
Operations

2/20/2020
02:00 PM
Maxine Holt
Commentary

It's Time to Break the 'Rule of Steve'

Today, in a room full of cybersecurity professionals, there are still more people called Steve than there are women.

Discussions about recruitment trends and how people can further their careers in cybersecurity are common topics at industry conferences these days. Recently, at Black Hat Europe, one of the most striking career discussions revolved around audience demographics, which reminded me of a point I'd heard earlier in the week: the "Rule of Steve," a concept originally introduced by Dawn-Marie Hutchinson, chief information security officer for pharmaceuticals and R&D at GSK.

This rule is easy enough to explain: In a room full of cybersecurity professionals, there are usually more people called Steve than there are women. Yes, this is a tongue-in-cheek observation, but it illustrates how far our industry has to go in encouraging not only women but other diverse groups into the workforce.

The security industry needs more people. Globally, (ISC)² estimates the workforce shortage to be over 4 million. That's a lot of people, with the biggest shortage of around 2.6 million reported in Asia-Pacific. The shortfall in North America stands around 560,000, in Latin America around 600,000, and in Europe just shy of 300,000.

It is time to think beyond the usual confines of building a specialized workforce. Often, roles are advertised requiring a master's degree in information security or a Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH) qualification. Without doubt, these qualifications are highly valued and sought after, but they probably can only cover a very small percentage of the 4 million workforce shortage — not to mention that individuals with these qualifications are likely already working in the industry anyway.

To build the workforce we need to encourage diversity. We need more women. We need more ethnic diversity. We need more neurodiversity. We need more men. We need more people from a whole range of "groups" who have the right aptitude and attitude to work in information and cybersecurity.

Does everyone who works in the industry need to be technical? No! Here's an example. Business information security officers (BISOs) need to be able to speak to the business and to the IT and information security functions. They do not need to be able to trace alerts through a SOC to identify potential security incidents and breaches. So instead of looking for a BISO with a Certified Information Security Manager (CISM) qualification, which is arguably the closest professional qualification for a BISO, the net should be spread wider.

For example, don't limit potential candidates to the roughly 27,000 people with CISM (according to ISACA). Rather, look within the organization for individuals who are perhaps security ambassadors or champions, or others who have expressed an interest in joining the group. Even if there are no direct expressions of interest, start with "lunch and learn" sessions to stimulate interest. Don't be dry — make it exciting — and in this way organizations can start to build the next generation of security professionals.

Does everyone who works in the industry need to be in an office? No to this question, too. Remote working significantly expands the pool of candidates, which in turn brings access to better and diverse resource groups. A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups.

Some people in the industry do need to be technical, as Black Hat Europe showed again, and finding people with the right technical skills and expertise is also a challenge. However, at the event there was a cohort of technical people — DBAs, for example — who were desperate to make their way in the world of cybersecurity but couldn't find an opening because they didn't have the CISSP qualification. Is the industry limiting itself to that extent? According to (ISC)², there were fewer than 140,000 CISSP-qualified individuals globally at the end of May 2019. Surely we can see a way to bring in these individuals with an aptitude for technology and an enthusiasm for security, and train them into the roles so desperately needed?

There are initiatives around the globe, such as Vietnam's Project DARE (Data Analytics Raising Employment) developing workplace-ready competencies for employers. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework is fast becoming a globally recognized approach for cybersecurity and is being used to develop employee competencies. Look for these in your country or region and take advantage of them — they are there to help build the security workforce.

Many of the people I spoke with at Black Hat Europe were not called Steve and would make fantastic additions to the global information security workforce. It's time to break the "Rule of Steve" and think outside the box.


Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ...