The dirty little secret about most security job openings today is that they often inadvertently preclude women and minorities.
Employers typically have a specific type of person in mind for the job, and the job description is written accordingly, requiring several years of experience, a computer science degree or background, and other technical skills such as certifications or hands-on hacking tool expertise.
That’s not typically a diversity-friendly job description – training and tool costs are often out of range for inner-city and small-town candidates. A panel of diverse and accomplished female security professionals at Black Hat USA earlier this month shared their insight on this and other ways the industry is doing it wrong – and how to encourage more diversity.
I served as moderator of the “Removing Roadblocks to Diversity” panel, which featured Jamesha Fisher, Security Operations Engineer at GitHub; Chenxi Wang, Chief Strategy Officer of Twistlock; Rebekah Brown, Threat Intelligence Lead at Rapid7; and Angie Leifson, Security Operations Center (SOC) Analyst at Insight Enterprises.
The lack of diversity in security is a topic I’ve researched plenty this year, but listening to these women share what they see in the trenches every day, the firsthand lessons they’ve learned, and advice the give to other women and minorities, was enlightening. To be honest, it was a bit frustrating, too, since the number of women in the security industry has remained at about 10% for at least three years now. African-American women represent just 3% of computer-related jobs, and Latina women, 1%.
There’s also a glaring disconnect today between many job openings in cybersecurity and the types of skills the field now demands. The panelists pointed to the importance and need in security for non-technical skills and backgrounds in psychology, linguistics, communications, for example. Yet those skills aren’t the norm in a typical job opening.
Take Wang, whose career path came via the traditional route of a computer science degree and graduate school. She said it’s time for a rewrite of inherently biased job descriptions: “If you had somebody coaching them on writing a job description that is more inclusive, they would have gotten more candidates. I try to do that myself,” Wang said during the panel.
Fisher, who is African-American, said there are few if any junior security positions, which makes it tough for anyone to break into the industry. Minorities have a disadvantage up front. “They may not have the money to buy the training needed to do security to get that competitive edge. Where does this leave people who don’t have the money?” Fisher said.
Rapid7’s Brown, whose military career as a linguist in Mandarin ultimately led her to cybersecurity threat intelligence, said the cookie-cutter job description doesn’t cut it today’s world. Having security staff with diverse backgrounds, educations, outlooks, and mindsets is key, Brown said. “If you just put one job description out, you’re never going to be successful,” she said.
There’s a mindset problem here as well. Studies and anecdotal data show that women are less likely to apply for a job if they don’t fit all of the listed qualifications, whereas men apply even if they don’t have all of the listed skills. But that’s a trend that can be broken, the panelists said.
On the flip side, women and minorities often aren’t given the benefit of the doubt like their counterparts when it comes to missing qualifications, Fisher said. White men, for instance, she said, are often given “reasonable doubt” that they will learn the skills they lack on the job. She urged large companies to use their resources to train and attract more minorities and women to security jobs.
Leifson, who graduated from college in December and is now a SOC analyst, had a refreshing view on this: even when she doesn’t meet all of the qualifications listed in a job opening, she still applies for it. “I still feel confident in my skills,” she said. “Don’t be afraid” to put yourself out there and apply, she said.
The social impact of security is also an element that needs to be touted more, the panelists said. “So many people are about the hacking aspect, but nobody is about the defensive aspect. That has the social impact” that appeals to a broader talent pool, Fisher said.
Diversity is one thing, but inclusiveness is another, the panelists said. Hiring more women and minorities is the first step to a truly diverse workforce – organizations then also need to ensure they respect and embrace their workers’ different backgrounds.
To view the entire panel discussion and Q&A, check out the video recording here.