
4/25/2018
09:30 AM

Diversity: It's About Inclusion

Unrealistic entry-level job requirements, black-hoodie hacker image problems are among the 'uncomfortable conversations' needed to remedy cybersecurity's diversity gap.

Something shifted last week in the cybersecurity diversity gap conversation.

A rare representation of several speakers of color, gender, and various cultures took the stage in San Francisco both at the RSA Conference and related events. They shared not only their security and privacy expertise, insight, and research - but also their firsthand experiences as minorities and their recommendations for creating a more diverse and inclusive industry.

The glaring lack of diversity in the industry's workforce is well-documented: women make up just 11% of the industry, while Hispanic and African-Americans overall comprise 12%. But the numbers have mostly remained static, despite an increasingly diverse US and global population. 

Backlash a few weeks ago over a relative lack of women represented in the RSA Conference's initial slate of keynote speakers led renowned executives from Facebook, Google, and members of other tech firms to organize a rival one-day conference called Our Security Advocates (OURSA). The April 17 event featured talks by security and privacy experts from underrepresented backgrounds and sectors of society.

Just across the street, the day before, the RSA Conference held its own event called Securing Diversity, with a lineup of women and minority speakers in the industry discussing how to hack the security diversity gap. The RSA Conference keynote slate the following day featured a Q&A with US Department of Homeland Security Secretary Kirstjen Nielsen, in addition to several women speakers in the session tracks.

But it was the combination of mounting frustration over the industry's seeming inability to recruit and retain a more diverse workforce and the OURSA conference's protest that ultimately made diversity one of the key industry themes during the industry's largest annual conference week.

"It's more important than ever that security and privacy platforms are built to reflect the diversity of our users, employees, and administrators of the world," Parisa Tabriz, Google's director of engineering, told attendees at OURSA.

Minorities and women in the industry often find they are constantly battling for equal treatment. "We've got a ways to go here, for women and people who look like me. We have to work twice as hard to make ourselves credible and to be heard," Devon Bryan, founder and president of the International Consortium of Minority Cybersecurity Professionals (ICMCP), said at an event sponsored by the Cybersecurity Diversity Foundation.

Bryan, who is also executive vice president and CISO of the Federal Reserve System, points out that minorities don't want to be hired just because they are minorities. "They don't want to be hired because of what they look like, they want to be hired because they are good at what they do. They want to be valued and contributing," he said. "Diversity is not about the numbers."

Diversity isn't just about the cybersecurity talent gap, either, according to Kim Jones, director of the Cybersecurity Education Consortium at Arizona State University and a former CISO and intelligence professional. Jones, who spoke at RSA Conference's Securing Diversity summit, argues that getting serious about fostering a more diverse industry requires looking at things differently.

"We need to separate diversity from the talent gap issue. Before there was a talent shortage, there was a diversity problem," Jones said, noting that security itself doesn't care about race, creed, color, or sexual orientation, so there shouldn't be a diversity gap.

"For some reason, we are not attracting or resonating or giving an opportunity" for minorities to work in the industry, he said. Some of that is the image cybersecurity often projects, with black hoodies or "bad boy" attitudes that don't resonate among underrepresented groups: "That's not the way to recruit," he said. "When I talk to students, I say if you want to be someone who helps defend people … and make a difference, come work with me."

Minorities and women already in the industry also need to step up and serve as role models. "If you don't have a role model, be one. I've been the sole African-American executive" of companies before, he said. "Being the 'only one' is hard, but equip the people behind you."

It's not just about hiring: it's about the inclusion of those diverse employees, said Mischel Kwon, founder and CEO of MKACyber and creator of the Cybersecurity Diversity Foundation. That means ensuring minorities and women get their voices and input heard at work and in meetings; and it can take time to hack through implicit biases that prevent that. "You have to have the uncomfortable conversations," Kwon told Dark Reading in an interview.

Corporate diversity initiatives also require a little soul-searching. "My question is how serious are you? Are you doing something just to make the numbers get better or [because] it feels good to say you're talking about" diversity, Jones said. "Or are you truly and honestly making a difference not because the numbers say we need to, but because it's the right thing to do."

United on Diversity

Christine Izuakor, senior manager of global security strategy and awareness at United Airlines, said the airline has a diverse cybersecurity team made up of 40% women and various ethnicities and sexual orientations. "For that we are a much stronger team," she said. "But it's not about color or gender. It's the unique perspective each brings."

She said United's diverse security team grew organically. "I don't know if it was intentional" originally to build such a diverse team, she told Dark Reading in an interview. "There's a more deliberate focus on that today."

Among United's initiatives to foster diversity are its cybersecurity rotation program, which includes providing internships to students in underrepresented communities. "We need to ignite that spark to [attract] people in all walks of life," she said.

