Although tech and cybersecurity companies have proclaimed new initiatives to advance diversity, equity and inclusion (DEI) in recent years, not nearly enough progress has been made in the cybersecurity industry, which remains stubbornly white and male. Recent statistics show that only 24 percent of cybersecurity workers identify as women, 9 percent as Black and 4 percent as Hispanic. Women and people of color are less likely to serve in leadership positions in cybersecurity companies, and there are stark cybersecurity salary discrepancies across race and gender. Yet the government and private sector lament a cybersecurity talent gap, as thousands of cybersecurity positions remain unfilled due to a supposed lack of qualified workers.
We must do better. Building a more diverse cybersecurity industry is not only critical to creating a more inclusive America, it will also strengthen our nation’s security by bringing in new perspectives to solve thorny information security challenges and shoring up our workforce.
Over the past year, our organizations led a series of roundtables with cybersecurity practitioners across disciplines to develop a set of concrete, impact-oriented commitments that organizations could take on to improve DEI in their workforce. The attendees worked together to outline a specific set of commitments that organizations could adopt now, and identified gaps in the broader ecosystem that would require additional institutional support from governments or foundations. Ultimately, we hope these recommendations, summarized in a longer report released today, will motivate cybersecurity organizations to sign onto specific commitments that are actionable and will meaningfully make progress in improving DEI.
Here are a few steps that cybersecurity organizations could take today to improve DEI within their workplace:
Take over the burden of certification costs from candidates, as certification exams can cost almost one thousand dollars. Employers should pay for new hires to complete required certification exams, or subsidize costs for diverse candidates.
Reduce the importance of employee referrals in hiring decisions, for example by saving referrals until the end of the hiring process. Oftentimes employee referral systems can disproportionately benefit white and male candidates.
Carve out a certain percentage of staff time and monetary investment for projects related to DEI, since many DEI initiatives in organizations are currently volunteer-driven, unpaid initiatives. Organizations should especially incentivize top-level managers and executives to get involved in these efforts, for example, by embedding DEI engagement into performance reviews and compensation decisions.
Track retention and attrition rates for diverse candidates so that organizations can clearly determine whether their DEI initiatives are successful. Most technology companies currently suffer from abysmally low retention rates for diverse candidates.
Create diversity-focused mentorship programs where companies provide additional support to diverse staff and provide them with networking and professional development opportunities. Women and people of color are oftentimes left out of informal sponsorship and mentoring opportunities, even though they can be hugely beneficial in promoting retention and for professional development.
Participate in and fund #ShareTheMicInCyber and other movements that amplify the profiles of and reduce barriers for underrepresented communities in the cybersecurity industry. Movements like this harness both individual and collective action to improve diversity.
These actions are just a first step towards making progress. As described in our report, funders should also spearhead cross-organization initiatives going forward to make a more fulsome change in this field.
Some of these broader initiatives for tomorrow include:
Organizing a coalition to assess the value of cybersecurity certifications in actually recruiting and developing quality candidates, since there is currently scant evidence on the effectiveness of these certifications.
Funding a group of cybersecurity and human resources experts to help organizations rewrite job descriptions to focus on skills, and less on technical jargon.
Making cybersecurity a more inclusive industry will require a combination of individual organizational actions and broader industry-wide initiatives. We hope that these recommendations motivate individual organizations to take action today, and broader civic sector coalitions to take actions tomorrow. In doing so, we can ensure that DEI commitments become more than just a pledge on a website. Our security depends on it.
Senior Climate Policy Advisor, Aspen Policy Academy
Mai Sistla is a Senior Climate Policy Advisor at the Aspen Policy Academy, with expertise spanning climate, technology, economic, and urban policy. Previously, she served as Deputy Director of the Aspen Tech Policy Hub and led citywide research interventions at the University of Chicago Urban Labs, informing policies on education, crime, and criminal justice. Mai also advises climate philanthropy initiatives and nascent climate nonprofits. She holds a BA in Economics from Northwestern University and an MPP from the Goldman School of Public Policy at UC Berkeley. Her favorite things to do include biking, riding public transit, and staying caffeinated.