The Diversity Issue In Cybersecurity: What Can Be Done?

Lack Of Representation

The issue as it stands today is that there is simply not enough minority representation in the field of cybersecurity.

According to the most recent publication of the Bureau of Labor Statistics, 75% of all information security professionals are White. Minorities are left with about a fourth of the cyber workforce pie, and women in particular account for just 14%.

Diversity is not just some ploy that companies can use to their advantage by appearing more inclusive to the public. Instead, having diversity in the workplace actually comes with a myriad of benefits.

Why Diversity Is Critical

One of the biggest benefits of having a diverse team is to have a much more open mind in tackling problems.

Having different cultures and backgrounds means that workers can approach challenges from multiple perspectives, which is especially crucial for a field such as cybersecurity. Conversely, having only one demographic and largely one viewpoint may lead to stagnation.

For those only concerned with tangible evidence that diversity is beneficial, there are multiple studies that are in favor of diversification as well. According to a study done by ISC2, diverse teams are much more likely to be profitable than non-diverse teams. In addition to profitability, the report also points out that diversity can improve organizational culture and overall employee happiness.

Another major advantage that comes with hiring diverse individuals is that it will contribute to diminishing the perpetually widening cybersecurity workforce gap.

The Cybersecurity Skills Gap

It comes as no surprise that because there is a lack of diversity, there are also many positions that have yet to be filled.

Recent statistics reveal that 68% of cybersecurity professionals report that they have a staff shortage in their organizations. Due to these shortages, 56% also mention that they’ve experienced moderate to severe security risks. Yet, positions will continue to go unfilled and many junior professionals will be glossed over.

However, there is one program that seeks to tackle both issues of diversity and cyber skills gap head on. This program is called the nextCISO Apprenticeship.

What Is The NextCISO?

The nextCISO Apprenticeship Program approaches the prevailing challenges holistically. It targets governance, risk management and compliance (GRC) as an entry point, ensuring that a strong understanding of controls frameworks for enterprise security and compliance capabilities is baked into the foundation from the outset. Part of the training addresses the variable side of the equation, human interaction and response, resulting in a thorough understanding of GRC audit requirements.

After mastering basic GRC concepts, nextCISO students work toward the following certifications and capabilities:

  • Certificate of Cloud Security Knowledge (CCSK) from the Cloud Security Alliance
  • Information Security Foundation based on ISO/IEC 27001 from EXIN
  • Fundamentals of Children’s Privacy from the GRC Center for Intelligent Ecosystems
  • Fundamentals of Auditing Algorithms from the GRC Center for Intelligent Ecosystems

One major takeaway from the 2020 (ISC)2 Cybersecurity Workforce Study was that cloud computing security is the most in-demand skill set by far, with 40% of respondents indicating they plan to develop it over the next two years. The specialized ISO 27001 training gives graduates the ability to get organizations the certification necessary to show that their data is sufficiently protected. Also covered as part of the course are requirements of the Children’s Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA), both federal laws that anyone doing business on the internet must follow.

The nextCISO program also includes real client work that aims to give students real world experience in applying what they have learned.

A Word From The Students

A majority of the candidates for the nextCISO Apprenticeship Program had no previous experience in tech positions but showed an interest in changing careers and advancing themselves through hard work and determination. The program was open to anyone showing potential but actively recruited and encouraged minorities – black, indigenous persons, people of color (BIPOC), LGBTQIA, and women – to apply.

The program came to a close this past week after nine strenuous months. As previously mentioned, many of the apprentices did not come from a technical background, but that did not deter them from applying and succeeding.

We asked each graduate how their previous experience helped them in the cybersecurity and GRC space. Here is what some of the students said:

Teresa Ramirez: “I feel like my high pressure situations as a cashier and previous experience working at a casino contributed to my success in the GRC space. When working at a casino, there are a lot of regulations and laws that we have to follow and enforce. This translates well into GRC because there are a lot of policies to abide by and we have to make sure that these companies are compliant in them. I also took courses like cloud security, database, and organizational behavior in college which benefitted me during the program.”

Margarita Azizyan: “I had worked in the pharmaceutical industry and had to follow USDA regulations to ensure compliance so that aspect translated well into GRC. One of the things that I had to do was to create documentation such as policies and procedures and I was able to transfer that knowledge over to the client work. I also believe my courses in network and data security along with forensics aided me in the regulatory aspect of GRC. I am a strong believer that anything you do has value no matter the field and can be applicable to other industries as well.”

Kimberly Vivas: “Working in HR means you need to understand the processes of the business, the entire employee experience, and what roles people play. As HR, you are also required to keep certain things confidential and know which laws to abide by, which is helpful within GRC. Another helpful point is that HR often works closely with IT and senior leadership.”

Sean Coutee: “I feel like my military background and my QA experience have been big contributors in helping me adapt to learning the GRC/Cyber curriculum. I have noticed that there are a lot of parallels between these areas with having to use critical thinking and trying to approach things out of the box.”

Lauren West: “I’ve been lucky that most of my growth has been organic (my background is I went to culinary school, worked in restaurants for several years, transitioned to facilities at a big start up, then did a mix of HR/Operations/Project Management/Tech Ops, and then switched tracks to be a marketing copywriter before realizing marketing isn’t for me). I enjoy writing and communicating (which is a big part of GRC). In HR, I’ve had to strategically implement policies that balance the organizational needs and company culture, with a kind of “path of least resistance” mentality (to get the best adoption). I’ve had the chance to run classes, and facilitate meetings, which helps me navigate client and 3rd party vendor calls. Even my restaurant experience has helped me learn how to identify the smoothest workflows to capture the best defined process. For me, GRC is a mix of things that I’ve enjoyed doing in the past and areas that I’m excited to grow into.”

Lucky Wolcott: “As an African immigrant who came from humble beginnings with limited resources, I learned from an early age how to be resourceful, problem-solve with limited materials and work together for communal benefit. Now I am more determined and prepared with the knowledge and skills in cybersecurity which has been afforded to me by the nextCISO Apprenticeship program. I feel there is a fire that has been ignited in me and will be burning for a long time.”

Many of our students are now looking for their first opportunity in the GRC/cybersecurity world. If you are looking for entry-level staff who are anything but entry-level, with zero fees for full-time permanent employment, then please reach out to Kris Rides for an introduction.

A Word About Our CEO

Tiro Security’s CEO Kris Rides is one of the most experienced cybersecurity staffing specialists in the industry.

He is a founding board member of the Southern California Cloud Security Alliance Chapter and serves as an advisory board member to the National Cybersecurity Training & Education Center (NCYTE). With his many years of experience, Kris has spoken at some of the most prestigious conferences in the field including DEFCON, BSidesLV, ISC2 Congress, and RSA.

Kris is looking forward to speaking this week at Wild West Hacking Fest’s Way West conference in Reno, Nevada. He’s extra excited as this will be his first in-person talk since the pandemic hit.
