When it comes to bringing diversity into the cybersecurity industry, let’s start by acknowledging that while the term “minority” may have served to characterize racially or ethnically diverse populations among the majority, it has evolved and can serve as a cringe-worthy elicitation of marginalization for those branded by the label.
So in our journey towards social awakening, we replaced the term “minority” with “underrepresented,” as a way to more subtly highlight “otherness.” In the Harvard Business Review, N.Chole Nwangwu argued that the term “underrepresented” suggests that the “solution to inequity is for leaders to place marginalized social groups into very visible positions while simultaneously failing to give them the tools needed to overcome individual and systemic biases.” Instead, Nwangwu writes that the behavior contributing to underrepresentation is the lack of recognition, or a term she calls “underrecognized.” that must be addressed by majority groups being intentional with leveling the playing field.
For too long, the cybersecurity industry has failed to recognize that the next generation of geniuses may not be forged from the same fire as existing practitioners. If we are honest with ourselves, we realize that some of the best level-one tech support comes from our young people, not the 20-year IT practitioner. Our industry has a unique opportunity to recognize that diverse perspectives representative of our global community has become critical in our journey to a more digitally-forward and securely accessible society.
But, how do we attract and even retain the diverse pool of women and minorities needed to make this shift? Here are some ways we can make a difference:
- Recognize: The industry needs diversity, not just minorities.
The recently-published National Cyber Workforce and Education Strategy by the Biden administration says that one of the most effective ways to grow our supply of cyber talent is to attract people of all ages and all demographics. All ages and all demographics contribute to diversity of thought and experience that’s critical to supporting innovation, critical thinking, and the evolution of industry norms. As practitioners, we can help by encouraging our recruiting teams to seek talent outside of computer science programs at four-year universities by recruiting for talent or skills that we can effectively translate into cybersecurity. An example: A detail-oriented and organized person could become a great project manager.
We can also leverage the NICE Framework from NIST to update and rework job descriptions to fit the roles and don’t post entry-level positions that require CISSPs. Helping to attract new talent requires expanding the talent pool, being open to new gifts and skills, and retooling roles to reduce friction and give opportunity for possibility.
- Prepare: Organizations must be ready before accepting differences.
Often organizations begin recruiting for diverse talent before they’re able to appreciate the difference it can bring. The Women in the Workplace Study by McKinsey and Company identified that women with traditionally marginalized identities often have a worse experience at work. These experiences include lack of manager support, lack of sponsorship and allyship, and concerns with psychological safety. Opportunities exist for companies to ensure diversity, equity, and inclusion (DEI) topics such as bias and microaggressions are proactively addressed so that each person can fully and successfully bring their talent to the environment.
- Partner: Identify organizations that can help people navigate through the journey.
Many organizations are clueless on where to go to source diverse talent and have turned to historically black colleges and universities as a first step. While these efforts seemingly address the issue of diverse talent and align to company DEI strategies, only 16% of companies with a DEI strategy have race representation goals. As a result, while students are academically competent, a gap still exist with converting talent into open jobs: Black Americans make up 12% of the workforce, but only 8% of those in tech occupations. To address these issues, a greater opportunity exists to enhance the cyber ecosystem through partnerships that bring non-profit organizations, academic institutions, government and industry together to model cyber education and workforce development. Organizations like Cyversity are already modeling these opportunities to partner with training providers, diverse talent and industry partners to upskill, reskill and drive higher conversion for diverse talent into available jobs.
- Participate: Contribute to the ecosystem, don’t just take from it.
Security practitioners are not born, they are built. In our disposable society, it feels like our industry forgot that we weren’t born practitioners, but we were developed. Cornell University’s School of Industrial and Labor Relations found that mentoring programs dramatically improved promotion and retention rates for minorities and women — 15% to 38% as compared to non-mentored employees. Everyone can mentor and be mentored and it’s a cycle that’s critical to the diversification of the future talent pools. As practitioners we can offer newbies a chance to invest in their growth and grant them grace as they learn.
The journey to diversify the cyber industry will require intentionality and participation by all to realize. Each person, whether existing practitioners or not, can play a role in helping to attract, develop, and retain diverse talent.
Sherron Burgess, vice chair, board of directors, Cyversity
