January 22, 2024

Last Updated on January 23, 2024

While the competitive benefits of workplace diversity are widely acknowledged, putting diversity goals into practice is challenging for many organizations. The cybersecurity field would benefit from increased diversity to help close the talent gap and improve practitioner performance and job satisfaction. Yet the latest research shows that only 26% of cybersecurity professionals are ethnic or racial minorities, and only 24% of security professionals are women.

Why is diversity so important for cybersecurity and how can businesses improve workforce diversity? This article shares thought leadership.


How does diversity benefit organizations and cybersecurity teams?

The core benefit of diversity in groups is simple: Diversity brings diversity of thought.

Hence diversity can often improve collaborative problem-solving and lead to better solutions, whatever the subject area. Diversity is an antidote to myopia and groupthink.

Life experience gives each of us a unique “lens” or “filter” through which we see the world. Women and people of color have different viewpoints than white men in many ways.

In cybersecurity, different perspectives can inform our collective view of cyber risk and the decisions we make about risk. This can be a huge advantage for planning, everyday operations, and incident response.


Why is diversity difficult to achieve?

75% of companies rate diversity as a priority. But while business leaders widely agree that diversity and an inclusive workplace culture improve innovation and financial performance, many organizations do not successfully attract and retain diverse talent—especially in technology areas such as cybersecurity.

Why is this? Like many organizational initiatives, the drive for diversity must start at the top to succeed. Yet the senior leaders of organizations are overwhelmingly white men. This group may express enthusiasm about diversity but may lack practice stepping out of their comfort zone to actualize it.

“At the end of the day, in order to accomplish [diversity], you have to get uncomfortable, right?” notes Larry Whiteside, Jr., CISO of RegScale and co-founder of Cyversity. “Which means you have to bring people to the room that you may not be familiar with. Who have different views. Who look different. It’s disruption, and disruption is uncomfortable.”

Hiring a diversity, equity, and inclusion (DE&I) specialist is a common step but is not a substitute for true executive buy-in and incentivization.


“If I can see it, I can be it.”

Another factor limiting diversity in cybersecurity is a lack of role models in underserved communities. Role models help current and future job-seekers visualize themselves in a role and take steps to actualize that vision.

“In underserved communities of people of color, they tend to see athletes and musicians as examples of what they can be,” says Larry Whiteside. “If you don’t have a parent or family friend that knows about [cybersecurity], how will you know it even exists, right?”

The solution starts with awareness. Cybersecurity and IT professionals from underserved communities who reach out through schools, career days, etc. can have a huge impact on raising awareness. There is also a need to reverse the stereotype that cybersecurity equals hacking.


Common HR practices that may create barriers to diversity

Several common HR practices may inadvertently create barriers to diversity.

These include inappropriate requirements in job descriptions, such as salary bands or ranges that are “too high” to permit hiring someone without a bachelor’s degree, even though a degree is not essential for the job. This is common even with entry-level cybersecurity positions and could eliminate candidates from underserved communities who have the right skills and talent but have lacked the financial resources to get a bachelor’s degree.

“Cybersecurity practitioners are unicorns, and we cannot be treated like the rest of the regular horses in the stable,” Larry Whiteside relates. “Cyber executives have allowed this because they have not gone in and really had these conversations with their HR teams to reshape the requirements to enable them to hire more broadly.”


Best practices to diversify your cybersecurity team

Recommended steps to improve diversity on your cybersecurity team include:

  • Don’t just do what you’ve always done and expect change. This is the definition of insanity. Just telling HR you want diversity isn’t enough. You have to reshape hiring practices to remove barriers.
  • Promote your business at career days and other job events at minority educational institutions or in urban areas with minority demographics. This will help identify more minority candidates.
  • Get hands-on and rethink your cybersecurity job descriptions. The mandatory requirements and highly desired requirements are very important. They need to be realistic and work synergistically to align with the diverse candidates you want to attract. For example, requiring or desiring a Certified Information Systems Security Professional (CISSP) certificate for an “entry-level” role requiring one year of experience is inappropriate.
  • Think twice about the certifications you require for job roles. The cost of attaining some certifications may serve to exclude underserved people.


What’s next?

For more guidance on this topic, listen to Episode 129 of The Virtual CISO Podcast with guest Larry Whiteside, Jr., CISO at RegScale and co-founder of Cyversity.