As cybercriminals come up with new ways to penetrate systems, it is important to cultivate and explore various perspectives for better defense against advanced threats. One effective way to cultivate these diverse perspectives is to prioritize diversity, equity, and inclusion (DEI) policies across various levels in an organization, starting with hiring professionals from different ethnic, cultural, and economic backgrounds.

(ISC)²'s Innovation Through Inclusion study shows that there are fewer minorities in leadership roles and more in non-management positions, even though they are highly educated. Among minority cybersecurity professionals in the United States, 23% hold a role of director or above, which is 7% below the national average. Those who are in management positions have higher academic qualifications than their Caucasian peers who hold similar positions, which implies that despite being qualified, minorities have to overcome a lot more to break the glass ceiling.

There is an increasing need for better representation in executive and leadership roles. A three-part McKinsey series on diversity in the workplace, with reports released in 2015, 2018, and 2020, collectively states that organizations with diverse executive teams are more likely to see an increase in financial performance. After examining over 1,000 companies in 15 countries, the study found (according to the latest report released in 2020) that companies with higher ethnic and cultural diversity outperformed others by 36% in profitability. Executives that come from different ethnic backgrounds can instill change across various levels of their company and the cybersecurity industry as a whole.

Diverse cybersecurity teams perform better

There is a pressing need for qualified professionals in the cybersecurity workforce. According to Cybersecurity Ventures, the number of unfilled cybersecurity jobs increased 350% over an eight-year period, from 2013 to 2021, with over 3.5 million jobs left to be filled in 2021. It is expected that there will still be 3.5 million openings in 2025.

There is also a glaring disproportion in the representation of races and genders in the industry, as explored previously. Despite the availability of jobs and cybersecurity occupations being lucrative, they are not the first choice for women or students from minority communities because of their lack of representation in the educational programs that would qualify them for these positions. However, several institutions have started stepping up. According to Forbes, tech companies like Google, Microsoft, and Cisco have begun to provide DEI-minded career training and invested more in diverse suppliers. Clearly, diversity is now being acknowledged as an important part of the cybersecurity recruitment process.

What about the performance efficiency and sustainability of teams that consist of mixed genders and races? A study conducted by a researcher from Brigham Young University to measure the impact of diversity on cybersecurity team effectiveness presented 35 teams with a series of security challenges in the form of a game. The teams were divided into heterogeneous and homogeneous teams. Heterogeneous teams consisted of all genders, and homogeneous teams were made up of men.

The effectiveness of the teams was measured in terms of the correlation between the members' cybersecurity proficiency and the time taken to solve the challenges. All the teams were presented with challenges in four fields: penetration testing, incident response, cybersecurity management, and security analytics. The study found that heterogeneous teams (with the same level of cybersecurity experience and proficiency as the homogeneous ones) completed more challenges in less time.

The findings of the study show that including diverse perspectives helped heterogeneous teams perform better despite homogeneous teams having the same level of cybersecurity proficiency and experience. Despite companies like Google and Cisco acknowledging what the study proves, organizations continue to face barriers in implementing diversity in their cybersecurity teams and processes.

Barriers to diversity in cybersecurity

There are two kinds of barriers that organizations deal with while trying to implement DEI in their cybersecurity divisions: one is from a recruitment standpoint and the other is through the lens of users, who will also be from diverse backgrounds. As explored before, there is a need for diverse talent in the cybersecurity sphere, where the number of vacancies is increasing tremendously. Despite this, there aren't a lot of hires being made, and the gap continues to grow with the rise in demand.

Inclusion is one of the top three challenges that companies face, according to Deloitte's The changing faces of cybersecurity report, which examined a human-centric approach to dealing with Canada's increasing need for cybersecurity talent. The report explored how sticking to an esoteric, traditional profile may lead to a significant amount of untapped potential, such as women who should be considered for executive positions in cybersecurity or candidates from non-IT backgrounds who may bring new perspectives to the field and help it avoid homogeneity.

