Podcast with Dr. Kevin Harris, Program Director, Cybersecurity, Information Systems Security and Information Technology and
Larry Whiteside Jr., founder, International Consortium of Minority Cybersecurity Professionals
The vast majority of cybersecurity professionals are white men, but there’s a major push to close this diversity gap. In this episode, learn about the changes organizations must make to successfully recruit more minorities and women, and the role of schools to build awareness about cybersecurity opportunities among young students. Join AMU cybersecurity program director Dr. Kevin Harris as he talks to Larry Whiteside Jr. about his job as a Chief Information Security Officer (CISO); the evolution of cybersecurity during his 25-year career; and the passion driving his work as a founding member of the International Consortium of Minority Cybersecurity Professionals.
Read the Transcript:
Dr. Kevin Harris: Welcome to the podcast Protect and Secure. I’m your host, Dr. Kevin Harris. October is Cybersecurity Awareness Month, and we’re grateful for you sharing a few moments on this very important topic.
Today’s guest is Larry Whiteside Jr., a former Air Force officer who ran InfoSec at the Pentagon before cyber even existed. He served as CISO for multiple large organizations over his vast 25-year career, and more recently he founded the International Consortium of Minority Cybersecurity Professionals. Welcome to Protect and Secure, Larry.
Larry Whiteside: Thanks for having me.
Dr. Kevin Harris: Larry, with this being Cybersecurity Awareness Month, do you mind just sharing a little bit with us and our listeners about your career and how you’ve seen this cybersecurity field grow?
Larry Whiteside: Absolutely. So it’s been an amazing journey. If I think about where we started in the mid- to early-90s, right, where it was really about network security at that time, because we were just getting to the world of really interconnecting devices. And we were focused really on the network. We were focused on that infrastructure piece of trying to watch bad guys coming in across this new thing that we were experiencing called the internet.
And as we watched it grow and change and morph, and all these different things come about to where we are today with this thing called the cloud and all the new threats that we’re starting to experience. It’s been a wonderful journey, right?
I didn’t, I couldn’t have predicted where we are today, but I can honestly say, I’m glad that I’m a part of it. I think God purpose-built me for this industry. I think to be successful in the field of cybersecurity, you have to have a certain mindset, and there’s a certain way of thinking as it relates to just everyday risk and how you deal with things in technology. So it’s been fun to watch, and I really think we’re, we’re still in the midst of massive change that we’re going to see happen over the next two decades as well. With information and data becoming so sprawling and so broad, I think we’re in for a lot more change and I’m excited about that.
Dr. Kevin Harris: Yeah, Larry, when I hear you use excitement and fun as you talk about your career, it sounds like it’s been a very rewarding career. Do you mind just talking a little bit about the current state of the workforce in cybersecurity and any gaps here in the country and globally?
Larry Whiteside: Yeah, so the current state of the workforce is an interesting dilemma. There are two sides to a coin that we get into a debate on a regular basis.
So the first side is, do we have a talent gap? And some people say there is not a talent gap, right? Some people say there’s no talent gap because there are people in the field of cybersecurity who have skills and cannot find a job. Well, the reality is, is we’ve got millions of open jobs.
And so for those who think that there’s not a talent gap, what they say is we are just poorly writing job descriptions. We’re writing jobs for things like certification. We’re writing jobs that require things that are absolutely placing people out of an ability to actually get into them. Wanting an entry-level job with two years’ experience. Wanting someone to have a four-year degree, right? Having all these requirements that really don’t line up to where people are at skills-wise.
The other side to the coin is people saying that well yeah, there is a skill shortage because when you look at the field and you look at the number of people coming out of college or coming out of just any aspect of learning, trying to enter the field, the number of jobs that is being created is more than the number of people coming into it. So we’ve got this dilemma of the two.
From my perspective, a way to solve this is diversity, right? If you look at the field as a whole, the largest percentage of people in the field of cybersecurity is white men. Now that’s common amongst many technology disciplines, and that’s common amongst many different career fields. But when you look at the lack of diversity coming into the field, there’s a combination of problems that have led to that, right?
