
Creating Diversity in Cybersecurity

Fortify Experts analyzed over 90,000 cybersecurity profiles on LinkedIn to get an accurate understanding of the diversity within cybersecurity. We segmented profiles into the following categories:

  • Women
  • Veteran
  • Hispanic
  • Asian
  • African American

Our analysis aimed to determine whether each group is significantly underrepresented relative to its share of the U.S. population.

Similar to many STEM fields, women, African Americans and Hispanics are underrepresented in cybersecurity. The gap is largest for women, who make up 56.7% of the overall workforce according to the BLS but only 22% of the cybersecurity workforce. This is lower than general IT roles, where women comprise 30% of the workforce. In some biomedical fields, women make up the majority of the workforce.

The veteran and Asian communities are traditionally considered diversity candidates, but both groups are well-represented in cybersecurity. In fact, as a result of military training, veterans are overrepresented in the cybersecurity workforce, making up 9.2% of the cybersecurity workforce when they are only 5.5% of the population.

How Much Diversity is in Cybersecurity?
Similar diversity gaps are present across different cybersecurity positions. We analyzed diversity across the following roles: security analyst/engineer, auditor, security architect, and CISO.

The largest gap among women is in the highly technical roles. For example, women represent less than 7% of the security architects.

The African American community is well-represented in auditor roles, but underrepresented in all other security positions. Hispanics are consistently underrepresented in every role.

Why Should Teams Seek Diversity?
Diversity is an asset to cybersecurity teams. A diverse workforce produces better results for businesses. In cybersecurity, diversity can mean many things: diverse race, gender, veteran status, professional background, disabilities, and personality.

Companies with diverse teams see tangible business results through increased innovation, better communication and better cooperation. Diversity can make companies more profitable too. A BCG study of more than 1,600 companies found that the most diverse companies reported innovation revenue 19 percentage points higher than the least diverse ones.

Fortify Experts coaches security teams to focus on diversity of thought. This purposeful method of designing a team of people with different perspectives naturally leads to more diverse teams.

Leaders can create more productive and creative teams by balancing out behavioral strengths. A balanced combination of thinkers, doers, analysts, and communicators is ideal. Thinkers bring the big ideas and innovations, while doers are task-oriented.

Analysts dive deep into the data, and the communicators help the cybersecurity team sell its mission and purpose. With the right mix, teams will be more inclusive, more collaborative, and better at communicating.

Creating Diversity
Diversity won’t happen on its own. Companies have to be proactive to gain the benefit from it. From our diversity research and coaching experience, we have identified six steps companies can take to attract, build and retain diverse teams.

  • Build diverse leadership: Diversity starts at the top. Diverse leaders attract employees from a variety of backgrounds, creating diverse teams.
  • Promote social relevance: Cybersecurity is critical to preventing attacks and keeping society functioning. By highlighting the societal need for cybersecurity,
    companies can bring in a wide range of passionate candidates.
  • Reduce intimidation: Big egos are common in an industry full of experts but can be intimidating for new and diverse hires. Companies should address
    those who are intolerant of employees from diverse backgrounds and create a welcoming and inclusive environment for all.
  • Create mentorships: Fostering mentorships between experienced leaders and younger or diverse workers is beneficial for everyone. Junior members can
    learn technical skills and gain confidence by having a trusted advisor and mentor they can lean on. Working with a mentor improves soft skills and
    leadership skills, which can lead to future promotions.
  • Leverage collaboration and social skills: A fun work environment is attractive. Social team activities can be a selling point for candidates from
    other specialties or non-technical backgrounds.
  • Provide personalized training: Train employees according to their individual needs. Leaders should evaluate each team member's weaknesses
    and determine where they can build them up. Individualized training helps each employee develop the skills they need.

In a recent trend of moving women into cybersecurity, CIO Dive found that women who expressed an interest in cybersecurity could move from an IT management position to a cybersecurity leadership position in less than two years.

To help rebalance the gender inequity in cybersecurity, Fortify Experts has funded Cybersecurity Divas. This organization promotes the accomplishments of women in cybersecurity and provides mentoring. Learn more about Cybersecurity Divas.

This is an excerpt from Fortify Experts’ annual Cybersecurity Employment Trends Report. To read the report in its entirety, go to the 2021 Cybersecurity Employment Trends Report

About Tim Howard

Tim Howard is the founder of Fortify Experts (www.fortifyexperts.com), which helps companies hire and deploy Best on the Planet talent through executive search, permanent placement and expert consulting.

In addition, he has a passion for simplifying the hiring of security experts, as well as simplifying how companies assess and plan for improving their security programs.

