By Kayne McGladrey, CISSP
People may aptly sum up 2020 in a single word: crisis. An inadequate response to the COVID-19 pandemic has led to the deaths of hundreds of thousands of people globally. The underlying data are more tragic, as the pandemic has disproportionately affected communities of color that have lived with the daily existing threats of shrinking economic mobility and racism. At the same time, both public and private organizations have struggled to mount an effective defense against cybercrime, which represents not only one of the largest transfers of wealth in human history but also threatens public trust in democracy and civil society. This article provides context and actionable steps to begin to dismantle the underpinnings of these long-standing crises; however, this article is not the solution. Only sustained action will lead to meaningful change.
According to early data on COVID-19 from the Center for Disease Control, 45% of individuals with COVID-19 for whom race or ethnicity data was available were white, compared to 59% of individuals in the surrounding community. However, 33% of hospitalized patients were Black, compared to 18% in the community, and 8% were Hispanic, compared to 14% in the community. Data from New York City identified death rates among Black/African American persons (92.3 deaths per 100,000 population) and Hispanic/Latino persons (74.3) that were substantially higher than that of white (45.2) or Asian (34.5) persons.
COVID-19 spreads primarily through direct person-to-person contact, and those who work near other people are at highest risk. These essential critical infrastructure workers as defined by CISA include public service jobs, such as firefighters, EMTs, and the military. Similarly, nurses, grocery store clerks, and food processing workers are designated as essential critical workers for having a functioning society. This diverse collection of people shares two other key attributes: low wages and stagnant economic mobility. According to the National Academy of Sciences of the United States of America, people generally have less upward mobility than their parents or grandparents. According to the Brookings Institute, a large portion of the critical infrastructure workers are from Black (16%) and Hispanic (21%) communities. The National Bureau of Economic Research found that Black economic mobility has lagged white economic mobility in every area of the United States. Families in these communities have faced a no-win situation: go to work, and thus risk exposure and possible death; or not go to work, and thus face one or more of hunger, eviction, and debt collectors.
Yet one group of critical essential workers have continued working without regularly risking exposure or debt collectors. CISA, the United States Cybersecurity and Infrastructure Security Agency, designated cybersecurity professionals as critical workers. And these critical workers have safely worked from their homes throughout the pandemic.
According to Cybersecurity Ventures , there will be 3.5 million unfilled cybersecurity jobs globally by 2021. This is in direct response to the predicted $6 trillion annual cost of cybercrime globally in 2021, a cost that will only increase if left unchecked. Broadly speaking, today’s technology workforce does not represent diversity, with less than 10% of the employees at many large tech companies being Latino or Black. The International Information System Security Certification Consortium (ISC(2)) found that just 9% of cybersecurity workers self-identified as African American or Black, 4% as Hispanic, 8% of Asian, and 1% as American Indian, Alaskan Native, and Native Hawaiian/Pacific Islander.
This lack of diversity harms companies, as McKinsey found that companies with better minority employment records had a 35% greater financial return. A lack of diversity in cybersecurity also has led to group think. Despite over thirty billion dollars in investment since 2009 the total number of data breaches has only increased every year since 2009. 2020 will be no different as the pandemic forced many companies to hastily enact work-from-home technologies. The problem is not the level of investment; rather, a contributing factor is a lack of diverse people with different life experiences working together.
And cybersecurity jobs are a clear path to the middle class. ISC(2) found that on average, a cybersecurity professional of color earns $115,000, while the overall U.S. cybersecurity workforce average is $122,000. By comparison, the Brookings Institute found that more than half of essential front-line workers earn less than $20 an hour. Even if an essential worker were able to work 40 hours a week, every week, taking no holidays, they would earn a maximum of $41,600, or nearly a third of the average cybersecurity employee, while at the same time facing health risks. These health risks are both direct, in the form of the pandemic, as well as indirect, as it’s more challenging for lower-income families to buy and prepare healthy food, or have access to the comprehensive health care that’s a regular perk of cybersecurity jobs. While the $7,000 gap within the cybersecurity workforce should be eliminated, bridging the $80,000 gap by encouraging people to pursue cybersecurity careers will provide a material benefit to society.
