Over the course of the past decade, the best schools have attracted the smartest and most promising students. Some of those students have gone on to graduate and work in cybersecurity. A few have founded cybersecurity companies, others have joined software vendors, and many work in security operations centers or on security teams at organizations.
Despite the efforts of the smartest people in the cybersecurity industry, the number of breaches has not fallen in the past decade. Every year, Information is Beautiful posts a visualization of the world’s biggest data breaches. They also make their source data available for analysis. A casual analysis of their data shows that the number of breaches and the number of records that threat actors steal per year have been rising steadily for over ten years. This data does not include malicious cyberweapons or ransomware, which have also been steadily eroding the market value of companies while enriching criminal organizations.
Cybersecurity has several problems, only some of which are technical. The popular (but misleading) images of the players are a concern. The media consistently depict a hacker as a white cis male in a hoodie, with an optional scruffy beard. Unfortunately, the default perception of a typical cybersecurity employee trades the hoodie for a button-up shirt or a polo. The beard remains an option.
The cybersecurity industry also has a language problem. The term “bad guy” is often used to describe threat actors. The word “bad” is a matter of perspective—if a woman in a depressed economy overseas joins a call center supporting a ransomware campaign, she does not think of herself as “bad.” The term “bad guy” implies that only men can be hackers, which is offensive and inaccurate.
A consequence of this default view is that the people who meet the description of a hacker or a “bad guy” are the ones who pursue cybersecurity careers. With some exceptions, those who do not meet that inaccurate description choose other professional fields. For example, a study by Kaspersky Lab in 2017 showed that young women in the US, Europe, and Israel had already decided against a career in cybersecurity before the age of 16. The study further noted that there are no high-profile female role models in cybersecurity. Just 11% of cybersecurity employees are women. There has been no similar large-scale study to determine how many LGBTQI* people work in cybersecurity.
This is a homogeneous threat surface from an attacker’s perspective. The best students all come from similar geographic regions, have similar economic backgrounds, study roughly the same courses, and have broadly similar life experiences and challenges. As a result, groupthink has become an accepted standard, where multiple cybersecurity vendors create similar solutions to similarly perceived problems. This groupthink has led to the acceptance of a software development cadence that rewards rapid product iterations despite the increasing probability of breaches of consumer and company data. This consistency of thought and behavior makes it easier for smart threat actors to develop campaigns and cyberweapons that prey on the blind spots of cybersecurity employees.
With between 1.8 and 5.5 million cybersecurity jobs likely to go unfilled by 2021, the cybersecurity industry needs to encourage people who have not previously considered these jobs to include cybersecurity in their job options. The world does not need another whitepaper about the lack of diversity of race, gender, and orientation in cybersecurity. The #includecybersecurity project intends to encourage diverse individuals to pursue careers in cybersecurity.