When deciding which secure coding training program is right for you and your team, it’s important to choose a program that won’t unintentionally alienate certain groups. In 2021, it’s common knowledge that diversity improves performance and business outcomes, although the field of cybersecurity lags precariously behind other fields in terms of gender and ethnic diversity. If your goal is to improve the overall security of your company’s software by integrating secure coding practices into your software development lifecycle, there are certain considerations you and you and your company’s Chief Information Security Officer can make to ensure you are setting your team — and company — up for greater success.
How bad is the diversity problem in cybersecurity? Research suggests that only 11 percent of jobs in the global cybersecurity workforce are held by women. This is unfortunate for many reasons, one of which is that gender-diverse teams are smarter, and have been found to outperform homogenous teams in decision-making tasks. According to the Harvard Business Review, “by breaking up workplace homogeneity, you can allow your employees to become more aware of their own potential biases — entrenched ways of thinking that can otherwise blind them to key information and even lead them to make errors in decision-making processes.” With a global talent shortage in cybersecurity threats listed by Gartner as the top threat to businesses in 2019, with almost half of organizations surveyed as having experienced “security incidents due to lack of security staff or specific skill sets over the past two years,” it’s time to think hard about how to close staffing gaps and create more diversity in the industry.
When assessing some of the reasons why women seem to be repelled from the field of cybersecurity, researchers have turned to examining language — specifically, how unintentionally gendered language may play a role in keeping women at bay. An analysis conducted by CSO Online looked at the language in recruiting ads and found nearly twice as many male-gendered terms as it did female-gendered terms in job ads. The researchers hypothesize this is one of the reasons why women aren’t seeking jobs in this field. If language is deterring women from entering the field of cybersecurity, it certainly has an impact in learning opportunities within the field for those already working in the world of software development.
In the world of secure coding training programs, you don’t have to look far to see programs riddled with gendered, violent language. Many of the programs out there use language and gamified training strategies that equate software development to warfare. And while protecting computer systems from attackers is something of an arms race, not every app developer wants to equate themselves to a ninja, warrior, or dragon slayer — and they don’t need to in order to write functional, secure code. If going on “missions” or attending “boot camp” doesn’t sound appealing to you, you’re not alone.
So what can managers do to increase representation across diverse groups? One recommendation from HBR is to “recognize that subtle, intentional shifts can have ripple effects.” Another recommendation comes from the UN Women’s empowerment principles (PDF), a set of principles for business offering guidance on how to empower women in the workplace: to “promote education, training, and professional development for women.” By making sure the language used in the educational material you select to educate your developers is gender neutral, non-violent, and accessible to everyone, you can ensure that the hard work your company did toward hiring a diverse team of developers is not lost when it’s time for security training, and that everyone on the team has an equal opportunity to bring their security awareness up to par as your company moves through the software development cycle.
Serving an industry where less than 48 percent of software developers say their organization provides training on how to secure the coding process — even though 40 percent of attacks against vulnerable applications could be thwarted if developers had training — we’re interested in how to increase that overall statistic.
That’s one of the reasons why we think it’s so important to make sure our training material doesn’t contain language or imagery that could intentionally bias the uptake and success of our programs. And when more women IT security professionals are involved, everyone wins, as Symantec found that they “put a higher priority on internal training and education in security and risk management,” and “are also stronger advocates for online training.” That’s why we take language into consideration at every turn and aim to design our secure coding training programs in a way that intentionally creates an equitable learning environment for everyone.