Like most technology workforce segments, the cybersecurity diversity issue is a very acute problem: there simply isn’t nearly enough representation of diverse backgrounds in cybersecurity roles, from security operations center (SOC) analysts all the way up through enterprise-level CISOs and board members.
Erkang Zheng, founder and CEO of JupiterOne, said the primary issue that comes with a lack of gender, race and neurodivergence is a lack of differing views and opinions when it comes to making decisions.
“Every person comes from their own unique background and history,” he said. “The ability to empathize in different and deeper ways creates a well-rounded discussion for problems facing the cybersecurity team and the overall business.”
Gaps in Diversity, Gaps in Perspective
Zheng noted cybersecurity is as much an art as it is a science, and because of that, the lack of diversity creates gaps in perspectives, which could result in gaps in identifying hidden issues in the security operations and protection that can be exploited by attackers.
“Everyone comes from different backgrounds and life experiences and this impacts how they approach their day-to-day life as well as their cybersecurity opinions and ideals,” he said. “Every team should be as diverse as possible to ensure that the highest level of efficacy and divergent opinion is brought to the foreground. It will only improve how effective cybersecurity teams and ethical hackers can be.”
Heather Paunet, senior vice president at Untangle agrees, and noted a multilayer approach in cybersecurity is absolutely key.
“You can’t necessarily secure a network with just one security product. To keep data, assets and people using any network safe, it is much better to apply a multi-faceted approach,” she said. “In a similar way, when considering who to have on a cybersecurity team, diversification and having different perspectives will give a broader, more well-rounded approach.”
She added that in order to succeed, young women require the same things they need in all other areas of their careers and in their lives in general, which is an opportunity to fulfill their passion to do something they believe in.
“It’s an easy sell to many women that working within cybersecurity is not just high tech, it’s a way to be part of something that makes the world a better place,” she said. “Whilst of course it would be much better if there weren’t hackers, and people trying to make money with ransomware and steal information they are not meant to [have], being a part of blocking that and keeping people’s assets safe and secure is very satisfying.”
Jamie Hart, a cyberthreat intelligence analyst at Digital Shadows, said she thinks the cybersecurity industry has made strides in filling the diversity gap, but that it remains an issue in several respects.
She pointed to a 2018 study by (ISC)² on U.S. companies, which showed that minority representation in cybersecurity is 5% higher than the national average, and female representation is 3% higher than the national average.
However, Hart noted, gaps remain, as minority representation in director roles or above was 7% lower than the national average.
“The most significant consequence of a lack of diversity in the cybersecurity workforce is the risk of homogeneous thinking, which leads to cognitive biases,” she said. “Failure to build diverse teams could lead to narrow-minded approaches and lead to the group making assumptions about their end users. People of different genders, races and neural standpoints gauge risk, think, lead and solve problems differently.”
She explained ethical hacking can help with this issue by identifying the weaknesses and risks within an organization.
“Although it’s unlikely that weaknesses found can be traced back to a lack of diversity, there is a good chance that a diverse group of people will cover more bases in security as they can bring different thinking, experiences and concerns to the table,” Hart said. “So yes, we should be looking at diversity in hacking and the very same reasons we should consider diversity in cybersecurity as a whole.”
Beyond Traditional Education
Jennifer Carlson, co-founder and executive director of Apprenti, noted the cybersecurity sector has historically been made up of white men with technical degrees, but, like Hart and others, pointed out the threats that all workers face are coming from all points on the globe, backgrounds and are being applied creatively.
“In addition to protecting a diverse workforce, the industry’s focus on recruiting select degree types and experience already in the field, has made an artificial determination that the skills they have are capable of identifying, preventing and fixing all threats,” she said. “What we need to recognize is that a diverse workforce – including education, background, ethnicity and gender – is going to approach incoming threats differently, and perhaps more creatively.”
Carlson said it is important to think about how a different point of view might approach a threat much faster than a traditional perspective, or how some threats might be identified and addressed earlier because of experience and skills offered by a diverse workforce.
“There is high value in diversity, not only to the benefit of the company and its products, but it is also beneficial for employees to see value in alternate viewpoints and value input from people whose backgrounds differ from their own,” she said.