Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/20/2020
02:00 PM
Maxine Holt
Maxine Holt
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

It's Time to Break the 'Rule of Steve'

Today, in a room full of cybersecurity professionals, there are still more people called Steve than there are women.

Discussions about recruitment trends and how people can further their careers in cybersecurity are common topics at industry conferences these days. Recently, at Black Hat Europe, one of the most striking career discussions revolved around audience demographics, which reminded me of a point I'd heard earlier in the week: the "Rule of Steve," a concept originally introduced by Dawn-Marie Hutchinson, chief information security officer for pharmaceuticals and R&D at GSK.

This rule is easy enough to explain: In a room full of cybersecurity professionals, there are usually more people called Steve than there are females. Yes, this is a tongue-in-cheek observation, but it illustrates how far our industry has to go in encouraging not only women but other diverse groups into the workforce.

The security industry needs more people. Globally, (ISC)² estimates the workforce shortage to be over 4 million. That's a lot of people, with the biggest shortage of around 2.6 million reported in Asia-Pacific. The shortfall in North America stands around 560,000, in Latin America around 600,000, and in Europe just shy of 300,000.

It is time to think beyond the usual confines of building a specialized workforce. Often, roles are advertised requiring a master's degree in information security or a Certified Information Systems Security Professional (CISSP) or Certified Ethical Hacker (CEH) qualification. Without doubt, these qualifications are highly valued and sought after, but they probably can only cover a very small percentage of the 4 million workforce shortage — not to mention that individuals with these qualifications are likely already working in the industry anyway.

To build the workforce we need to encourage diversity. We need more women. We need more ethnic diversity. We need more neurodiversity. We need more men. We need more people from a whole range of "groups" who have the right aptitude and attitude to work in information and cybersecurity.

Does everyone who works in the industry need to be technical? No! Here's an example. Business information security officers (BISO) need to be able to speak to the business and speak to the IT and information security functions. They do not need to be able to trace alerts through a SOC to identify potential security incidents and breaches. So instead of looking for a BISO with a Certified Information Security Manager (CISM) qualification, which arguably is the closest professional qualification for a BISO, the net should be spread wider.

For example, don't limit potential candidates to the around 27,000 people with CISM (according to ISACA). Rather, look within the organization for individuals who are perhaps security ambassadors or champions, or others who have expressed an interest to join the group. Even if there are no direct expressions of interest then start with "lunch and learn" sessions to stimulate interest. Don't be dry — make it exciting — and in this way organizations can start to build the next generation of security professionals.

Does everyone who works in the industry need to be in an office? No to this question, too. Remote working significantly expands the pool of candidates, which in turn brings access to better and diverse resource groups. A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups.

Some people in the industry do need to be technical, shown again at Black Hat Europe, and finding people with the right technical skills and expertise is also a challenge. However, at the event there was a cohort of technical people — DBAs, for example — who were desperate to make their way in the world of cybersecurity but couldn't find an opening because they didn't have the CISSP qualification. Is the industry limiting itself to that extent? According to (ISC)² there were fewer than 140,000 CISSP qualified individuals globally at the end of May 2019. Surely, we can see a way to bring in these individuals with an aptitude for technology and an enthusiasm for security, and train them into the roles so desperately needed?

There are initiatives around the globe, such as Vietnam's Project DARE (Data Analytics Raising Employment) developing workplace-ready competencies for employers. The US National Institute of Standards and Technology (NIST) Cybersecurity Framework is fast becoming a globally recognized approach for cybersecurity and is being used to develop employee competencies. Look for these in your country or region and take advantage of them — they are there to help build the security workforce.

Many of the people I spoke with at Black Hat Europe were not called Steve and would make fantastic additions to the global information security workforce. It's time to break the "Rule of Steve" and think outside the box.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "Chaos & Order: The Keys to Quantum-Proof Encryption"

Maxine leads Omdia's cybersecurity research, developing a comprehensive research program to support vendor, service provider, and enterprise clients. Having worked with enterprises across multiple industries in the world of information security, Maxine has a strong ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Moscarelli
50%
50%
Moscarelli,
User Rank: Apprentice
3/10/2021 | 1:42:42 PM
Does the 'Rule of Steve' Still Apply? Yes.
Yes it is way past time to break the rule of Steve. Far too few IT Securuty customers in the Fortune 1000 are women.

Israeli vendors usually have a lot more non-males in senior roles compared to American vendors. At Check Point Software our CEO-Americas was Dr. Deborah Triant. Dr. Dorit Dor of Check Point is certainly one of the leading technical authorities in cyber security. She is a thought leader for sure. In the USA, at Thales eSecurity our CEO was Cindy Provin.

Silicon Valley, Austin, Boston, Reston and other centers of cyber lag behind Israel in women in security.  The CISOs I know who are women are widely respected in their roles, however there are too many Steves. 

At the ISSA President Candy Alexander and the mostly non-male board do a great job. 

Sincerely, Steve Moscarelli

 
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-22168
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\change-emaild.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22169
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\appointment-history.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22170
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\get_doctor.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22171
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\registration.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.
CVE-2020-22172
PUBLISHED: 2021-06-22
PHPGurukul Hospital Management System in PHP v4.0 has a SQL injection vulnerability in \hms\get_doctor.php. Remote unauthenticated users can exploit the vulnerability to obtain database sensitive information.