Tim conducts monthly CISO Round Tables, which provide security leaders a forum to discuss best practices around relevant topics.

He also teamed up with Lyndrel Downs to launch www.CybersecurityDIVAS.com to help promote the most influential women in cybersecurity and provide a mentoring program to help encourage and support more diversity within the industry.

Tim has been leading technology staffing teams for over 20 years and is the founder of three other technology firms. He has degrees from Texas A&M University in Industrial Distribution and Marketing.  

Cybersecurity Career Paths

Cyber professionals must have fundamental technical skills to develop a successful cybersecurity career. Protecting systems against the world's most sophisticated hackers requires expertise beyond what university programs can provide. Traditionally, cybersecurity has been a secondary career. Most people have come into cybersecurity after becoming very good at a previous role and then being given the opportunity to move into a role where they could add more value by applying that experience to security.

The cybersecurity career path most often starts with these feeder roles: networking, software development, systems engineering, financial and risk analysis, and security intelligence. Experience in these roles prepares professionals for entry-level cyber roles like cybersecurity specialist/technician, cyber-crime analyst/investigator, incident analyst/responder, and IT auditor.

Leaders recruiting for cybersecurity roles should pay attention to these feeder roles. Professionals who succeed in these entry-level feeder roles will be better prepared for learning the more advanced cybersecurity roles.

This is an excerpt from Fortify Experts Cybersecurity Employment Trends Report. To read the report in its entirety, go to the Cybersecurity Employment Trends Report


3 Critical Issues within the Cybersecurity Employment Landscape

As the founder of Fortify Experts, a nationally recognized cybersecurity executive search and staffing firm, I am pulled into the trenches of the cybersecurity employment gap every day. We work with both job seekers and companies seeking security professionals. As a result, there are three critical issues I see rising up in the cybersecurity employment space.

#1:  Few opportunities for newbies.

There are many college-age individuals and others who have heard of the massive cybersecurity employment gap. These hopefuls have jumped into the field to take advantage of what CSO Magazine reports as a field with zero percent unemployment. They have been taking basic, advanced, and even master's level cybersecurity courses in hopes of landing a new career in this ever-widening space. Universities and security certification programs are seeing increased interest and are beginning to train up a larger number of individuals. As a result, a new wave of cybersecurity graduates is coming out, expecting to be welcomed by an industry starving for new talent.

However, many are shocked to find employment much harder to land than expected. They are getting doors slammed in their faces where they expected welcome signs. They are being told they need a minimum of 2-5 years of cybersecurity experience to be considered for entry-level roles. Resumes of new graduates pour across our recruiters' desks, and the frustration level continues to increase.

Although the demand for cybersecurity professionals is high, most companies realize that becoming a good cybersecurity analyst or engineer is a progression of skills that requires many years of other training first. Most often, the so-called 'security experts' were experts in other domains before they became security experts.

For example, to adequately secure enterprise websites, companies need someone who understands the intricacies of Unix, Linux, web servers, and web services.  To secure applications, they want someone who has been in the trenches developing code, testing code, understanding how the code is written, and how it can be exploited.  To secure enterprise networks, they are looking for someone who has designed network systems and who has configured routers, switches, and firewalls and therefore, knows the breachable weaknesses within those devices.


Unfortunately, all of this experience takes time, and the cybersecurity domain is extremely broad and highly complex. The easy fixes have already been corrected. Adversaries are getting smarter, better funded, and more sophisticated. Therefore, a recent graduate of a security program will be very limited in how they can contribute from the start. It would be rare for them to be able to identify or remediate advanced threats. Most employers need immediate results and don't have the patience to train up recent graduates.

Related:  Starting a Career in Information Security – Practical advice from security experts on how to accelerate becoming an effective security professional

#2:  Gap widens for experienced security experts.

The gap for security engineers and experts who do have advanced technical skills continues to widen because it takes years to develop that level of expertise. Furthermore, the demand for cyber talent will continue to rise as exploits become more sophisticated and widespread.

(ISC)2 earlier this year predicted that by 2022 the cybersecurity workforce will fall 1.8 million short of demand. Even if the gap is smaller, as I believe it is, it will still take years to correct.

To close this gap, employers will have to be willing to spend the time and resources to train up non-traditional security resources. They will need to create programs to draw in women and less experienced technical employees.

Related:   How to Attract More Women into Cybersecurity Careers.

One CISO who has gotten it right is Andrew Stanley, now the CISO at Mars. He hires young graduates and also draws internally from the company's employee base, attracting anyone with an interest in cybersecurity. He has developed a highly effective and intense nine-month cybersecurity training program, dedicated to helping non-technical staff get up to speed so they can effectively identify and remediate advanced threats in the company's global security operations center.

