In biology, it is well known that genetic diversity creates strength in that it helps build resilience to disease, disorders, and other human ailments. At a community level, we also find strength in diversity. Individuals from different backgrounds, experiences, upbringings, geographies, cultures, races, and religions all contribute ideas, talents, and skills that make us stronger as a group.
This notion has been brewing for quite a while in security, and during RSA Conference in San Francisco last week, ITSP Magazine brought together a versatile panel of security experts to discuss Diversity and the Art of Cybersecurity.
Cybersecurity as an industry remains a fairly homogeneous group: women currently represent less than twenty percent of the workforce, and Black/African Americans, Asian-Americans, and Hispanics/Latinos combined make up a meager twelve percent. Many organizations, including the International Consortium of Minority Cybersecurity Professionals (ICMCP), co-founded by Larry Whiteside Jr., a panelist in the aforementioned discussion, are addressing the diversity issues faced in security. While groups aimed at promoting diversity abound, the panelists discussed how diversity is everyone’s job, not just the job of hiring managers, executives, or specifically dedicated individuals or groups.
Imagine there’s no heaven
Dug Song, Co-founder & CEO of Duo Security, shared how his team is building diversity into the hiring process. He says the company “hires for cultural contribution” rather than cultural fit. Many organizations talk about “cultural fit,” but to Song’s point, “fit” implies that a person needs to be, or become, a part of what already exists. That idea, unfortunately, limits the amount of diversity that can be brought into the group. If everyone “fits,” there is less of a chance that new ideas will be brought forth, that employees will challenge cultural norms, and that horizons will be broadened.
Diversity is not only about gender or skin color, although both have implications beyond what is skin deep. True diversity in the workplace means including those who have come from different backgrounds and who have complementary skill sets. It means considering candidates for roles or projects who bring a contrarian point of view so the company can test these ideas and learn how they might resonate with varying groups of buyers, partners, or customers. Diversity means taking into account that others communicate and absorb communication differently, and then accepting that one way isn’t the “right” way. It means being open to new, different, and sometimes uncomfortable things, because as we, as individuals, learn about all of these differences, we become stronger and gain tolerance and acceptance.
It’s easy if you try
Cybersecurity is a global field, by any measure, yet within our companies we tend to look at our own culture and not consider others’. Doing this limits organizational growth in terms of capabilities and opportunities, and it is most certainly limiting to how security organizations approach adversaries. It’s an accepted norm that cyber adversaries hail from diverse backgrounds, educational experiences, geographic locations, capabilities, and more. Therefore, it only makes sense to fight fire with fire—include a broad swath of individuals on our enterprise security teams who can see and analyze things from a fresh perspective.
Panelist Jennifer Steffens, CEO of IOActive, shared that her college degree is in psychology, and this has helped her accomplish much in a very technical, male-dominated field. Diana Kelley, panel moderator and Global Executive Security Advisor at IBM, received her degree in English, which has allowed her to become an evangelist for one of the biggest companies on the planet and a sought-after writer and presenter. Both women have seen firsthand how a diverse education and skill set can pave the way to tremendous success.
Paying it forward, Steffens and her team take a similar open-minded approach when looking to hire the next wave of employees for her company. Steffens said of her company’s hiring process, “We rarely start with the résumé because things like certifications, specific education, or a certain number of years of experience” serve only to “wipe out so many options.” Song agreed and said Duo’s first question to applicants is generally, “What makes you unique?” When choosing a new employee from those unique candidates, Duo’s hiring managers then ask themselves: What can this individual bring to the organization that the organization can’t currently do? What do they have that we don’t which will expand our strength as a business?
No hell below us
It’s from this perspective of strengthening the organization through complementary, or sometimes contradicting, personalities and skills that security will become more effective against adversaries. Building this diversity and the resulting strength doesn’t come easily, though. All humans are subject to bias, whatever we might admit out loud. To break down those barriers and build bridges between seemingly disparate groups, Ayelet Steinitz, panelist and VP of Business Development at Imperva, advised, “If you peel a layer—you don’t have to go very deep, just a layer or two—of different things to interpret [about a person], you can get to a lot of commonality.” She offers that within the security community, many people hold similar values and interests; it’s about finding those associations that bring people together without changing who they are at their core. At the same time, it’s important for individuals to maintain their character and keep that diversity in place; otherwise the benefits are squandered. Yet removing the “us against them” or “me versus you” mindset is critical to a healthy, productive working environment.
Above us only sky
Circling back to biology, cybersecurity has many parallels: “resilience to disease” is akin to business resilience in the face of malware, viruses, and other attacks; “decreasing the likelihood of disorders” corresponds to fixing the business processes that cause or create vulnerabilities, such as poor password hygiene, weak code, storing sensitive information in plain text, lack of adequate backups, ignoring critical alerts, and so on. The goal is to drive down these weaknesses by applying critical thinking, and the greater the number of perspectives and experiences from which our security community can draw, the better prepared our organizations will be.
Diversity is about inclusion and acceptance, of people and of ideas. The attacker community is an excellent model of how bringing together all types of people, regardless of background, contributes to creative goal achievement. The defender community, the law-abiding enterprise security teams, would do well to mirror the attacker community in this respect and speed up the process of developing more diverse teams. The critical thinking that results from bringing together employees from diverging experiences, educational backgrounds, personalities, geographies, races, cultures, and so on, explained Whiteside during Diversity and the Art of Cybersecurity, is beyond compare. Your security team will be more effective, will contribute to greater growth, and will achieve goals more quickly if the entire team is not (contrary to traditional enterprise thinking) drinking the same proverbial Kool-Aid. With current market conditions, security teams have an opportunity to embrace diversity and strengthen their capabilities. It’s up to each group to decide which direction to take; what will your organization choose?