Diversity in Cybersecurity: A Problem without a Quick Fix

Kathryn Pick explores why diversity in cybersecurity is a far wider topic than gender inequality

For every woman that works in cybersecurity across the world, there are nine men, according to a report from Frost & Sullivan. In the UK, just 11% of the industry’s workforce is female.

It is a statistic Sue Henley, head of diversity and inclusion at CA Technologies, calls “unsettling,” especially at a time when the industry is crying out for skilled cybersecurity professionals.

Thankfully though, this is a loud conversation being had widely within companies and in conference halls. Figures from the smallest start-ups to the largest corporations are determined to make a change and are attempting to rebalance the gender split, even if many acknowledge that the pace is too slow.

Although focus has rightly been on this issue, diversity is a much wider space than gender. The stereotype of the white, middle class, straight employee in security centers all over the globe is there for a reason and that needs to be questioned.

Take that Frost & Sullivan report. It shows that just 12% of the UK’s cybersecurity workers are from an ethnic minority, and it seems this issue is prevalent on the other side of the Atlantic too. 

Am I Going to be Challenged?
Mari Galloway works as the director of finance and communications for the Women’s Society of Cyberjutsu and loves her role. However, as a black woman walking into rooms full of white men, her experience is far from positive.

“In my first job right after college [in 2009], I was the only black female there. There were times I would think I just didn’t want to do this anymore.

“I was trying to get them to recognize me and to let me work on things, as I wanted to be hands-on and more technical, but it was so difficult to get them to see me as technical rather than as a secretary. At that time I just didn’t see the point of carrying on with it.”

As well as holding her back in the progress she could make in her career, it was damaging to her mental wellbeing.

“Being the only minority when you walk into a room sucks,” she says. “It kind of makes me nervous and worry about what is going to happen. Am I going to be challenged? I wonder if people are looking at me and wondering why I am here.

“When all I see is people who look different to me, it makes me nervous and apprehensive. It makes me close up. I don’t know what they are thinking and they could be thinking different things.”

It is clear that such feelings do not create a productive, forward-thinking team. Who can perform at their best if they are forced to question if anyone will listen to them?
Galloway now works at a casino in Las Vegas in a team of 70 and she is pleased the conversation of diversity is much more prominent than a decade ago. Yet, on that large team, there are still only four black people and she is the only woman. For her, it again puts barriers on her own progression. 

“I have aspirations to move from technical to managerial, but it is hard when you don’t have anyone to look up to and aspire to,” she admits. “I have to look outside my own company for that.”

You Can’t Have Lesbians if There Are No Women
Rebecca Fox, change director at Gray Blue IT consultants, identifies as a lesbian trans woman, and for her, a lack of representation of the LGBT community has impacted her experience of the industry.

“IT has always been a male dominated place and whilst there is absolutely progress when it comes to bringing more women in, that lack of [women] impacts other areas of diversity too,” she says. 

“The LGBT aspect of diversity in the industry is fundamentally broken and that is linked. In those sorts of spaces, you will find homophobic language [for example], and you can’t have lesbians if there are no women.”

When Fox ‘came out’ as trans, she found the lack of understanding hard to tackle, with people often confusing her sexuality and gender, which to her are two very separate things.
As a result, she felt the need to leave the job she was in. “I didn’t feel that it would be OK and I didn’t want to be there, in a very male-dominated organization,” she says. “You need to be somewhere where you feel you can ‘come out’ and [see the light at the end of the tunnel], and I didn’t feel like that.”

Whilst she believes there is change happening in the workplace – especially in the UK where she sees it as more welcoming to the LGBT community than elsewhere – there are still many challenges. “Look at Tim Cook at Apple,” she says, “him ‘coming out’ showed progress, but how long did it take him? There is still a long way to go.” 

Finding a Way
There is also a question of representation when it comes to disability. A recent survey in the Financial Times found 60% of disabled employees faced discrimination at work, and that is if they even get past the interview stage to secure a job.
 
