Ed Adams discusses addressing the cybersecurity skills shortage and diversity imbalance. He outlines that there will be 3.5 million unfilled cybersecurity jobs by 2021 according to a Cybersecurity Ventures report. However, PCI standards have been influential in improving security and could help address these issues. If more groups like minorities and women are trained through PCI certification programs, it could help fill many open jobs. Diversity in the workplace also provides cultural and business benefits, with research showing diverse teams outperform less diverse peers. Speakers provide tips on successful diversity initiatives like mentorship programs, partnering with universities, and ensuring all groups feel included and supported in technical fields.

1. Ed Adams
Opening the Talent Spigot
Securing our Digital Future

2. About Me
• Director, ICMCP
• CEO, Security Innovation Inc.
• Mechanical Engineer, Software Engineer
• Research Fellow, Ponemon Institute
• Privacy by Design Ambassador
• In younger days, built non-lethal weapons
systems for government & law enforcement

3. Agenda
 Cybersecurity Skills Shortage & Diversity Imbalance
• PCI Impact on Cybersecurity
• Lessons Learned, Tips and References

4. Cybersecurity Skills Shortage
* Cybersecurity Jobs Report, Cybersecurity Ventures, sponsored by Herjavec Group
# The National Association of Software and Services Companies (NASSCOM)
“Until we can
rectify the quality
of education and
training that our
new cyber experts
receive, we will
continue to be
outpaced by the
Black Hats.”
- Robert Herjavec
• 3,500,000 million unfilled cybersecurity positions by 2021*
• India alone will need 1 million cybersecurity professionals by 2020#
• Israel (2nd largest exporter of cybersecurity tech after USA) leads
employer demand for cybersecurity talent by a wide margin
• “The Cybersecurity Talent Gap Is An Industry Crisis” – Forbes
• Cybercrime to cost the world $6 trillion annually by 2021*
No wonder the PCI DSS is so Necessary!

5. Cybersecurity Diversity Imbalance
by the numbers
Sources: Europa Eurostat May 2019; Center for Cyber Safety and Education;
https://www.catalyst.org; www.icmcp.org
“The under-
participation by large
segments of our
society represents a
loss of opportunity for
individuals, a loss of
talent in the workforce,
and a loss of creativity
in shaping the future of
cybersecurity.”
- Aric Perminter
• EU-28 Female workforce = 45%; Cybersecurity = 7%
• US Workforce
• Black/AA = 12%; STEM = 6%
• Hispanic = 15%; STEM = 7%

6. Cybersecurity Diversity Imbalance
by the numbers

7. Cybersecurity Diversity Imbalance
by the numbers
“Measures that can
be taken by
organizations to
help foster,
promote and
nurture the
success of this
group include
mentorship and
training
programs.”

8. Agenda
• Cybersecurity Skills Shortage & Diversity Imbalance
 PCI Impact on Cybersecurity
• Lessons learned, Tips and References

9. PCI DSS
“Arguably the most
influential, widely-
adopted non-
government/regula
tory standards ever
created for
cybersecurity”
- Ed Adams
• Since December 2004:
• Number of PCI certifications available 0  10+
• Introduced AppSec requirements in June 2006
• Full-stack coverage: network & systems, encryption, access controls,
identity management, staff training, etc.
• New PCI SSF addressing biggest threat to cybersecurity: software
• Cross-referenced and mapped to other standards
o e.g., NIST Cybersecurity Framework
• No breach of a fully PCI-DSS compliant organization in 14 years*
Always ahead of threat and attack landscape
* 2018 Verizon Data Breach Investigation Report (DBIR)

10. PCI DSS compliance
Worldwide
Overall compliance increasing but…
• Small dip in 2017
• GDPR pre-occupation?
• Not equal across industries
• IT services 77.8%
• Retail 56.3%
• Financial Services 47.9%
• Hospitality organizations 38.5%
• Is customer accountability a driver?
*Verizon 2018 Payment Security Report

11. PCI Training & Qualification Programs
Talk about Specialization

12. 3.5M
Jobs
PCI
Standards
Large
Body of
Keen
Talent
The easiest puzzle we’ll ever do!
• Supply: Those looking for cybersecurity jobs
o Master a PCI domain and be in demand
• Demand: Those looking to hire cybersecurity talent
o Consider developing via PCI/cybersecurity training
o Partner with minority groups for mentorship, recruitment,
train-to-hire paths, etc.
• Motivation: Get involved, personal or corporate
• ICMCP: https://www.icmcp.org
• WISP: https://www.wisporg.com/
3 highly complementary pieces

13. PCI Related Careers
Technical or Business
Sample Titles
• PCI Consultant
• PCI Analyst
• Project Manager – PCI
• InfoSec Manager
• PCI DSS Auditor
• Data Architect
• Compliance Officer
• Information Risk Manager
Jobs can focus
directly on PCI DSS,
have it as a subset,
be technical, or
more business
focused

14. Cybersecurity & PCI Education Resources
Many excellent free (and paid) options
PCI SSC
• https://www.pcisecuritystandards.org/program_training_and_qualification/webinars
• https://www.pcisecuritystandards.org/program_training_and_qualification/
US FTC
• https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity
NIST National Initiative for Cybersecurity Education (NICE)
• https://niccs.us-cert.gov/training
• https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework
OWASP Academy:
• https://owasp-academy.teachable.com/
Security Innovation CBT and Cyber Range:
• https://www.securityinnovation.com/training/
• https://www.securityinnovation.com/about/community/

15. Benefits of Workplace Diversity
Diversity means
varying gender, age,
religion, race,
ethnicity, cultural
background, sexual
orientation,
language, education,
abilities, etc.

