This week, the PCI Asia-Pacific community gathers in Melbourne, Australia for the 3rd and final installment of the 2019 PCI Community Meetings. I was invited to be a speaker at the conference, having recently delivered “Opening the Talent Spigot to Secure Our Digital Future” at both the North American and European Community Meetings. Unfortunately, my schedule prevented me from hitting a trifecta, which I would have loved, as this is a talk near and dear to me. It’s a talk about puzzles... kind of. It’s more of a talk about tapping into resources that can help solve several problems simultaneously:
- The massive cybersecurity job shortage
- The under-representation of women and minorities in the cybersecurity industry
- The under-utilization of freely available training resources
- How to extract significant value out of standards that some view as oppressive, pedantic, or, worse, useless, e.g., PCI standards
I’ll be delivering a similar talk at NIST's NICE Conference in Arizona this week. The message is pretty simple, but let’s begin with some data.
- According to the Cybersecurity Jobs Report by Cybersecurity Ventures, sponsored by Herjavec Group, there will be 3,500,000 unfilled cybersecurity positions by 2021
- According to the National Association of Software and Services Companies (NASSCOM), India alone will need 1 million cybersecurity professionals by 2020
- According to the US Department of Labor and ICMCP:
  - Women comprise 47% of the US workforce; in cybersecurity that number is 14%
  - Blacks/African-Americans comprise 12% of the US workforce; in cybersecurity that number is 6%
  - Hispanics comprise 15% of the US workforce; in cybersecurity that number is 7%
- The 2017 Global Information Security Workforce Study reports that 29% of the workforce are Director-level or above:
  - In the Caucasian workforce, that number is 30%
  - In people of color, that number is 23%
Next, consider the impact that PCI standards have had on the cybersecurity industry.
Before 2004 (a mere 15 years ago) nobody had heard of PCI. There were ZERO PCI-related certifications and ZERO fully-compliant organizations. Since then, PCI standards have become arguably the most influential, widely-adopted non-government/regulatory standards ever created for cybersecurity. Today there are 15 different training, qualification, and certification programs available from the PCI Council alone, plus countless others from vendors and non-profits around the globe.
Last year, the Verizon Data Breach Investigation Report stated there had been no breach of a fully PCI-DSS compliant organization in 14 years. In the five years from 2012-2016, we saw an increase in fully-compliant organizations worldwide from 11% to 55% — those are some staggering numbers if you pause for a moment to think about it.
OK, so we’ve got a large body of capable folks, eager to get high-paying jobs in the cybersecurity industry. We’ve got many companies looking to hire qualified cybersecurity professionals. And we’ve got a set of influential standards for which there is ample free (and paid) training. This is where the puzzle part comes in. There are 3 pieces in this complicated enigma. Put them all together and you’ve got a recipe that could taste really good to a bunch of different taste buds, so to speak (I’m lousy with analogies).
It’s a simple puzzle with a simple solution:
+ Keen, Capable Minority Population
+ Training
= Fill millions of cybersecurity jobs
An important fact to remember — cybersecurity jobs do not have to be technical. Many cybersecurity fields don’t require coding or deep IT skills. Fields such as audit, forensics, cyber crime, compliance, GRC, policy, and others are actually better suited for folks with backgrounds in accounting, psychology, law enforcement, etc.
If you are already fostering a program or organization structured around diversity and inclusion, you’re probably already sold. For those who need a little more fuel, let me give you some business reasons to support the drive.
Many organizations are willing to help. I am associated with a few, e.g., www.icmcp.org, www.wisporg.com, and www.owasp.org, but there are a lot of others. If you want to find them, all you need to do is search. Once again, I’ll lean on people smarter than I. People who have done the research and published the results. You can find these as easily as I did:
- Harvard Business Review: "Diverse teams are able to solve problems faster than cognitively similar people"
- McKinsey’s research: "Gender-diverse companies are 15% more likely to outperform their peers; ethnically-diverse companies are 35% more likely to do the same"
- Catalyst research: "Companies with more women on the board statistically outperform peers”
- Deloitte research: "Inclusive teams outperform their peers by 80% in team-based assessments; Engagement is an outcome of diversity and inclusion"
I also had the distinct privilege of interviewing some of my colleagues and peers. I asked them what they did to promote diversity and inclusion, and why they do it. We dug into what worked and what didn’t. I also documented their opinions on standards like PCI. If you want to learn what people like Edna Conway, Julian Waits, Marybeth Westmoreland, and Vandana Varma said, you’ll have to come to one of my talks - or check out the slides below.
The aphorism "a rising tide lifts all boats” could not be truer than in this scenario.
Relevant links:
- https://events.pcisecuritystandards.org/vancouver-2019/
- https://events.pcisecuritystandards.org/dublin-2019/
- https://events.pcisecuritystandards.org/melbourne-2019/
- https://www.pcisecuritystandards.org/program_training_and_qualification/
- https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity
- https://www.securityinnovation.com/about/community/