I don’t want to get on the whole social injustice and lack of education and things of that nature, but there’s a lot of that plays into the fact of people not even knowing that the field of cybersecurity exists.
If you go into underserved neighborhoods, if you go talk to a school of all women or all girls at the middle school and elementary school level, they don’t even know about cybersecurity. It’s not a field that they are aware of, right? It’s not something they even recognize as an opportunity for them to go into and feel like they can do something. And so if they don’t know the field existed, you’re not going to get people to come into it.
But then once they do know, if you don’t empower them and make them recognize that they are capable, that they can develop analytical thinking, and that they can be successful in this field, then you’re not going to get people to go into it.
Because diverse candidates, it’s been shown that at the seventh and eighth grade, girls and people of color tend to convince themselves that they’re not good at certain STEM- and STEAM-based disciplines.
And we know that in the field of cybersecurity, it’s important to have analytical thinking. It’s important to be able to do analytical problem-solving. So if someone has convinced themselves that they’re not good at these types of things at an early age, by the time they get to a point of graduating high school and getting ready for college, or are in college in whatever discipline they’re in and looking to join the workforce, this isn’t necessarily a field that they will have prepared themselves for.
And so I think as it relates to the lack of diversity in the field, the lack of talent that some people feel exists in the field, the plethora of jobs that are continuing to be created in the field. I think if we start early and we create a better pipeline at the middle school and up level, as well as for those people in high school or coming out of high school, or in college and coming out of college, create better training mechanisms to get them prepared for the workforce and create the analytical thinking and the mindset that they need to be successful, we can help fill a lot of these gaps.
Dr. Kevin Harris: When you talk about those gaps and diversity, I know you’re the founder of the International Consortium of Minority Cybersecurity Professionals. Do you mind just describing ICMCP for our listeners and how that organization supports closing the skills gap?
Larry Whiteside: Yes, absolutely. So, I am very blessed to have a circle of friends who are very like-minded. And in 2014, a number of us came together because in our global travels, right, for work and for speaking and everything else, we all came to the same realization that there are not enough people that we see that look like us.
It doesn’t matter where we were. We could be in Johannesburg, or we could be in the UK, or we could be anywhere here in the states or Canada. No matter where we went, the room was never filled at that time with more than 15% in total of women and minorities.
We felt there was a problem, and so when we formed the ICMCP our goal was to what we call to close the great diversity divide, right? We recognized that there was a huge gap in how diverse candidates were coming into the field, the number that existed in the field, and how they were being not just utilized, but also trained and educated to be able to get to the next level.
Because our goal is we want to see a lot more diverse CISOs. We want to see a lot more diverse C-level executives, right, in the field of cybersecurity, because then theoretically they will reach back and pull more that look like them, more that have backgrounds like them, more that come from these diverse backgrounds as well. Because it leads to better outcomes for the company.
So from an ICMCP standpoint, what we’re doing now to really help close this gap is we are providing training mechanisms. We are providing a job pool, right, where we identified this year and a number of conversations that we’ve had over the last year, that there’s a sourcing problem for diverse candidates in cybersecurity.
All of these hiring companies that I’ve spoken to for months and months and months at a time, they all say, Hey, you know, we want to hire diversity. We have the best intentions. We’ve put these jobs out to hire diverse candidates, but we just seem to not be getting them to apply.
And that’s because when a company goes to hire, even if they change their mindset to say they want to hire diversity, if they haven’t changed their tactics, then they’re going to get the same candidates they’ve always gotten.
So they’re just putting it on LinkedIn, and they’re just putting it on Dice, and they’re just putting on Indeed and the normal job sources, and they’re just giving it to head hunters, they’re going to get a lot of the same results that they’ve always gotten.
They also aren’t taking into account something I mentioned earlier as it relates to the requirements and what they put down as requirements for the role. If you are putting down that a degree is mandatory, if you’re putting down certain certifications are mandatory, if you were putting down certain things, you may be literally canceling out a large population of diverse candidates because they don’t have some of those things, right?
There’s a far greater likelihood for a person of color to not go to college than to go to college. So if you put a college degree is required, are you going to necessarily get as many diverse candidates as you’re going to get non-diverse candidates? Probably not.