When children and young adults think about their future jobs, those ideas are inevitably influenced by the people they have seen around them and in the media. This leads children to say they would like to be a hip-hop star, or a firefighter, EMT, soldier, doctor, teacher, or veterinarian. “Cybersecurity professional” does not appear on that list. If children have seen anything about cybersecurity, it has likely been an image in the news of a Caucasian male wearing a hoodie with some Matrix-styled text on a computer. This detestable image led the Hewlett Foundation to create a contest to reimagine the visual language of cybersecurity. Regrettably, the media continues to perpetuate their divisive images of white men in hoodies, or meaningless green zeroes and ones.
“You can’t be what you can’t see,” according to Marian Wright Edelman. This lack of visibility of cybersecurity professionals perpetuates the cycle of diminishing economic mobility in communities of color. Children in these communities will instead largely grow up with a strong probability of choosing a job with low pay and high direct and indirect risks.
While bridging the gap between the current lack of diversity in cybersecurity is one way to promote economic mobility and improve public health outcomes, it is not an easy fix. Rather, this will take ongoing and visible action. A hashtag campaign will not do, and a breakout session for minorities at a cybersecurity convention is not a fix; in both cases, people had to be aware that cybersecurity jobs even existed in order to see the hashtag or attend a convention. And while many critical workers have uniforms, the closest cybersecurity workers come to for uniforms are either jeans and a t-shirt, or a button-down and khakis.
There are at least five potential actions to bridge the gap.
Public policy for education should make age-appropriate cybersecurity lessons an integral part of the curriculum. This is not a one-hour talk on password complexity in a computer science class. Instead, children and young adults should see that cybersecurity is a core part of their schooling from a young age. Even if they choose to pursue other careers, they will take the lessons learned and be more resilient to cyber threats.
Tech companies should volunteer in their local Black and brown communities. Wear a shirt with the company logo, whether it is planting flowers in bare public areas, volunteering to clean up trash at a community event, or helping at a rally. This is particularly important for cybersecurity companies, as it demonstrates an investment in community and provides individuals an opportunity to talk with people not in cybersecurity as they work toward a shared goal.
Tech companies should recruit interns from non-traditional fields of study. A decade of increasing breaches despite investment shows that hiring another computer science major from an Ivy-league school will not produce large-scale, meaningful change. Cybersecurity is meant to be a meritocracy, and interns should be identified based on individual aptitude and willingness to learn rather than on certifications, degrees, ZIP codes, and other socio-economic markers of privilege.
Individual cybersecurity professionals should seek out community organizations and ask about speaking opportunities. Although it is tempting to seek out the local business organizations, move farther afield and look for opportunities with organizations like Black Lives Matter, the Hispanic Alliance for Career Enhancement, or similar local community organizations. Talking about cybersecurity and safer online practices to these audiences helps promote awareness of the profession while directly helping people who face discrimination and hate crimes online.
Cybersecurity professionals should also connect with local middle and high schools to learn about volunteer opportunities. Given the opportunity, professionals should talk about how much fun cybersecurity jobs are, the camaraderie of being part of a team, and the average salaries. But also consider mentoring opportunities or working as a volunteer in a classroom. Engaging with children and young adults, either one-on-one or as a group, gives them the opportunity to see what cybersecurity jobs look like and hear first-hand that the jobs are interesting, safe and pay well. That last part – pay – may be a strong motivator for those who have seen their parents regularly fight about money towards the end of the month, and who want to break the paycheck-to-paycheck cycle.
We each will choose how to respond to this year of crises. Cybersecurity professionals have an unparalleled opportunity to step up and help make the future a better place for all people. Do not hesitate; now is the time for action and change.