
#ISC2Congress - Diversity: The Key to Cybersecurity’s Future

Oct 22, 2021

You could say one of the purposes of the annual (ISC)² Security Congress is to deliver an industry status check. How is the cybersecurity industry doing, what could be better, and what are the biggest challenges it faces?

This year’s Congress, which took place virtually from October 18 – 20, addressed a host of pressing topics in the industry, from combatting ransomware to zero trust implementation to protecting critical infrastructure against foreign adversaries. One of the biggest challenges, though, is to attract more diversity into the cybersecurity workforce to counter the shortage of personnel in the field. It was a theme that (ISC)² CEO Clar Rosso highlighted right at the start of the event in her welcome address.

Cybersecurity remains a white male-dominated profession. Making it more diverse and inclusive is critical to addressing some of the biggest challenges the industry faces. That includes filling a worldwide shortage of 2.7 million professionals and coming up with effective, innovative solutions to combat cyber adversaries that never seem to run out of creativity, energy and motivation.

As Rosso made the case for increased diversity live, (ISC)² published a study on diversity, equity and inclusion (DEI) called “In Their Own Words: Women and People of Color Detail Experiences Working in Cybersecurity,” which highlights the personal experiences of globally diverse cybersecurity professionals and makes recommendations on initiatives that could help organizations be more successful in recruiting and retaining diverse talent.

During a panel on women in cybersecurity on Tuesday morning, participants tackled the reasons why it is so hard for women to enter the field. Intimidation, said Meg West, an IBM X-Force Incident Response member, is one reason. Many women are intimidated by the field, which helps to explain why they remain underrepresented in cybersecurity, she said.

When deciding whether to apply for a job, a woman lacking some of the qualifications will not apply, she said. However, a man lacking the required skills is likely to apply anyway.

During the same panel discussion, Aanchal Gupta, vice president of Azure Security for Microsoft, used her own experience as an illustration of this issue. Gupta said she turned down her first opportunity to work in cybersecurity because she felt unprepared, even though she had led an identity and user management team for eight years. Part of the reason she felt unqualified was the lack of a cybersecurity degree.

Eventually, she realized, no one in cybersecurity knows everything about it. “The cybersecurity space is so broad that you can always think you will know it a mile wide and an inch deep,” she said. Different people have different areas of expertise, she said. Whatever your background, she added, bring it to the table because the field needs diversity and people with different skillsets.

At a different panel on Monday, speakers discussed the challenges faced by women and men from ethnic and minority groups working in cybersecurity. Dwan Jones, an independent diversity consultant working with (ISC)², revealed that participants in focus groups commissioned by (ISC)² said they struggle with feeling a sense of belonging, not being heard by leadership, and having their ideas stolen for the advancement of others.

Zero Trust Implementation

The need for different skillsets is undeniable as the industry looks to address challenges brought on by new technologies and practices. One of the most pressing concerns is how to protect critical infrastructure, which was one of the event’s main themes.

There was also a lot of discussion on the concept of Zero Trust security; it was one of the areas former CISA Director Chris Krebs touched on in his opening keynote address. It’s also one of the measures that an Executive Order issued by President Joe Biden in May instructs federal agencies to implement.

On Monday afternoon, Heather Lowrie, lead security architect for National Records of Scotland, talked about implementation of Zero Trust strategies and architectures in hybrid environments. Securing the perimeter may have worked in the past, she noted, but the proliferation of endpoints and evolution of the threat landscape have brought about a paradigm shift in security.

Essentially, Zero Trust boils down to making authentication decisions “as close as possible to the resources,” Lowrie said. A process of authentication and authorization is required each time users and devices attempt to access a resource to ensure they have the right level of privileges.

Lowrie said this requires a new mindset because it fundamentally changes how security architects have developed their models, which traditionally were based on trusting everything inside the perimeter and distrusting outside users.

Zero Trust also came up in a presentation by Daniel Paillet, Cyber Security Lead Architect at Schneider Electric’s Energy Management Business Unit. Paillet’s session focused on how to secure the architecture of the Industrial Internet of Things (IIoT) so that it delivers the safety and reliability paramount to the critical operations it supports.

“I think the Zero Trust model is going to become more and more pertinent,” he said. “It’s going to play a bigger and bigger role. I haven’t architected a zero trust network yet but hope to soon.”

Diversity and Innovation

As Lowrie mentioned, Zero Trust requires a new way of thinking. So do many of the challenges faced by cybersecurity professionals. Meeting them all will require perseverance and ingenuity, as noted by another keynote speaker, Adam Steltzner, chief engineer and mission leader of NASA’s Mars 2020 mission.

And as Steltzner said in answer to a question from Rosso, diversity and inclusion can help better prepare a team to innovate and meet its challenges. He should know; after all, he and his team have landed three spacecraft on Mars.

Registered attendees of (ISC)² Security Congress 2021 can view all breakout sessions on-demand. CPE credits will be applied automatically on your behalf as you view until December 31, 2021.