Skip to main content
Skip to main content
Microsoft Security

How to solve the diversity problem in security

  • Ann Johnson Corporate Vice President, SCI Business Development


I was in the midst of composing this blog on diversity in cybersecurity when a Fortune article on Women in Cybersecurity found its way to my LinkedIn feed. It was promoted to me by a man I know and respect. As I reflected on the content of this piece in the context of my post, a key detail leapt out at me. It was a male member of the cybersecurity industry advocating for women in this instance. So, what does it all mean?

I have enjoyed a technology career to date spanning 30 years. I have been fortunate to encounter amazing mentors along the way, female and male, many of whom I met very early in my career. My professional experiences, good and bad, successes and failures, have shaped who I am today. Through those experiences, I have become convinced we need more diversity in cybersecurity. Whilst there are no easy answers to solving this problem, understanding some of the root causes will help inform our decisions.

We need to hire and mentor more women and diverse talent in security not only because it is the right thing to do, but also because gaining the advantage in fighting cybercrime depends on it. If we do not diversify the cyber talent pool:

  • We are not likely to fill the estimated 1M+ global cybersecurity openings.
  • We will continue to engender group thinking among a few “experts” with similar backgrounds. Remember: diversity is not just about the color of our skin, gender, religious or ethnic background, it is also about being surrounded by people whose varied experiences contribute new ideas to problem solving.
  • We become weaker relative to our adversaries. Cybercriminals will continue to exploit the unconscious bias inherent in the industry by understanding and circumventing the homogeneity of our methods. If we are to win the cyberwars through the element of surprise, we need to make our strategy less predictable.

I firmly believe most bias is unconscious. Certainly, conscious bias exists, but in my view the majority are doing the best they can with the background and experiences that have shaped their lives. We tend to mentor and hire people we know and trust. If our professional sphere is limited to a certain segment of the population, then the hiring pool simply replicates the makeup of our network.

The cybersecurity industry has historically been predominantly male for a few reasons:

  • Women pursue STEM education at a lower ratio than men.
  • Many cybersecurity professionals come from traditional law enforcement or investigative backgrounds, and these industries are currently male majorities.
  • Women are reluctant to pursue careers in cyber because they don’t see themselves reflected in the employee pool, thereby creating a self-perpetuating cycle.

Given the serious implications the lack of diversity has for cybersecurity, how do we attract, recruit, mentor and retain a broader more inclusive workforce? The answer lies with a programmatic approach where we continuously measure effectiveness and adapt accordingly. The below steps, while not easy, and certainly not exhaustive, are imperative and urgent. The bad actors are well-funded and organized – innovating their methods, and growing their numbers – certain to become a permanent fixture of our digital future. Our ability to remain a step ahead is dependent on evolving our tools and talent through the following:

  • College recruiting. This is a must. Microsoft has a robust college hiring program and we make a conscious effort to include this talent on our security teams. We invest heavily in intern opportunities and new graduate hiring programs. We are not the only company to do so, but we need more firms to join us with a commitment to well executed and measured programs. We are also building a relationship with the Security Advisor Alliance which runs meaningful programs at both the high school and college levels, to provide cybersecurity education and industry recruiting.
  • Participation in our own rescue. I heard this expression a few years ago in a training class, and it stuck. The cybersecurity industry created this diversity problem, so we bear the onus to find a solution. We need to make training and retraining programs available to technical as well as non-technical talent, making cybersecurity a viable path. Including training options for those with non-technical degrees is key to addressing our well documented talent shortage in cyber. I know that this can work first hand. I was law school-bound with a degree in Communication and Political Science, when I decided that a technology career was more apt. By spending time on the go-to-market side and taking advantage of every vendor program available to further my technical training, I fulfilled my desired path.
  • Participation in organizations that promote diversity in cybersecurity. There are many who are tackling this initiative, but two that come to mind are: International Consortium of Minority Cybersecurity Professionals and #brainbabe.
  • Education on unconscious bias. I mentioned earlier that I believe most people are not aware of the language or behavior that implies bias. There is no intent to offend on their part. They are simply reflecting their life experience. Unfortunately, if you are a diverse person who works in these environments, you may not feel welcomed and often you choose to leave. You certainly won’t recommend these companies or work environments to your peer group – thus furthering the diversity gap. It is imperative that we educate about unconscious bias to address this issue.
  • Realization that all of us are smarter than one of us. Our CEO Satya Nadella says this on a regular basis to remind us that working through and with teams makes us all better. And working with team members that bring diverse perspectives and thoughts can only elevate team creativity and effectiveness.
  • Tailored mentorship. Recruitment and training programs alone will not change the cybersecurity employee landscape short-term. Diverse talent needs to hear from group members who have succeeded in cyber. Mentors that are trained and incented to grow group diversity are key to breaking stereotypes and misconceptions, as well as fostering optimism in those who would elect to pursue cybersecurity careers.

We will only solve the diversity problem as an industry. The industry’s conferences are all tackling diversity through meaningful dialogue which will hopefully lead to further investments. It is time for everyone to embrace a cybersecurity future where all who feel they can make a positive impact are welcomed, and our ability to recruit and retain these persons is free of the caveats and excuses of the past.