Mr Wesley Simpson Chief Operating Officer ISC 2 ISC 2 Congressional Testimony The Subcommittee on Cybersecurity Infrastructure Protection and Innovation of the Committee on Homeland Security Tuesday May 21 2019 310 Cannon House Office Building Mr Chairman and esteemed members of the committee thank you for inviting me here today to testify on behalf of ISC 2 regarding the goal of a more inclusive and diverse cybersecurity workforce My name is Wesley Simpson and I am the Chief Operating Officer for ISC 2 Headquartered right here in the United States ISC 2 is the world’s largest nonprofit membership association of certified cybersecurity professionals We function as an advocate for the cybersecurity profession and as a training and certification body Our certifications are approved by the American National Standards Institute ANSI which is the primary organization for fostering the development of technology standards in the United States As part of our association’s stated mission to inspire a safe and secure cyber world we regularly commission market research on a host of relevant industry topics that help to inform our global base of more than 140 000 certified members across more than 170 countries as well as influence policy discussions corporate programs and educational opportunities In the course of doing so we have issued research related to the size of the cybersecurity “workforce gap” since 2004 The state of the industry has changed quite a bit over that time and ISC 2 is constantly identifying ways to improve its research methodology to keep up with the evolution of the market As part and parcel of our workforce research we are in a position to be able to identify the demographic make-up of the cybersecurity workforce as it changes and I’m pleased to share some of those findings with you today as well as some conclusions we might draw from them Our most recent round of workforce research was conducted in 2018 and reveals a cybersecurity workforce shortage of 498 000 skilled professionals in the United States alone and 2 93 million globally This points to a growing gap in the amount of cybersecurity staff that private sector and government bodies indicate they need to maintain optimal security and the amount of skilled professionals currently available As a point of clarification this is not meant to indicate that there are currently one half million open or unfilled jobs As we collectively explore ways in which the talent pool can be increased it’s important to recognize the clear under-representation of women in the cybersecurity workforce While Department of Labor statistics1 indicate that women make up 47% of the overall U S labor force our research shows that they only constitute 22% of U S cybersecurity staff and only 24% of global staff To be more specific that figure includes anyone for whom at least 25% of their daily job tasks consist of security-related activities not just those with cybersecurity titles This expands our view to include those with IT roles for example who have some cybersecurity responsibilities This change to our methodology was made in 2018 to more closely mirror the reality of how cybersecurity is executed at the ground level and more importantly by who We also found that pay inequality between genders remains an issue and is something that could affect a woman’s decision to pursue a career in our field If we can find more ways to attract women to cybersecurity and make it a welcoming profession we may be able to decrease the cybersecurity workforce gap to a large degree There are more ISC 2 Congressional Testimony – May 21 2019 - 1 findings specific to our “2019 Women in Cybersecurity Report” found in my written testimony but I wanted to highlight the obvious under-representation as the key data point for discussion here today Another under-represented group identified through our research is ethnic and racial minorities Our 2018 study titled “Innovation Through Inclusion The Multicultural Cybersecurity Workforce ” showed that just 26% of the U S cybersecurity workforce identifies as nonCaucasian While this compares favorably to Department of Labor statistics that show only 22% of the overall U S labor force is made up of minorities2 this is still a low ratio that could be improved by creating programs that specifically market the path to a cybersecurity career to a wider talent pool Furthermore employment among cybersecurity professionals who identify as racial or ethnic minorities tends to be concentrated in non-management positions with fewer occupying leadership roles despite being highly educated And here as well our research showed that an inequity in pay exists Despite higher levels of education a cybersecurity professional of color earns less than their Caucasian counterparts on average Under-participation in cybersecurity by large segments of our potential workforce be it women or minorities represents a loss of opportunity for individuals and a loss of collective creativity in solving the problems we face in the field Not only is this an issue of inequity it is a threat to our global economic viability as a nation The major opportunities as we see them are a stronger focus on equal pay for women and minorities in cybersecurity more advancement and leadership opportunities for deserving professionals formalized mentorship programs to help unearth untapped potential and hidden talents and more programs that expose young women and minorities to technical