It’s no secret that the security industry has a DEI problem. Yes, I just linked to six different articles or social media posts supporting that point, and I’ve barely scratched the surface. My colleagues, Jinan Budge, Jess Burn, Allie Mellen, and Alla Valente, authored a blog about gender bias in the security industry last month, and I’m proud to be joining them in our upcoming research in this area.

But it’s not all bad news. During the demos for The Forrester Wave™: Software Composition Analysis, Q3 2021, many of the vendors shared their goals and investments around improving diversity, equity, and inclusion (DEI) within their organizations and in the industry. Whether through the head of HR or a dedicated DEI leader, DEI programs at several of these vendors are formal, funded initiatives that go far beyond platitudes on a website. I’d like to take a moment to highlight some of the great things that these vendors are doing to promote a more diverse and inclusive security culture:

  • Hiring. One vendor spoke proudly of its Arabic-language hiring campaign. Another has set a target of doubling the percentage of Black and Latinx employees by 2030. A third described a program that moves underrepresented candidates from outside the tech sector into internships, many of which extend or convert into full-time positions.
  • Industry partnerships. External partnerships include Girls in the Game, Women in Tech, PowerToFly, and the MassTLC Tech Compact For Social Justice. A few vendors mentioned donations to Black Lives Matter and other organizations that promote racial and social justice.
  • Employee support and training. A couple of vendors spoke of unconscious bias training, particularly for interviewing and performance reviews. One mentioned accommodations and tools for neurodiverse employees. And kudos to the vendor that performs annual pay equity reviews.
  • Inclusive products. Some vendors are localizing their products for languages other than English and have invested in Section 508 compliance to ensure accessibility. More than one software composition analysis (SCA) vendor has removed terms such as “blacklist” and “whitelist” from its product UI and documentation and replaced them with the more inclusive “denylist” and “allowlist.” A couple of other vendors are in the process of doing so.
  • Events and affinity groups. Almost every vendor in the Wave spoke about companywide events to celebrate Pride Month or Black History Month. Employee affinity groups around gender or race are equally common. Such programs are becoming table stakes, and firms will be expected to continue these as they take on the more advanced initiatives described above.
  • Metrics. The vendors with the most mature DEI programs are not only talking the talk and walking the walk but also being transparent about it, sharing their metrics publicly and holding themselves accountable. A number of vendors provided metrics and goals, particularly around hiring and leadership; some were able to compare themselves very favorably to local or industry averages. Others spoke of regular employee feedback surveys and tracking against stated goals.

Several of the vendors in The Forrester Wave™: Software Composition Analysis, Q3 2021 have public-facing sites that highlight their DEI work — this level of transparency must become the norm. Firms with more nascent DEI initiatives: Remember that 65% of consumers won’t buy from a brand that stays silent on an issue they expect it to address.

For more on SCA and the key vendors, check out The Forrester Wave™: Software Composition Analysis, Q3 2021, or reach out for an inquiry.