Cyber criminals are diverse, shouldn’t your cyber team be too?

Cyber criminals are diverse, shouldn’t your cyber team be too?
Originally Published on LinkedIn March 22, 2019 by Shelley Westman, Principal/Partner at EY - Focus on Cybersecurity/Seasoned Executive/Passionate Leader/Diversity Champion

Shelley is an advocate for the advancement of diversity and inclusiveness in the workplace, having founded Women in Security Excelling (WISE), a group devoted to advancing women in cybersecurity. She is also a new board member with the International Consortium of Minority Cybersecurity Professionals (ICMCP). Shelley is a requested speaker at cyber conferences; most recently, she was an RSA® Conference speaker discussing the importance of diversity in cybersecurity.

Organizations face unprecedented challenges on their digital transformation journey.  One such challenge is protecting their most valuable assets from cyber criminals, a challenge that rests most heavily on their cybersecurity team. It is clear in this transformative age, cybersecurity is in the hot seat — front and center for companies. Cyber is a hinging point where organizations’ biggest needs, liabilities and opportunities converge. 

The need for cybersecurity to transform and reach a momentum that keeps pace with criminals has reached critical mass, only highlighting the imperative need for cyber’s traditional paradigm to be replaced with a new model — one that can support disruption from cyber attackers in diverse and agile yet unexplored ways. Yet, cybersecurity teams continue to struggle with moving diversity initiatives forward.

To outpace cyber criminals, cyber teams must embrace and embed diverse backgrounds, skills and perspectives.

The cybersecurity talent gap continues to grow

There’s no question that cyber criminals are unrelenting, yet the demands on cyberteams and scarcity of resources create a significant challenge. According to the EY 2018–19 Global Information Security Survey, 30% of organizations are struggling with cybersecurity skills shortages.[1] With such short supply and high demand, the talent deficit will inevitably continue to grow. Estimates point to a talent deficit that is approaching three million professionals globally.[2]

That number is staggering, but this is not a new trend, simply a growing one. The industry has been facing this challenge for years, but each day, as cyber attacks become more prevalent, the intensity of the talent gap only heightens — highlighting the need for new perspectives and new talent strategies — namely, more diversity in the field.

Cybersecurity demands diversity

To outpace cyber criminals, cyber teams must embrace and embed diverse backgrounds, skills and perspectives. Although progress has been made, women make up less than 25% of the global cybersecurity workforce according to recent surveys.[3] However, women represent more than 50% of college graduates in the US.[4] Those numbers tell the story succinctly — and it is imperative that we change that, not just in terms of women, but for minorities as well.

All the while, cyber-attacks continue to grow at an alarming rate — in 2017, 214 records were compromised every second.[5] Some estimate that by 2021, the global cost of cybersecurity breaches will reach $6 trillion, double the total for 2015.[6] While the news can barely cover all the breaches happening to companies around the world, organizations are searching for answers. Even with their abundance of technology and existing resources, it is clear organizations are not positioning themselves to stay ahead of their attackers.

So, what is the answer to not just keeping pace, but outpacing, these digital criminals?

The industry needs to spearhead concerted efforts to fill the ranks, and do so properly, with women and minorities. Diversity must become a business imperative for cybersecurity,because only diverse teams will be able to effectively drive results across an organization. According to the Harvard Business Review, diverse teams bring innovative, objective and collaborative ideas, which are critical to creating an integrated, holistic cybersecurity strategy.[7]

Now is the time to face this unequivocal fact: cybercriminals may have shared goals, but that is where their similarities end. Attackers are not all the same, nor do they operate in the same way, yet many cybersecurity teams still do. But by rebuilding cyber teams to include a variety of perspectives, organizations can create multidimensional teams ready for digital combat. Diversity in cybersecurity will be a game changer.

There are three key ways organizations can begin to change the status quo and add the strength of diversity and inclusiveness to their cybersecurity teams, and the industry as a whole:

  1. Stamp out stereotypes about the profession

Stamping out stereotypes means several things. First, we must eliminate learned stereotypes that are automatic, unintentional, deeply ingrained, universal and able to influence behavior. These unconscious biases are far more prevalent than conscious prejudice and often incompatible with one’s conscious values. Education is essential for your organization to begin to address these biases.

Bias can take shape around seemingly innocuous details such as the name on a resume being male vs. female or having a name on a resume that suggests the applicant is of a different race than the reviewer. Some applications are still being developed only for those who are right handed leading to unintended consequences, like pictures appearing upside down to left-handed users.

Next, we must change the picture of cybersecurity as a male-dominated career choice. It is an ingrained but flawed mindset. 

Let us take a closer look at this: when you think of a typical hacker, who do you picture? Almost always we imagine a young man in his parents’ basement navigating through the holes in cybersecurity as both a challenge and a reward — testing his skills and often reaping some of the valuable rewards he finds. Even search engines offer up these images when you search for “hacker.”