Homogeneity also refers to similarity in the assumptions made about user behavior. To build an effective cyberdefense strategy, it is important to assess potential weaknesses that may arise from user behavior. To plug possible loopholes, security teams make assumptions about the various ways user behavior can leave the system open to unmitigated threat vectors.

For example, a cybersecurity professional from a minority community could come up with use cases or examples of user behavior based on the wide variety of experiences they've been through and the difficulties they have faced while dealing with technology and cybersecurity. Studies show that a lot of women and minority communities lack exposure to proper cybersecurity practices, education, and awareness due to their socioeconomic conditions. Having someone represent them on a cybersecurity team helps the team capture possible anomalies in user behavior that would be missed otherwise.

Adopting best practices and improving the recruitment process

In her article, "Connecting the dots on diversity in cybersecurity recruitment," Mandy Andress, the CISO at Elastic, emphasizes the need for a change in mindset. Instead of hiring only specialists in cybersecurity, organizations should seek out generalists. Andress references David Epstein's argument of how generalists (i.e., candidates without cybersecurity backgrounds) are more creative and agile and have a wide range of interests, making them ideal members of an effective cybersecurity team.

She goes on to talk about Elastic's approach to DEI and how inclusion and acceptance of their employees are now a core part of its source code. Some of the approaches they have adopted include ensuring equal pay for all employees, emphasizing internal hiring, and prioritizing skills over location. Elastic's aspirational DEI goals this year consist of hiring women or nonbinary individuals at a target rate of 40% for non-technical roles and 30% for technical roles globally.

Deepa Kuppuswamy, a senior member of the Zoho Security team, feels that there is a need for awareness about the various sub-areas and roles in the information security industry. "Many women, and men, seem to think that cybersecurity means 'hacking.' Their image is that of a guy wearing a hoodie and hacking systems," she said. "I feel that women have this image in mind and are hesitant to enter the industry. There are a lot of other roles in cybersecurity (like in governance, risk, and compliance; incident response; and SOCs) that candidates can explore."

When asked about possible barriers to address during recruitment, Kuppuswamy stated there are two things that can be addressed. The first is preconceived notions that recruiters have while hiring women and the age-old question of work-life balance that all women face. "Questions about their personal life must be avoided unless the role specifically demands that information," said Kuppuswamy. The second aspect she mentioned is looking at the person's ability to focus and their interest and passion towards the subject, instead of specific qualifications in cybersecurity.

Aspen Institute's Diversity, Equity, and Inclusion in Cybersecurity report, released in September 2021, states that only 4% of cybersecurity workers identify as Hispanic, 9% as Black, and 24% as women. With the help of the Hewlett Foundation and Camille Stewart, cybersecurity lawyer and head of the #ShareTheMicInCyber initiative, Aspen conducted a series of roundtable discussions with leading cybersecurity professionals representing various groups and ethnicities.

The report's key recommendations based on the conversations are divided into five areas: education, recruitment and hiring, retention, mentorship, and shifting the narrative. They are represented in two parts: actions that can be taken immediately and actions that need additional institutional support.

Under recruiting and hiring, the report recommends companies immediately partner with programs that focus on providing opportunities for diverse talent and work to remove biases from hiring practices. Some of the recommendations requiring additional support include anonymous hiring, working with pro bono experts to rewrite job descriptions, and setting up a task force that ensures fairness and equity in the criminal background check process.

Most cyberattacks that happen today are the result of human error and social engineering attacks. It is important to avoid groupthink and to include diverse perspectives to consider the full spectrum of possible anomalies and gain a deeper understanding of user psychology. To ensure this, it is important for recruiters to address possible issues faced by candidates from minority communities during the hiring process.

The arrival of Women's History Month (and with Black History Month just a couple of weeks behind us) reminds us of the many unacknowledged yet profound contributions of women and minority groups to the fields of science and technology and to the progress of humankind towards a better future. It is high time we learn to expand teams and embrace inclusivity. Choosing the right DEI measures might just be the one missing element holding us back from creating a more efficient, profitable cybersecurity team.


© 2021 Zoho Corporation Pvt. Ltd. All rights reserved.