The cybersecurity industry aspires to create a diverse workforce, but the number of women and people of color among the ranks – and particularly in leadership – remains unjustifiably low.
As Black History Month drew to a close and Women’s Month began, BlackGirlsHack founder Tennisha Martin discussed with SC Media the barriers to diversity in the cybersecurity workforce and how a recent partnership with RangeForce will help the non-profit contribute to change.
What was the motivation behind creating Black Girls Hack?
Martin: I'm literally trying to change what the next generation of cybersecurity looks like, so there's more parity, there's more diversity. When you see numbers like 3% of African Americans are in the field, and I think maybe 17% of women in the field, it's kind of disheartening. I want people to be able to see more black and brown faces and women in cybersecurity so that at conferences, for example, you're not just seeing a whole bunch of the same older white males who have been dominating the industry.
Why have the strides toward diversity been so modest, despite declarations of support by cybersecurity companies and the industry on whole?
Martin: One of the soapboxes that I tend to get on is that there's a lot of bias and discrimination that's built into algorithms and machine learning, based on the data that it has, which is based on the scientific engineers who are in the room. Until we start to see more people of color, more women in those rooms, the data is going to be biased toward what is given. So, I'm really hoping that within the next generation or so we'll start to see a lot more women in cybersecurity.
How do you motivate and engage the up-and-coming next generation of cybersecurity?
Martin: They need to see examples of what that looks like, to see people like them. I was reposting a Medium article that I read by a black ethical hacker that I follow – she was talking about some of the things that people have said to her. She's a penetration tester, certified in her field. Yet people will say things like “hey do you know how to configure a router,” or other pretty basic things. Why do you feel like you need to dumb it down or take it back to the basics? Is it because she's a woman or is it because she's a black woman? Would you say this to one of your white male peers? So just being able to point out instances of that.
And then the other problem Black Girls Hack tries to address is just representation. We [did] Feature Fridays – featuring men, women and children over Black History Month who've made contributions to STEM and what early access does for kids. If you can see people who are like you, who are in these positions, then you can know that it's possible for you to get there. The same way you say, "hey, I want to be like Mike or, you know, I want to be like Tyler Perry." You should be able to see those same type of high-profile figures within cybersecurity. For me, one of my favorite hackers is Marcus J. Carey. He's a black guy, he's part of the tribe of hackers. I want people to have high-profile people that they can look to and say, “you know, hey that's a goal for me.”
That’s a good draw, especially when you’re young.
Martin: That's so important, especially when you're young. It may not be a conscious thought that there's no one that looks like you in the mix or maybe you notice as you get older. But to be able to have those people in front of you that are doing great things and commendable things and interesting and fun. A lot of this stuff in cyber is so exciting. In general, some young people don't even realize how much fun it is, what the opportunities are.
What are some of the programs and activities you’ve implemented to evoke change?
Martin: We try to structure our programs based on the issues that we see as barriers to entry for the industry. Some of those include not having hands-on skills. So, we teach lab skills classes on Friday nights. We teach an intro to capture the flag class. How do you get involved, because a lot of people see these national competitions, and they feel intimidated. “I'm not good enough to get involved, I don't know enough to get involved, I'm just a beginner.” I take them back to the foundation levels and say, “hey, we're going to talk about the approach to do these types of problems." I think the capture the flags are absolutely amazing, providing exposure to the different domains within cybersecurity.
Some of the other things we do is our 30-plus study groups and Certified Ethical Hacking study groups. We offer the main certifications that people who are getting into cybersecurity are getting. We offer those study groups to try to help them get those certifications.
You recently struck a deal with RangeForce to gain affordable access to its learning modules so members of your squad can acquire real world skills and realize careers in cybersecurity. What does that mean for BGH’s goals?
Martin: RangeForce has been absolutely amazing. They reached out and said that they had a training platform. It has a lot of different domains within cybersecurity. They've got a lot of blue team-type training opportunities as well as some purple and they've got some things that they call yellow as well. If you look at the leader board, we have some people who've completed 20-something modules. We have some people who are still making their way. It’s self paced, so it's easy for them to get through the work. It provides visuals and information for you to be able to learn. Because we have a wide range of [RangeForce] offerings [members] choose what they want to work on. Not everybody is blue team, not everybody is red team. Some people want to work at the intersection of a couple of different domains. I like that RangeForce gives you a lot of that versatility. And I absolutely love the fact that they are donating it to us so that the squad could be able to use it. They're getting it at no cost, and it's absolutely amazing to me, the generosity, because this is definitely something that we need – more training.
I'm not very blue team at all, I’m very red team. If they just learned from me, we're going to have like a whole slew of red team leading hackers out there. But with RangeForce, we'll have more balance.
Do you see relationships with other companies similar to the one you’ve forged with RangeForce?
