Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

10/28/2020
05:45 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Breaking the Glass Ceiling: Tough for Women, Tougher for Women of Color

Security practitioners shed light on obstacles limiting career growth and the steps businesses can take to achieve their promises of a more diverse workforce.

The glass ceiling that separates women from career advancement in cybersecurity is tougher to crack for minorities. At a time when many businesses have committed to diversity and inclusion efforts, it's imperative they know which actions will drive substantial and sorely needed change.

More than half (53%) of women in a new study from Synack said a "glass ceiling" prevents them from achieving certain roles at their organizations. For minority women, that number was 71%.

Related Content:

Q&A: How Systemic Racism Weakens Cybersecurity

2020 State of Cybersecurity Operations and Incident Response

New on The Edge: Tracking Down the Web Trackers

Professional barriers are real – and high: Twenty-five percent of respondents said their company has one or no woman in an executive role, and 53% estimate their company has one or no minority executives. Nearly all (91%) women said they don't have the same opportunities as their male counterparts, and only 25% said there is sufficient representation of women in security.

More than half (54%) of minority respondents said they experienced either a great deal or a moderate amount of bias based on their ethnicity or background. When asked whether they're given the same chances as other ethnicities to progress in the company, only 47% of minorities said yes.

"At a base level, it is hard to navigate an industry where you are often 'othered' in some way – othered as a woman, othered as a person of color, or even worse, at the intersection," says Camille Stewart, head of security policy at Google Play and Android.

Being a woman, and being a person of color, "is a very underserved, underdiscussed part of the diverse experience," she says.

The glass ceiling separating women of color from advancement can manifest in a number of ways, Stewart says. It could mean a woman is able to do a job well, and has the agency to do it, but is unable to achieve the authority and pay the job would typically bring.

"I have experienced that quite a bit. I know a number of women of color who have," she notes. 

Women of color who can get into middle management roles "usually cannot get much farther," Stewart continues. Many women do work beyond their titles but can't break into authoritative leadership, often hearing a range of excuses as to why that's the case. For example, they may have been hired at a level below their ability and organizational process impedes the rise to the next level. These limitations are a disservice to women of color, particularly because they're more likely to be brought in undervalued or "underleveled" in some way, Stewart adds. 

"If you come in 'underleveled,' you're either doing the work at a level that's beyond you and you're not getting that authority agency … or you feel underutilized because you're having to operate at this more junior level, and the time for you getting to fully function and thrive in a leadership role is a lot longer and artificial than it had to be," she explains.

A major barrier many women of color face is ensuring their voices are heard and respected, says Tiffany Ricks, CEO of Hacware, who points to social challenges she faced in the workplace.

"Oftentimes, earlier in my career, it was always the challenge of [being] the only woman in the room. Oftentimes I was the only African American in the room," she says.

Ricks often struggled to make her ideas heard, sometimes letting other people communicate them so they were. This was why she left corporate America to work on her own and eventually founded Hacware.

"I left corporate America because I was the only one in the room, and I was tired of constantly fighting for my voice and not reaching the levels that I should because I had to give others my voice to get them to a certain level," she recalls. 

Ricks says she sees many African Americans, and many women, growing sick of the corporate environment and doing the same. Many technical practitioners leave to build their own companies; those who are focused on policy, marketing, or other areas of expertise typically leave cybersecurity altogether. Ultimately, this is doing the industry a huge disservice.

"The way that cybersecurity really grows is we have a well-rounded industry where it's not just the technical people who understand it," she explains. "We need people who understand policy. We need people who understand the social behavior, the psychology behind it … I see those people leaving the industry as a whole and using their skills in another area."

Now Is a Moment for Change
Nearly half (46%) of respondents to Synack's diversity and inclusion survey said the reason for lack of diversity is a lack of qualified diverse applicants. But when researchers took a look at the numbers, they noticed the number of women and minorities increasing at the college level, says Aisling MacRunnels, chief growth officer at Synack.

"We have spoken with women who say they have degrees in STEM, so they say, 'It's simply not true. We're there. We're looking for the jobs,'" she says.

The number of women is increasing at the educational level but not in the enterprise, and there is a disconnect between the two.

Ricks suggests more organizations hire at historically Black colleges and universities (HBCUs) and be more transparent about their diversity initiatives and goals. If you don't have any security executives who are Black or female, then be transparent about how you plan to make that happen. Who can you bring into the business? Which employees could fill those roles?

"Once you get those candidates in your organization, it is very important to make them feel included, so they want to stay," she emphasizes. If there is a skill set lacking, for example, create a mentor program where candidates can work with internal employees and senior leadership. 

Part of these inclusion efforts should involve creating an environment where people can talk about the issues that are important to them without being dismissed. If a company is truly focused on diversity and inclusion, they must have conversations around social issues, whether that's Black Lives Matter, the Me Too movement, or other topics, Ricks explains.

"The worst thing an organization could do is stay silent because they're saying to that employee that they don't care about those issues, and they're saying to the other employees who are not affected … that it's OK to continue with potentially harmful speech at work," she continues.

To eliminate these conversations is to alienate members of the workforce. To welcome different perspectives will help employees feel included and motivated to solve problems. 

Of course, as Stewart points out, there is no single solution. Each organization has to take a close look at its environment and workforce to decide what's best for them.

"I think one of the things that has hindered progress is our unwillingness to be specific – that fear of making a mistake, or offending someone, or the discomfort with drilling down on these issues," she explains.

As a result, discussions tend to be grouped into "women of color" or "people of color" conversations, and the topic of "women in security" tends to focus on white women and often neglects the nuance of how issues affect minorities, Stewart explains. Even the conversations related to people of color merit nuance: Being an Asian male is different from being a Black man, which is different from being a Black woman. 

"Those nuances are where the solutions lie," Stewart says. "There's not going to be a one-size-fits-all solution for diversity issues or outreach and retention problems."

Unless we're willing to name how these problems manifest and identify solutions that meet their needs, as well as areas for growth and opportunity, we won't make progress the industry needs to evolve. 

"Men and women at the table, different races at the table together, is incredibly powerful," Synack's MacRunnels says. "Your attackers are going to come from different backgrounds. Your mindset needs to be diverse. You need to think of solutions using the diverse mindset to beat the attacks we see every day."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29144
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, MX is a web base module in BSCS iX that is vulnerable to stored XSS via an Alert Dashboard comment. In most test cases, session hijacking was also possible by utilizing the XSS vulnerability. This potentially allows for full account takeover, or e...
CVE-2020-29145
PUBLISHED: 2020-11-27
In Ericsson BSCS iX R18 Billing & Rating iX R18, ADMX is a web base module in BSCS iX that is vulnerable to stored XSS via the name or description field to a solutionUnitServlet?SuName=UserReferenceDataSU Access Rights Group. In most test cases, session hijacking was also possible by utilizing t...
CVE-2020-29136
PUBLISHED: 2020-11-27
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575).
CVE-2020-29137
PUBLISHED: 2020-11-27
cPanel before 90.0.17 allows self-XSS via the WHM Transfer Tool interface (SEC-577).
CVE-2020-29135
PUBLISHED: 2020-11-27
cPanel before 90.0.17 has multiple instances of URL parameter injection (SEC-567).