Hacking diversity in cybersecurity

How gender and racial imbalance in the field affects women, minorities, and white men working in digital security.

LAS VEGAS – The cybersecurity industry is notoriously male dominated. Women make up just 11 percent of the field and don’t earn as much as their male counterparts. Blacks, Hispanics, and Asians represent less than 12 percent of the digital security workforce. And for many people in this community, the lack of diversity is a problem.

A growing number of organizations and companies are working hard on a solution. It’s a process that’ll involve ditching the “bro pipeline,” into the field from computer science, military, and intelligence says Betsy Cooper, executive director of Center for Long-Term Cybersecurity at the University of California, Berkeley, and recruiting outside the traditional industry feeders.

Instead, she says, firms should look to public policy, law, or psychology – fields that value the sort of problem-solving skills that could benefit cybersecurity organizations.

But how does a lack of diversity actually affect people in the field  – and how do the hackers, security analysts, and executives who make up the cybersecurity community actually define diversity? Do they recognize the racial and gender imbalance as a problem? And, if so, what are they doing about it?

So, we put those questions to attendants at this year’s Black Hat and DEF CON cybersecurity conferences in Las Vegas. We wanted to hear from the women and minorities who are working in the space – and also from the white men who dominate the field.

Here’s what we heard.

“It means bringing in people of different backgrounds, which means that they are able to bring in different ways of thinking.

If you have a monolithic thought process, where will you go? If everyone thinks the same way, you can’t think outside of the box. So diversity to me means thinking out the box.”

– Gina Sharp, security administrator

“I think it’s a diverse field to begin with. You have people from different cultures, different systems, different backgrounds. So I think diversity is really innate in the construction of cybersecurity as whole.

Everything in security and computers is like ones and zeros but there’s a lot of external influences that help read between the lines, which is essential.”

– Daniel Oak

“I think diversity in the cybersecurity industry is more a mix of cultural backgrounds and education. I think that’s the most important variety that we can have in our field.

With different core values, training and education we bring in variations. We’re all human and we do have different ideas in how we can secure cyberspace and simple home internet of things.”

– Pam Dill, Department of Defense consultant

“I’m a minority and it’s important to me to see representation, especially in the security field. I’ve been in the field for 15 years and I’ve seen a gradual evolution, but compared to the pace of cybersecurity, there isn’t corresponding growth in terms of how visible minorities are ... and I think that has to do with how cybersecurity is perceived.

Another big aspect of cybersecurity to me is awareness. It’s one thing to do a core analysis but you also have to make people aware. It’s important if you’re able to reach certain sectors that don’t necessarily pay attention.”

– Damion Levy, security analyst

“Anyone with an idea to secure their systems, their company, their country can work together with other people with different ideas.

I’ve worked on multiple teams where we all bring different industry backgrounds together. I work for an engineering firm right now, I have a background in insurance security, others have a background in energy security, others have a background in military security, so we all have a different approach and a different view to what security means and we put the puzzle pieces together to make it work.”

– Colette L’Heureux-Stevens, a senior information security analyst in the energy sector

“It means bringing in as many different points of view and as many different experiences as we can possibly find. The key is, an incredible amount of experience and points of view that come with a sense of curiosity, interest and passion for the work, that’s the most important part. Being able to be incredibly curious, wanting to dig in more and wanting to understand the systems that are in front of view.

I think that it’s really important for hiring managers and company cultures to understand that it truly does bring value. It’s not just a numbers game, it’s not just statistics, it really brings a valuable perspective to the products and services we offer in the industry if we have people that come from different backgrounds and have different points of view.”  

– Sherrod DeGrippo, director of emerging threats for Proofpoint

“Usually it goes back to men and women, race, educational background – you’re looking for diversity of input.

Specifically with cybersecurity, it’s a specialized niche where you want a varied group of folks to provide that input.

It’s not a women or race issue, it’s a people issue that we need to know and be aware of.”

