The cybersecurity industry is becoming more diverse as women and people of color increasingly enter the profession, yet the executives who lead it don’t reflect the reality of the workforce’s composition. The imbalance between an overwhelmingly male, white leadership and their employees isn’t just a statistic for equity committees to ponder. It can affect worker satisfaction, stymie the hiring process, and ultimately become a drag on the effectiveness and efficiency of a team.
In its recent Cybersecurity Workforce Study, industry training and certification group ISC2 surveyed more than 14,000 infosec decision-makers and workers worldwide. In exploring diversity, equity, and inclusion (DEI), the report zeroed in on 5,768 cybersecurity professionals in Canada, Ireland, the US, and the UK. The numbers paint a picture of an increasingly diverse workforce, especially among the youngest cohort now entering the sector:
- 58% of cybersecurity workers under 30 years old were non-white.
- 24% of cybersecurity workers under age 30 were female.
- 66% of cybersecurity workers who entered the profession within the previous 12 months were non-white.
By contrast, among infosec professionals aged 50 to 59 (those more likely to be executives and managers), almost two-thirds (73%) were white and only 16% were female.
No one is calling for the elimination of white, male leaders. Rather, experts are sounding an alarm that all leaders in cybersecurity should pay attention to the diversity in their teams, supporting it with recognition and exploiting its strengths.
Fortune 500 CISOs only 13.8% female, 4.7% African American
Looking specifically at CISOs, a 2023 Fortify Experts report on Fortune 500 CISOs revealed a similar dearth of diversity: Only 13.8% were female and just 4.7% were African American. The incoming generation of cybersecurity workers is more diverse than the managers who lead them and businesses that don’t address this gap will find it harder to recruit and retain talent, Clar Rosso, CEO of ISC2, tells CSO.
“People don’t stay in organizations where they don’t see people like themselves, especially in leadership roles. It may not be overt, but [diverse] people are receiving a subconscious message that says ‘there’s no place for me here,’” Rosso says.
Leaders who ignore DEI also risk weakening the brain trust in their cybersecurity arsenal at a time when AI has supercharged the threat landscape, she adds. “If you’re faced with solving complex problems and managing complex risk on a daily basis, the more diverse backgrounds you have helping you do that, the better off you are. Different people see problems from different perspectives.”
As the global war for talent rages on, cybersecurity executives must consider how they can provide leadership that resonates with their increasingly diverse workforce.
Mind the diversity gap
Cybersecurity workers from underrepresented groups are much more likely to feel discriminated against at work, according to a 2023 report by the ASIS Foundation. Based on the poll of 474 cybersecurity professionals around the world, here’s how those data broke down:
- 60% of women feel discriminated at work (vs. 22% of men).
- 60% of LGBTQIA+ (vs. 33% of heterosexuals).
- 48% of non-Caucasians (vs. 34% of Caucasians).
- 57% of disabled workers (vs. 34% of able-bodied).
- 52% of neurodiverse workers (vs. 34% of neurotypical).
Those numbers undermine the idea that DEI is only about recruiting more diverse candidates. After bringing different types of people into their organization, cybersecurity leaders clearly need to think hard about what comes next. “That’s the phase of actual inclusion and belonging,” says M.K. Palmore, president of Cyversity, a non-profit industry group formerly known as the International Consortium of Minority Cyber Professionals.
Inclusion and belonging aren’t solely HR’s responsibility. CISOs and CSOs play an important role in making diverse employees feel like their perspectives and contributions really count, says Palmore, who’s also director of the CISO’s office at Google Cloud. “You have to be thinking about that as a leader, in order to ensure that those folks feel like they found a place where they can grow, develop, acquire skills, and be effectively heard and seen in terms of the work environment,” he says.
As an African-American woman in an executive leadership role, Nicole Darden Ford tries to model that inclusive approach as global VP and CISO of Rockwell Automation. “It’s just showing that I care, right? It’s giving [diverse employees] a place where they can come in and talk to me in an open, candid way about how things are going, or work together to make things better or course correct if needed,” she says.
In Rosso’s view, listening and working together are key. She says inclusion isn’t just inviting someone to the table; it’s what happens once they get there. “Some organizations are really good at inviting a great range of diversity to their meetings, but they don’t actually listen,” she says. “Inclusion is really about how you listen to your employees. Do you ask them what’s important — and then do something about it?”
