The Cybersecurity Crisis Requires Getting Serious About Diversity

Shutterstock.com

 

Connecting state and local government leaders

It is not simply a numbers game: diversity is a proven “differentiator” that research shows makes organizations better.

NATIONAL HARBOR, MD— Building a strong cyber workforce means emphasizing diversity, particularly closing the gender gap in the field, state cybersecurity leaders and experts said this week.

“We need more people,” said Laura Bate, a policy analyst with New America,during a workshop at the National Association of State Chief Information Officers midyear conference. “313,000 jobs are open out of 715,000, so we need to very nearly double the cybersecurity workforce in the U.S. … and you’re not going to do that if you’re not considering half the population.”

In state government, the workforce shortage is particularly acute. Cybersecurity is a highly competitive industry with effectively zero unemployment. State CIOs have ranked security as their members’ top priority for the past six years, and NASCIO’s 2018 biennial cybersecurity study showed inadequate staffing as the second-most significant barriers to addressing their cybersecurity challenge following a lack of sufficient budget. The fact that women make up far less than a quarter of the cybersecurity workforce (and even those numbers are highly uncertain, according to Bate) is part of the problem.

However, the value of gender diversity goes well beyond finding additional staff.

“The data is there to say we do better as teams if we are more diverse,” Bate said, pointing to research and analysis ranging from Harvard Business Review to the Central Intelligence Agency.

In addition, Bate said that if there are structural issues excluding certain populations from engaging in a sector with high paying jobs, there should be a concern from an equity standpoint that states should be committed to addressing.

North Carolina’s Chief Risk Officer Maria Thompson said that closing the gap is going to take more than just one strategy.

“We need to look at two phases,” Thompson told the attendees. “The long-term strategy is hit them while they are young. The now strategy is how do we get folks my age that are transitioning in careers interested in cyber.”

On the long-term front, many states are investing in various efforts to draw younger women into cybersecurity, as well as other STEM fields. Thompson pointed to GirlsGoCyberStart, a partnership between the SANS Institute and governors across the United States that aims to interest high school age girls into the field.

“We’ve made some strides, but there’s more we can do,” Thompson said. She pointed to working with corporate and non-profit partners to establish apprenticeship and internship programs as another means to bring younger individuals into the professional cyber arena.

North Carolina is not the only state moving to create new pathways for young women who may not have had a chance to consider a career in cybersecurity. Sixteen other states participated in GirlsGoCyberStart, and there are dozens of other initiatives out there. Andy Hanks, Montana’s chief information security officer, pointed to legislation and a working group in his state dedicated to bringing more young women into the field. New York CISO Deborah Snyder explained how revenue from the state-run cybersecurity conference went to an endowment that provides scholarships for women entering the cyber profession.

That long-term strategy does little to fill the hundreds of thousands of current vacancies in the field. That has a real cost on society—and the public sector, which has had its share of high-profile cyber-attacks in the last few years. State officials believe bringing in women and other diverse populations in mid-career transitions will be key to building a cyber-workforce in the near term.

One key point raised was that these new cyber workers won’t necessarily always be recruited from adjacent IT professions.

“I would be careful how we market, because cyber is all-encompassing,” said Tony Riddick, CIO for the U.S. Virgin Islands. He pointed out that after taking his first programming course, he knew he wasn’t going to be a programmer, but if he had understood IT leadership was still an option it would have appealed to him. Similarly, there are other skills that are required to move organizations forward when it comes to cyber risk. He pointed to the need for people with other skills, including policy backgrounds, research and writing.

“We say STEM, but most of us at our level of work is cyber policy,” he explained. “We’re not working ones-and-zeros and attack vectors and all those things. So as we go through the approach of recruiting anyone, we need to be a little more specific what we are recruiting for, because it’s a broad field and it’s a vertical.”

Another barrier to attracting a more balanced workforce has to do with perception and acceptance. Bate explained that the cultural cues that show STEM-fields and hacking as a place dominated by men lead to exclusion. Some of those are societal, but often they have much to do with the workplace culture—right down to the job description.

“What happens when you call everything cyber ninjas? You might lose some folks,” Bate said.

Thompson herself has some experience in cultural cues in cybersecurity. One of the first 30 U.S. Marines chosen to train for information assurance positions, as an African American woman she did not look like her most of her peers, describing herself as always “one-in-ten” at every step in her career.

“It is what it is, but it made me a lot stronger and it made my understanding of where we are right now,” Thompson said. “That has helped me appreciate why we need to be a little bit more proactive in getting women into areas such as IT.”

After 20 years, Thompson retired as the Cyber Security Chief for the Marine Corps.

Beyond gender, cybersecurity has a problem with inclusion of minority and underrepresented populations. An ISC2 study found that while minorities were represented within the cybersecurity profession at a slightly higher rate than the overall minority workforce, “[e]mployment among cybersecurity professionals who identify as a racial or ethnic minority tends to be concentrated in non-management positions, with fewer occupying leadership roles, despite being highly educated.”

When Thompson transitioned to a new public service role in North Carolina, she noticed a solid number of women were in key IT leadership positions. She pointed out that sort of diverse leadership matters in attracting a diverse workforce.

“You need to see people that look like you and understand that there is a possibility for you to advance in that position and potentially own it,” Thompson said.

States may have a way to go in that regard. According to Thompson, only five states have women in lead cybersecurity roles.

“Until we stop viewing diversity as a problem in our organizations and shift our message to a strength-based inclusion and diversity thought structure, where organizations value diversity as a winning proposition or as a value-based differentiator for you as an organization, we will always be behind the curve,” Snyder said, one of those few women who have made it to that top security rung at the state level. “We have to shift our messaging.”

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.