Diversity in cybersecurity is a ‘national security’ issue, congresswoman says

Closing the gender and racial employment gaps in the cybersecurity workforce is a “mission critical” issue for the U.S., Congresswoman Lauren Underwood (D-IL) said at an online event hosted by the Aspen Institute Thursday. 

Racism and sexism in the sector are both “national security” issues because they prevent the government and private companies from recruiting from the best and widest possible pool of talent, she said. 

Recruiting a diverse workforce with a variety of backgrounds can also help security programs prepare against different threat models, Underwood argued—comparing the situation to how her background as a nurse and in healthcare policy brings a unique perspective to her work as the Vice Chair of the House Committee on Homeland Security as the country is facing a public health emergency. 

“Less diversity means more blindspots in our threat assessments,” Underwood said.

A report released by Aspen Digital and the Aspen Tech Policy Hub in conjunction with the event argues that current diversity, equity, and inclusion efforts have largely failed and suggests aimed at correcting racial and gender employment gaps in the sector. 

Less than a quarter of the cybersecurity workforce self-identifies as female, less than 10% as Black, and only 4% as hispanic, according to research from infosec membership organization (ISC)²—figures far below those groups’ share of the general population. 

Changes to education, hiring, and retention processes could help close those gaps, according to the report and event panelists. For example, the report recommends reviewing the role of some (often costly) professional certifications and current criminal background check processes during hiring, as well as exploring more on-the-job training and apprenticeship opportunities for junior roles. 

Despite the crunch for technical talent, some job listings in the industry ask for three to five years experience for entry-level positions, noted Ron Ford, a Cybersecurity Advisor at the Cybersecurity Infrastructure Security Agency. 

“It’s not realistic,” he added. 

Instead, Ford said, cybersecurity employers need to start meeting people where they are—both technically and physically. The latter should include more direct outreach to Historically Black Colleges and Universities that produce top-tier tech talent, but are all too often overlooked in recruiting, he added. 

But that and many other recommendations outlined in the report will require substantial, sustained commitments from employers. Panelist and #ShareTheMicInCyber movement co-founder Camille Stewart warned there is no quick fix for these sort of systematic problems. 

“Don’t let short-term wins cause you to negate the long-term investment that is also important,” she said. 

(Disclosure: The author of this post was an Aspen Institute Cyberjournalism fellow in 2019.)