DEI mentoring as an executive leader
One thing cybersecurity leaders can do, says Darden Ford, is to “set clear expectations” with new hires from underrepresented backgrounds during the onboarding period. That includes outlining what the company hopes they’ll accomplish in their new job; making them aware of internal resources and pathways that can set them up for success; and checking in with them periodically. “As a leader, I’m leading them into spaces to help them gain skills they may need. I’m giving them continuous feedback about how they’re doing,” she says.
Darden Ford encourages freshly recruited hires to join employee resource groups (ERGs), an initiative some companies set up to support workers from similar minority backgrounds. “There are some ERGs in organizations for Black or Hispanic or Asian workers,” she says. “It gives them a safe space with people who can kind of understand what they may be going through. Finding your tribe internally is super important.”
Externally — outside the sphere of their own companies, that is — Palmore urges executives to champion industry mentorship programs like Cyversity’s. It pairs up novice workers (those in the industry for five years or less) with more seasoned mentors, who meet with them eight times during the 16-week program.
“The number one thing we hear from our [Cyversity] members is that people want mentors,” says Palmore. “They want guidance. They don’t just want to go blindly into the [cybersecurity] space. For those that have, they find it very difficult to find their footing. They essentially don’t know where to start.”
Palmore says Cyversity regularly turns mentee applicants away from its mentorship program because it doesn’t have enough mentors to meet demand. That’s one reason he encourages white, experienced cybersecurity professionals — both male and female — to become Cyversity mentors. An additional reason? To help everyone in cybersecurity confront the DEI elephant in the room.
Fear of DEI is often the elephant in the room
Fear is one of the biggest obstacles to DEI efforts in cybersecurity. According to the ASIS Foundation’s report, “fears about getting things wrong cause paralysis.” Palmore puts that fear into blunter terms. “People don’t want to step into this [DEI] space and then somehow say something wrong or be perceived as insensitive to what’s going on,” he says.
Instead of withdrawing entirely from the DEI conversation for fear of committing an offensive blunder, Palmore believes experienced white males in cybersecurity must be allies to new workers from underrepresented populations. How? He says becoming a Cyversity mentor is one place to start.
“I get questions all the time from my colleagues who don’t look like me, asking how they can help, how they can show up and be a part of this,” says Palmore, who is Black. “So, I tell them ‘People entering this industry need to see you and I together coexisting, leading, and effectively engaged on this issue. That shows them it’s important to you as well.’”
“It’s an all-hands-on-deck effort,” Palmore continues. “We need everyone participating in that, not just diverse leaders. Because as diverse leaders, we can’t do all of this on our own. It’s just an impossible, insurmountable task if we don’t have allies with us helping to educate, inform and grow this new workforce.”
Women making fewer strides in cybersecurity
Female underrepresentation is yet another issue that cybersecurity shares with other industries. Although women make up roughly half the world’s population, ISC2’s DEI data suggest they account for only 24% of cybersecurity professionals under the age of 30 and the incoming generation of cybersecurity workers is still largely male.
Rosso blames this on a lack of gender diversity in the profession’s higher echelons, which creates a role model vacuum. (Based on ISC2’s research, only 15% of cybersecurity professionals aged 50 to 59 are women.) “If I don’t see somebody like me in a leadership position in an organization, I question if there’s a place for me there,” Rosso says.
She cites another potential culprit: women not receiving the same amount of money or power as their male counterparts in cybersecurity. “There will be people who tell you the reason women leave [cybersecurity] is because they’re having babies. That’s not the reason women are leaving,” Rosso says. “[It’s because] they’re not experiencing equity in terms of pay and advancement opportunities. And we have to fundamentally change that.”
Rosso speaks from firsthand experience. After her first year as CEO of ISC2, the organization did a compensation review and detected instances of pay inequity among its female and visible minority staff. Though she says the situation has since been “fixed” (ISC2 also created an equity review body for promotions), it was an eye-opener. “You might think you’re good based on affirmative action reporting. Well, you’re not good until you’re line-by-line looking at what you’re paying people,” she says.
The ASIS Foundation makes a similar recommendation in its report, urging organizations to collect diversity data so they can establish a baseline, measure progress over time, and “hold colleagues accountable through key performance indicators.”
CSOs and CISOs have the clout to push for that kind of accountability, in their own companies and the wider industry. It’s one way leaders can confront the diversity gap between them and the next crop of incoming talent. “The younger generation of male, female and more diverse individuals are saying ‘this is what we want to see within our organization. We want to have a voice,’” Rosso says.