16. The Proof is in the Pudding
Diversity has positive cultural AND business benefit
• Harvard Business Review
 Diverse teams are able to solve problems faster than cognitively similar people.
• McKinsey’s research
 Gender-diverse companies are 15% more likely to outperform their peers
 Ethnically-diverse companies are 35% more likely to do the same
• Catalyst research
 Companies with more women on the board statistically outperform peers
• Deloitte research
 Inclusive teams outperform their peers by 80% in team-based assessments
 Engagement is an outcome of diversity and inclusion.

17. Agenda
• Cybersecurity Skills Shortage & Diversity Imbalance
• PCI Impact on Cybersecurity
 Less Learned, Tips and References

18. Edna Conway, CSO
Global Value Chain, Cisco
• Need for education at multiple levels
• Pre-college STEM program, e.g., middle school digital natives
• Girl scouts cyber badge
• Embed security into existing (and excellent) programs
• e.g. FIRST https://www.firstinspires.org/
• Mission: position security as not just for engineers and scientists
• Her path: English Literature undergraduate degree then law school
• Invest in diversity groups at enterprises
• Many grass roots efforts; combine to gain economies of scale
• Men for Women / Him for Her
• “Do it with love. Do it because you care.”
• “Choose to help just 1 person and watch the ripples.”

19. Julian Waits
GM Cyber BU, Devo
• Frequent speaker at colleges, universities, and tech conferences
• What works well
• Must have commitment and passion from the people at the top of the organization
• Must fund initiatives for diversity & inclusion (D&I) … build a program
• Community of people with one voice, willing to push comfort boundaries on D&I issue
• Pick your area of focus: women, minorities, LGBTQ, whatever
• What doesn’t work
• D&I initiative that alienates others
• Others outside of your group aren’t the enemy
• Cybersecurity mentor was Caucasian
• Passion without a realistic strategy for success… treat your D&I program like a business
• PCI standards represents hugely important component of cybersecurity
• Only part of the security equation

20. Marybeth Westmoreland
CTO, Blackbaud
• What worked well
• Partnering with local universities through sponsoring equipment, clubs, etc.
• Cross functional Executive Women’s Leadership Council
• Spreads the “why”?
• Form allies with other internal groups: veterans, LGBT, etc.
• Make sure people feel secure in participating, promoting, etc.
• Challenges faced
• Minorities felt isolation in Scrum chain (worked hard to correct)
• Women/minorities went into product management & marketing instead of tech
• Career pathing was unclear; engaged HR to help
• Disparity widens as one elevates up the seniority ranks (sensitize C-suite)
• Unconscious biased training – must match to corporate culture

21. Vandana Varma
Security Solutions Architect, IBM Software Labs
Women in Cybersecurity Advocate
• Initiated InfoSec Girls in India to remove intimidation barrier
• Delivers free OWASP training to all diversity groups (3rd gender, any religion, whatever)
• Personal and professional impact
• Encourages continual dialogue
• Focuses on removing obstacles, primarily knowledge ones
• Had a mentor (male) who exposed her to InfoSec
• Thoughts on PCI Standards
• Has been a great door opener for women & minorities, especially in audit
• Mandatory gives it teeth and keeps security top of mind
• HUGE opportunity for minorities to get into Cybersecurity
• Advice
• Need for differentiation; focus on niche sectors (e.g. law and psychology)
• “Remove group think.” Go beyond “xyz for xyz”

22. Partnered with SI for D&I
Me
• Motivation
• Wife’s personal and professional experiences
• Tired of seeing ”myself” at CEO roundtables, board meetings, etc.
• Professional and personal initiatives
• Participate in Glassdoor Equal Pay Day
• Lean In member: practice tips as CEO of Security Innovation
• Run regular hacking events for LGBT, Women, Minorities
• DEFCON and ICMCP scholarship programs
• 13-week child leave policy
• Staff sensitivity training for transgender employees
• Impact I’ve seen
• Employees “coming out of shells”
• Employees getting involved
• Career changes

23. Conclusion
• Perfect storm to address multiple industry problems
 PCI standards + Keen, Capable Minority Population + Training  Fill millions of cybersecurity jobs
• Rising tides lifts all boats
• Cybersecurity is a business problem, not technical problem
 “Getting into security” doesn’t mean you have to be a hacker or coder
• Start early
 Promote STEM programs; encourage girls and minorities to stick with it
• Start small
 One mentorship, one program, one person
Good social, cultural, and business reasons to build diverse workforce

24. Ed Adams
Opening the Talent Spigot
Securing our Digital Future
@AppSec linkedin.com/in/edadamsboston/