Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

How to Build a Path Toward Diversity in Information Security

Hiring women and minorities only addresses half the issue for the IT security industry -- the next step is retaining these workers.

BLACK HAT USA – Las Vegas – Some 1.8 million information security professionals will be needed in the next five years worldwide, further driving home the need to expand the pool of potential candidates by bringing more women and minorities into the mix, speakers on the "Making Diversity a Priority In Security" panel said here today at Black Hat.

Not only are companies looking to fill vacant job openings, but they are increasingly seeking to add diversity to the workforce.

When you look at diversity, it goes beyond a person's gender and race and it brings to the table the benefit of a diversity of thought, says panelist Anthony Johnson, managing director and business information security officer at JPMorgan Chase & Co.

Panelist Aubrey Blanche, global head of diversity and inclusion at Atlassian, noted that empirical research has shown that when employees are working with people who are different than they are, they process information differently. As a result, one potential benefit may be coming up with ideas and innovation by studying an issue from a different perspective, Blanche says.

It's this potential benefit that prompts some companies to hire women and people of color for information security roles, even though their level of experience is less than other candidates, the panelists noted.

"You can say hire more people, but that doesn't solve the problem. You need to have a diversity program that gets the pipeline flowing," said Johnson.

Some of the panelists said their organizations are working on initiatives to encourage high school, middle school, and even elementary school-aged students, to learn about the cybersecurity field.

Palo Alto Networks, for example, teamed up with the Girl Scouts of the USA. Palo Alto Networks announced last month it would assist in delivering a national Girl Scout Cybersecurity badge for students in kindergarten through the 12th-grade.

"We partnered with the Girl Scouts to offer cybersecurity badges to K-12 girls, so all these girls will be exposed to cybersecurity," says Rick Howard, Palo Alto Networks chief security officer.

Another way to entice hiring managers, internal recruiters, and others involved in the hiring process to reach out and interview a diverse pool of job applicants, is to tie it to performance bonuses or some form of financial reward, says Mary Chaney, vice president of the International Consortium of Minority Cybersecurity Professionals (ICMCP).

Job descriptions often present a list of must-have and want-to-have requirements that preclude women and minorities. One way to bridge that gap is to write more approachable and realistic job descriptions that open the door for entry-level applicants as well.

"Women don't apply for jobs, even if they are 80% qualified. They won't apply because they don't meet the other 20%," Chaney says.

Maintaining a Diverse IT Security Workforce

Hiring women and minorities only addresses half the issue for the IT security industry. The next step is retaining these workers, according to the panel.

The number one reason women and minorities leave is because of mistreatment, Blanche says. One way her company sought to address attrition was by eliminating the subjective portions of performance evaluations, she added.

"Sometimes if a woman's voice is silenced during a meeting, after meeting after meeting, she goes silent," Chaney explained. She adds that women likely stay where they are valued and have a good support system.

Palo Alto Network's security team has marching orders from Howard that sexist jokes and comments will not be tolerated, he noted.

In the Black Hat keynote address here earlier in the day, Alex Stamos, CISO of Facebook, noted that two male engineers were treating a female security team member with disdain and disrespect. Stamos chastised the two engineers for it and was surprised when the female employee called him over to discuss the meeting and asked Stamos not to rush to her defense in the future. She explained it would be harder for her to gain respect and credibility with the two male engineers and the team if Stamos continued to rush to her defense.

Atlassian's Blanche said one way she dealt with finding her voice to speak up in meetings - after feeling she was frequently dismissed - was to call on a peer who created "space for her." In the meetings, he would ask Blanche what she thought, and over time she began to participate in the discussions.

"Over time I could say something and didn't feel like I would die," she said.

Related Content:

Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET's ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RetiredUser
50%
50%
RetiredUser,
User Rank: Ninja
7/31/2017 | 12:29:59 PM
Long-term Effects of Gender Diversity
I've worked over a decade in an environment of deep diversity.  At all levels of management and labor, we have vastly diverse backgrounds in education, religious beliefs, nationality and gender.  As a techie I've worked at plenty of organizations that had what has now become the stereotypical view of software company employees on comedy shows.  Not here.  And after over a decade working with, under and over female employees I can say that the long-term effects of gender diversity are, in fact, not bad at all.  As the father of two daughters, I can finally assure my girls there is a place they can thrive, be seen as potential leaders and innovators and not be restricted by gender perceptions.  I hope for that throughout the whole tech industry.  Interacting with vendors across the industry, I feel that this is slowly changing; some of the most talented hackers I've worked with are women, and it doesn't take long after working with them to reach that "gender neutral" state because, big surprise, men and women in tech are ultimately different sides of the same coin.  Go figure.  
Carter25
0%
100%
Carter25,
User Rank: Apprentice
7/28/2017 | 9:15:19 AM
In Your Shoes
Currently as a woman, as the [only] security administrator, team of all men.. I face this every day. 

"Not being able to speak up becuase of always being dismissed." portion. My last two jobs. Im young. I'm blonde. I'm not taken seriously. And I'm shut down by others consistantly, from multiple teams. This is more frequent than people know.
The Problem with Proprietary Testing: NSS Labs vs. CrowdStrike
Brian Monkman, Executive Director at NetSecOPEN,  7/19/2019
How Attackers Infiltrate the Supply Chain & What to Do About It
Shay Nahari, Head of Red-Team Services at CyberArk,  7/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10102
PUBLISHED: 2019-07-22
The Linux Foundation ONOS 1.15.0 and ealier is affected by: Improper Input Validation. The impact is: The attacker can remotely execute any commands by sending malicious http request to the controller. The component is: Method runJavaCompiler in YangLiveCompilerManager.java. The attack vector is: ne...
CVE-2019-10102
PUBLISHED: 2019-07-22
Frog CMS 1.1 is affected by: Cross Site Scripting (XSS). The impact is: Cookie stealing, Alert pop-up on page, Redirecting to another phishing site, Executing browser exploits. The component is: Snippets.
CVE-2019-10102
PUBLISHED: 2019-07-22
Ilias 5.3 before 5.3.12; 5.2 before 5.2.21 is affected by: Cross Site Scripting (XSS) - CWE-79 Type 2: Stored XSS (or Persistent). The impact is: Execute code in the victim's browser. The component is: Assessment / TestQuestionPool. The attack vector is: Cloze Test Text gap (attacker) / Corrections ...
CVE-2019-9959
PUBLISHED: 2019-07-22
The JPXStream::init function in Poppler 0.78.0 and earlier doesn't check for negative values of stream length, leading to an Integer Overflow, thereby making it possible to allocate a large memory chunk on the heap, with a size controlled by an attacker, as demonstrated by pdftocairo.
CVE-2019-4236
PUBLISHED: 2019-07-22
A IBM Spectrum Protect 7.l client backup or archive operation running for an HP-UX VxFS object is silently skipping Access Control List (ACL) entries from backup or archive if there are more than twelve ACL entries associated with the object in total. As a result, it could allow a local attacker to ...