skills earlier in their educational lives I thank you for your time today and look forward to answering any questions you may have to the best of my ability End of Opening Oral Statement ISC 2 Congressional Testimony – May 21 2019 - 2 Following are key data points from ISC 2’s two most recent studies that touch on diversity The first is the “Innovation Through Inclusion The Multicultural Cybersecurity Workforce” study submitted as Exhibit A which was released in March 2018 based on 2017 data from the ISC 2 Global Information Security Workforce Study – submitted as Exhibit B The second is the “2019 Women in Cybersecurity Report” submitted as Exhibit D sourced from data within the 2018 Cybersecurity Workforce Study – submitted as Exhibit C Key data points from each are identified below Minorities in Cybersecurity The diversity report was developed by ISC ² and The Center for Cyber Safety and Education in partnership with Frost Sullivan Although the study is global in its scope questions of race and ethnicity were asked only to respondents in the U S This report was developed by ISC ² in partnership with the International Consortium of Minority Cybersecurity Professionals ICMCP Findings were based on survey responses from 9 500 U S cybersecurity professionals Employment among cybersecurity professionals who identify as a racial or ethnic minority tends to be concentrated in non-management positions with fewer occupying leadership roles despite being highly educated Key Findings  Minority representation within the cybersecurity field is at 26% which is slightly higher than the overall U S minority workforce which was at 21% at the time the study was conducted  62% of minorities in cybersecurity have obtained a master’s degree or higher compared to 50% of professionals who identified as White or Caucasian  23% of minority cybersecurity professionals hold a role of director or above compared to 30% of their Caucasian peers  On average a cybersecurity professional of color earns $115 000 while the overall U S cybersecurity workforce average is $122 000 32% of cybersecurity professionals of color report that they have experienced some form of discrimination in the workplace To foster diversity in the workplace 49% of minority cybersecurity professionals said mentorship programs are very important   Conclusions  Despite higher levels of education a cybersecurity professional of color earns less and is underrepresented in senior roles o Racial and ethnic minorities tend to hold non-managerial positions and pay discrepancies especially for minority women women of color make an average of $10 000 less than Caucasian males and $6 000 less than Caucasian females is a challenge  With the estimated global cybersecurity workforce shortage at 2 93 million we need to make the profession inviting to all  Understanding the challenges our profession faces related to diversity is a critical first step in accomplishing that goal and ultimately addressing the widening cybersecurity workforce gap ISC 2 Congressional Testimony – May 21 2019 - 3  Mentorship programs and better representation in senior roles are needed to help advance minority cybersecurity professionals  Companies with more diverse workplaces perform better financially Data from McKinsey and Company report titled “Is There a Payoff from Top-Team Diversity ” Key Takeaway  Under-participation in cybersecurity by large segments of our potential workforce represents a loss of opportunity for individuals and a loss of creativity in solving the problems we face in the field Not only is this an issue of inequity it is a threat to our global economic viability as a nation The major opportunities as we see them are a stronger focus on equal pay for minorities in cybersecurity more advancement and leadership opportunities for deserving professionals and formalized mentorship programs to help unearth untapped potential and hidden talents Women in Cybersecurity On Tuesday April 2 2019 ISC 2 issued its 2019 Women in Cybersecurity Report sourced from data within the 2018 Cybersecurity Workforce Study The headline finding from the report was that women make up an estimated 24% of the global cybersecurity workforce It’s important to understand where this number came from The figure is derived from the Workforce Study which was actually fielded twice within the 2018 calendar year in order to confirm the relative accuracy and integrity of the data Both waves of research produced the same statistically valid results Last year’s global Workforce Study was a departure from the way past studies have been fielded and the way the workforce gap had been calculated previously and that’s what has led to a seeming increase of women in the field from 11% to 24% over the two year period since we released our last Women in Cybersecurity report As such we do not make the claim that there has been a 13% increase over a two-year period but we feel that our new methodology explained in the section below provides a more accurate picture than ever before of the true make-up of the workforce IMPORTANT We did not address the issue of discrimination against women in this report so we don’t have data to share While it is an important topic of discussion in our industry this particular report does not address it specifically and we focused on the demographic of professionals in the workforce as opposed to the hurdles they face Methodology Past ISC ² research had estimated the percentage of women working