Creating a Diverse Security Team
Look around a security conference floor and you may notice that the demographic of the attendees does not match the demographic of the overall United States.
Caroline Wong, vice president of security strategy at Cobalt.io, said she has been in the security industry for 12 years and a lack of diversity at events and in the workplace has been a long-standing problem. What is changing, however, is that people are starting to talk about it, she said.
"I think the unfortunate thing at this point in time is that for whatever reason, a lot of the press coverage and studies have a tendency to focus on the negative, because that's what's obvious, and it's what is exciting to write about," Wong said.
And while there are obstacles faced by minorities in the security industry, Wong stressed the importance of hearing about positive experiences from women and minorities in the industry.
Wong recently conducted a survey of more than 300 women in the cybersecurity industry and found that the majority of responses were positive, with women affirming that they love their jobs and feel deeply satisfied by the work they are doing.
The survey also explored the benefits of diverse teams, and the challenges that hiring managers, especially those in the talent-starved cybersecurity field, face in hiring employees with different backgrounds.
Donna Kobzaruk, chair of the ASIS International Women in Security Council, noted that it is critical for all members of an organization to understand the importance of diversity.
"If a senior leader just demands diversity in hiring decisions, there will never be buy-in or a true understanding of the importance," Kobzaruk said. "Once the organization's members are educated on the concept, then it is important to look at those hiring practices."
Wong advised that hiring managers become personally involved in the hiring process and think deeply about the skills needed for open positions.
"Recruiters will be looking for those key terms, CISSP or having a master's degree in computer science, and if you sort on a relatively small number of these labels then what you'll find is a not very diverse group of candidates."
Wong noted that less than half of the women that responded to her survey came from a computer science background.
"In the cybersecurity industry specifically, we are suffering from a massive talent shortage, it's ridiculous," Wong said. "We have this diversity problem, so it's obvious that if we have this massive talent shortage, why not extend our arms and look in a different way and take advantage of different parts of the workforce that may not have been considered?"
Kobzaruk agreed. "If you have a team that has the same thoughts, how can it grow?" she asked. "In security, we must have a difference of opinions and ideas. Otherwise, we would never grow or progress as an industry."
While high-profile organizations like Uber and Google have been under fire for gender inequality, Kobzaruk noted that these companies shouldn't be singled out; there are probably numerous other companies in the same position.
Earlier this month, a group of former employees filed a class action lawsuit against Google accusing it of gender-based pay discrimination.
"A big lesson learned is to ensure that the diversity program has proper oversight," Kobzaruk said. "To merely state that there must be diverse candidates or managers must focus on promoting diverse candidates is simply not enough. Creating groups to oversee diversity numbers is a start in the right direction."
Wong said depending on how the lawsuit proceeds, Google may have to make public its employees' salaries, which will show in black and white whether women are being underpaid. "It's like a lawsuit-driven audit," she said.
Kobzaruk agreed that concrete statistics are one way to understand diversity in the workplace.
"Look at the promotions in the organization," she said. "We all have unconscious biases. We need to pay attention to those to achieve our diversity goals."
Drawing more women and minorities to the security industry is crucial as well. Wong acknowledged that while discussions about women's negative experiences in the security industry are important, they make it more difficult to convince young women to explore that career path.
"There are a ton of women in the security field, and their careers have really awesome advantages: great pay; flexible work style; opportunity to work on very challenging problems; working with creative, interesting, and smart people; travel opportunities. There are all these great lifestyle factors that are not talked up as much as they ought to be," she said.