
The Urgent Need for Diversity and Inclusion in Cybersecurity


When we think about diversity and inclusion in the workplace, we think about expanding our environment by embracing people of all different ethnic and social backgrounds, abilities, religions, genders, sexual orientations, and politics, and making sure everybody feels welcome and safe to be themselves regardless of background. 

Why is it essential as a company to implement a diversity and inclusion agenda? In the realm of cybersecurity, the reasoning goes beyond the primary fact that it’s the right thing to do. 

The industry of identifying suspicious activity and retroactively predicting threats relies heavily on diversity of thought and a sense of curiosity. Without them, we're at risk of echo chambers and unilateral thinking, stagnancy, and witnessing substantial cross-sector financial loss.

Attack vectors in cloud environments have grown vast since the mass exodus to the cloud, and the corporate world has become a cyber criminal's playground. In 2021 alone, victims of breaches included the Colonial Pipeline, the entire UC system, Experian, GEICO, ClubHouse, LinkedIn, Instagram, Facebook, the Cancer Treatment Centers of America, Microsoft Exchange, the California DMV, and Ubiquiti. Nobody is immune.

Why is the offense winning, and how do we revamp our defense? One significant way is through diversity and inclusion. 

Research conducted by KPMG and NCSC actually found that certain types of minority representation in cybersecurity are consistent with the national average. In the UK, for instance, women make up 31 percent of the cybersecurity workforce compared to only 19 percent of the tech industry. Still, only 6 percent are Asian, 3 percent are from mixed backgrounds, 4 percent are Black, 10 percent are lesbian, gay, or bisexual, 1.3 percent are trans, and 1 percent are non-binary. Furthermore, representatives from all of these groups have reported that they don’t feel like they can be themselves at work (a textbook inclusivity problem), which likely contributes to the lack of diversity in cybersecurity.

People are attracted to industries and jobs that, in equal parts, allow them the freedom to be their authentic selves and offer growth opportunities and relatively clear lines of progression. Unfortunately, a 2020 cybersecurity diversity report by Synack showed that 91 percent of women don't believe they have the same opportunities as their male counterparts. In addition, 25 percent of cybersecurity employees reported that their company had only one or no women serving in an executive role, and 53 percent said their company had only one or no minorities serving in executive positions.

While there has been undeniable progress in gender representation in cybersecurity over the years, there is an urgent need to improve minority representation and inclusivity. 

With 500,000 new job openings and a massive talent shortage, we need to start asking ourselves the key questions that will reveal new paths to mitigating this problem. 

What has exacerbated the cybersecurity talent shortage? 

  1. Cloud migration

    The acceleration of Cloud and Cloud-based SaaS adoption has put additional pressure on security teams to fulfill the extra work that comes with implementing and securing these technologies. Security teams now spend 80 percent of their time plumbing data and only the remaining 20 percent on meaningful analysis. Additionally, threat analysis is trickier now that more people work from home with more elevated access and frequent data sharing between departments. 
     
  2. Cybersecurity tools are built by engineers for engineers

    The tools cybersecurity professionals use require a tremendous amount of technical expertise that most people simply don't have. These tools tend to be built by engineers for engineers, feeding into the problem and leaving out many who don't have the technical know-how to leverage them.

How do we fill the gap?

Cybersecurity can re-tool and leverage automation to reduce the need for solely highly technical people and alleviate the stress and mountainous expectations of existing cybersecurity professionals. A better technology stack can help the sector educate newcomers at scale, normalize the conversation around cybersecurity, and bridge the gap between IT and all other departments. 

With re-thought technology that opens the door for many to solve critical problems instead of data plumbing, we may be able to start hiring people based on their core soft skills, a sense of curiosity, and potential. As an industry, we’ll also need to commit to training the right people and providing easy-to-consume education at scale. 

Cybersecurity Ventures predicts that ransomware will cost businesses a collective $6 trillion globally in 2021, an amount doubled from $3 trillion in 2015. We can change this. We have to strive to have our software do busywork for us so that we can onboard those from diverse educational backgrounds and branch out to include and celebrate professionals of different ethnic and social backgrounds, abilities, religions, genders, sexual orientations, and politics.