Minorities in cybersecurity face unique and lasting barriers
IT is facing renewed scrutiny into its lack of diversity. Explore the unique barriers minorities in cybersecurity face and why hiring approaches are ill equipped to address them.
After the death of George Floyd and other Black citizens at the hands of police, institutions in law enforcement, educational and technological spaces are again being questioned about their roles in upholding racism.
It is no secret that IT has a diversity issue, and cybersecurity is no exception. Factor in a security skills shortage exacerbated by the growing importance of infosec responsibilities in the transition to remote work due to COVID-19, and the lack of an inclusive workforce is raising eyebrows.
"The cybersecurity industry is one of the biggest ongoing growth markets, and the opportunities for career growth and stability are extensive," said M.K. Palmore, vice president and field chief security officer at Palo Alto Networks. "Minority communities should have the same opportunities to benefit from this expected continual growth as others."
That is where the International Consortium of Minority Cybersecurity Professionals (ICMCP) comes in. This nonprofit serves as a pipeline for security professionals from marginalized groups, including people of color and women. Through corporate sponsorships, ICMCP and its chapters distribute scholarships for minorities in cybersecurity to pursue academic and technical infosec degrees or certifications. The founders emphasized the importance of inclusive infosec programs to enhance data security and protect assets from sophisticated adversaries.
Co-founder and ICMCP President Larry Whiteside Jr. reported an enormous influx of interest in the organization in the last few months. Black Lives Matter and other social justice movements across the globe "have had a direct impact on our membership growth, as well as our sponsorships," he said.
The demonstrations against racial and social injustice reflect the same message he has expressed as a speaker at industry events. At RSA Conference in 2019, Whiteside appealed to his audience of cybersecurity leaders and practitioners to take personal responsibility for the lack of diversity in their industry. "But I think the death of George Floyd and subsequent social injustice actions that are going on have actually pushed that narrative more than I ever could myself," he said.
Hiring is not the be-all and end-all of diversity
When white males in leadership are asked about efforts to diversify their organizations, they frequently cite recruitment efforts designed to bring in a wider range of talent. But that does not address the fact that minorities are paid less, promoted at lower rates and tokenized in the workplace -- a troubling pattern evidenced in ICMCP's 2018 study with (ISC)2.
If new recruits enter an inequitable work environment, leadership can flaunt their diversity "improvements" without dismantling problems like unequal pay or workplace discrimination that persist for people of color and women.
As a Black man, Whiteside sees other minority infosec professionals like himself as "unicorns." To make commitments to diversity at the hiring level effective, it is critical to examine HR's monolithic policies that are used to judge job candidates, he said, because many policies are written without inclusivity in mind.
"We cannot be held to the same standards that HR has always measured applicants -- for example, salary bands. You can't say [to a minority applicant], 'If you're asking to make X amount of money, then you must have this degree, and you must have that certification.' Because that's not always applicable," he said.
Some organizations are seeking out new tools and technology to modernize HR processes and mitigate unconscious biases, but this isn't always the best answer. AI-enabled tools have already been proven to reflect bias against certain demographics. For organizations that take efforts to create an inclusive workforce seriously, supplementing hiring practices with technology alone is not enough.
Attract diverse talent from underserved areas
Even organizations with the best intentions struggle to attract diverse talent because they do not know where to find it. In a job market described as being 70% who you know vs. 30% what you know, expecting diverse talent to simply appear at an organization's doorstep is not enough to address racial and gender disparities.
There must be more concerted efforts to promote the infosec career path to a wider pool of people -- and the younger generation especially, Whiteside said. In his experience speaking at K-12 schools, churches and underserved areas, most members of his audience report having never heard of the cybersecurity field as a career option.
Having grown up in an underserved area himself, Whiteside understands the socioeconomic barriers and systemic racism that many people of color face. After his parents divorced, his mother moved, and he was placed in a new, predominantly white high school, where he was first introduced to computers.
"I had never seen a computer before that. It changed the course of my entire life. That one action changed things because I was now attending a school that had more resources than my previous one," he said.
Palmore is used to being the minority at the leadership table, too. His position, as well as his leadership of the San Francisco Bay Area chapter of ICMCP, gives him "the widest opportunity to impact industry change," he said. Palmore considers the organization's mentoring, job skills assessment, community networking and industry outreach initiatives viable ways to "help others get the same opportunities from which I have benefited."
And, until people from all marginalized groups are represented at every level and in the boardroom, the work is not finished, Whiteside added.
"Diversity doesn't just stop after you hire minorities," Whiteside said.
New opportunities reveal new potential barriers
Minorities in cybersecurity are underrepresented in senior roles, despite the ways that company culture and revenues benefit from diverse leadership. One area of opportunity is the startup space, where minority founders are in leadership and decision-making roles. But, for minorities in cybersecurity, the barriers do not go away when pursuing businesses of their own.
Researchers at Harvard Business Review found that venture capital (VC) investors are more likely to partner with individuals who share their gender or race. When only 8% of VC investors are women and fewer than 1% are Black, it is evident how a homogenous VC workforce intersects with the challenges that minorities in cybersecurity face.
Because so few VC investors look like them, cybersecurity entrepreneurs from marginalized groups are less likely to receive funding for startup initiatives. According to PitchBook, female startup founders brought in just 2.8% of U.S. VC dollars in 2019 -- with an even wider gap for Black female founders. Whiteside said it is incumbent on the VC space to diversify its workforce to give minority-led cybersecurity startups an equitable shot.
Why does diversity matter in cybersecurity?
As co-founder and president of ICMCP, Whiteside gets this question a lot, and he said it comes down to fending off adversaries. As the cybersecurity threat landscape continues to evolve and create new challenges for infosec teams, diverse viewpoints are critical to improving incident response and data protection.
"Different backgrounds and different life experiences give you a different lens into the problem that is in front of you," he said.
Despite frustration with the lack of quantifiable commitments to racial and gender equity in favor of vague corporate promises, Whiteside remains optimistic. Look at the Black Lives Matter movement, he said, which was founded in 2013 by Alicia Garza, Patrisse Cullors and Opal Tometi after the acquittal of George Zimmerman in Trayvon Martin's death.
"It's not new. But what is so significant about the Black Lives Matter movement today is that it is not just minorities, but a rainbow coalition of people raising their fists and saying, 'Enough is enough,'" Whiteside said. "That's what needs to happen in cybersecurity."