Experts are quick to bemoan the glaring lack of diversity in cybersecurity, but proffered solutions have failed to close the gap. That's because the cybersecurity "industry is not ready to take diversity seriously," said Kim Jones, director of the Cybersecurity Education Consortium at Arizona State University, speaking at RSA Conference 2018 in San Francisco Monday.
Part of the problem is diversity messaging. Cybersecurity is considered "pale, male and stale," Jones said. The other stereotype is of hackers in hoodies, both messages that don't resonate with women and minorities. "[I'm] sick and tired of the hoodie," Jones said. The industry should instead focus on how cybersecurity is a profession dedicated to protecting and defending people, imagery that is far more effective than shadowy figures in sweatshirts stooped over glowing computer screens.
To make an impact across the industry, diversity discussions need to move into the "main hall," Jones said. Those present to discuss diversity shortcomings are often in an echo chamber. Instead, stakeholders need to be part of the conversation and work on creating a more diverse security workforce because it's the "right thing," Jones said.
For years the same statistic has been bandied about: Women make up less than 11% of the cybersecurity sector, a number that has remained unchanged since 2015.
Problems with diversity predated the talent shortage and will persist as the talent gap is closed. Organizations need to separate diversity from the talent pool issue and work to make the field more welcoming to women and minorities, according to Jones.
The talent gap is, of course, a critical issue for many organizations, both inside technology and across other sectors. There are more than 285,000 job openings in cybersecurity across the U.S., a number which will continue to expand as the cyberthreat landscape becomes more challenging to navigate.
The cybersecurity industry needs an "extreme makeover" to keep up with talent demands, said Christine Izuakor, senior manager of global security strategy and awareness at United Airlines. If organizations rethought where talent comes from and required fewer rigorous credentials, recruiting would become more seamless.
Requiring years of experience from newcomers to the field will only work to turn qualified workers away, said Izuakor. Creating better opportunities for entry and rethinking qualifications will make it easier for candidates to enter the workforce.
Companies cannot expect candidates to have security-specific degrees either. After all, many security experts find the field by chance, and pipeline-qualified candidates exist outside of what companies are willing to consider as qualified.