– Lisa Jiggetts, founder and chief executive officer of Women’s Society of Cyberjutsu

“The first thing is that we have a lack of people in cybersecurity, so diversity means accessing all the talent we have around us. Whether it’s women or minorities or people from different socioeconomics, we have lots of people that are smart and have capacity and we have one of the few areas in the global economy that has a lack of people. That’s a mismatch that we should fix.

I think the idea of diversity is easy. The practice of bringing in more diverse people is hard work. I think it’s hard to do unless you have intentional time and energy that’s spent on it.

There are organizations that support diversity, there is the time and attention of mentoring that goes along with it, there’s the embryonic aspect of working with schools with training and certification. There are these cluster groups that are forming, whether they’re support or working with the schools. I would say that if everyone can just figure out one or two ways that they want to engage, we’d all be better off.”

– Corey Thomas, president and chief executive officer of the cybersecurity firm Rapid7

"Diversity means being blind to everything except a person’s abilities. Throwing out everything else, race, gender, all that we tend to make presuppositions on, and it’s all about what people are able to do. In cybersecurity that’s very easy to do. It’s mostly about your knowledge and your technical skill set which is transcendent of anything to do with you.

I absolutely think that diversity will make cybersecurity much better. I think that when we look at things in just one way, that’s what the bad guys do, they do things one way until it stops working then they try something else.

From a defense perspective, trying to make things more secure, we need to look at things from every angle.”

– Georgia Weidman, founder and chief technology officer for Shevirah and Bulb Security

“To me it means a much broader pool of talent coming into the industry. Anyone who knows me knows I talk a lot about the fact that we have a huge shortage of talent in cybersecurity today.

One of the ways I think we can help solve that talent shortage is to broaden the pool of people from whom we choose to bring into the industry. That could be gender diversity that could be racial diversity, it could be geographic diversity, but I think that opening up and providing more opportunities for women and underrepresented minorities is a good thing for our industry.

It’ll help us make a dent in one of the problems that I think is really going to hurt us quite a bit in the next few years, which is our ability to staff for the positions we have available.”

– Chris Young, senior vice president and general manager of Intel‘s security group  

“The important thing is forgetting about who it comes from, the important thing is getting as many views as you can to become educated.

Maybe it’s just my eyes as a Caucasian, but I don’t see diversity of race as a problem in my industry. Maybe there is, but I see more of a problem with the number of females in my industry. There needs to be more. I can see that they want to be part of cybersecurity, and I’d like to see that.”

– Chris Rock, founder of Kustodian

“Diversity means good problem solving. More than anything else, the thing that makes me nervous when it comes to policymaking, to leaders in business, in government, in the community, is finding out someone has only heard one point of view. Just like there’s no crying in baseball, there’s no altruism in applied math and I’m a mathematician.

So the reason I care, the reason I’ve spent the work and time in game theory and technology is because I like being able to provide a different point of view.

The development of a great solution to the kinds of complex problems that we have in cybersecurity and information security can only come from having people with different experiences, with different kinds of technical knowledge, all clashing and then agreeing to work together to come up with the best possible solution that takes the most possible angles into account.”

– Tarah Wheeler, author of “Women in Tech” and website security czar at Symantec

“Coming from the field of software engineering, it tends to be a fairly monochromatic, male-oriented field, and there’s a strong Southeast Asia and Central Asia contingent, but from the standard of what you think in the US of being diverse, it really isn’t. So we need to work on it.

It’s something that I’m trying to be very conscious about, especially in hiring and seeking out talent. There’s issues with talent out in the field, it’s hard to find [diverse] applicants and they’re sought after. It’s a programmer’s market and it’s very hard to find good talent.

Everybody I know in the field who is worthwhile and isn’t just bashing on a keyboard is conscious of this problem and looking to rectify it.

Of course we need diversity because a monoculture won’t be able to solve our problems or get the proper shakeup. Now there’s a logical fallacy that people who look different, think different. No – it’s just that people who are different, are different and we need that.”

– Jeff Labonski, software engineer

What does diversity mean to you? Write us: passcode@csmonitor.com

Hacking diversity in cybersecurity
  1. Section 1