Diverse Cybersecurity Workforce Act Offers More Than Diversity Benefits
Our adversaries certainly have diversity — so cybersecurity teams need it, too.
COMMENTARY
While some may consider the Diverse Cybersecurity Workforce Act as intended primarily to improve diversity in a workforce dominated by white men, that attitude ignores the real security risk that exists due to the lack of different perspectives brought by women and underrepresented communities. The lack of diversity creates a groupthink mindset, causing people to set aside personal beliefs and/or simply adopt the opinion of the group, which creates the illusion of invulnerability. We need to solve challenges that have never previously existed; to do that, we not only need all genders, but identities, ethnicities, races, cultures, ages, backgrounds, and experiences. The adversaries certainly have diversity — and cybersecurity teams need it, too.
Building a Pipeline of Diverse Skills
Ensuring the cybersecurity workforce becomes more diverse isn't possible without building a talent pipeline that looks like the world around us. That pipeline must be created by tapping into underrepresented communities. The Diverse Cybersecurity Workforce Act offers the Cybersecurity and Infrastructure Security Agency (CISA) a way to create a structure that supports these efforts through intentional resources and programming designed to empower individuals to:
Explore cybersecurity careers
Find hidden talents
Elevate those with aptitude, grit, and determination
Build real-world cyber skills and launch careers
The next step is to create inclusive spaces for cybersecurity training and offer services that champion and drive impactful programming efforts, including incentives for students/career changers, mentorship, and career placement. This act presents an opportunity to bring underrepresented individuals into lucrative, life-changing careers, and it's our best chance at mitigating current and future security risks, as well as ensuring the cyber workforce achieves greater diversity across sectors.
Timeline and Funding
Last year, Gartner predicted that nearly half of cybersecurity leaders would change jobs by 2025, and 25% of those leaving would find different roles due to the stress of working in cyber. Meanwhile, ISC2's 2023 Cybersecurity Workforce Study showed the industry was already struggling with a record workforce gap of 4 million. Adding new talent to the cybersecurity workforce has never been more urgent. CISA must create very intentional programming that provides accessibility programs and opportunities for disadvantaged communities. By including mentorship, peer support, community engagement, check-in calls, career services, and "ask me anything" sessions, alongside high-quality skills training, it is achievable to lift people from zero cybersecurity skills into careers in a year and a half or less.
These efforts must be started immediately, ideally by using a turn-key programming effort that has already been shown to make a strong jobs impact on employers and career changers. The $20 million per year budget is enough to make an impact; Women in Cybersecurity (WiCyS) invested $1.8 million to allow 2,900 women to explore cybersecurity careers and enabled 181 to achieve multiple advanced SANS GIAC certifications with career placement services that positioned them for success in the workforce on day one at their new cyber job. WiCyS has supported career changers in pivoting from teaching to pen testing, physical therapy to cloud security, and so much more. While WiCyS focuses on the recruitment, retention, and advancement of women, our experience shows these efforts successfully increase diversity, equity, and inclusion in the workforce.
Barriers to Retention
The act is focused on getting diverse talent into cybersecurity, but what about getting them to stay? Any effort by government agencies and organizations to hire a diverse workforce must address the barriers to retention and overcome them. The "2023 State of Inclusion Benchmark in Cybersecurity" report, conducted by WiCyS in collaboration with DEI firm Aleria, showed that workplace experiences are dramatically worse for women than for men.
Across all experience categories, women were excluded at a rate two times higher than men, citing their direct managers and peers as sources of experiences that interfered with their job satisfaction and ability to perform their best work. Women's second source of exclusion was the lack of career growth and advancement, contributing to them experiencing a glass ceiling just six to 10 years into their career, despite 46% of women in the field holding advanced degrees. Given these challenges, it's not surprising that an Accenture report showed that half of young women in tech leave the field by 35.
Retention Is Driven by Inclusion
When diverse talent joins the cyber workforce, there must be programs in place that create more inclusive communities. That means looking at common ways that underrepresented individuals are excluded and addressing those issues openly, including:
Underappreciating skills and experience from underrepresented groups
Failing to recognize the contributions of individuals appropriately
Requesting or expecting disadvantaged individuals to do menial tasks unrelated to their role
Assuming underrepresented individuals were only hired, promoted, or included in a project to give the appearance of equality
Generally disrespectful and sexually inappropriate behaviors
Social exclusion activities
Lack of career growth and advancement opportunities
To create an inclusive culture, organizations must ensure that diverse talent has a community and support structures within the organization designed to promote learning and career growth. Without a plan to create this inclusion and growth, organizations lose their diversity hires, leading to higher recruitment expenses and ongoing cyber-workforce gaps. Inclusion, quite simply, is vital for building and retaining a diverse workforce and addressing evolving cybersecurity risks.
About the Author
You May Also Like