Unrealistic entry-level job requirements, black-hoodie hacker image problems are among the 'uncomfortable conversations' needed to remedy cybersecurity's diversity gap.

Something shifted last week in the cybersecurity diversity gap conversation.

A rare representation of several speakers of color, gender, and various cultures took the stage in San Francisco both at the RSA Conference and related events. They shared not only their security and privacy expertise, insight, and research - but also their firsthand experiences as minorities and their recommendations for creating a more diverse and inclusive industry.

The glaring lack of diversity in the industry's workforce is well-documented: women make up just 11% of the industry, while Hispanics and African-Americans overall comprise 12%. But the numbers have mostly remained static, despite an increasingly diverse US and global population.

Backlash a few weeks ago over a relative lack of women represented in the RSA Conference's initial slate of keynote speakers led renowned executives from Facebook, Google, and members of other tech firms to organize a rival one-day conference called Our Security Advocates (OURSA). The April 17 event featured talks by security and privacy experts from underrepresented backgrounds and sectors of society.

Just across the street, the day before, the RSA Conference held its own event called Securing Diversity, with a lineup of women and minority speakers in the industry discussing how to hack the security diversity gap. The RSA Conference keynote slate the following day featured a Q&A with US Department of Homeland Security Secretary Kirstjen Nielsen, in addition to several women speakers in the session tracks.

But it was the combination of mounting frustration over the industry's seeming inability to recruit and retain a more diverse workforce and the OURSA conference's protest that ultimately made diversity one of the key industry themes during the industry's largest annual conference week.

"It's more important than ever that security and privacy platforms are built to reflect the diversity of our users, employees, and administrators of the world," Parisa Tabriz, Google's director of engineering, told attendees at OURSA.

Minorities and women in the industry often find they are constantly battling for equal treatment. "We've got a ways to go here, for women and people who look like me. We have to work twice as hard to make ourselves credible and to be heard," Devon Bryan, founder and president of the International Consortium of Minority Cybersecurity Professionals (ICMCP), said at an event sponsored by the Cybersecurity Diversity Foundation.

Bryan, who is also executive vice president and CISO of the Federal Reserve System, points out that minorities don't want to be hired just because they are minorities. "They don't want to be hired because of what they look like, they want to be hired because they are good at what they do. They want to be valued and contributing," he said. "Diversity is not about the numbers."

Diversity isn't just about the cybersecurity talent gap, either, according to Kim Jones, director of the Cybersecurity Education Consortium at Arizona State University and a former CISO and intelligence professional. Jones, who spoke at RSA Conference's Securing Diversity summit, argues that getting serious about fostering a more diverse industry requires looking at things differently.

"We need to separate diversity from the talent gap issue. Before there was a talent shortage, there was a diversity problem," Jones said, noting that security itself doesn't care about race, creed, color, or sexual orientation, so there shouldn't be a diversity gap.

"For some reason, we are not attracting or resonating or giving an opportunity" for minorities to work in the industry, he said. Some of that is the image cybersecurity often projects, with black hoodies or "bad boy" attitudes that don't resonate among underrepresented groups: "That's not the way to recruit," he said. "When I talk to students, I say if you want to be someone who helps defend people … and make a difference," come work with me."  

Minorities and women already in the industry also need to step up and serve as role models. "If you don't have a role model, be one. I've been the sole African-American executive" of companies before, he said. "Being the 'only one' is hard, but equip the people behind you."

It's not just about hiring: it's about the inclusion of those diverse employees, said Mischel Kwon, founder and CEO of MKACyber and creator of the Cybersecurity Diversity Foundation. That means ensuring minorities and women get their voices and input heard at work and in meetings; and it can take time to hack through implicit biases that prevent that. "You have to have the uncomfortable conversations," Kwon told Dark Reading in an interview.

Corporate diversity initiatives also require a little soul-searching. "My question is how serious are you? Are you doing something just to make the numbers get better or [because] it feels good to say you're talking about" diversity, Jones said. "Or are you truly and honestly making a difference not because the numbers say we need to, but because it's the right thing to do."

United on Diversity

Christine Izuakor, senior manager of global security strategy and awareness at United Airlines, said the airline has a diverse cybersecurity team made up of 40% women and various ethnicities and sexual orientations. "For that we are a much stronger team," she said. "But it's not about color or gender. It's the unique perspective each brings."

She said United's diverse security team grew organically. "I don't know if it was intentional" originally to build such a diverse team, she told Dark Reading in an interview. "There's a more deliberate focus on that today."

Among United's initiatives to foster diversity are its cybersecurity rotation program, which includes providing internships to students in underrepresented communities. "We need to ignite that spark to [attract] people in all walks of life," she said.

Recruiting a more diverse team also means busting a few myths that hold back the industry from attracting a wider range of people, including making technology solutions that are inclusive by design so that people from all backgrounds get access to the same opportunities in the field, and help remove any barriers to them. "I'm a first generation Nigerian in America, and my culture didn't support" an IT security field, she said. "I was raised to believe that success is a doctor or an engineer, and nothing in between."

Izuakor said the "spark" that drew her to cybersecurity wasn't a role model - there weren't any for her at the time - but an elective cybersecurity course she took in college.

She believes companies should scrap the minimum degree and experience requirements for new job candidates. "Being an expert is absolutely important, but it's not years of experience alone that determine the value of contributions," she said. "We need to focus more on creating opportunities for entry" level applicants, and provide them a career "line of sight," she said.

The Year Up organization, for example, trains young urban adults for six months and then offers a six-month internship with participating organizations as a career path. "Fresh perspective works wonders," she said. "It takes that cross-generational knowledge and sharing and collaboration."

Coding and technical experience aren't the only skills needed in cybersecurity jobs, according to Izuakor, noting that the image of a coding expert wearing a black hoodie presents an image problem. "Our industry needs an extreme makeover," she said. "Our images are one of the greatest barriers to the industry, especially for minorities … We need to make sure we are positioning ourselves more inclusively."

Meantime, several speakers in the diversity sessions acknowledged that they were mostly preaching to the choir. "People who need to hear this are not here. That's the biggest problem," Jones said. "You need to bring conversations like this to the main hall [of RSAC] and make people a little uncomfortable to hear about it."


About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
