IT diversity and the cyberskills gap Q&A with Jules Okafor
Jules Okafor discusses the skills gap in the cybersecurity industry, how better IT diversity could help, and what is needed to bring in more women and minorities.
A continuing trend in cybersecurity has been concern about a shortage of skilled workers to fill the ever-expanding number of open positions. But experts have noted that one potential solution would be to improve IT diversity and work harder to bring in more women and minority workers.
Juliet "Jules" Okafor, vice president of global business development at Fortress Information Security in Orlando, Fla., spoke to SearchSecurity via email about various aspects of IT diversity and how more women and minorities could be a benefit to the cybersecurity industry.
How do you think finding ways to promote IT diversity could affect the cybersecurity industry skills gap?
Jules Okafor: We have to grow or cultivate the workforce we need for the future of the industry. Today, everyone is stating that there is a shortage of qualified talent. But, it is my view that if we were to transition more current minority and women [science, technology, engineering and mathematics] STEM professionals into technical training programs, in a few years, we could begin to reduce the gap.
Our industry suffers from a PR and branding problem -- the message is so often military-focused, law-enforcement-based and 'alpha-male-oriented' that women and minorities are not expressing a desire to enter the field; therefore, we keep the pool of talent from which to draw limited to the same types of people, over and over again. Our No. 1 job should be to put in a welcome sign to all groups and focus on minimizing conscious and unconscious biases that filter out potential talent.
Has there been a concerted push to bring in more women and minorities and improve IT diversity, or has this potential solution been pushed aside?
Okafor: The success of the diversity and inclusion initiatives has largely been sporadic and led by industry leaders on an individual company basis. The efforts by some organizations -- many of them listed in the DiversityInc List -- [have] been focused, direct and sustained. They have integrated diversity at every level of the business management and believe that it drives great customer and market value. Other companies give lip service to diversity as a priority in public, but either take no affirmative actions within the organization to address the diversity gap or continue to support actions that reaffirm the status quo.
Why do you think the industry hasn't done enough to promote IT diversity? And what should be done?
Okafor: The industry as a whole has begun to recognize the connection between diverse and multicultural workforce, positive security outcomes, better customer experiences and overall revenue generation. However, there is no clear regulatory mandate, framework or standard to which the industry is holding security teams or leaders. So, it's up to the individual companies to create a [diversity and inclusion] program, which often includes security professionals, and implement it on their own. This leads to a lack of clear goal-setting, self-serving definitions of diversity, inconsistent hiring efforts, selective enforcement of race or gender policies and metrics calculated to cast a positive light on the company -- but limited results.
I am working to build a national cybersecurity minority apprenticeship program: The goal is to develop a collaborative national effort to provide a systematic and sustainable approach to ensure minorities and women gain access to the experience and teaching to create job opportunities in this growing and critical field. Qualified candidates will pass an assessment tool and endure a strict selection process, then be placed at a government agency or corporation, for a chance to 'earn while they learn' for up to two years. Through a combination of coaching, interview prep, social skills development, and intense educational training and on-the-job experience, [they will] transition into an entry-level role in the cybersecurity industry.
Do you think there is a reluctance to talk about the lack of women and minorities in infosec?
Okafor: Yes. Race and gender discrimination is the foundation of the diversity and inclusion discussion. It remains a topic that most people are uncomfortable discussing. Further, the world outside of the cybersecurity industry is struggling with highly charged political and societal events and policies negatively impacting the lives of underrepresented groups and women. The same people enter the office, and there has been little done to address some of the inequalities still prevalent in our society.
Why is there reluctance to talk about IT diversity?
Okafor: It is human nature to hire people that make you feel 'comfortable.' Many of us spend up to 16 hours a day in the office and subconsciously want to work in an environment that you feel welcome, surrounded by people with similarities, with whom you understand. But, this plays into the idea of unconscious bias: We assume that people who look most like us are most like us, and as a result, our predominantly white, male industry continues to hire itself.
Diversity hiring is a subtle act of social change. It requires that one take a risk, and our industry is one that leans more toward risk mitigation and aversion. So, it's easier to hire using the same ineffective processes and use the similar HR recruitment tools, even if they don't yield a larger pool of qualified minorities and women. The onus is then put on minorities and women to identify themselves, who often don't know the jobs exist.
The topic is brought up as a solution, but the efforts to move from theory to action can be so painful, require so much bargaining inside the organization from management down, reduce 'political capital,' create additional work and often create tense team dynamics. Therefore, some executives, with the best of intentions, try it once and then dismiss it if it doesn't immediately yield results.
Is it accurate to say there is more focus on automation filling in the skills gap, rather than improving IT diversity?
Okafor: Yes. The assessment is correct. In security, leading with technology is the default approach, until it's found to be ineffective. If you look at the state of security today, it's only in the past few years that companies came to understand how critical people, process and technology [are] against advanced cyberthreats.
Jules Okaforvice president of global business development at Fortress Information Security
Years ago, the answer was [to] put in a firewall. When that didn't work, they created the next-gen firewall. Now, we see the growth of [managed security service providers] and [security operations centers] manned with human experts. Automation as a solution to the lack of a skilled workforce will solve issues related to productivity and maximizing existing resources.
On the other hand, automation will create new problems. One is that it will increase the need for an even more highly skilled, highly technical workforce, creating a bigger chasm between the haves and have-nots, mostly rural and underrepresented groups.
The result will be a need for fewer people to do the same work, but the pool of talent will have to be even more proficient in technology. Without early education STEM programs for minorities and women and teaching cybersecurity as a part of the college curricula, we will even more alienate these groups from the opportunities in our industry.
In terms of recruiting, is there too much emphasis put on certifications and college degrees?
Okafor: Yes. Cybersecurity is not like the legal or medical industries -- you can learn on the job. Most professionals didn't plan to become security professionals; they came across it while doing some other job. College degrees and certifications cannot replace the need for hands-on learning. Therefore, I would hire a security analyst with three to five years' experience and a high school diploma before I hired a certified, cybersecurity graduate with one to two years' experience.
College and certifications teach the fundamentals of security practice, but only when you get in the seat, in the office, in the plants can you truly test one's ability to detect, analyze and respond to ongoing security events. I have found that the biggest indicators of success in the cybersecurity industry are natural curiosity, analytical thinking and persistence. These traits are not taught in college; they are either natural or nurtured over time through individual experiences.