work, a number that Perminter says is likely higher for professionals not in leadership positions. The survey did not poll the types of discrimination those workers experienced.

"We … have to continue to raise awareness through reports like this. People may have hiring biases subconsciously they are not even aware of," (ISC)2's Shearer says.

Related Content:

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Araedon
50%
50%
Araedon,
User Rank: Apprentice
3/20/2018 | 7:44:36 PM
Re: ISC2 Rpt - Response
I fully agree with you that the industry is difficult to get into in most cases. Especially if you go from helpdesk straight to cybersecurity. What most are looking for is a transition from helpdesk to system administration and then to cybersecurity. If you aren't performing security-related activities, it's hard to progress. Some see helpdesk as a phone representative answering calls. In some organizations helpdesk is actually system or network administration. To earn the full CISSP certification you have to have five years of work in at least two security-related domains. The only place where I've seen relatively easy transition is government positions. There really is no cybersecurity internship or entry-level positions. You're either middle or upper management. 
bwilkes8@gmail.com
100%
0%
[email protected],
User Rank: Moderator
3/19/2018 | 1:36:39 PM
ISC2 Rpt - Response
I'm not commenting on the diversity issue as much as I am the inability to get into the field.  Last year I embarked on a quest to transition from the Help Desk into CyberSecurity.  I completed the Sec+ certification the CISA course.  After nine months of no responses I decided the $600 for the CISA exam on top of $1200 for the course were no longer worth the hassle.

Prospective Employer:  So I see you don't have a lot of experience in CyberSecurity.

Response:  Correct, which is why I'm willing to start out at associate level to work my way up and to prove I can do it.

Prospective Employer:  Okay, thanks we'll let you our decision.

After nine months of those type responses, out of pockets expenses for Sec+ course, cert exam, CISA course and ISACA membership, I decided enough was enough.

Maybe if employers were willing hire people with demonstrated abilities and the motivation to do the job some of those vacancies could be filled.  Just a thought.
AI Is Everywhere, but Don't Ignore the Basics
Howie Xu, Vice President of AI and Machine Learning at Zscaler,  9/10/2019
Fed Kaspersky Ban Made Permanent by New Rules
Dark Reading Staff 9/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16319
PUBLISHED: 2019-09-15
In Wireshark 3.0.0 to 3.0.3 and 2.6.0 to 2.6.10, the Gryphon dissector could go into an infinite loop. This was addressed in plugins/epan/gryphon/packet-gryphon.c by checking for a message length of zero.
CVE-2019-16320
PUBLISHED: 2019-09-15
Cobham Sea Tel v170 224521 through v194 225444 devices allow attackers to obtain potentially sensitive information, such as a vessel's latitude and longitude, via the public SNMP community.
CVE-2019-16321
PUBLISHED: 2019-09-15
ScadaBR 1.0CE, and 1.1.x through 1.1.0-RC, has XSS via a request for a nonexistent resource, as demonstrated by the dwr/test/ PATH_INFO.
CVE-2019-16317
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can trigger execution of a .phar file via a phar:// URL in a filename parameter, because PHAR uploads are not blocked and are reachable within the phar://../../../../../../../../var/www/html/web/var/assets/ directory, a different vulnerabi...
CVE-2019-16318
PUBLISHED: 2019-09-14
In Pimcore before 5.7.1, an attacker with limited privileges can bypass file-extension restrictions via a 256-character filename, as demonstrated by the failure of automatic renaming of .php to .php.txt for long filenames, a different vulnerability than CVE-2019-10867 and CVE-2019-16317.