The Cybersecurity Crisis Requires Getting Serious About Diversity

fizkes/Shutterstock.com

It is not simply a numbers game: diversity is a proven “differentiator” that research shows makes organizations better.

NATIONAL HARBOR, MD— Building a strong cyber workforce means emphasizing diversity, particularly closing the gender gap in the field, state cybersecurity leaders and experts said this week.

“We need more people,” said Laura Bate, a policy analyst with New America, during a workshop at the National Association of State Chief Information Officers midyear conference. “313,000 jobs are open out of 715,000, so we need to very nearly double the cybersecurity workforce in the U.S. … and you’re not going to do that if you’re not considering half the population.”

In state government, the workforce shortage is particularly acute. Cybersecurity is a highly competitive industry with effectively zero unemployment. State CIOs have ranked security as their members’ top priority for the past six years, and NASCIO’s 2018 biennial cybersecurity study showed inadequate staffing as the second-most significant barriers to addressing their cybersecurity challenge following a lack of sufficient budget. The fact that women make up far less than a quarter of the cybersecurity workforce (and even those numbers are highly uncertain, according to Bate) is part of the problem.

However, the value of gender diversity goes well beyond finding additional staff.

“The data is there to say we do better as teams if we are more diverse,” Bate said, pointing to research and analysis ranging from Harvard Business Review to the Central Intelligence Agency.

In addition, Bate said that if there are structural issues excluding certain populations from engaging in a sector with high paying jobs, there should be a concern from an equity standpoint that states should be committed to addressing.

North Carolina’s Chief Risk Officer Maria Thompson said that closing the gap is going to take more than just one strategy.

“We need to look at two phases,” Thompson told the attendees. “The long-term strategy is hit them while they are young. The now strategy is how do we get folks my age that are transitioning in careers interested in cyber.”

On the long-term front, many states are investing in various efforts to draw younger women into cybersecurity, as well as other STEM fields. Thompson pointed to GirlsGoCyberStart, a partnership between the SANS Institute and governors across the United States that aims to interest high school age girls into the field.

“We’ve made some strides, but there’s more we can do,” Thompson said. She pointed to working with corporate and non-profit partners to establish apprenticeship and internship programs as another means to bring younger individuals into the professional cyber arena.

North Carolina is not the only state moving to create new pathways for young women who may not have had a chance to consider a career in cybersecurity. Sixteen other states participated in GirlsGoCyberStart, and there are dozens of other initiatives out there. Andy Hanks, Montana’s chief information security officer, pointed to legislation and a working group in his state dedicated to bringing more young women into the field. New York CISO Deborah Snyder explained how revenue from the state-run cybersecurity conference went to an endowment that provides scholarships for women entering the cyber profession.

That long-term strategy does little to fill the hundreds of thousands of current vacancies in the field. That has a real cost on society—and the public sector, which has had its share of high-profile cyber-attacks in the last few years. State officials believe bringing in women and other diverse populations in mid-career transitions will be key to building a cyber-workforce in the near term.

One key point raised was that these new cyber workers won’t necessarily always be recruited from adjacent IT professions.

“I would be careful how we market, because cyber is all-encompassing,” said Tony Riddick, CIO for the U.S. Virgin Islands. He pointed out that after taking his first programming course, he knew he wasn’t going to be a programmer, but if he had understood IT leadership was still an option it would have appealed to him. Similarly, there are other skills that are required to move organizations forward when it comes to cyber risk. He pointed to the need for people with other skills, including policy backgrounds, research and writing.

“We say STEM, but most of us at our level of work is cyber policy,” he explained. “We’re not working ones-and-zeros and attack vectors and all those things. So as we go through the approach of recruiting anyone, we need to be a little more specific what we are recruiting for, because it’s a broad field and it’s a vertical.”

Another barrier to attracting a more balanced workforce has to do with perception and acceptance. Bate explained that the cultural cues that show STEM-fields and hacking as a place dominated by men lead to exclusion. Some of those are societal, but often they have much to do with the workplace culture—right down to the job description.

“What happens when you call everything cyber ninjas? You might lose some folks,” Bate said.

Thompson herself has some experience in cultural cues in cybersecurity. One of the first 30 U.S. Marines chosen to train for information assurance positions, as an African American woman she did not look like her most of her peers, describing herself as always “one-in-ten” at every step in her career.

“It is what it is, but it made me a lot stronger and it made my understanding of where we are right now,” Thompson said. “That has helped me appreciate why we need to be a little bit more proactive in getting women into areas such as IT.”

After 20 years, Thompson retired as the Cyber Security Chief for the Marine Corps.

Beyond gender, cybersecurity has a problem with inclusion of minority and underrepresented populations. An ISC2 study found that while minorities were represented within the cybersecurity profession at a slightly higher rate than the overall minority workforce, “[e]mployment among cybersecurity professionals who identify as a racial or ethnic minority tends to be concentrated in non-management positions, with fewer occupying leadership roles, despite being highly educated.”

When Thompson transitioned to a new public service role in North Carolina, she noticed a solid number of women were in key IT leadership positions. She pointed out that sort of diverse leadership matters in attracting a diverse workforce.

“You need to see people that look like you and understand that there is a possibility for you to advance in that position and potentially own it,” Thompson said.

States may have a way to go in that regard. According to Thompson, only five states have women in lead cybersecurity roles.

“Until we stop viewing diversity as a problem in our organizations and shift our message to a strength-based inclusion and diversity thought structure, where organizations value diversity as a winning proposition or as a value-based differentiator for you as an organization, we will always be behind the curve,” Snyder said, one of those few women who have made it to that top security rung at the state level. “We have to shift our messaging.”