
How to solve the diversity problem in security


I was in the midst of composing this blog on diversity in cybersecurity when a Fortune article on Women in Cybersecurity found its way to my LinkedIn feed. It was promoted to me by a man I know and respect. As I reflected on the content of this piece in the context of my post, a key detail leapt out at me. It was a male member of the cybersecurity industry advocating for women in this instance. So, what does it all mean?

I have enjoyed a technology career to date spanning 30 years. I have been fortunate to encounter amazing mentors along the way, female and male, many of whom I met very early in my career. My professional experiences, good and bad, successes and failures, have shaped who I am today. Through those experiences, I have become convinced we need more diversity in cybersecurity. Whilst there are no easy answers to solving this problem, understanding some of the root causes will help inform our decisions.

We need to hire and mentor more women and diverse talent in security not only because it is the right thing to do, but also because gaining the advantage in fighting cybercrime depends on it. If we do not diversify the cyber talent pool:

  • We are not likely to fill the estimated 1M+ global cybersecurity openings.
  • We will continue to engender group thinking among a few “experts” with similar backgrounds. Remember: diversity is not just about the color of our skin, gender, religious or ethnic background, it is also about being surrounded by people whose varied experiences contribute new ideas to problem solving.
  • We become weaker relative to our adversaries. Cybercriminals will continue to exploit the unconscious bias inherent in the industry by understanding and circumventing the homogeneity of our methods. If we are to win the cyberwars through the element of surprise, we need to make our strategy less predictable.

I firmly believe most bias is unconscious. Certainly, conscious bias exists, but in my view the majority are doing the best they can with the background and experiences that have shaped their lives. We tend to mentor and hire people we know and trust. If our professional sphere is limited to a certain segment of the population, then the hiring pool simply replicates the makeup of our network.

The cybersecurity industry has historically been predominantly male for a few reasons:

  • Women pursue STEM education at a lower ratio than men.
  • Many cybersecurity professionals come from traditional law enforcement or investigative backgrounds, and these industries are currently male majorities.
  • Women are reluctant to pursue careers in cyber because they don’t see themselves reflected in the employee pool, thereby creating a self-perpetuating cycle.

Given the serious implications the lack of diversity has for cybersecurity, how do we attract, recruit, mentor and retain a broader, more inclusive workforce? The answer lies with a programmatic approach where we continuously measure effectiveness and adapt accordingly. The steps below, while not easy, and certainly not exhaustive, are imperative and urgent. The bad actors are well-funded and organized – innovating their methods, and growing their numbers – certain to become a permanent fixture of our digital future. Our ability to remain a step ahead is dependent on evolving our tools and talent through the following:

  • College recruiting. This is a must. Microsoft has a robust college hiring program and we make a conscious effort to include this talent on our security teams. We invest heavily in intern opportunities and new graduate hiring programs. We are not the only company to do so, but we need more firms to join us with a commitment to well executed and measured programs. We are also building a relationship with the Security Advisor Alliance which runs meaningful programs at both the high school and college levels, to provide cybersecurity education and industry recruiting.
  • Participation in our own rescue. I heard this expression a few years ago in a training class, and it stuck. The cybersecurity industry created this diversity problem, so we bear the onus to find a solution. We need to make training and retraining programs available to technical as well as non-technical talent, making cybersecurity a viable path. Including training options for those with non-technical degrees is key to addressing our well documented talent shortage in cyber. I know that this can work first hand. I was law school-bound with a degree in Communication and Political Science, when I decided that a technology career was more apt. By spending time on the go-to-market side and taking advantage of every vendor program available to further my technical training, I fulfilled my desired path.
  • Participation in organizations that promote diversity in cybersecurity. There are many who are tackling this initiative, but two that come to mind are: International Consortium of Minority Cybersecurity Professionals and #brainbabe.
  • Education on unconscious bias. I mentioned earlier that I believe most people are not aware of the language or behavior that implies bias. There is no intent to offend on their part. They are simply reflecting their life experience. Unfortunately, if you are a diverse person who works in these environments, you may not feel welcomed and often you choose to leave. You certainly won’t recommend these companies or work environments to your peer group – thus furthering the diversity gap. It is imperative that we educate about unconscious bias to address this issue.
  • Realization that all of us are smarter than one of us. Our CEO Satya Nadella says this on a regular basis to remind us that working through and with teams makes us all better. And working with team members that bring diverse perspectives and thoughts can only elevate team creativity and effectiveness.
  • Tailored mentorship. Recruitment and training programs alone will not change the cybersecurity employee landscape short-term. Diverse talent needs to hear from group members who have succeeded in cyber. Mentors that are trained and incented to grow group diversity are key to breaking stereotypes and misconceptions, as well as fostering optimism in those who would elect to pursue cybersecurity careers.

We will only solve the diversity problem as an industry. The industry’s conferences are all tackling diversity through meaningful dialogue which will hopefully lead to further investments. It is time for everyone to embrace a cybersecurity future where all who feel they can make a positive impact are welcomed, and our ability to recruit and retain these persons is free of the caveats and excuses of the past.
