NTSC Blog

Cybersecurity Diversity Cannot Be Solved by Tools or Policy, But By the Way We Think

By Helen Patton, CISO, Ohio State University

Any currently serving security leader cannot but notice the industry focus on diversity and inclusion in technology—particularly in cybersecurity. Here’s the summary version:

  • Not enough cybersecurity professionals exist to fill demand.
  • A disproportionately high number of white males work in cyber.
    • Only 11 percent of the 2017 cyber workforce was female.
    • 26 percent of the 2017 US cybersecurity workforce were ethnic/racial minorities. That’s roughly in line with the US population but disproportionate when considering non-management positions.
  • A growing school of thought postulates that a lack of diversity in thinking and experience in the cyber workforce may contribute to the negative outcomes we are all experiencing in the cybersecurity industry. According to the InfoSec Institute, “Cybersecurity, perhaps more so than other areas of technology, is one requiring a multidisciplinary approach to a problem. The area of cybersecurity is one where problem-solving skills and a holistic view of a challenge is key to resolving an issue. Having a team made up of diverse individuals can only work to improve the outcome of that team.”

From a US government policy perspective, there is little to suggest that this situation will change any time soon.

  • While the workplace non-discrimination policies of the EEOC continue to apply to all sectors and professions, no policies target how companies should encourage and support a diverse workforce.
  • The NIST NICE cyber framework is silent as to skills or training for encouraging diversity.
  • The 2018 White House National Cyber Strategy makes no mention of a focus on diversity issues.

Clearly, no appetite exists in the US for any policy-based solutions to this problem. However, this may be a problem that policy cannot solve.

Research suggests that many of the inherent cultural biases in our society influence cyber workforce diversity. Simply mandating higher proportions of diverse workers will not solve this issue if our workplace cultures reflect wider social biases that assume males are technical and leaders, while women are communicators and supportive.

Happily, there is much happening within the private sector to help solve these problems. Certainly, we are focusing on how to change our hiring practices to encourage more diverse candidate slates. Efforts exist to involve younger minorities, particularly girls, in cyber programs at earlier ages such as the Girl Scouts CyberSecurity badge or IBM’s Cyber Day for Girls. Community colleges and universities have developed increasingly better cyber programs that not only include computer skills but also cross-disciplinary skills such as psychology, risk management, and international studies, which will help the entire profession.

Yet, we are starting to veer off course in two areas.

In a well-meaning attempt to attract more females to the profession, some people emphasize that you can become a security person without “being technical.”

While I appreciate that not all security roles are technical, this approach assumes that men are more likely to be technical while women are not. If we populate our security teams with non-technical females and more technical males, we will not solve the diversity problem. We will make it worse. This sets the profession up to have a first- and second-class track.

Cybersecurity is technical. Instead of approaching women and girls with this “non-technical” approach, I recommend shifting toward a “females are technical too” perspective. This parallels the effort of ensuring “technical” also means “has emotional intelligence, communication capabilities, and social skills,” an expectation for women and men.

We have an incorrect sense that if we can get diverse people into an organization and train them to be “like us,” we will have succeeded at diversity.

The point of having a diverse workforce is to create a place where an organization leverages the value of diversity to make outcomes better. I don’t want to take a 25-year-old female of color and have her act like a middle-aged white male. I want them both to bring their experiences, thought processes, and skills to the problem at hand.

Leda Glyptis captures this perfectly in her fintech blog:

“Reward outcome-based experimentation and diversification. Measure if diversity is leading to diversification, and assess how thoroughly you are supporting the transition with HR policies, risk profiles, execution cadence, etc. If you hire them and then bind their hands with the established way of doing things, you are choosing to not go far the long and expensive way.”

The old adage “culture eats strategy for breakfast” is particularly applicable to the issue of cybersecurity diversity. Lack of diversity is a cultural problem, and one we can (slowly) change. It’s not a policy problem, and the cyber community is already starting to rise to the challenge of fixing it. It won’t be solved by a tool or even just a process. It will be solved when we change the way we think, and we’ll need a diverse and inclusive way of thinking to make this happen.

With more than 20 years of experience in the Security, Risk and Resiliency profession, Helen Patton (CRISC, CISA) brings a wealth of experience in managing information, technology and operational risk for global organizations, and advocates using Information Risk and Security Management to enable the mission of the Institution. As Chief Information Security Officer at The Ohio State University, she works to enable a risk-aware culture. She manages the Enterprise Security team, and oversees Information Risk and Control Governance across University units. Helen also chairs the University Information Security Advisory Board, which governs the execution of the University’s award-winning Information Security Framework.