
8/18/2016
04:20 PM

How Diversity Can Bridge The Talent Gap

Women and minorities in the security industry share some hard truths about the security industry's hiring traditions and practices.

The dirty little secret about most security job openings today is that they often inadvertently preclude women and minorities.

Employers typically have a specific type of person in mind for the job, and the job description is written accordingly, requiring several years of experience, a computer science degree or background, and other technical skills such as certifications or hands-on hacking tool expertise.

That’s not typically a diversity-friendly job description – training and tool costs are often out of range for inner-city and small-town candidates. A panel of diverse and accomplished female security professionals at Black Hat USA earlier this month shared their insight on this and other ways the industry is doing it wrong – and how to encourage more diversity.

I served as moderator of the “Removing Roadblocks to Diversity” panel, which featured Jamesha Fisher, Security Operations Engineer at GitHub; Chenxi Wang, Chief Strategy Officer of Twistlock; Rebekah Brown, Threat Intelligence Lead at Rapid7; and Angie Leifson, Security Operations Center (SOC) Analyst at Insight Enterprises.

Source: Black Hat USA

The lack of diversity in security is a topic I’ve researched plenty this year, but listening to these women share what they see in the trenches every day, the firsthand lessons they’ve learned, and the advice they give to other women and minorities was enlightening. To be honest, it was a bit frustrating, too, since the number of women in the security industry has remained at about 10% for at least three years now. African-American women represent just 3% of computer-related jobs, and Latina women, 1%.

There’s also a glaring disconnect today between many job openings in cybersecurity and the types of skills the field now demands. The panelists pointed to the need in security for non-technical skills and backgrounds in psychology, linguistics, and communications, for example. Yet those skills aren’t the norm in a typical job opening.

Take Wang, whose career path came via the traditional route of a computer science degree and graduate school. She said it’s time for a rewrite of inherently biased job descriptions:  “If you had somebody coaching them on writing a job description that is more inclusive, they would have gotten more candidates. I try to do that myself,” Wang said during the panel.

Fisher, who is African-American, said there are few if any junior security positions, which makes it tough for anyone to break into the industry. Minorities have a disadvantage up front. “They may not have the money to buy the training needed to do security to get that competitive edge. Where does this leave people who don’t have the money?” Fisher said.

Rapid7’s Brown, whose military career as a linguist in Mandarin ultimately led her to cybersecurity threat intelligence, said the cookie-cutter job description doesn’t cut it in today’s world. Having security staff with diverse backgrounds, educations, outlooks, and mindsets is key, Brown said. “If you just put one job description out, you’re never going to be successful,” she said.

There’s a mindset problem here as well. Studies and anecdotal data show that women are less likely to apply for a job if they don’t fit all of the listed qualifications, whereas men apply even if they don’t have all of the listed skills. But that’s a trend that can be broken, the panelists said.

On the flip side, women and minorities often aren’t given the benefit of the doubt like their counterparts when it comes to missing qualifications, Fisher said. White men, for instance, she said, are often given “reasonable doubt” that they will learn the skills they lack on the job. She urged large companies to use their resources to train and attract more minorities and women to security jobs.

Leifson, who graduated from college in December and is now a SOC analyst, had a refreshing view on this:  even when she doesn’t meet all of the qualifications listed in a job opening, she still applies for it. “I still feel confident in my skills,” she said. “Don’t be afraid” to put yourself out there and apply, she said.

The social impact of security is also an element that needs to be touted more, the panelists said. “So many people are about the hacking aspect, but nobody is about the defensive aspect. That has the social impact” that appeals to a broader talent pool, Fisher said.

Diversity is one thing, but inclusiveness is another, the panelists said. Hiring more women and minorities is the first step to a truly diverse workforce – organizations then also need to ensure they respect and embrace their workers’ different backgrounds.

To view the entire panel discussion and Q&A, check out the video recording here.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
Dr.T,
User Rank: Ninja
8/31/2016 | 11:55:41 AM
Re: Additional exacerbation
"... Mindset is definitely an issue, ..."

That makes sense. We just need to educate our female students and make them aware of IT a little bit better I guess.
Dr.T,
User Rank: Ninja
8/31/2016 | 11:53:53 AM
Re: Additional exacerbation
"... That men are generally/on average willing to apply for jobs if they meet only 60% of the stated "qualifications," whereas women are generally only willing to apply for jobs if they meet 100% of the stated "qualifications." ..."

This may be one reason why we do not get many female applicants.

