The glass ceiling that separates women from career advancement in cybersecurity is tougher to crack for minorities. At a time when many businesses have committed to diversity and inclusion efforts, it's imperative they know which actions will drive substantial and sorely needed change.
More than half (53%) of women in a new study from Synack said a "glass ceiling" prevents them from achieving certain roles at their organizations. For minority women, that number was 71%.
Professional barriers are real – and high: Twenty-five percent of respondents said their company has one or no woman in an executive role, and 53% estimate their company has one or no minority executives. Nearly all (91%) women said they don't have the same opportunities as their male counterparts, and only 25% said there is sufficient representation of women in security.
More than half (54%) of minority respondents said they experienced either a great deal or a moderate amount of bias based on their ethnicity or background. When asked whether they're given the same chances as other ethnicities to progress in the company, only 47% of minorities said yes.
"At a base level, it is hard to navigate an industry where you are often 'othered' in some way – othered as a woman, othered as a person of color, or even worse, at the intersection," says Camille Stewart, head of security policy at Google Play and Android.
Being a woman, and being a person of color, "is a very underserved, underdiscussed part of the diverse experience," she says.
The glass ceiling separating women of color from advancement can manifest in a number of ways, Stewart says. It could mean a woman is able to do a job well, and has the agency to do it, but is unable to achieve the authority and pay the job would typically bring.
"I have experienced that quite a bit. I know a number of women of color who have," she notes.
Women of color who can get into middle management roles "usually cannot get much farther," Stewart continues. Many women do work beyond their titles but can't break into authoritative leadership, often hearing a range of excuses as to why that's the case. For example, they may have been hired at a level below their ability and organizational process impedes the rise to the next level. These limitations are a disservice to women of color, particularly because they're more likely to be brought in undervalued or "underleveled" in some way, Stewart adds.
"If you come in 'underleveled,' you're either doing the work at a level that's beyond you and you're not getting that authority agency … or you feel underutilized because you're having to operate at this more junior level, and the time for you getting to fully function and thrive in a leadership role is a lot longer and artificial than it had to be," she explains.
A major barrier many women of color face is ensuring their voices are heard and respected, says Tiffany Ricks, CEO of Hacware, who points to social challenges she faced in the workplace.
"Oftentimes, earlier in my career, it was always the challenge of [being] the only woman in the room. Oftentimes I was the only African American in the room," she says.
Ricks often struggled to make her ideas heard, sometimes letting other people communicate them so they were. This was why she left corporate America to work on her own and eventually founded Hacware.
"I left corporate America because I was the only one in the room, and I was tired of constantly fighting for my voice and not reaching the levels that I should because I had to give others my voice to get them to a certain level," she recalls.
Ricks says she sees many African Americans, and many women, growing sick of the corporate environment and doing the same. Many technical practitioners leave to build their own companies; those who are focused on policy, marketing, or other areas of expertise typically leave cybersecurity altogether. Ultimately, this is doing the industry a huge disservice.
"The way that cybersecurity really grows is we have a well-rounded industry where it's not just the technical people who understand it," she explains. "We need people who understand policy. We need people who understand the social behavior, the psychology behind it … I see those people leaving the industry as a whole and using their skills in another area."
Now Is a Moment for Change
Nearly half (46%) of respondents to Synack's diversity and inclusion survey said the reason for lack of diversity is a lack of qualified diverse applicants. But when researchers took a look at the numbers, they noticed the number of women and minorities increasing at the college level, says Aisling MacRunnels, chief growth officer at Synack.
"We have spoken with women who say they have degrees in STEM, so they say, 'It's simply not true. We're there. We're looking for the jobs,'" she says.
The number of women is increasing at the educational level but not in the enterprise, and there is a disconnect between the two.
Ricks suggests more organizations hire at historically Black colleges and universities (HBCUs) and be more transparent about their diversity initiatives and goals. If you don't have any security executives who are Black or female, then be transparent about how you plan to make that happen. Who can you bring into the business? Which employees could fill those roles?
"Once you get those candidates in your organization, it is very important to make them feel included, so they want to stay," she emphasizes. If there is a skill set lacking, for example, create a mentor program where candidates can work with internal employees and senior leadership.
Part of these inclusion efforts should involve creating an environment where people can talk about the issues that are important to them without being dismissed. If a company is truly focused on diversity and inclusion, they must have conversations around social issues, whether that's Black Lives Matter, the Me Too movement, or other topics, Ricks explains.
"The worst thing an organization could do is stay silent because they're saying to that employee that they don't care about those issues, and they're saying to the other employees who are not affected … that it's OK to continue with potentially harmful speech at work," she continues.
To eliminate these conversations is to alienate members of the workforce. To welcome different perspectives will help employees feel included and motivated to solve problems.
Of course, as Stewart points out, there is no single solution. Each organization has to take a close look at its environment and workforce to decide what's best for them.
"I think one of the things that has hindered progress is our unwillingness to be specific – that fear of making a mistake, or offending someone, or the discomfort with drilling down on these issues," she explains.
As a result, discussions tend to be grouped into "women of color" or "people of color" conversations, and the topic of "women in security" tends to focus on white women and often neglects the nuance of how issues affect minorities, Stewart explains. Even the conversations related to people of color merit nuance: Being an Asian male is different from being a Black man, which is different from being a Black woman.
"Those nuances are where the solutions lie," Stewart says. "There's not going to be a one-size-fits-all solution for diversity issues or outreach and retention problems."
Unless we're willing to name how these problems manifest and identify solutions that meet their needs, as well as areas for growth and opportunity, we won't make progress the industry needs to evolve.
"Men and women at the table, different races at the table together, is incredibly powerful," Synack's MacRunnels says. "Your attackers are going to come from different backgrounds. Your mindset needs to be diverse. You need to think of solutions using the diverse mindset to beat the attacks we see every day."