CISO Perspectives (Pro) 5.13.25
Ep 132 | 5.13.25

Does diversity matter in cyber?

Transcript

Kim Jones: Welcome to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you're here for this season's journey. We're bringing the deep conversations out of the conference or, more realistically, the conference bar, and tackling a single complex issue from every conceivable angle across a multi-episode arc. As we continue our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem. Today, we explore the question: Does diversity matter in cyber? Let's get into it. [ Music ] I thought long and hard before I put together today's podcast topic, going back and forth about whether or not I should discuss this. In this current political climate, I understand that some will believe this to be a political statement. Be assured that it is not. I just can't see how we can talk about the talent ecosystem without addressing the issue of diversity and how crucial it is to our profession. Some of you might enter this discussion with preconceived notions about my views and opinions. My hope is that those who choose to listen to this podcast are, by definition, inquisitive and open-minded. As CISOs past, present, and future, we cannot pioneer creative solutions to thorny problems if we assume that we already know the answers before we even start the conversation. Given the potentially controversial nature of this topic, I've decided to do this podcast solo. This way, any slings and arrows regarding the content will be focused exclusively on me. So here goes. [ Music ] As anyone who has ever worked with me is aware, one of my favorite sayings is, "Making lemonade out of lemons is easy." The job of a security professional is to make lemonade out of two apples, a grapefruit, and a kumquat and make it look easy. The problems and situations we're asked to address are not ones whose answers can be found on Google. 
In a career where "no" might be the first answer, but "how" must be the last, our ability to put forth creative solutions to thorny problems is one of our most indispensable competencies. When I find that security teams are failing to innovate, my experience has been that it's a result of a failure to think critically about the issues. Critical thinking is the ability to evaluate, analyze, and objectively incorporate information to develop a unique interpretation and synthesize an appropriate resolution. Via critical thinking, we can conceptualize solutions to truly vexing problems and circumstances. In a world where raw, unsynthesized data is at our fingertips, the need for individuals and teams who can think critically is at a premium. We need to sort through mounds of chaff as we try to divine where the relevant gold kernels are. In most cases, the kernels and chaff look almost identical. So where does one gain critical thinking skills? Optimally, these skills are taught in some type of structured academic program focused on problem-based learning. However, the best critically thinking teams are ones made up of folks with exposure to diverse experiences outside of their primary areas of expertise. What is commonly known as thinking outside the box is, in actuality, remembering solutions to challenges unrelated to business or technology and wondering if those experiences can help solve a current problem. If everyone came from the same background, lived in the same neighborhood, and had the same teachers, dressed the same, thought the same, and played the same games, how on earth could they be expected to suddenly, spontaneously have a unique thought? Multi-layered perspectives about things outside of tech disciplines from human behavior, psychology, linguistics and cognition, philosophy, cultural belief systems, and religious contexts to current events, economics, sociology, and political science, and certainly what the past has taught us. 
History and how individuals and societies as a whole are sculpted, molded, and influenced through cultural context promotes more creative security solutions. One example of anemic thinking concerns the implementation of email encryption software such as PGP. In the seminal paper "Why Johnny Can't Encrypt," the author showed that great technology failed to be effective because its creators did not adequately factor in usability issues. Specifically, only 33% of users were able to properly sign and encrypt an email in 90 minutes, and 25% of users accidentally sent their secret email in the clear. In a follow-up study done eight years later, these problems persisted despite upgrades to the software. It would be a fallacy to believe that the designers of PGP were inept. Rather, the problem was their frame of reference regarding usability. The designers made a great tool that made sense to a technologist, but how do you make a tool intuitive enough so that non-technologists, whose priorities are not security-based, can and want to use the tool? A critically thinking team might have considered different perspectives to help the developers envision a more user-friendly solution. If innovative solutioning is enhanced by critical thinking, and critical thinking is boosted by a variety of perspectives and experiences, it stands to reason that a more diverse team, in gender, ethnicity, cultural viewpoint, age, foundational education, physical abilities, and sexual and gender orientations, will provide more innovative solutions to problems. A 60-year-old Black man raised in New England has a different set of outlooks and priorities than a 30-year-old woman raised in Kansas. A first-generation immigrant who attended college part-time while supporting her family has a different perspective from a fourth-generation trust funder with influential parents who went to school on family money. A combat veteran will have a different viewpoint than a conscientious objector. 