Thomas Seidling, the relationship manager for CyberSmart, is visually impaired and takes a very practical view. “I would not go and work in design, it wouldn’t make sense and at the end of the day, these companies are businesses, that’s the bottom line, so they want someone there who can do the job.

“I used to run a company and I would not employ someone who couldn’t do the task,” he continues, “but if they can show their talent, it wouldn’t make any sense for the company not to hire them.”

Seidling admits there is still a problem with hiring people with diverse abilities, and believes that if a manager sees someone is blind on their CV, they may hesitate.

“Also, some people from a very young age are told they cannot do something because of their disability,” he says. “That has to change.”

Whilst he wants the industry to welcome those with disabilities through the door, he urges individuals to push themselves to showcase their skills – even if it means more effort than those without disabilities. “You need to find a way,” argues Seidling. “I have never applied for jobs with a written application. I look to networking or other ways to show that I can do the job.”

Enlist the Stereotype
The positive side of the coin seems to be that some progress is being made. A number of large companies are leading the way in diverse recruitment and on the smaller scale, start-ups seem to apply their modern attitudes to their hiring practices.

Blogger and podcaster for Varonis, Cindy Ng, has faced her own issues going to male-dominated security events, where men have tried to, as she puts it, “steer the conversation towards something inappropriate.”

However, she still believes changes are afoot. “We all see that changes are happening in our society, as well as the infosec industry, but just not fast enough,” says Ng. “As a wise colleague reminded me, ‘What’s considered fast? Rome wasn’t built in a day.’”

She thinks that the less diverse portions of the industry need to help fight the battle. “We need to figure out a way to enlist them to join the conversation with minorities, women, LGBT, people with disabilities and to take action together as we all 
co-exist together.”

Christina Luconi, chief people officer at Rapid7, says there is a “laziness” in hiring practices that needs to be addressed. “If you are working on a project and you need to get people in, a lot of people will say, ‘I worked with that guy, he is good and he can get it done’, and hire them, rather than looking further afield. 

“People in life surround themselves with people like themselves. People don’t have diverse personal lives and as a result, this moves into their professional life. If you make a conscious effort, maybe that person you know knows someone who would be even better for the job.” 

Seidling thinks the increasing competitiveness of the industry is helping push things forward. “If you look back 50 years, there were only a certain number of banks. If they decided they didn’t want to hire a black woman or someone with a disability, that was it, no job in banking. Now, they are being challenged by new firms. It is the same in infosec and those traditional companies.

There are now companies that innovate and think differently, he continues. “They are challenging old ways and making things more diverse.”

Diversity = New Ideas
As Seidling says, these are businesses with a bottom line. They need to see the benefit for them to have a diverse force, beyond a PR exercise. So what would bringing in more staff from diverse backgrounds actually bring to the industry?

The answer appears to be the same across the board; new ideas, which in turn, means progress at tackling threats. 

Morey J Haber, vice-president of technology at BeyondTrust, believes that “infinite diversity presents infinite views,” which is exactly what the industry needs.

“Everyone can contribute regardless of age, culture, religion or sexuality,” he says. “Their views on the world will help us design and build better solutions, better defenses, and help us understand our attacks. Without diversity, we will never understand their logic, position and moral ground.”

Galloway agrees: “If you just hire people from the same background, who went to the same private schools, did the same assignments, played the same sport and came from the same families, they all have the same mindset and they are going to come to the table with that. There is no disruption.”

Fox also only sees the benefits: “There are people there from all backgrounds, equally talented, if not more so, and that of course scares some people, but it means you can bounce ideas off each other and think differently.”

Whether it is race, sexual orientation, disability or other forms of diverse background, the conversation needs to be increased in volume. Whilst infosec may shine when it is reactive, ready to leap at any moment to stamp out new threats, diversity isn’t going to be a quick fix.

“It won’t happen overnight,” says Galloway, “there are huge corporations trying but it will take some time. I do think I will be able to walk into a room someday and see more people like me, but I just can’t tell you how long that will take.