Shifting mindsets and amending programs and strategies to ensure DEI initiatives remain broad and inclusive is not a difficult undertaking. But it needs thought and understanding.
By Sal Portaro, CSSLP
It is almost universally accepted that there is a huge shortage of cybersecurity professionals. And it is also recognized that this shortfall is growing. The numbers of cybersecurity professionals employed and needed vary among different sources, but not by that much. A Fortune article stated that the shortage increased worldwide from one million unfilled jobs in 2013 to 3.5 million in 2021. In the U.S. alone, the number of these professionals was around one million in 2021; the number needed was over 700,000 according to Fortune. ISC2 research puts the active global workforce at 4.65 million, and the global workforce gap at 3.4 million.
As I began researching this piece, another large breach was in the news: a telecoms company had 35 million records stolen. We need every qualified, talented, skilled cybersecurity professional that we can get.
Such talent and skills span gender and ethnicity; diverse perspectives generate the innovative ideas we need to solve the complex problems facing our world. Consequently, gender and racial equality must be promoted at every opportunity. When I was an IT manager, I hired several qualified people with diversity of ethnicity in mind. Furthermore, most of the people I hired were women. They were well-qualified and were hired because of their talent. One group, however, is being overlooked in our push for a diverse workforce: the disabled.
My Experience with Disability
Because I have cerebral palsy, I have firsthand experience in how difficult it can be for the disabled to find employment. For approximately 33 years before my retirement, I was employed in IT, in roles ranging from network administrator for an Inc. 500 company to an IT manager for a state agency. For almost 28 years I worked for a single state agency. Although I worked for the same employer for a long time, from time to time I would try to get other jobs. I found that I could never get traction anywhere else, even though I was very qualified. After I retired - even with my experience and having the CSSLP, CRISC and CIPT certifications - I could not make headway in finding a contracting job.
It is disheartening to read, over and over, that there is such a need for cybersecurity personnel and to know that many very talented resources are being left out of the fight. There are several benefits to hiring the disabled, including improving the bottom line. I am all for hiring people with the talent or the potential to excel at a job. It is a waste of valuable resources to ignore groups of people because of their gender, race, or disability.
Unfortunately, many people with disabilities are not as fortunate as I have been. According to the U.S. Labor Department, in 2019, 31% of people with disabilities aged 16 to 64 had a job, compared to 75% of people without disabilities. In the U.K., in 2019, 53% of the disabled were employed as opposed to 82% of the non-disabled potential workforce.
Don't Miss Out
I am by no means saying that hiring the disabled is a magic solution to every issue. As in any population, you have the good and the bad. Women can do the same jobs as men. People from ethnic minorities are just as capable as any ethnic majority. However, it may get trickier with the disabled. Some people cannot physically do some jobs. Sometimes accommodations may need to be reached, or some reconfiguration of workloads may be needed. But, if you dismiss somebody outright simply because of the way they talk, walk or look, you may be missing out on a great employee. And you may be missing out on a vital tool in your cybersecurity program.
Here are a few points to consider when it comes to hiring the disabled.
- Do you create unnecessary barriers with unnecessary job requirements? I will never promote giving an unqualified person a job. But are there legacy job requirements that may prohibit qualified people from getting a job? Does an entry-level security analyst really need to be able to carry 40 pounds for 50 feet? I interviewed for a programming job at a factory. Everybody who worked there had to pass a dexterity test - even if you would never get near the assembly line. This was an unnecessary requirement that kept people like me out of a job there. Ensure that operational requirements for a role are actually relevant for the role.
- Can you be flexible enough to make changes that may be required? As referenced earlier, every situation is different and may call for different solutions. Physical accommodations may be needed, such as adding a ramp or lowering or raising a desk. Technology solutions may be needed, like screen readers or trackballs instead of mice. Most changes are low cost. According to data from the U.S. Department of Labor, "59% of accommodations cost nothing while the rest of the accommodations cost only $500." There may also be changes in job duties. Maybe a new hire cannot crawl behind servers. Could he trade that task with somebody by monitoring the SIEM more? Be fair with any job reconfiguration. Although there are usually organizations and government agencies that can provide help and advice, the best resource will usually be the candidate or employee themselves. Ask appropriate questions.
- Be willing to give your disabled employee the same opportunities for training and advancement as your other employees and pay them the same. Underemployment is also an issue with the disabled. I am personally concerned that contracting opportunities are not readily available to the disabled. From Forbes: Under-employment for people with disabilities is defined as being employed in a job that is inferior by some standard - either in hours, pay or likelihood of being promoted. Underemployment can also plague people who are overqualified for a job - common when people have 20 or more years of experience.
- You may be able to get help from the government and nonprofits. There may be training programs, tax credits, and help with adapting the workspace. In the U.S., the Federal government has several programs to help with this. This is one example from the U.S. Chamber of Commerce.
We all have our comfort zones and getting outside of them is sometimes very difficult. As cybersecurity professionals we are constantly learning new things, solving issues in innovative ways, and seeing things from different perspectives. We need to use the attributes listed above to tear down barriers that exclude people from jobs they are qualified for and able to do, regardless of gender, race, or disability. All of us need to be on the alert for ways to bring more qualified people into the fight.