So when you think about that, then you have to factor in, it’s been statistically proven that diverse candidates will not apply to roles to which they do not align to nearly 100%. So back to the point of the requirements. If you’re putting requirements on there, which someone does not completely align to, even if they align to almost everything else, if there are one or two that they don’t align to, nine times out of 10, they’re not going to apply.
So what we’re doing is, in recognizing these two competing powers, we’re working with hiring entities to post jobs in our cyber careers area. What that does is that then allows our members who get to see these jobs to know, “Oh, these jobs they’re being posted because they specifically want someone who looks like me. They specifically want someone with my background. They specifically want someone who brings to the table potentially what I bring to the table.”
So it removes some of the apprehension that these diverse candidates may bring to the table as it relates to not applying for the role, and what we’re seeing in working with these hiring entities is that they are getting a better list of diverse candidates in front of them for potential roles.
Dr. Kevin Harris: Thanks, Larry. I really appreciate that perspective and sharing what ICMCP’s purpose is and some of the great work that you all do there. Another question: There’s a lot of interest for individuals that are in the military or have an interest in going into the military. And I know with your military background it’s probably a question that you get a lot. Any advice you could give someone who’s interested in serving our country through military service and also interested in the cybersecurity field?
Larry Whiteside: Yeah. So if you are interested in going into the service, right, it’s an honorable thing to do, and it’s a personal decision. I loved the military. I miss a lot of the camaraderie and brotherhood that comes from the military, and I owe the military a lot because it created the guy that everyone sees today, right? It is part of the foundational components that created who I am today.
To add to that, the military also is one of the leading entities as it relates to cybersecurity and innovation, right? The military, and the Department of Defense, and government as a whole are doing a lot around cybersecurity because at the end of the day the next major war is going to be a cyberwar. Right? And so because they recognize that they are ramping up their investment in cyber consistently. They are doing a number of different, innovative things on a regular basis.
So it is a good way for someone to go in and get a very good from the ground up training and understanding. Because the other thing the military does well is train.
In the private sector, we have not gotten to the point of building good career paths for our employees in the cyber field. We just don’t do a great job of it. But the military does. The military because of the rank structure and system, they’ve got a very, very good training program to align both your rank and the skills that you need as you move up. And so it’s a good way to start.
The military is not for everybody, right? Because some people feel that the military is very regimented and very, very strict. But the military does serve a great purpose, and as I stated, me being a former military member, I do miss it.
Dr. Kevin Harris: Larry, one of the things that I left out earlier when we talked about your being a CISO with multiple organizations, could you just explain that title and what that means for someone in that role?
Larry Whiteside: Yeah. The Chief Information Security Officer is a very interesting role, and at the end of the day, the role is purpose-built to really manage technical and data risk for an organization, right? We sometimes call it the top of the food chain in the field of cybersecurity on the operation side.
But what a lot of people don’t realize is when that role really began, probably a couple of decades ago, where it was officially starting to be called CISO, it was largely a technical role, right? You went into a number of organizations and the people who sat in that role were deeply technical. They were talking about switches and firewalls. And when they put together PowerPoints, it was a lot of numbers and things on there that were really technically driven.
Today’s CISO, today’s Chief Information Security Officer is largely a business person, which is why we’re starting to see people come from different disciplines and backgrounds into the CISO role. I know some great CISOs who have little to no technical background because they came out of other disciplines. Some of them have come out of different aspects of business to being the CISO.
And so today’s CISO business leader has to understand the business just as well as any leader of a particular business unit does. They have to understand the business just as well as the CEO does. They have to understand business strategy because, at the end of the day, the CISO is one of the people leading the technology risk persona. They’re one of the ones who are helping to make the risk-based decisions as it relates to how data is used, how data is accessed, and what technology is going to help enable the business to be better, and what security controls must go in place.
As the role transitioned over the years, it was funny to watch it go from—and I was in it—go from me being required to be really technical, to then people looking at security as the office of where it was just the place that people came, where we told them what they couldn’t do.