Recruiting a more diverse team also means busting a few myths that hold back the industry from attracting a wider range of people, including making technology solutions that are inclusive by design so that people from all backgrounds get access to the same opportunities in the field, and help remove any barriers to them. "I'm a first generation Nigerian in America, and my culture didn't support" an IT security field, she said. "I was raised to believe that success is a doctor or an engineer, and nothing in between."

Izuakor said the "spark" that drew her to cybersecurity wasn't a role model - there weren't any for her at the time - but an elective cybersecurity course she took in college.

She believes companies should scrap the minimum degree and experience requirements for new job candidates. "Being an expert is absolutely important, but it's not years of experience alone that determine the value of contributions," she said. "We need to focus more on creating opportunities for entry" level applicants, and provide them a career "line of sight," she said.

The Year Up organization, for example, trains young urban adults for six months and then offers a six-month internship with participating organizations as a career path. "Fresh perspective works wonders," she said. "It takes that cross-generational knowledge and sharing and collaboration."

Coding and technical experience aren't the only skills needed in cybersecurity jobs, according to Izuakor, noting that the image of a coding expert wearing a black hoodie presents an image problem. "Our industry needs an extreme makeover," she said. "Our images are one of the greatest barriers to the industry, especially for minorities … We need to make sure we are positioning ourselves more inclusively."

Meantime, several speakers in the diversity sessions acknowledged that they were mostly preaching to the choir. "People who need to hear this are not here. That's the biggest problem," Jones said. "You need to bring conversations like this to the main hall [of RSAC] and make people a little uncomfortable to hear about it."


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
REISEN1955,
User Rank: Ninja
4/26/2018 | 1:13:51 PM
Re: Best job candidate description EVER
Quite correct --- I am all for gender diversity and in many areas women are far better analysts than men will ever be (have us beat on a whole bunch of fronts).  BUT what we really have is an INTELLIGENCE DIVERSITY issue which is entirely different.  (I say nothing about Bangalore - enough said there).   That is different from KNOWLEDGE DIVERSITY which is a very good thing.  INTELLIGENCE div goes up through the ranks to so that, as at IBM, you have management strata lines of people who know nothing but got there because they knew something earlier in their life and lower down on management ladder.  Remember FUMU?   
Joe Stanganelli,
User Rank: Ninja
4/26/2018 | 5:22:58 AM
Re: Best job candidate description EVER
@REISEN: I remember seeing Andy Ellis, CSO of Akamai, speak once on the subject of how these types of purple-squirrel hiring tactics actually diminish gender diversity in the workplace.

Ellis: "If you have a [gender] diversity problem, this is why... [Men] are totally willing to lie and say, 'Yeah, I've got 12 years' experience in Windows 8.'"

Incidentally, here's my writeup for one of Dark Reading's sister sites on this subject, in which Ellis is quoted: networkcomputing.com/careers/tech-talent-shortage-myth/1360165050
notthereatall,
User Rank: Apprentice
4/25/2018 | 12:31:11 PM
A parallel discussion: "inclusion" is an empty buzzword - from a side event
During RSA conference Peerlyst held a side event. The outcome of one of the sessions was a vivid discussion: "'inclusion' is an empty buzzword".

Here are some interesting and relevant quotes:

By Kim Krawley:

"Employers need to stop having rigid hiring criteria. All of that "culture fit" stuff also excludes people who are demographically different from the people who already work at the company. I work for several different cybersecurity vendors. You know what they looked at? The blog content I've written for other companies and my Twitter following. That's it."

By Andrew Commons:

"We are all different, very different. We have developed a culture that highlights differences and provides the technology for the collective persecution of those considered different. It has become a sport, 'shaming' is the new black.

We have legislation that requires "affirmative action". In some jurisdictions it's been around for 60 years. In large corporations we see (very) senior positions being created specifically to address 'Diversity'. As we see in the case of James Damore (and let's ignore his views for now) and Google, such environments actually do not tolerate diversity; they are intent on promoting uniformity and will highlight and shame those who dare differ.

It's this bigger global cultural issue that needs to be addressed before any change can be expected in corporate culture."

By Molly Payne:

"Companies hopefully are seeing that diversity drives creative thought and problem solving. As a community in a company we can create social enclaves for ourselves as a place to recharge and brainstorm solutions for problems we observe. In hiring opportunities reaching back can be a method for those of us outside the majority to change the stats; if you have a say in hiring reach out to those people in your community who you know are qualified and get their resume seen. Volunteer and share your skills. I feel a lot of analyst work and security work can be taught much like a trade you just have to have the passion. I've often thought of organizing a club at a local high school or middle school to build excitement about this field. I think about this quite a lot, and love these discussions thanks for bringing it up!"

 
Kelly Jackson Higgins,
User Rank: Strategist
4/25/2018 | 9:46:06 AM
Re: Best job candidate description EVER
=) 
REISEN1955,
User Rank: Ninja
4/25/2018 | 9:25:29 AM
Best job candidate description EVER
Needed - YOUNG enthusiastic Millennial (age 22) with 32 years of experience.