To achieve this, Stanley pairs each new hire with a senior security resource for the first six months of their employment. The senior resource is required to mentor the new hire and answer any question they have. This creates a trusted bond and an outlet for all the 'stupid' questions that will translate into knowledge later. As a side benefit, it also trains the senior engineers to have more patience and helps them develop the communication and leadership skills that can be lacking in some of the more technical security engineers.

After the six-month initiation, if an employee shows promise, Stanley sends them to three months of intense SANS training, which is the largest information security training program in the world. This training deepens their technical knowledge and sharpens their threat analysis skills. Employees can choose their own specialty paths and can become certified in any of a number of specialties. Those who achieve certifications receive a raise upon completion.

Stanley has found that this investment has produced highly effective and loyal security employees. However, it comes at a cost. Excluding salary, he says he invests well over $30,000 in each newbie during the nine-month training period.

This extensive investment in training is expensive and takes time. Most employers have neither the luxury of nine months to train up their staff nor the budget to fund such an extensive training program.

The problem then becomes finding experienced experts. Cyber experts are overwhelmed with opportunities and now rarely apply to job postings.

In a recent review of Security Architect positions on LinkedIn by Fortify Experts, each posting received on average fewer than five applicants, even after being posted for 30 days. In comparison, more common IT jobs averaged over 30 applicants during the same period.

Demand is high, but active job seekers are very, very few. To find good security talent, companies must go back to old-fashioned headhunting, where they first have to find candidates and then sell them on the opportunity. Internal recruiters often focus on candidates who come through their job postings and therefore struggle to fill security positions. If this is the case, it may be prudent to hire a firm that specializes in networking with and attracting security professionals.

#3 Security leaders are ready to jump to security-focused companies.

In most companies, the security team is looked at as a necessary evil, the black sheep of the IT department. Security budget dollars are tight because security is considered a cost center, not a business enabler or revenue-producing function. In addition, security leaders are unable to get funding for additional staff or security tools unless there is a breach. If there is a breach, the security leaders are the first to be blamed, and if a major breach happens, they often take the heat and get fired.

They shoulder all the responsibility with very little executive or financial support. It is a vicious cycle that results in an extremely high leadership turnover rate. CIO Magazine claimed the average tenure of a Chief Information Security Officer (CISO) is only 17 months.

This high churn of security leaders creates a flurry of activity whenever a leadership position is posted. Architects and technical security experts all want to throw their hats in the ring because they have heard the stories of big salaries and sign-on bonuses for those with CISO titles. Add to that the incumbent CISOs who work at companies that are unsupportive of security or do not take cybersecurity seriously; they also want to be considered if the new role comes with a higher degree of respect. For companies that treat security leaders like CXOs and/or have them report to someone other than the CIO (such as the CEO, the CFO or the Board directly), there is no shortage of security leadership candidates.

This flood of applicants creates another challenge for employers: sifting through the many flavors of security leaders to find the one who matches the specific needs of the company. Most human resource managers and many CXOs, including CIOs, do not have an in-depth understanding of their current security landscape or of what the future landscape needs to look like, and so cannot effectively choose a security leader. This lack of proper upfront qualification sets many security leaders up for failure, which in turn contributes to the high turnover rate.

Before hiring a security leader, companies should engage a trusted security advisor, such as a virtual CISO or a security consulting or search firm, who can help them assess the specific security needs of the company. Then they should partner with that advisor during the search to thoroughly screen and qualify candidates in each of the necessary security domains. This gives the company the best path to making a long-term hire and to securing its corporate digital assets.

About Tim Howard

Tim Howard is the founder of Fortify Experts (www.fortifyexperts.com) and Energy Sourcing (www.energysourcing.com), which help companies hire and deploy exceptional "Embedded" talent through executive search, permanent placement and expert consulting.

In addition, he has a passion for helping companies develop higher-performing teams by coaching them to increase effective communication and improve non-productive behaviors. With each new hire, his firm produces an Employee Operating Manual to help clients understand how to communicate better and get the most out of each new hire.

He also teamed up with Lyndrel Downs to launch www.CybersecurityDIVAS.com to help promote the most influential women in cybersecurity and provide a mentoring program that helps encourage and support more diversity within the industry.

Tim has been leading technology staffing teams for over 20 years and is the founder of three other technology firms. He has degrees from Texas A&M University in Industrial Distribution and Marketing.  

Invite Tim to connect:  www.linkedin.com/in/timhoward