Martin: I hope more organizations follow their lead. My goal is to partner with a lot more amazing companiess. RangeForce gave us the training that we're doing in a lot of blue team [scenarios]. But there are a lot of other areas in cybersecurity as well, so I'd like to be able to, for example, partner with some of the providers of some of the certifications, to be able to help reduce some of the financial barriers. The ethical hacking field exam is $1,300. Security Plus, which is definitely a foundation level for everyone in cybersecurity no matter what their domain, is going to be almost $400. For people who may be underemployed or not be employed or switching careers, having families in the middle of the pandemic, spending maybe $1,500 to $2,000 just to get into the door is sometimes a big hurdle.
I'm hoping that through other partnerships we can help to reduce some of these barriers to entry so that the only thing standing in the way of the squad – which is what I call the people within our organization – and their goals is themselves. You just have to put forth the motivation, we've got the training, we've got the certifications. We've got the mentoring. We've got the mock interviews. We're providing those services so the only thing you need to do is to study and work hard and go get your job.
There’s something like 500,000 open positions in the United States alone for cybersecurity, and I've got hundreds of people who are trying to get cybersecurity jobs. So, how are we going to get those people into those jobs? We need to figure out what the barriers are for them, the gatekeepers. I can't go in and change algorithms for talent systems. I can't go in and change bias from large data for machine learning. But helping to structure your resume to get through those ETL systems, that is something that I can help the squad do to get careers in cybersecurity.
With so many unfilled cybersecurity jobs and companies claiming that they’re trying to diversify their ranks, what other factors are keeping the numbers so low?
Martin: So, a couple of things I think tie into this. I feel like it has to do with some of the ways that society whispers unconscious things into the ears of those coming up. For example, I'm on a couple of advisory boards and some of them are working on resume review criteria. Women, a lot of the time look at a job requisition and they'll say, "I'm only hitting maybe 60% to 70% of these requirements for this job. I'm not going to apply because I'm not 100%." And then you'll have men who look at them and say, “hey, I meet 60% to 70%, I'm going to apply.” It’s a level of confidence. It's a little bit of imposter syndrome, because I feel like when you apply for a job, you meet 100% of the criteria for the position.
You believe meeting 100% of the criteria for a position might not be a positive. Why is that?
Martin: You’re bringing everything to that position, so of course you can complete the duties but how are you going to grow as an individual and be able to add value to the organization? You know you already know everything that’s going on for that position. So, I try to tell people, especially those within the squad, to apply for things where you feel you're a good fit and can bring value. Then when looking at their resumes, we work to point out those value-adds that they bring to the organization and what they brought to their last organization. Focus on hard facts and figures. People want to see that you're bringing efficiency and they want to see that you bring excitement and new ideas to the position. If you come in and you know everything, I don't think that's necessarily going to help you grow or necessarily the company.
We need to convince women and all people who are lacking in confidence to should just go ahead and apply. Then use it as an opportunity to work on interview skills, to work on some of the soft skills that you need in order to be able to compete so that the next interview will go that much better. You’ll understand the types of questions you're going to have and you'll be able to respond to them. And you can make your case to the hiring manager because you've gotten through the tracking system. I really think it just comes down to a matter of confidence, believing in your skills, so that you can express that to someone who is asking what you bring to the organization.
Are you working with economic development councils and cities, communities and businesses to bring qualified candidates to the forefront?
Martin: I definitely realize it's something that needs to be done. We need to work with the diversity and inclusion folks at all the organizations everywhere to try to get a more diverse talent pool into the organizations. A lot of what you're talking about involves networks and knowing the right people. I've been trying to use, for example, the networks that I get from Clubhouse or other folks that I interface with to say, "If you feel like there's something that we need to be doing, can you help introduce me to people who can make this happen?" I don't want to just sit in their inbox waiting for them to accept my LinkedIn request so that I can send them a message.
There’s a lot of talk about diversity and the intentions are good, but it seems that efforts sometimes fall short.
Martin: There's a difference between having just nice words and then actually being able to follow through. It’s one thing to say you want to try to increase diversity, to try to help people, and it's another thing for a RangeForce to come through and say they’re going to donate a whole bunch of training platforms to people. So, people need to actually follow through.
For me personally, I've been trying to get into a 100% cybersecurity role for four years now, with several master's degrees. And when I tell people I'm looking for a job, they're like, “we would hire you.” But I send my resume and then I don't hear anything. People are available to do the work, who've got certifications and degrees and still cannot find a job. I'm not getting responses back. Part of that is my name is Tennisha, so you see me coming. I may not be getting through a system, just based on some bias that's built in. Let’s remove some of the gatekeepers, let's remove some of the barriers and make it more available.
Recently it was in the news that one of the big name companies had some memo released that said they didn't want to do recruiting at [historically black colleges and universities] because they didn't feel like the candidates were up to their standards. Those type of biases, eliminating an entire like group or class of people, just seems absolutely ridiculous to me because, regardless of your skin color, if you've got the qualifications and skills to get into the job then you should be able to get into a job and prove that you can do the work.