Last week at AWS re:Inforce, the company’s security event that took place in Boston, there was a welcome message about diversity. It seems that the sheer number of people needed in cybersecurity in the coming years could represent a way for historically underrepresented groups to find their way into tech.
CJ Moses, CISO at AWS, spoke at the company keynote about the importance of diverse ways of thinking when it comes to keeping companies secure. “Another key part of our culture is having multiple people in the room with different outlooks. This could be introversion or extroversion, coming from different backgrounds or cultures, whatever enables your culture to be looking at things differently and challenging one another,” he said.
He added that new ways of thinking can be transformative to cybersecurity teams. “I also think new hires can offer a team high levels of clarity because they don't have years of bias or a group think baked into their mechanisms. So when you're hiring, our best practices encourage being sensitive to the makeup of the interview panels, having multiple viewpoints and backgrounds, because diversity brings diversity.”
Jasmine Henry, field security director at startup JupiterOne, recently helped put together a book called Reinventing Cybersecurity, looking at how women and trans people are helping transform the cybersecurity field. But to fully achieve that transformation, companies will need to hire more diverse candidates. Henry sees it as the industry’s responsibility to make the workforce more diverse, especially larger organizations like AWS.
“I think there's a lot of folks who really want to break in. I think of it more as a kind of a skill mismatch than a skill gap, since there are individuals who are willing and able and want to work [in this field]. So I think there's a lot of responsibility on employers, especially large employers, to train these apprenticeships, to upskill their own workforce, to partner with community groups…to train individuals who want to take those roles,” Henry said.
She said as people like her make their way into the field, they can help others up the ladder by helping them get the skills they need to work in this area. “I am a first-generation college grad, I do not come from wealth. Security was how I became middle class, and I'm proud of that. And I am very passionate about mentoring others, particularly first-generation college grads,” she said.
In general, the tech industry has not done a good job when it comes to diversity. According to hiring site Zippia, just 25% of technology employees are women, even though they are half the population; 7% are Black, in spite of being 14% of the total U.S. population; and 8% are Latinx, in spite of being over 18% of the total U.S. population.
When you look at cybersecurity jobs specifically, women hold 24% of these jobs, Blacks hold 9% and Latinx just 4%, according to research from The Aspen Institute.
Jenny Brinkley, director of security at AWS, says Amazon does take this responsibility to hire more diversely very seriously. In fact, she says that the company sees security as a way to bring more diversity into the company in general. “We're really focused on how we can contribute [as a company], whether that be through open source contributions to upscaling talent, to creating and identifying skill gaps shortages for these cybersecurity jobs,” she said.
Echoing what Moses said in the keynote, Brinkley believes that security in particular takes a diverse mindset. “We can start talking more about neurodiversity and as we think about inclusion and equity and diversity as a whole. Security really represents a moment where we can start talking about how do you create and find individuals to fulfill these jobs?” She added that these are jobs that have the potential to create multi-generational wealth for individuals, and she sees a big opportunity for people who have historically been left behind by the industry and these kinds of high-paying jobs in general.
Henry says that when she put together the book earlier this year, she saw a way to amplify a variety of voices and see the diversity that already exists in the field. “I really learned a lot about myself along the way because I realized that I had to be intentional about diversity when assembling the authors as well, and realize that a lot of folks wanted to talk about identity. They wanted to discuss security through an intersectional lens,” she said.
The Aspen Institute has some concrete suggestions to increase diversity in cybersecurity, including taking away the burden of the cost of certification, something larger companies could certainly do; establishing partnerships with organizations that can bring in more diverse candidates; and creating mentorship programs that focus on diverse people, among other things.