- Employee awareness
- 6 min read
The diversity problem in cybersecurity has gained another dimension of late. It seems the good-guy AI algorithms we’re relying on as a bulwark against a hyper-agile threat community are developing a bias problem.
From racially flawed facial recognition to recruitment aids that discriminate against women to one-sided threat analysis tools, artificial intelligence has ended up duplicating real-world problems. A reflection of our own propensity to uniformity and group think.
Which is a worry.
After all, AI is supposed to lead to free-ranging, adaptable and radically innovative solutions to some of the most intractable problems we face.
That includes defending against the bad guy’s own use of AI, powering malware mutations that lack such niceties as identifiable signatures. It includes also AI tools able to sniff out the subtle signs of a compromised system.
Is AI-bias bringing new problems?
We also want to use AI systems as efficient workhorses to ease our debilitating skills shortage. But is AI-bias bringing new problems alongside these solutions?
Of course, our problem here isn’t with the AI itself. It’s with the people bringing AI to life.
Whether it’s the code behind the AI systems or the data that’s being fed to them, the human hand is hard to remove. So, the original sin of low diversity in the cyber sector is spilling into the digital domain.
So, how do we tackle this troubling dimension to the diversity problem? Well, to state the blooming obvious, diversity isn’t the problem. It’s the solution. We need to tackle the problem at source and make the cybersecurity community more welcoming.
There are hopeful signs of arms being more open. The bellwether of buzz that is the conference scene has shifted from talking to doing. Those attending Black Hat in Las Vegas in August will have noticed that child daycare and nursing rooms were added to the list of facilities on offer. Defcon has similarly raised its game on inclusivity.
The International Consortium of Minority Cybersecurity Professionals (ICMCP), which is holding its 4th conference in September, has recently announced its keynote speaker to be Chris Young, CEO of McAfee. Diversity really is top of the boardroom agenda for the cybersecurity industry, as our good friends at SASIG show with their second dedicated event on diversity this year, in September.
And on some fronts at least, the reality on the ground is shifting too. Whereas two years ago, women were found to make up just 11% of cybersecurity employees, the latest survey by ISC2 has that proportion up to 24% of the overall workforce for 2019.
Ethnic minorities in the US are now at 26% of the cybersecurity workforce, above their representation in the wider workforce. There’s still a long way to go – fewer of those positions are managerial than would be expected – but it’s progress.
And there’s money being put on the table, where once there was talk. The third round of the UK Government’s funding for tackling the cybersecurity skills shortage is all about diversity. The Department for Digital, Culture, Media and Sport (DCMS) has announced that, through its Cyber Skills Immediate Impact Fund (CSIIF), providers can apply for up to £100k each for cybersecurity diversity training programmes.
But how can we help sustain that welcome momentum and broaden it across the spectrum of diversity?
Well, TSC has ‘culture change’ in its DNA – changing security cultures is at the heart of the advice we give to our customers. Previously, TSC's Managing Director, Zoe Edmeades, has also spoken about how we need to think about recolouring the diversity picture through the prism of cultural change.
It’s a bold agenda, but one we’re totally committed to here at TSC. Diversity doesn’t seem to be an issue for the bad guys – we need to embrace it too.
If we’re to avoid polluting one potentially critical solution to the cyber-skills crisis – AI-powered defensive and supportive systems – with our current monoculture of perspectives, then diversity needs to stay at the top of the agenda for our community.
© The Security Company (International) Limited 2023
Office One, 1 Coldbath Square, London, EC1R 5HL, UK
Company registration No: 3703393
VAT No: 385 8337 51