Including gender balance in security: The Journey of a CSO team

Over 40 percent of personnel on the Akamai InfoSec team are women. That’s in an industry where, depending on who you ask and how you measure, somewhere between 10percent and 15percent of entry-level positions are filled by women.

And while I’d like to say that my team has always been this balanced in representation, it hasn’t.

Two years ago, only 28 percent of our team members were women, and we’d started to notice, mostly via anecdata (the plural of anecdote, used by management to justify a decision, and is often abbreviated to “data”), that our hiring wasn’t as gender-balanced as we felt it could be. Hiring isn’t the only area that needs management attention, of course; fostering a healthy, productive, and inclusive environment is also essential. But looking at how people come into your organization is critical.

As a piece of evidence for us, MIT was graduating women at a greater rate than we were hiring women, so it couldn’t just be an absence of a candidate pool. So we started to think about exploring different ways of operating. The first, and always, step: challenge hiring managers. They’re our front line, and own most of the day-to-day actions.

I asked my team to work on it, starting with a single question to guide them: "What does your hiring pipeline look like?" It’s not that I assumed that was the only issue, but it would let us question our recruiting process end-to-end. That was a harder question to answer than you might suppose, but most managers tackled it -- tracking demographics with our Talent Acquisition team across the hiring process, through screening and into interviews. A short answer was simple: we weren’t getting enough balance in our resumes.

We tried several things. I’m reluctant to call them experiments, because we had neither a rigorous process, control group, nor an Independent Review Board to oversee us. Almost all of them appeared to be successful. Our goal was to hire great people who would both fit into and help improve Akamai and InfoSec culture, while also driving our vision: to be a helpful and sustainable guide into a safer destiny -- for Akamai, our customers, and the Internet community. My hope was to hire those great people, and have a demographic more reflective of the wider population.

We challenged our recruiter partners to source us resumes from a wider population. That isn’t as easy for them as it seems; in many ways, recruiters have to passively accept the candidates that apply. So our task became more subtle: how do we get a wider variety of people to apply?  Better marketing seemed like an answer, and our core marketing artifact was the job description.

Improving the job descriptions was both easier, and harder, than you might expect. One step was to reduce the number of required qualifications on positions; there is an increasing belief that unnecessary qualifications correlate with fewer women applying for a position. Some of those requirements, regrettably, you can’t easily just eliminate (for instance, degree requirements), because those are tied to criteria for visa eligibility for certain job families. But the language in the job descriptions can also be challenging, so some of our managers experimented with looking for subtle, gender-coded language to alter.

But those are passive steps. We wanted to be more active. One step was to open up our pipeline into new environments. We could take advantage of the Akamai Technical Academy (ATA) program, which generally produces a more women/minority/veteran population of candidates. I committed to our Talent Acquisition team, that for any ATA class that graduated people where I had staff, we’d hire at least one person.

Another area we pivoted was to look outside the security industry. A challenge that many security teams have is that when they’re small, they have to hire people who can do anything and everything. For a three or five-person team, that makes sense -- you absolutely need an architect who can engage deeply about distributed systems design with principal engineers, then pivot to program manage across multiple engineering leaders a safety initiative, and then walk into a customer executive meeting, and manage a team on the side. But as a team grows, that breadth and depth isn’t necessary across the board (although it might be a career aspiration). What was interesting to realize is that often the needed depth in a position isn’t in a traditional “security” skill.

InfoSec has positions that look more like “librarian” or “journalist”. Rather than hiring deep security experts, and trying to teach them those skills, we’ve hired actual librarians and journalists. Those are shrinking career fields, so there are skilled professionals available.  Targeting those folks, directly and indirectly, has given us access to new populations.

I’ve written here mostly about the hiring pipeline, but please don’t think that’s the only area to work on! Building an inclusive culture to improve retention, developing your existing staff, and having a flexible and accommodating environment are all important areas to pay attention to.

But we’ve made it past 40 percent, which means we’re within striking distance of the basic human demographic for gender. And that’s great progress.

By Andy Ellis, Chief Security Officer, Akamai

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.