 
Dr.T,
User Rank: Ninja
8/31/2016 | 11:51:33 AM
Lack of diversity
 

Not only women but there is a real diversity problem not only in security but across IT. High, well-paying positions are held by white males. A few high-tech companies run by other races simply because they
InReality01,
User Rank: Strategist
8/30/2016 | 10:00:35 AM
By the way...
There is nothing inherently "good" about diversity in the workforce based on gender, race or ethnicity.

Diversity of thought that is expressed through a variety of skills, talents, visions and ideas is important.

 
InReality01,
User Rank: Strategist
8/30/2016 | 9:57:01 AM
The phantom issue in security...
I have been in IT / IT Security / Forensics for over 20 years and there is certainly a lack of women in these fields but it isn't because of a purposeful intent to keep them out.......... the fact is, women don't go into technical fields at nearly the same rate as men do.

I have been on many interview panels and can count on one hand the amount of women that have applied for the jobs I was involved in hiring. 

I have seen plenty of minorities hired as well......... Asians and Indians are at the top of this list but still plenty of blacks as well. In some areas there are way more minorities working in IT. I'm guessing this isn't the "diversity" that some people are wanting and I'm not sure "some" people will ever be satisfied until there is an exact same percentage of every possible type of person in the labor force....... which, of course, is absurd and will never happen. Some jobs/careers are dominated by men, some by women, some by specific racial or ethnic groups, it's just a fact of life because everyone has different interests, talents, skills or was raised in a specific environment whereby they are more prone to go into a specific line of work. There is nothing wrong with any of this.

I have seen the most talented / skilled / experienced individual with the best communication skills get hired in almost every instance.  There are some exceptions when it comes to government hiring where I have seen bad candidates hired because of either unwritten quotas (diversity related) or because the individual hired was known or related to someone (or recommended by a politician).  Sure, this happens in private industry as well but not nearly to the extent as in government from what I have seen.

Typically the best qualified individual gets the job although there are exceptions as I pointed out.

The only way to get more minorities or women in these highly skilled IT / IR / Forensics positions is to have more highly qualified / skilled / talented minorities and women applying for the positions.

 

 

 
MistyMorn,
User Rank: Apprentice
8/28/2016 | 4:46:25 PM
Re: Additional exacerbation
While I agree that the "just do it" mindset is important, it can also be especially aggravating if you are in your forties and trying to change careers. I graduated from college a few years ago and am having a difficult time trying to get my foot in the door for anything IT related. My background is electronics and quality but my work history has very little I can relate to the IT field. There is still this expectation to have to work from the ground up. Most companies want you to start as tech support then grow from there.

My point is that IT has grown so much from just fixing computers and keeps evolving into specialized knowledge tracks but companies do not adjust as quickly as the job market. I grow increasingly disillusioned because I do not have thousands to spend on specialized training and software in order to prove that I can work with it or even stay current with different releases. Entry level should be an on the job training position but I still struggle with being underqualified due to my lack of enterprise IT experience.

 
GonzSTL,
User Rank: Ninja
8/24/2016 | 3:42:00 PM
Re: Additional exacerbation
This is where the most impact can be achieved. It is my personal goal to spread STEM awareness in young kids, especially girls. The stereotypical girl, raised and/or influenced by peers in directions diverted from STEM is something that must change. Additionally, boys tend to be more "aggressive" in pursuing results, so they take higher risks (re: 60% vs 100% qualified). This status serves to miss out on half the talent pool – women. It really is incumbent upon us, particularly in the male dominated technology sector, to address these issues and encourage/mentor women. That "just do it" mindset is critical.
Kelly Jackson Higgins,
User Rank: Strategist
8/23/2016 | 2:21:39 PM
Re: Additional exacerbation
Mindset is definitely an issue, and the panelists were very frank and insightful on that issue. I still love Angie Leifson's "just do it" mindset--wise words from a millennial who has already made quite an impression in the field. 
Joe Stanganelli,
User Rank: Ninja
8/23/2016 | 2:01:34 PM
Additional exacerbation
Also exacerbating this is what was allegedly found in that oft-cited internal HP study from some years ago: That men are generally/on average willing to apply for jobs if they meet only 60% of the stated "qualifications," whereas women are generally only willing to apply for jobs if they meet 100% of the stated "qualifications."

The real issue, IMHO, is that most girls are raised and treated a certain way that is very different from how most boys are raised and treated -- consequently limiting their own self-expectations.

There was some smarmy blog post/op-ed that went semi-viral a while back about raising your sons like daughters.  I think it should be the other way around: raise your daughters like sons.