
Operations

2/20/2020 02:00 PM
Maxine Holt
Commentary

It's Time to Break the 'Rule of Steve'

Today, in a room full of cybersecurity professionals, there are still more people called Steve than there are women.

Discussions about recruitment trends and how people can further their careers in cybersecurity are common topics at industry conferences these days. Recently, at Black Hat Europe, one of the most striking career discussions revolved around audience demographics, which reminded me of a point I'd heard earlier in the week: the "Rule of Steve," a concept originally introduced by Dawn-Marie Hutchinson, chief information security officer for pharmaceuticals and R&D at GSK.

This rule is easy enough to explain: In a room full of cybersecurity professionals, there are usually more people called Steve than there are females. Yes, this is a tongue-in-cheek observation, but it illustrates how far our industry has to go in encouraging not only women but other diverse groups into the workforce.

The security industry needs more people. Globally, (ISC)² estimates the workforce shortage to be over 4 million. That's a lot of people, with the biggest shortage of around 2.6 million reported in Asia-Pacific. The shortfall in North America stands around 560,000, in Latin America around 600,000, and in Europe just shy of 300,000.

It is time to think beyond the usual confines of building a specialized workforce. Often, roles are advertised requiring a master's degree in information security or a Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH) qualification. Without doubt, these qualifications are highly valued and sought after, but they probably can only cover a very small percentage of the 4 million workforce shortage — not to mention that individuals with these qualifications are likely already working in the industry anyway.

To build the workforce we need to encourage diversity. We need more women. We need more ethnic diversity. We need more neurodiversity. We need more men. We need more people from a whole range of "groups" who have the right aptitude and attitude to work in information and cybersecurity.

Does everyone who works in the industry need to be technical? No! Here's an example. Business information security officers (BISO) need to be able to speak to the business and speak to the IT and information security functions. They do not need to be able to trace alerts through a SOC to identify potential security incidents and breaches. So instead of looking for a BISO with a Certified Information Security Manager (CISM) qualification, which arguably is the closest professional qualification for a BISO, the net should be spread wider.

For example, don't limit potential candidates to the roughly 27,000 people who hold CISM (according to ISACA). Rather, look within the organization for individuals who are perhaps security ambassadors or champions, or others who have expressed an interest in joining the group. Even if there are no direct expressions of interest, start with "lunch and learn" sessions to stimulate interest. Don't be dry — make it exciting — and in this way organizations can start to build the next generation of security professionals.

Does everyone who works in the industry need to be in an office? No to this question, too. Remote working significantly expands the pool of candidates, which in turn brings access to better and diverse resource groups. A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups.

Some people in the industry do need to be technical, as Black Hat Europe showed once again, and finding people with the right technical skills and expertise is also a challenge. However, at the event there was a cohort of technical people — DBAs, for example — who were desperate to make their way in the world of cybersecurity but couldn't find an opening because they didn't have the CISSP qualification. Is the industry limiting itself to that extent? According to (ISC)² there were fewer than 140,000 CISSP-qualified individuals globally at the end of May 2019. Surely we can see a way to bring in these individuals with an aptitude for technology and an enthusiasm for security, and train them into the roles so desperately needed?

There are initiatives around the globe, such as Vietnam's Project DARE (Data Analytics Raising Employment) developing workplace-ready competencies for employers. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework is fast becoming a globally recognized approach for cybersecurity and is being used to develop employee competencies. Look for these in your country or region and take advantage of them — they are there to help build the security workforce.

Many of the people I spoke with at Black Hat Europe were not called Steve and would make fantastic additions to the global information security workforce. It's time to break the "Rule of Steve" and think outside the box.


Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ...