A new survey found a majority of organizations are feeling the effects of the cybersecurity skills gap and experts said there could be an untapped talent resource available.
In a survey of 580 scheduled attendees of the Black Hat 2017 conference to be held in Las Vegas, Black Hat found that 71% of respondents felt their companies lacked sufficient staff to defend itself against current cyberthreats. And, although less than half of respondents (45%) were "concerned" about the shortage of women and minorities in the information security sector, many seemed to be aware of the systemic issues making it more difficult for women and minorities to fill the cybersecurity skills gap.
Steve Wylie, general manager at Black Hat, said IT managers need to do everything they can to close the cybersecurity skills gap.
"Greater diversification among infosec professionals will only help in providing organizations with the trained staff they need to better protect themselves from these increasing threats," Wylie told SearchSecurity. "Nearly 60% of our respondents blamed society for not doing enough to incentivize women and minorities to consider a career in the field."
Bryson Bort, CEO of Grimm, a security engineering company based in Arlington, Va., said the cybersecurity skills gap must be addressed from the top down.
"It's unfortunately rare that women and minorities in infosec have risen to leadership positions, which is one of the reasons that this issue doesn't get addressed as it should," Bort told SearchSecurity. "However, this is an issue that needs to be addressed from the top down. This puts some of the onus back on the few women and minority leaders that exist in the industry today; however, it's critical that these few act as role models, as the voice to help pull women and minorities up in the industry to overcome systemic bias."
Farrah Vijayan, senior technical product manager at STEALTHbits Technologies, said although there has definitely been a concerted push by the industry to hire more women and minorities, more needs to be done.
Survive the tech talent shortage by adopting self-managing systems and recruiting tools instead of only degree holders, Capgemini expert advises.
"The industry is represented by a mostly white male population who are looking from the inside out, never having had to experience the gender and racial bias that often exists," Vijayan told SearchSecurity. "Additionally, people tend to hire candidates that they can relate to, and in an industry that is white male dominated, it's not hard to predict who will get the job."
Erin Malone, vice president of North American channel sales at Sophos, said conversations around women and minorities in helping close the cybersecurity skills gap have "grown louder in recent years."
"When I first started working in software 18 years ago, there were so few women working in security, but that's really started to shift. It's exciting to come full circle and see a lot of fantastic, highly qualified women in important roles at Sophos and other infosec companies," Malone told SearchSecurity. "To me, the importance of recruiting women for tech leadership roles is about the need for a well-rounded group of people, made up of men, women and many races, to create sound leadership and technical teams with varying perspectives and skill sets."
Shahar Ben-Hador, CISO at Imperva, said the benefits of diversity can be far-reaching.
"Reaching out to women and minorities gives us a larger pool to pull from and provides the cybersecurity industry with a unique opportunity to make the field more diverse. And from a corporate perspective, a diverse team with different points of view and ways of approaching problems is a big benefit when it comes to solving security issues," Ben-Hador told SearchSecurity. "Much like IT seven to 10 years ago, infosec is starting to realize the skills that women and minorities provide and is embracing both."
School and certifications
Respondents to Black Hat's Portrait of an Imminent Cyberthreat survey also noted the troubles causing the cybersecurity skills gap can begin before the hiring process. Of those surveyed, 45% said primary schools and colleges don't offer enough infosec courses.
Bort said one of the issues is that science, technology, engineering and math (STEM) programs "treat people as products."
Farrah Vijayansenior technical product manager, STEALTHbits Technologies
"Accomplished women and minorities that make it in these programs are pushed aside. There are still unfortunate sexist attitudes that plague the industry. This is why it's important to foster women and minority role models and celebrate those we have," Bort said. "These efforts help address the problem and ultimately amplify deserved prowess. The problem is that there is a bottom-up approach to staffing and building skills -- the number of STEM graduates entering the industry is limited and among these graduates, few are women."
Ben-Hador said there is an "over emphasis on certificates and degrees in the cybersecurity field versus the background and aptitude of candidates."
"For example, I have a degree in math and computer science and started my career as an IT data director, and while I have a passion and flair for cybersecurity, I don't possess any cybersecurity certificates or credentials," Ben-Hador told SearchSecurity. "Some of the smartest people I work with have no security certifications. That said, in areas like [governance, risk and compliance], it is very important to have the formal context to be successful and build trust with customers and third parties."
Vijayan said the requirement for certifications, degrees and specializations can hinder opportunities to close the cybersecurity skills gap.
"There is the concern that the reason there is a lack of minority representation in the industry is due to the large social barriers that have to be overcome to attain such degrees. This is why companies need to take some level of social responsibility and invest in their workforce diversity," Vijayan said. "As both a woman and a minority, my choice to pursue a degree in engineering was driven by the encouragement from my parents to pursue a technical degree, as well as from the motivation by seeing many other family members and friends who have been successful going down the same path."
Learn more about the profound change in infosec that may be in the future.
Find out ways the cybersecurity skills gap can be fixed.
Get info on how IT security governance could foster a culture of shared responsibility.