in cybersecurity at 11% but with a change to research methodology – including surveying IT ICT professionals who spend at least 25% of their time on security activities – that number is now believed to be 24% Results presented in the report are extracted from a study conducted by ISC ² and Spiceworks in August 2018 The sample structure was carefully designed to obtain feedback from a diverse group of professionals working in cybersecurity roles and the survey measured various aspects of working in the cybersecurity field including workforce staffing shortages education and skills needed to do the job and challenges faced in the profession 1 452 individuals from North America Latin America and Asia-Pacific participated in the survey The margin of error for this research is plus or minus 3% at a 95% confidence level Below are the three key messages that rise to the surface related to the report Following those some notes on other relevant data points that may be of interest ISC 2 Congressional Testimony – May 21 2019 - 4 Key Findings 1 Today’s figure reflects more women in cybersecurity than previously estimated o 24% of the overall cybersecurity workforce is female Recruiting from traditionally overlooked demographics will be a huge part of closing the current global talent gap of 2 93M We need more women and more young talent to join us as well as individuals who want to transfer other skills into a career in cybersecurity and we need to show them why and how they should do so 2 These women are younger highly-educated and moving into leadership roles 45% of women surveyed are millennials compared to just 33% of men This will radically alter the gender balance in the cybersecurity profession in the next decade as the Baby Boomer generation continues to retire in larger numbers o Women also bring higher levels of education to cybersecurity More women 52% in the survey hold a post-graduate degree than their male counterparts 44% o Women in the field are advancing to leadership positions Higher percentages of women than men are attaining senior leadership and decision-making positions o ▪ Chief Technology Officer – 7% of women vs 2% of men ▪ Vice President of IT – 9% of women vs 5% of men ▪ IT Director – 18% of women vs 14% of men ▪ C-level Executive – 28% of women vs 19% of men 3 There are still challenges to face including pay inequity o 17% of women globally reported annual salaries between $50 000 – $90 000 as compared to 29% of men and 15% of women earn between $100 000 – $499 999 while 20% of men earn at least that much Other key data points to be aware of  Women and men have pretty much the same workplace values priorities and aspirations Both place a similar level of importance on salary and working close to home and use the same skills at work  The report indicates that men and women share a lot of the same concerns about their roles including lack of commitment from upper management the reputation of their organization risk of seeing their job outsourced lack of work life balance the threat of artificial intelligence AI reducing the need for cybersecurity workers and a lack of standardized cybersecurity terminology to effectively communicate within their organizations Key Takeaway  Although we now see women making up nearly one-quarter of the cybersecurity workforce we need more gender balance in order to strengthen our national and global cybersecurity readiness The opportunities that exist revolve around making cybersecurity a more attractive career path for women This could be supported by enforcement of equal pay between genders and the creation of more programs that expose young women to technical skills earlier in their educational lives In terms of breaking down the roles in which women participate in cybersecurity hence the jump from 11% to 24% it is difficult to draw any hard and fast conclusions and this is a pretty nuanced point but I think the first attachment to this email is a good way to look at the differences You can see that men disproportionately outnumber women in the roles of Security ISC 2 Congressional Testimony – May 21 2019 - 5 Specialist and Security Compliance Officer both of which would be considered “cybersecurity” titles that would have been included in our research prior to 2018 When you add in roles such as Help Desk Technician IT Director VP IT and CTO you can see that there are a higher percentage of women Of course that doesn’t mean there are more women than men because women still represent a 3-1 minority ratio of the overall total in the profession but you can see how that percentage of women starts to shoot up from 11% to 24% with the inclusion of the more general IT roles Additionally it’s important to understand that our data prior to 2018 also largely surveyed ISC 2 members as part of the sample and our members are required to have at least five years of professional experience in cybersecurity in order to earn a certification Therefore when we opened up the survey to a broader audience and adjusted the methodology this led to the inclusion of many other professionals who while they have not been certified are still doing the work of cybersecurity That added a larger percentage of women to the overall count 1 2 U S Department of Labor - https www dol gov wb stats NEWSTATS latest demographics htm#LF-SecRaceEthnicity U S Department of Labor - https www bls gov opub reports race-and-ethnicity 2017 home htm ISC 2 Congressional Testimony – May 21 2019 - 6