Cybersecurity Diversity. PHOTO: Cybercrime Magazine.

Cybersecurity is people. Cybersecurity is diversity.

Filling the cracks where attackers can try to break in

Ann Johnson

Seattle, Wash. – Dec. 17, 2019

The talent and skills gap in cybersecurity is getting larger every year as the threats grow and security becomes more important to every industry and organization. We needed an extra million people in 2017, and it is projected that by 2021 the shortfall could be 3.5 million cybersecurity professionals. The issue isn’t just about filling headcount. We must remember that cybersecurity is people: the cyber defenders, the people who create the technology, and the people the technology protects. That is why, at the core of it all, our security teams need to be as diverse as the problems we are trying to solve, because diversity is how we get the best security.

AI and security software make us more productive and more effective, but it’s people who make critical security decisions. It’s people who work to detect intrusions, to block them, and then to clean up and restore operations. They’re the source of the operational resilience organizations need.

But if all the people in your security team think the same way, you’re missing out on the diversity of understanding and problem-solving that a wider range of approaches and experiences would bring. We need to avoid the risk of groupthink, and that’s best done by building teams from different backgrounds, with varied experiences that help them find new answers to problems. Not only do you need different viewpoints to get creative solutions: you may not even notice some of the areas you’re neglecting, because you can’t tackle what you don’t know about.

Looking at the data, women make up 20 percent of the cybersecurity workforce, and people of color far fewer. Fifteen percent of organizations have no women in their security teams at all. Few women hold leadership roles in security, and nearly two-thirds of women are paid less than their male counterparts. Women and people of color also leave the industry at higher rates than their white and male peers.

It doesn’t have to be like that. For example, the cybersecurity team at United Airlines is 46 percent women and 48 percent people of color. The airline was honored by Diversity, Inc., which lauded its leadership in promoting diversity through a diversity-focused talent pipeline and talent development, leadership accountability, and a top supplier diversity program.

With diversity, we can build passionate workforces that are unafraid to speak up, to point out the issues and who bring a breadth of experience and understanding to tackling those issues.

So how can we change things? We need to focus on more than just recruitment, though of course that’s important. We also need to think about how we encourage a more diverse workforce to consider working in security. That means thinking about different ways into the security field, about training people moving into the field, and about accessible tools that support the widest possible workforce. We need to find pathways into the security industry that accept all who want to take part, hiring for skill and passion rather than just the right certifications or college degrees.

Let’s also look at diversity from another angle: bias. We need to focus on unconscious bias. This is a problem that’s too easy to dismiss as too hard to tackle, or to dismiss because we simply don’t recognize it. It’s built into our culture, and we need to find ways to expose it and develop new ways of thinking. It’s easy to overlook people who come from different backgrounds and different experiences.

We might not think we’re biased, but cultural assumptions impact our decision making in ways we often don’t recognize. Educating trainers and recruiters — as well as people who are already working in the industry — on our unconscious biases can make a big difference, not just in recruiting and retention, but in the tools and technologies we build and the way we handle incidents.

The formal paths that we’re used to for recruitment often don’t work well to build diverse teams, and we need to start outside them. That can mean working within the education system, where there are initiatives like the hackathons the Security Advisor Alliance runs for grades 7 to 12 in underserved schools, with the aim of encouraging students to consider careers in cybersecurity. We also need to find ways to encourage people with existing skill sets to consider moving to cybersecurity to fill the current demand.

One way is to work with organizations that focus on attracting underrepresented groups into the security industry, like the International Consortium of Minority Cybersecurity Professionals (ICMCP). Traditional training and recruiting approaches can put women off, and the free women-only Blackhoodie reverse engineering workshops aim to provide a welcoming environment, with networking and relationship building as well as teaching deep technical problem-solving skills. Microsoft sponsors a Blackhoodie workshop at its annual Bluehat security event, and it is always over-subscribed, which suggests there are plenty of women interested in these opportunities once they know about them.

Another option is working with military veterans, who can bring their experience and training to cybersecurity. Microsoft offers IT cross-training to veterans and serving military members transitioning to civilian careers through its Software & Systems Academy, which includes a specific security track. Microsoft itself has employed graduates of the program in its own security teams. There are similar programs at an increasing number of large organizations.

But hiring is only part of the problem. We also need to support the diverse teams we hire, by making sure that their value is recognized and that they’re included and appreciated, and can progress in their careers.

How do we keep staff from burning out and protect them from stress? A significant number of security professionals look to leave the industry every year because they find the work stressful. Security can be so demanding that half of them are willing to move to a lower-paid job, and two-thirds of all security professionals consider switching to a different job entirely because of the pressure. That means we need better support systems: not just managing and mentoring staff so they keep learning and progressing in their careers, but also giving them resilience training to cope with being on the front line defending their organization.

Technology can’t replace people, though it can help by automating mundane tasks and giving security professionals more time for the interesting and challenging work that keeps them engaged. But even there we need to be careful. If we support cybersecurity professionals with AI, we need to make sure that those AI tools are accessible and unbiased, and that too needs diverse development teams to avoid building existing biases into our tools.

Those automated systems can support humans working in security, but they don’t make the creative connections that people do. They can’t make the intuitive leap to saying that a new set of signals is an attack; they can only point the signals out. It’s up to people to make decisions and to guide the responses of systems. And the people making those decisions need to have as diverse a set of views and backgrounds as the attackers they’re defending against.

Every gap where a process moves from one team to another, and every assumption that developers and defenders make about how a system is designed or what users will try to do with it: those are the cracks where attackers can try to break in. If everyone in the security team thinks the same way and follows the same way of working, you’re going to keep missing those attack surfaces. Getting a wider range of people into security isn’t just equitable; diversity is the best chance we have to make a real difference in security.


Ann Johnson is Corporate Vice President, Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.

Sponsored by Microsoft 
