Top-quality cybersecurity workers are in high demand. According to the ISACA, a non-profit information security advocacy group, there will be two million cybersecurity professional jobs unfilled globally by 2019. Your security teams are already affected by this situation. Go ask your security leaders how easy it is to fill an open cybersecurity position with qualified personnel today. You will be stunned.
With this ever-growing shortage, you would think that we would pursue all avenues to fill the pipeline. But here’s the thing: Women only make up 11% of the current cybersecurity workforce. If you add other adjectives to the hiring categories—say, black women or Hispanic women—that number drops below 5%. In cybersecurity leadership, men are nine times more likely to hold a managerial job, and four times as likely to be in executive leadership roles.
How is such a state of affairs possible considering the severe shortage of cybersecurity personnel we have in the industry today? That’s a rhetorical question, of course. Clearly, if we have any hope to fill these two million jobs, at least half of them must go to women. Why would we exclude such a rich pool of qualified people?
And they are qualified. I recently returned from the Grace Hopper Celebration of Women in Computing, in Orlando. It is the world’s largest gathering of women technologists; some 18,000 attended this year. It was inspiring because I met so many talented and highly technical women there that I couldn’t capture their resumes fast enough. An event such as this unquestionably proves that a pipeline of qualified technical women exists. That is the good news.
Hiring can be complicated
The bad news is that hiring and keeping women and other minorities as valuable contributors to an organization is much more complicated than you might imagine. There are many biases at work here—conscious biases such as racism, misogyny, gender stereotypes, and modern culture itself. But there are unconscious biases, too: conformity bias, beauty bias, affinity bias, and confirmation bias, just to name a few. And you not only have to consider these things during the hiring process, you must also double down on handling them once you’ve made the hire, because nobody wants to work in an environment where they feel they are being unfairly mistreated. Even if you hire a minority, you must work very hard to keep them.
One of the many reasons we struggle with this issue is that our thinking is still so immature. We tend to think in terms of solving a single problem. “Just go hire more minorities,” I have heard myself say. But the issues are considerably more nuanced than that. To get to the heart of it, we all must understand a concept called “Intersectionality.”
The concept of intersectionality emerged from a discrimination case lodged by Emma DeGraffenreid. She applied for a job with a local car manufacturer and didn’t get it. Emma is black and a woman, and she alleged that the company didn’t hire her because of her race and gender. The judge decided against her case because the car manufacturer did hire women and did hire black people. Emma’s counter was that she was both a woman and a black person, and the car manufacturer didn’t hire her because of the combination. The court refused that argument because the judge thought that putting two causes for action in the suit would give Emma special privilege.
Kimberlé Crenshaw coined the term “intersectionality” in a 1989 essay that asserts that anti discrimination law, feminist theory, and antiracist politics all fail to address the experiences of black women because of how they each focus on only a single factor. “Because the intersectional experience is greater than the sum of racism and sexism, any analysis that does not take intersectionality into account cannot sufficiently address the particular manner in which Black women are subordinated.” Since the original essay, Crenshaw has expanded the intersectionality idea to include other cultural labels of race and gender: heterosexism, transphobia, xenophobia, and ableism.
The bottom line is that, yes, we want to hire more woman or more minorities, but this is not a binary decision. You can’t solve for female without considering race, class, sexuality, and/or ability. Intersectionality is the understanding that people are made of up many characteristics. If we are to fill the shortage of cybersecurity personnel in the network-defender community, we have to consider all the intersection sets. The daunting part is that we thought hiring for one label, women, let’s say, was hard. It feels like hiring for intersectionality will be exceptionally hard.
What can be done?
At the Grace Hopper conference, I learned some practical advice from a session presented by Dr. Freada Kapor Klein. She is a venture capitalist, a social policy researcher, and a philanthropist. She and her colleagues have just finished a study on what is working and what is not working to improve the hiring of minorities in Silicon Valley.
One thing is clear. Stand-alone efforts such as spending a lot of time and resources forming Employee Research Groups (ERGs) to talk about intersectionality and bias in the work place will not move the needle. ERGs are important, but they need to be one part of the overall Diversity and Inclusion (D&I) strategy, not the only thing the company does. The five common pillars to a D&I strategy include:
(1) Having a D&I director or manager.
(2) Having explicit diversity goals.
(3) Having Employee Resource Groups [ERG].
(4) Offering bonuses for recruiting/referring diverse candidates.
(5) Implementing unconscious bias training.
And Dr. Klein’s study demonstrates that executing on these strategies does improve the situation. So there is hope.
Our ability to fill the open the two million cybersecurity positions in the next couple of years is no longer just human resources problem. Your security leadership can convince you to write big checks to pay for a ton of security technology, but if you don’t have the people on board to manage and maintain that technology and establish the processes needed to make that technology useful, you might as well just throw that money away.
For myriad reasons that are way more nuanced than you might have thought, executive leadership has not been able to reverse this non-hiring trend. Within the organizations you are responsible for, there exists conscious and unconscious resistance to changing the way the company does things. This massive friction caused by known and unknown bias in the workplace is too strong. To reduce the friction requires board members to understand the complex issues involved and demand that forward progress be made. It is just common sense to understand that, if we are going to succeed in filling these jobs, we must pull massively from the pool of qualified women.
Here is the question you should be asking your male leadership because, let’s face it, the men in your organizations are mostly making these hiring choices: What is the intersectionality of your security teams? If it is mostly white and male, the company and executive have a problem.
Editor’s Note: Palo Alto Networks recently teamed with the Girls Scouts of the USA to create a badge program encourages girls to fully embrace the possibilities of STEM and to focus on the possibility of a career in cybersecurity. Read the story here.