
Operations

2/20/2020
02:00 PM
Maxine Holt
Commentary

It's Time to Break the 'Rule of Steve'

Today, in a room full of cybersecurity professionals, there are still more people called Steve than there are women.

Discussions about recruitment trends and how people can further their careers in cybersecurity are common topics at industry conferences these days. Recently, at Black Hat Europe, one of the most striking career discussions revolved around audience demographics, which reminded me of a point I'd heard earlier in the week: the "Rule of Steve," a concept originally introduced by Dawn-Marie Hutchinson, chief information security officer for pharmaceuticals and R&D at GSK.

This rule is easy enough to explain: In a room full of cybersecurity professionals, there are usually more people called Steve than there are females. Yes, this is a tongue-in-cheek observation, but it illustrates how far our industry has to go in encouraging not only women but other diverse groups into the workforce.

The security industry needs more people. Globally, (ISC)² estimates the workforce shortage to be over 4 million. That's a lot of people, with the biggest shortage of around 2.6 million reported in Asia-Pacific. The shortfall in North America stands around 560,000, in Latin America around 600,000, and in Europe just shy of 300,000.

It is time to think beyond the usual confines of building a specialized workforce. Often, roles are advertised requiring a master's degree in information security or a Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH) qualification. Without doubt, these qualifications are highly valued and sought after, but they probably can only cover a very small percentage of the 4 million workforce shortage — not to mention that individuals with these qualifications are likely already working in the industry anyway.

To build the workforce we need to encourage diversity. We need more women. We need more ethnic diversity. We need more neurodiversity. We need more men. We need more people from a whole range of "groups" who have the right aptitude and attitude to work in information and cybersecurity.

Does everyone who works in the industry need to be technical? No! Here's an example. Business information security officers (BISO) need to be able to speak to the business and speak to the IT and information security functions. They do not need to be able to trace alerts through a SOC to identify potential security incidents and breaches. So instead of looking for a BISO with a Certified Information Security Manager (CISM) qualification, which arguably is the closest professional qualification for a BISO, the net should be spread wider.

For example, don't limit potential candidates to the around 27,000 people with CISM (according to ISACA). Rather, look within the organization for individuals who are perhaps security ambassadors or champions, or others who have expressed an interest to join the group. Even if there are no direct expressions of interest then start with "lunch and learn" sessions to stimulate interest. Don't be dry — make it exciting — and in this way organizations can start to build the next generation of security professionals.

Does everyone who works in the industry need to be in an office? No to this question, too. Remote working significantly expands the pool of candidates, which in turn brings access to better and diverse resource groups. A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups.

Some people in the industry do need to be technical, as Black Hat Europe showed again, and finding people with the right technical skills and expertise is also a challenge. However, at the event there was a cohort of technical people — DBAs, for example — who were desperate to make their way in the world of cybersecurity but couldn't find an opening because they didn't have the CISSP qualification. Is the industry limiting itself to that extent? According to (ISC)² there were fewer than 140,000 CISSP-qualified individuals globally at the end of May 2019. Surely we can see a way to bring in these individuals, who have an aptitude for technology and an enthusiasm for security, and train them into the roles so desperately needed?

There are initiatives around the globe, such as Vietnam's Project DARE (Data Analytics Raising Employment) developing workplace-ready competencies for employers. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework is fast becoming a globally recognized approach for cybersecurity and is being used to develop employee competencies. Look for these in your country or region and take advantage of them — they are there to help build the security workforce.

Many of the people I spoke with at Black Hat Europe were not called Steve and would make fantastic additions to the global information security workforce. It's time to break the "Rule of Steve" and think outside the box.


Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ...

Comments

Moscarelli, User Rank: Apprentice, 3/10/2021 | 1:42:42 PM
Does the 'Rule of Steve' Still Apply? Yes.
Yes, it is way past time to break the rule of Steve. Far too few IT Security customers in the Fortune 1000 are women.

Israeli vendors usually have a lot more non-males in senior roles compared to American vendors. At Check Point Software our CEO-Americas was Dr. Deborah Triant. Dr. Dorit Dor of Check Point is certainly one of the leading technical authorities in cyber security. She is a thought leader for sure. In the USA, at Thales eSecurity our CEO was Cindy Provin.

Silicon Valley, Austin, Boston, Reston and other centers of cyber lag behind Israel in women in security. The CISOs I know who are women are widely respected in their roles, however there are too many Steves.

At the ISSA, President Candy Alexander and the mostly non-male board do a great job.

Sincerely, Steve Moscarelli