Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

3/15/2018
09:40 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

(ISC)2 Report: Glaring Disparity in Diversity for US Cybersecurity

While the average US security salary is $122,000, the average salary for people of color is $115,000, with men identifying as minorities making $6000 more than minority women.

Minority cybersecurity professionals in the US hold higher academic degrees than their Caucasian counterparts, yet make less money and hold fewer managerial and leadership positions.

Such is the state of diversity in the industry today, according to a first-ever study of the topic by the (ISC)2. Minority representation is actually slightly higher in cybersecurity – 26% - than in the US workforce overall, which is 21%. But disparity in salaries and management roles for underrepresented groups remains a common theme, even for an industry that faces a shortfall of some 1.8 million unfilled security positions worldwide by 2020, according to data from Frost & Sullivan.

While the average US cybersecurity professional earns a salary of $122,000, the average salary for people of color is $115,000, the study shows. Men identifying as minorities make more than women on average: $121,000, versus $115,000 for women of color; Caucasian women make $6,000 more than women of color.

The average Caucasian male earns $124,000 on average, and most of those professionals had received a raise in the past year while their minority counterparts had not, according to the study.

Less than a quarter of minority cybersecurity professionals hold job titles of director and above, which is 7% under the overall US job average and below the number of Caucasian cybersecurity pros with such management-level titles (30%). Of those minorities in leadership roles, 62% hold Master's degrees or higher, while just half of Caucasian cybersecurity pros do.

This disparity in salary and education reflects the hurdles and challenges minority groups and women face in the cybersecurity field: they often "educate up" to boost their resumes. "I hear from a lot of members … What happens when you get an underrepresented group – gender or ethnic – they tend to feel that they have it that much harder to maybe break, or break into that glass ceiling," so they pursue higher educational degrees, says David Shearer, CEO of (ISC)2. "They take nothing to chance."

Of the 9,500 US respondents in the (ISC)2 study, 9% identify as African American or black; 4% as Hispanic; 8% as Asian; 1% as American Indian, Alaskan Native/Native Hawaiian/Pacific Islander, while 4% classified their ethnicity as "other." And 17% of minority cybersecurity professionals are female, which is higher than the overall representation of women in the industry, 14%. The study was based in part on data from (ISC)2's larger Global Information Security Workforce Study (GISWS).

International Consortium of Minority Cybersecurity Professionals (ICMCP) president Aric Perminter, whose organization co-authored the "Innovation Through Inclusion: The Multicultural Cybersecurity Workforce report" with (ISC)2, says the disparity data reflects several issues minorities face today. Some aren't provided the support to navigate their career paths toward senior positions, he says. "That can stem from what college or university they went to," Perminter says, noting that if it's not the "right schools" that offer them that access and preparation, they may face challenges.

The other issue, he says, "is unconscious bias that exists despite the different [diversity] programs that companies have stood up to fight" against that bias, which can influence a minority professional's career advancement options.

The report points to a recent McKinsey & Co. study of 180 publicly traded companies that found diversity in leadership can help the bottom line. "The findings were startlingly consistent: for companies ranking in the top quartile of executive-board diversity, Returns on Equity were 53 percent higher, on average, than they were for those in the bottom quartile. At the same time, Earnings Before Tax and Interest margins at the most diverse companies were 14 percent higher, on average, than those of the least diverse companies," the McKinsey study said.

Diversity advocates point to the cultural benefits of an organization with professionals from various ethnicities, backgrounds, and experiences.

Even so, discrimination still haunts many organizations. Some 32% of minorities say they have experienced discrimination at work, a number that Perminter says is likely higher for professionals not in leadership positions. The survey did not poll the types of discrimination those workers experienced.

"We … have to continue to raise awareness through reports like this. People may have hiring biases subconsciously they are not even aware of," (ISC)2's Shearer says.

Related Content:

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the security track here.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Araedon
50%
50%
Araedon,
User Rank: Apprentice
3/20/2018 | 7:44:36 PM
Re: ISC2 Rpt - Response
I fully agree with you that the industry is difficult to get into in most cases. Especially if you go from helpdesk straight to cybersecurity. What most are looking for is a transition from helpdesk to system administration and then to cybersecurity. If you aren't performing security-related activities, it's hard to progress. Some see helpdesk as a phone representative answering calls. In some organizations helpdesk is actually system or network administration. To earn the full CISSP certification you have to have five years of work in at least two security-related domains. The only place where I've seen relatively easy transition is government positions. There really is no cybersecurity internship or entry-level positions. You're either middle or upper management. 
bwilkes8@gmail.com
100%
0%
[email protected],
User Rank: Moderator
3/19/2018 | 1:36:39 PM
ISC2 Rpt - Response
I'm not commenting on the diversity issue as much as I am the inability to get into the field.  Last year I embarked on a quest to transition from the Help Desk into CyberSecurity.  I completed the Sec+ certification the CISA course.  After nine months of no responses I decided the $600 for the CISA exam on top of $1200 for the course were no longer worth the hassle.

Prospective Employer:  So I see you don't have a lot of experience in CyberSecurity.

Response:  Correct, which is why I'm willing to start out at associate level to work my way up and to prove I can do it.

Prospective Employer:  Okay, thanks we'll let you our decision.

After nine months of those type responses, out of pockets expenses for Sec+ course, cert exam, CISA course and ISACA membership, I decided enough was enough.

Maybe if employers were willing hire people with demonstrated abilities and the motivation to do the job some of those vacancies could be filled.  Just a thought.
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.