It started to become this business entity where we started participating in more strategically and understanding business strategy so that we can get ahead of the business strategy and implement mitigating controls so that we could enable the business to do what they wanted securely versus trying to bolt something on at the end.
So it’s been an interesting journey, and most CISOs that you speak with today that have been in a CISO role for 10 years or more can talk about this journey quite a bit. And it’s been fun. It’s been very interesting to see.
But I will say, it is a job that I don’t think everybody sees it and they think they want it because of the paycheck, and they think they want it because it is, quote-unquote, the top of the food chain. But I don’t think a lot of people realize and understand a lot of the strife that comes with the role, right? The politics.
Corporate politics are painful and they’re not fun. And being in the CISO role, you tend to have to deal with corporate politics. It’s not something that I ever anticipated having to work through. And so it’s part of the reason, with all of these other things outside of where the CISO role started, that you sort of see the CISO role, the tenure of the CISO role being 18 to 24 months.
Dr. Kevin Harris: I can definitely see that. As you talk about the role of the CISO changing from technical to business-oriented, it kind of leads me to conversations that I hear people talk about that if there’s an interest in cybersecurity and someone’s not highly technical, or that program is not an area that they’re interested in, are there roles for individuals that aren’t technical in cybersecurity?
Larry Whiteside: Absolutely. So I think there’s a fallacy that’s gone on that in order to be in cybersecurity, you have to know command line, be able to get on a Linux machine, and be able to hack this box. And it’s not true, right?
Cybersecurity is probably one of the vastest technology disciplines that exist, right? There are so many different things that you could get into and not even really know the technology extremely deeply.
Like I hired a young lady from HR to be a governance risk and compliance analyst because she had an understanding of controls. I’ve hired a project manager to be a governance risk and compliance analyst because she knew how to manage projects. So she came in and ran my vulnerability management program because doing vulnerability management isn’t necessarily about running the tool. The tool can run itself.
It’s about when the output comes out, how do you get all of the things that are identified as vulnerabilities, how do you get them fixed in a timely manner? How do you ensure and hold IT and the responsible parties accountable to ensure that things are getting done?
Well, that’s not a technical job, right? That’s not something where someone has to know ones and zeros. They don’t have to understand the command line. They just know, “Hey, this task needs to be assigned to this person, or this group, or this team. And they need to get it done within this timeframe or there’s a problem, or we’re creating risks.”
And so there are a number of different disciplines in the field of cybersecurity that someone who is even not technical can get into.
Dr. Kevin Harris: All right. Thanks, Larry, for helping dispel that myth. I know it’s out there, keeps floating around. So really appreciate you, somebody that’s in it day-to-day, kind of helping to share the truth on that area.
With your career, that you’ve kind of talked through some of the broad areas that you’ve worked in, what would you say has been the biggest accomplishment of yours during your distinguished career?
Larry Whiteside: From a career perspective? Honestly, the biggest accomplishment that I’ve made is co-founding ICMCP. I love what I do. I love my career. I love what I’ve accomplished professionally.
But at the end of the day, when I think about everything I’ve done, the people I’ve led, the teams I’ve built, the thing that’s been the most impactful to me personally, the thing that is driving my passion and fulfills my soul, is ICMCP.
Recognizing the lack of diversity and actually doing something, or trying to do something about it, and leaning forward and being willing and open to having tough conversations with people that weren’t prepared for a tough conversation. Being able to start dialogues with people and even start just a movement of the communication in the community that we’ve started to build around the fact that we know there’s a lack of diversity. For me, this is the thing that I hope becomes part of a legacy.
It wasn’t intentional when we did it. We weren’t doing it in hopes of creating a legacy. But the more we’ve done it, and the more we see the change and the impact it’s having on people’s lives when people receive these scholarships, the life-changing moments that are happening for them.
To see some students that we mentored years ago, to see them now be in the field for a couple of years and being successful and watching their growth, these things have and continue to shape me and drive me more than anything else.
And so as much as I love the field of cybersecurity, and I love my job, and I continue to love what I do, ICMCP is really the thing that I’m most passionate about and most proud of.
