Select Page

By: Lynn Dohm, Executive Director at WiCyS

 

In 2020, diversity, equity, and inclusion (DEI) initiatives became far more common in the aftermath of George Floyd’s death and the ensuing civil unrest. Just four years later, many organizations are rolling back their DEI efforts, either because of social pushback or lack of evidence that it was making a positive impact. Many implementations were poorly articulated and failed to make meaningful improvements to inclusion, making it difficult to evaluate whether the programs were producing the desired outcomes. Now some leaders are looking to a new acronym to make a difference: MEI. 

 

Merit, excellence, and intelligence are the latest buzzwords to hit the news, promoted by Scale AI Chief Executive Alexandr Wang. This effort claims to be aimed at hiring the best candidates — without considering their demographics. MEI may be a new term, but it’s an old concept. It’s just more coded language that allows or even promotes the status quo to continue unchallenged without enabling and encouraging people from different backgrounds to enter the workforce. Merit may sound like the ideal way to level the playing field, but it pretends to operate on the assumption that hierarchical power structures and natural human biases don’t exist. They do. 

 

In 2018, the year WiCyS was founded as a non-profit, research from ISC2 showed that women represented just eleven percent of the cybersecurity workforce, rising to twenty four percent in 2019. The latest data shows that number has hardly changed; women are still not getting hired for cybersecurity roles at the same rate as men. MEI advocates may argue that this gender imbalance is only because women aren’t as good at analysis, investigation, training, leadership, and management. After all, if applicants exhibit excellence and intelligence, surely they merit being hired and promoted in the cyber workforce. Right? But the data shows that simply isn’t happening. The same ISC2 report shows that almost one third of organizations are reporting that they have zero entry level professionals on their teams, which effectively makes it impossible to hire more women onto these teams or transition women into cybersecurity roles from other parts of the organization.

It’s Not a Performance Issue

This year, WiCyS partnered with N2K Networks to conduct a comprehensive cyber talent study, and put that premise to the literal test. The study analyzed cybersecurity skills across the WiCyS professional member community and assessed participants at all experience levels. The findings show just how exceptional WiCyS member skills are — they outperformed in all seven NICE categories: 

 

  • Analyze
  • Collect and operate
  • Operate and maintain
  • Investigate
  • Oversee and govern
  • Protect and defend
  • Securely provision

 

The NICE Cyber Workforce Framework was developed by the National Institute of Standards and Technology (NIST), providing a standardized taxonomy and common lexicon for organizations to understand the essential tasks, knowledge, and skill (TKS) statements required for cybersecurity roles. In addition to these categories, N2K assessed WiCyS professionals across its specialty areas; WiCyS members outperformed in seventeen out of twenty areas. Yet, even as DEI initiatives aimed at increasing diversity, WiCyS members continued to encounter challenges in the workplace, all while outperforming their peers in an independent analysis of skills.

 

N2K also classified NICE Specialty Areas into broader Functional Groups, where members exhibited particular strength in communications and network security (60.6%), cyber workforce training and awareness (62.3%), cyber/IT leadership and management (64%), and cyber/IT policy and governance (64.3%). The three areas where members didn’t outperform were software development, incident response, and systems analysis. By identifying these gaps, WiCyS can offer educational support, training, and mentorship to enable members to outpace peers in these areas soon enough.

 

Collecting empirical WiCyS member skill performance data not only provides critical direction to WiCyS programs that continue to support women pursuing careers in cybersecurity, but it also lends ammunition to debunk the argument that women do not have the requisite skills or abilities to effectively succeed in cybersecurity roles. 

It’s Not a Skills Gap, It’s an Opportunity Gap

Since its inception as a non-profit, WiCyS has focused on setting up initiatives, enabling training, and creating partnerships to ensure that members have both the hard skill and power skills needed to excel in cybersecurity. The N2K report demonstrates the effectiveness of these efforts in advancing skills and identifying growth areas for WiCyS members, aligning capabilities with industry standards to help close the cyber workforce gap. The data clearly shows that, based on a hard skills assessment, WiCyS members are at a mid- to senior performance level in terms of cybersecurity. 

 

Often, women are told that lack of opportunity is just their perception, not based on reality. To investigate this, WiCyS teamed up with Aleria to conduct the State of Inclusion Benchmark in Cybersecurity study. This report helps to identify some of the real causes of disparities in the experiences of women in cybersecurity. Aleria, founded by Chief Scientist Paolo Gaudiano, discovered that the lack of career and advancement opportunities is the second highest area of exclusion for women in cybersecurity — a finding that is very uncommon in other industries. The data shows that women hit a glass ceiling just six to ten years into their cybersecurity career, despite exceptional skills and ability. They’re ready and able to lead but are not provided the opportunity to do so. 

The Next Step

Unfortunately, the alphabet soup of DEI and MEI is unlikely to resolve the issue women and other underrepresented individuals face when entering and seeking advancement in the cybersecurity workforce. If an organization was already focused on DEI but failing to hire and promote women in cyber, the data shows that excellence and intelligence did not fulfill the ambiguous promise of sweeping in to advance their careers. And focusing on the ambiguous “merit” classification as a way to hire and promote people is an illusion that won’t improve the cybersecurity industry as a whole.

 

It’s time to focus on the right metrics. Using the same data and skills assessments analyzed in the N2K report, employers can hire and promote cyber talent based on hard earned skills and demonstrated knowledge. To succeed and enable more advancement for women and underrepresented groups in cybersecurity, the tech industry, and beyond, allies need to step up and advocate for these changes. Doing so will benefit us all — just look at the Olympics, where women won more than half of Team USA’s Olympic medals. Aptitude, skill, and training tested on a world stage showed the strength of a talented and diverse Olympic team. Three letter acronyms won’t help women break the glass ceiling, but benchmarking skills and promoting and hiring based on demonstrated expertise may — and indeed, it’s about time it did.

 

 

Educate yourself with the data in the resources provided by WiCyS:

WiCyS State of Inclusion Benchmark Report

WiCyS Cyber Talent Study

Learn how to navigate through existing challenges through WiCyS inclusive resources here: WiCyS Inclusive Resources Center

Calculate the hidden costs your company is incurring by not having an inclusive workforce:

Inclusion Impact Calculator — Aleria 

Assess your talent internally to promote based on skills:

Cyber Talent Insights for your Workforce | N2K