This limited mindset has permeated our subconscious, and it is going to take a concerted and purposeful effort to change this — but the question remains: when? Until when transforms to now, women and minorities will continue to feel that they cannot relate to this profession.

This issue is reinforced as women are steered into “typical female careers” by well-intended parents and guidance counselors starting from the time they are little, resulting in approximately 78% of all young women ruling out a career in cybersecurity before the age of 16.[8] By building interest in a career that includes a wide range of skills from different degrees, cyber can become a sought-after field that offers a variety of opportunities and career paths.

...by rebuilding cyber teams to include a variety of perspectives, organizations can create multidimensional teams ready for digital combat. Diversity in cybersecurity will be a game changer.

To that end, it is pivotal that organizations be open to people with different backgrounds. That means looking to other industries and professions for talent matches, such as law, mathematics, analytics and psychology — and for professionals in those fields to know that there is a career path for them in cyber, too.

2. Change job descriptions to attract more inclusive talent to cyber careers

Five studies conducted by researchers at the University of Waterloo and Duke University found that job listings for positions in engineering and other male-dominated professions used more masculine words, such as: leader, rock star, active, assertive, ambitious, autonomous, dominant, superior, independent, outspoken, aggressive and ninja, just to name a few.

This may all seem like semantics, and to a degree it is, but these semantics influence decisions. These words are small but play a big part when it comes to attracting women to positions in cyber. Words matter, so make sure they are inclusive – to attract the right talent you must speak a universal language.

Diversity is an answer, not an obstacle — and those who see its value will be able to create immeasurable value for minorities and women and measurable value for business — it is a win-win for all those who take up the call.

3. Create an inclusive culture that supports diversity.

More than half of women in the cybersecurity industry have experienced some form of discrimination throughout their careers from their male peers.[9] Organizations must foster an environment that does not tolerate discrimination and celebrates all. Often, diversity and inclusion are considered one idea, but they are different. As Verna Myers so eloquently pointed out, “Diversity is being invited to the party; inclusion is being asked to dance.”[10]And we need more people on the dance floor — specifically, minorities and women.

Men, particularly the men in cyber, must be a part of the solution. They must become active advocates for equality and inclusiveness, using their existing positions to drive change. Only when everyone is valued equally can a true environment that fosters innovation exist — and that is exactly what the industry needs.

Without men proactively prioritizing diversity and true equality in cyber, and business overall, change will take longer — too long — and the effects on the industry, business and talent could be detrimental.

Diversity is an answer, not an obstacle — and those who see its value will be able to create immeasurable value for minorities and women and measurable value for business — it is a win-win for all those who take up the call. The criminals are taking up the call every day, which means it is time for the cyber industry to retrain, rebrand, recruit, retain and reward with a new mindset focused on change, diversity and equality.

Ernst & Young LLP is helping organizations create diverse and innovative cybersecurity teams that are prepared to face the challenges and cybercriminals of today and tomorrow. We have made a commitment to creating a diverse and inclusive workplace and I am proud to say that we were named one of the 2018 Best Workplaces for Diversity by the Great Place to Work® Institute and Fortune magazine. For further insight on this critical issue and additional information, listen to our podcast:  Is gender equality the secret to success in our Transformative Age? or contact Shelley Westman at [email protected].

 [1] Source: https://www.ey.com/en_gl/advisory/global-information-security-survey-2018-2019.

[2] Source: https://www.isc2.org/-/media/7CC1598DE430469195F81017658B15D0.ashx

[3] Source: https://www.darkreading.com/operations/new-data-finds-women-still-only-10--of-security-workforce/d/d-id/1322371.

[4] Source: https://www.darkreading.com/operations/new-data-finds-women-still-only-10--of-security-workforce/d/d-id/1322371.

[5] Source: “2017 Data Breach Level Index: Full year results are in …”, gemalto, 14 August 2018.

[6] Source: “Cybercrime Report 2017 Edition,” Cybersecurity Ventures, 19 October 2017.

[7] Source: https://hbr.org/2016/11/why-diverse-teams-are-smarter.

[8] Source: https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-study-most-women-decide-against-a-career-in-cybersecurity-before-age-16.

[9] Sarah Santiago, "Women in cybersecurity: when the data speaks for itself,” Open Data Securityhttps://opendatasecurity.io/women-in-cybersecurity-when-the-data-speaks-for-itself/, accessed 13 September 2018.

[10] Janet H. Cho, “’Diversity is being invited to the party; inclusion is being asked to dance,’ Verna Myers tells Cleveland Bar,” Cleveland.comhttps://www.cleveland.com/business/index.ssf/2016/05/diversity_is_being_invited_to.htmlaccessed 13 September 2018.

Share this post:

Comments on "Cyber criminals are diverse, shouldn’t your cyber team be too?"

Comments 0-5 of 0

Please login to comment