If you’re a security practitioner or long-time reader of this blog, you may be all-too-familiar with the dangers of practicing “checkbox security”. By blindly following rules and directives without appreciating why they’re important, you may make short-term gains while ultimately dooming your long-term goals. That being the case, you may intuitively understand why “checkbox diversity” measures are doomed to fail.
Fairness vs. learning
Much as the purpose of securing a network is not simply to play by arbitrary rules, including a wider variety of people in security positions is not just about trying to hire an assortment of people that represents the population at large. In other words, security and diversity are not just about being compliant and fair. They are also about helping businesses get the widest possible range of perspectives, so that they can take considered steps instead of leaping blindly without adequate information.
Taking the time to identify cost-effective measures that will protect your digital assets can help you identify potential problems earlier on, when they can be fixed at a lower cost in terms of both money and public goodwill. Likewise, ensuring that you’re finding – and retaining – people with a wider variety of life and work experiences will help ensure that you have the opportunity to learn from people with a broad range of perspectives from the outset, rather than after unforeseen missteps cause serious public relations problems.
Diversity in security perspectives
As my esteemed colleague Stephen Cobb discussed in a series of posts late last year, cyber-related risks are now firmly embedded in public consciousness, but the specifics of the ways in which risk is perceived may differ depending on a number of factors. Relative levels of perceived risk for security-related problems were assessed differently depending on a respondent’s age, income, gender, ethnicity and cultural alignment: there was no one source or type of risk that all groups identified as the most troubling.
In order to prepare for the widest variety of vulnerabilities, we need people who are attuned to all types of risks to participate in all levels of the discussion about risk assessment and mitigation.
Not just a pipeline problem
While the dearth of women and people of color in the pipeline for tech is a well-documented phenomenon that is beginning to change for the better, both recruitment and retention rates are very poor for people within these demographics. At every point, from middle school to mid-career, the pipeline has sprung a series of leaks and is periodically catching fire.
The good news is that the ways to improve this situation are not only beneficial for people in underrepresented demographics. By seeking new sources of qualified applicants and increasing psychological safety for employees, you can potentially decrease the time it takes to fill positions, and improve both retention and effectiveness of the people already in your employ. Improving your company culture is simply good business sense.
Moving towards the future
To ensure an increasing supply of high-quality applicants to keep the pipeline flowing, we need to get kids excited about the idea of pursuing cybersecurity careers, we must identify people who could use mentorship and training to excel in this industry, and it’s imperative to include a wider variety of people in our recruitment practices. Here are a few ways that you can help:
There are a lot of national tech education groups such as TEALS, Girls Who Code, Women’s Society of Cyberjutsu, and CoderDojo as well as local STEM events, hackathons and boot camps that are in need of expert support. Each year many of ESET’s own researchers join a team of mentors who help teach kids during Securing Our eCity’s yearly Cyber Boot Camp in the San Diego area – this is a fun event that can always use more help from the community.
The cost of formal education is growing at a rapid pace, which may keep interested people from trying to get the necessary training and credentials that are helpful in getting a job in this industry. There are a lot of scholarships out there that have been set up to encourage people to pursue an education in security. The Women in Cyber Security (WiCYS) website maintains lists of resources for students seeking scholarships and internships.
3- Reaching underrepresented groups
There are a growing number of groups that are focused on the inclusion of a wider variety of people in cybersecurity and technology careers. National groups like Code2040 and Black Girls Code are helping to cultivate the next generation of developers. You may also be able to find local groups in your area, especially through sites like MeetUp.
4- Improving psychological safety
Even if you’ve not yet started efforts to improve diversity and inclusion within your organization, you can start looking at your company’s culture and see where you can improve conditions for psychological safety. Your employees are the eyes and ears of your organization; if they don’t feel comfortable speaking up about what they’re seeing and hearing, or discussing creative or unusual ideas, you are not getting their full value. This is especially true of people who may feel they are outside the majority of your company’s demographic.
5- Help your employees find support
Do you help pair your employees with peers, mentors and (especially) sponsors within your organization? Ensuring that people have someone to call on for support and advocacy can have dramatic effects on people’s job satisfaction. As competition for cybersecurity talent can be especially stiff, investing in your existing employees is especially important.
The success of a company relies on that of its employees. By setting individual employees up for success, you’re also setting your business up for success. Populating your company with people who have different backgrounds and life experiences gives them a chance to learn from each other, and to be more effective in their jobs and careers.
Author Lysa Myers, ESET