RSAC 2023 Delivers the Business Case for Inclusive Cyber Teams


Posted on by Megan Sawle

You’ve heard it before – there are not enough qualified candidates to fill open cybersecurity roles. It’s been a common topic at RSA Conference in recent years and RSAC 2023 was no exception. While the problem is well known and widely discussed, finding and implementing viable solutions remains a major challenge for most. 


Wednesday’s Inclusive Security sessions leaned into this year’s “Stronger Together” theme with a call to action for cyber leaders: we must make building diverse, inclusive teams a business imperative to patch the cyber talent shortage. And we need to do it today. In addition to taking the burden off existing staff, inclusive cyber teams drive innovation, build operational resiliency, and deepen brand trust. 


Panelists in the Diversity, Equity & Inclusion: The Paradoxical Effect & Impact on Security session kicked off the day with a focus on short- and long-term recruiting and retention strategies to drive sustained progress and results. 


Recommendations included community engagements and academic partnerships to support recruiting efforts, implementing employee mentorship and sponsorship programs, and setting program metrics that drive social accountability for engaging and retaining diverse talent. 


“There’s a difference between being invited to the dance – and being invited to the dance floor,” summarized panelist Colonel J. Carlos Vega. Beyond driving diversity in the candidate pool, Vega challenged hiring managers to also build the safe spaces needed to support and empower those same candidates throughout their career journeys.


Participants in the Strategic Approaches to Growing Talent session followed with several actionable ways to widen cyber talent pipelines. Implementing apprenticeships for recent graduates and career transitioners, tapping into the veteran and military spouse talent pool, and influencing K-12 curriculum were three methods they’ve successfully leveraged to drive awareness of cyber career opportunities, fill open cyber roles, and build inclusive teams.


Emy Dunfee, Director - Security, Incident Management at FirstBank, suggests cybersecurity hiring managers might be getting in their own way by overemphasizing skills and experience in the screening process. “I don’t care about your tech skills,” said Dunfee. “I care about where you want to go and what you want to learn. I can’t teach soft skills, but I can teach tech skills.”


Peter Dornheim and Dr. Thorsten Weber from SAP SE later confirmed this sentiment with new insights shared during Bridging the Cybersecurity Skills Gap: Re-Thinking Job Profiles. Their research found that more than 50% of cyber candidates self-select out of the application process due to burdensome position requirements and a perceived lack of experience, certifications, technical skills, and degrees. This misalignment of job descriptions and day-to-day role responsibilities is so systemic that when prompted by Dornheim and Weber to write an entry-level cybersecurity job description, ChatGPT included requirements for two years of experience and familiarity with multiple frameworks and technical tools. 


Dornheim and Weber’s recommended solutions are both simple and practical: organize job description skill requirements into required and optional categories to encourage more candidates to apply, and ask junior team members to review job descriptions for feedback before publication.


During the Gapped Out: Unconventional Strategies for Addressing Cyber Talent Shortage panel, Ben Brophy, Group Chief Technology and Information Security Officer at Reckitt Benckiser Group, shared that he classifies unfilled cyber roles as a business risk to drive awareness and urgency around hiring challenges. To mitigate this risk, Brophy and co-panelists Bobby Ford and McKaela Doherty from Hewlett Packard Enterprise suggest limiting job description requirements to mission-critical skills and giving more opportunities to candidates from non-traditional backgrounds.


Rob Duhart, Deputy CISO and eCommerce CISO at Walmart, and Camille Stewart Gloster, Deputy National Cyber Director at the Office of the National Cyber Director, urged RSAC attendees to focus on progress – not perfection – in the Strengthening Cyber Through Inclusion session. People from all backgrounds and communities build, buy, use, and manipulate technology, so it’s no surprise that the industry needs diverse cyber teams to stay a step ahead of bad actors.


As Duhart stated, “we underestimate the adversary when we build homogeneous teams.” To counter this, Duhart and Stewart Gloster suggest leaders commit to taking action now, but also remain realistic. Interviewing customers, running focus groups with product users, and running red and blue teaming scenarios staged in different communities are three easy steps any leader can take now to foster an inclusive culture.


For a full list of Inclusive Security sessions at RSA Conference 2023, please be sure to visit our library and check out the individual sessions On Demand.


Contributors
Megan Sawle

Director of Product Marketing, LogicGate


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