Dr. Kevin Harris: Gotcha. So that kind of leads me, I’ve got to ask this, Larry. When I hear you talk about the passion and then the work of ICMCP, if somebody is looking to help mentor, or they are wanting to be a part of ICMCP. They’re interested in the field and want to join ICMCP. How do they go about doing that?
Larry Whiteside: Yeah. Just go to our website. It’s free to join for the rest of 2020, but you go to our website and there’s a link for you to join. There’s also a link for you to get involved, right? We’re looking for volunteers. We’re looking for people to volunteer on different committees. We’re looking for people to get involved. We’re looking for chairs of some committees, right? So if you really have a passion about this.
And I want to make sure I’m clear about something. ICMCP’s mission is to increase diversity in the field of cybersecurity, right? We want to close the great cyber divide. That doesn’t mean to be a member that you have to be a person of color, that you have to be a woman. Because at the end of the day, if you believe in our mission and you trust in our mission, then we want you to participate.
We’ve got volunteers of every shape, color, size, and from every background you can imagine, because they believe in our mission and what we’re doing. They believe in the people that we’re trying to help.
And they recognize, like I do, that cybersecurity as a field can actually be a driver of a socio-economic change in certain communities. So if we leverage it appropriately, we continue to communicate it openly into these underserved communities, letting people know that this is a field that you can be successful in and to drive them towards it, it can be impactful in people’s lives.
I can tell you from my own personal story, that today I’ve got five children with my ex-wife. And my children have been afforded a life and experiences that I would’ve never even thought of as a youth myself. My children will never experience the things that I had to deal with growing up as a youth.
And it’s because the field of cybersecurity has enabled that. My children and the education they’ve been able to receive, and what they are going forward within their own careers as they go on their journeys, they all have benefited from the field of cybersecurity indirectly.
And so when I look at this for me, it’s directly provided generational change. And so, as I think about it for others, if we continue and we’re able to build this pipeline and get more women and more people from underserved communities into the field of cybersecurity, we can help make the socio-economic change that needs to happen in this country for some of the social justice problems.
Dr. Kevin Harris: Perfect. So just to remind everybody, if you are interested, icmcp.org for interest, or just to find out more about the work that Larry’s doing. And just as we’re finishing up, Larry, what piece of advice would you have for somebody that’s looking to enter the field?
Larry Whiteside: If you are looking to enter the field of cybersecurity, number one, don’t pick something for the money. I know a lot of people who’ve gotten into this field for the money, and they’ve realized it’s not right. Doing it for the money for the wrong reason.
This field is very, very broad. Find something in this field that you’re passionate about. There’s tons of opportunity in it. And so if you find something in this field that you’re passionate about, you’ll be more successful than you can imagine, because passion drives success. Passion drives effort.
Passion also exudes out of you and others around you will see it, because passion is also infectious. So the people that I’ve seen be most successful, the people that I have seen do amazing things in this field, are the ones who are the most passionate about it. So drive and follow your passion.
Dr. Kevin Harris: Thanks for that, Larry, and thanks for sharing your passion. I definitely hear it. Thanks for sharing your expertise and perspective on this issue. Thanks for joining me on today’s episode of Protect and Secure.
Larry Whiteside: Thanks. I appreciate it, Kevin.
Dr. Kevin Harris: And thanks to our listeners for joining us. You can learn more about these topics, and more, as you continue to stay tuned in to Protect and Secure. Be well and stay safe.
About the Guest
Larry Whiteside Jr. is a veteran CISO, former USAF Officer, and thought leader in the cybersecurity field. He has 25+ years of experience in building and running cybersecurity programs, holding C-level security executive roles in multiple industries including DoD, the federal government, financial services, healthcare, and critical infrastructure.
Larry currently serves as the Chief Technology Officer at CyberClan, a full-service global incident response and managed security services provider for small- to medium-sized businesses.
Larry is also the co-founder, president, and a member of the Board of Directors at the International Consortium of Minority Cybersecurity Professionals (ICMCP), a 501(c)(3) non-profit association that is dedicated to increasing the number of minorities and women in the cybersecurity career field by providing workforce development that includes skills assessment, training, education, mentorship, and opportunity.