The issue is not whose outlook is correct or better. Rather, it's that collective experiences and contexts help feed the innovation engine, resulting in more varied and creative solutions. In theory, cybersecurity should have no issues with diversity. Most of my peers would describe our profession as one of the last great meritocracies in the technology field. As one of my colleagues said, "I really couldn't care less about your race, creed, color, religion, or sexual orientation." Do you like hard work? Do you like whooping up on the bad guys? Do you like keeping people safe? If you answered yes to those questions, then I've got a job for you. Indeed, I've built all of my CISO teams with this philosophy using those same three questions as my final interview questions for job candidates. While I've never set out to create highly diverse teams, my teams have always been the most diverse in the organizations in which I've worked. This is a bit surprising, given cybersecurity's less-than-stellar diversity track record. Reliable demographic data for the cyber profession is hard to come by on the best of days. Today is not the best of days. What statistics can be gathered are quite disheartening. Over 65% of our profession is white. This is followed by Asian, African-American, and Hispanic or Latino, which cover around 9% for each group. For comparison, in the United States, the demographic analysis says that 19.5% of the population identified as Hispanic or Latino, and 14.4% identified as African-American. Women make up about 26% of all cybersecurity employees, although they represent 50.5% of the population. And less than 25% of cyber executives self-identified as non-white. [ Music ] Is it possible that the homogeneity of the cybersecurity profession contributes to its negative reputation as being myopic, unhelpful, and a hindrance to business priorities? 
When I spoke at RSA in 2018 on diversity and cybersecurity, changing the conversation, I opened the talk by mentioning that in 2017, I had spoken, sat on, or moderated panels, participated in, or otherwise attended seven diversity sessions or diversity conferences here in the United States, either as individual sessions at large cybersecurity conferences or at smaller venues devoted specifically to diversity. I ended 2017 with the opinion that cybersecurity was not ready to take diversity seriously, and vowed never again to attend a seminar focused solely on diversity. When RSA approached me politely to speak on diversity in 2018, I explained my position and was told that I had an obligation to come and talk about why I felt the industry was not prepared to take diversity seriously. At that time, women made up only 10.5% of cyber professionals. Black and brown people made up less than 12%. Since then, we have focused on the issue. The numbers and innovation have improved. When we diversified, we thought more critically and solution better than ever. [ Music ] You still with me out there? Haven't run away yet? Well, then let's talk about how we create diverse, critically thinking teams. Here are some starting points. One, be KSAE-based. As I've stated in the past on this podcast, our profession tends to complain about what is lacking in candidates, rather than be specific and concrete about what they want. Getting specific around your knowledge, skill, ability, and experience requirements provides objectivity around your searches for qualified candidates. Remember, a lack of objectivity creates false justifications for exclusion. Two, diversify your interview panels. I'm going to single out my white male friends for a moment and ask you to visualize the scenario with candor. How would you feel about an organization you were vetting if everyone you interviewed with was a woman of color? Or if you, at nearly 50, faced a panel of all 22-year-olds? 
Even if you were thrilled about the potential opportunity, how would you feel about the company and your prospects for employment and advancement? The phrase "DEI initiatives" has become code for the return to discriminatory philosophies that would impair our profession and stifle creative solutioning and critical thinking. Merely being a person of color does not automatically make me a DEI hire. A lack of a DEI program or policy should not become a cover to return to the days of biased hiring practices. For those not old enough to remember, these policies first came into being because their absence led to systemic inequities. Three, interview for what you specifically want. Organizations using outdated interview tropes and formats are just as myopic and out of touch as those who insist that technical interviews are all that should matter. To the latter, having great technical prowess and an inability to communicate or function as part of a team make you less than optimal for a majority of the non-entry-level positions out there. Consider testing critical thinking skills by presenting the candidate with a Kobayashi Maru-like problem to solve. The answer is less important than understanding the candidate's thought processes and their ability to unpack their thinking to the interviewer. Note that the next step in such an interview would be to vary the parameters of the problem and see what the candidates do and how they react. Four, candidates show up. When I talk to young or aspiring cyber professionals, I often hear that they're reluctant to apply for a position in a company because there's no one already there like them. Every time someone says this to me, my answer is the same. How the hell is it going to get any better if you don't show up? Folks, being the first at anything is hard. Actually, it kind of sucks in most cases. But if no one steps up to be the first person, nothing ever changes. 
Worse, you provide individuals in that company the excuse to keep their hiring practices unchanged since they can't find underserved candidates to apply. The world doesn't change through complaining. It changes through direct action. That old story about everybody blaming someone when nobody did what anybody could have done is still true. Be the courageous hero. If there's no role model, become one. Show up. [ Music ] Sadly, the topic of diversity, equity, and inclusion is currently a contentious hotbed, which is, in my opinion, sending some companies careening haphazardly in the wrong direction. I submit that teams are stronger, think better, and devise more creative solutions to today's thorniest problems because of a diversity of thinking, not despite it. We need a broad range of perspectives to figure out how to make lemonade out of two apples, a grapefruit, and a kumquat. Our ability to trailblaze visionary solutions to tricky problems is the unique secret sauce that makes the cyber profession extraordinary. Let's make sure we don't lose that. My two cents. [ Music ] And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design, and original music by Elliott Peltzman. I'm Kim Jones, and thank you for listening. [ Music ]