If you’re a security
practitioner or long-time reader of this blog, you may be all-too-familiar with
the dangers of practicing “checkbox security”. By blindly following rules and
directives without appreciating why they’re important, you may
make short-term gains while ultimately dooming your long-term goals. That being
the case, you may intuitively understand why “checkbox diversity” measures are
doomed to fail.
Fairness vs. learning
Much as the purpose of
securing a network is not simply to play by arbitrary rules, including a wider
variety of people in security positions is not just about
trying to hire an assortment of people that represents the population at large.
In other words, security and diversity are not just about
being compliant and fair. They are also about helping businesses get the widest
possible range of perspectives, so that they can take considered steps instead of
leaping blindly without adequate information.
Taking the time to identify cost-effective measures
that will protect your digital assets can help you identify potential problems
earlier on, when they can be fixed at a lower cost in terms of both money and
public goodwill. Likewise, ensuring that you’re finding – and retaining –
people with a wider variety of life and work experiences will help ensure that
you have the opportunity to learn from people with a broad range of
perspectives from the outset, rather than after unforeseen missteps cause
serious public relations problems.
Diversity in security perspectives
As my esteemed colleague
Stephen Cobb discussed in a series
of posts late last year,
cyber-related risks are now firmly embedded in public consciousness, but the
specifics of the ways in which risk is perceived may differ depending on a
number of factors. Relative levels of perceived risk for security-related
problems were assessed differently depending on a respondent’s age, income,
gender, ethnicity and cultural alignment: there was no one source or type of
risk that all groups identified as the most troubling.
In order to prepare for the
widest variety of vulnerabilities, we need people who are attuned to all types
of risks to participate in all levels of the discussion about
risk assessment and mitigation.
Not just a pipeline problem
While the dearth of women and
people of color in the pipeline for tech is a well-documented
phenomenon that
is beginning to change for the better, both recruitment and retention rates are very poor for people within these
demographics. At every point, from middle school to mid-career, the pipeline
has sprung a series of leaks and is periodically catching fire.
The good news is that the
ways to improve this situation are not only beneficial for people in
underrepresented demographics. By seeking new sources of qualified applicants
and increasing psychological
safety for employees, you
can potentially decrease the time it takes to fill positions, and improve both
retention and effectiveness of the people already in your employ. Improving
your company culture is simply good business sense.
Moving towards the future
To ensure an increasing supply of high-quality
applicants to keep the pipeline flowing, we need to get kids excited about the
idea of pursuing cybersecurity careers, identify people who could use
mentorship and training to excel in this industry, and
include a wider variety of people in our recruitment practices. Here are a few
ways that you can help:
1- Volunteer
There are a lot of national
tech education groups, such as TEALS, Girls Who Code, Women’s Society of Cyberjutsu and CoderDojo, as well as local STEM events, hackathons and
boot camps, that are in need of expert support. Each year many of ESET’s own
researchers join a team of mentors who help teach kids during Securing
Our eCity’s yearly Cyber
Boot Camp in the San Diego area
– this is a fun event that can always use more help from the community.
2- Scholarships
The cost of formal
education is growing at a rapid pace, which may keep interested people from
trying to get the necessary training and credentials that are helpful in
getting a job in this industry. There are a lot of scholarships out there that
have been set up to encourage people to pursue an education in security. The
Women in Cyber Security (WiCYS) website maintains lists of resources for students
seeking scholarships and internships.
own Women in Cybersecurity scholarship is now open for submissions by students nationwide. Applications
for this are being accepted until April 1, 2018.
3- Reaching underrepresented groups
There are a growing number
of groups that are focused on the inclusion of a wider variety of people in
cybersecurity and technology careers. National groups like Code2040 and Black Girls Code are helping to cultivate the next generation
of developers. You may also be able to find local groups in your area,
especially through sites like MeetUp.
4- Improving psychological safety
Even if you’ve not yet
started efforts to improve diversity and inclusion within your organization,
you can start looking at your company’s culture and see where you can improve
conditions for psychological safety. Your employees are the eyes and ears of your organization; if they
don’t feel comfortable speaking up about what they’re seeing and hearing, or
discussing creative or unusual ideas, you are not getting their full value.
This is especially true of people who may feel they are outside the majority of
your company’s demographic.
5- Help your employees find support
Do you help pair your
employees with peers, mentors and (especially) sponsors within your
organization? Ensuring that people have someone to call on for support and
advocacy can have dramatic
effects on people’s job
satisfaction. As competition for cybersecurity talent can be especially stiff,
investing in your existing employees is especially important.
The success of a company relies on that of its
employees. By setting individual employees up for success, you’re also setting
your business up for success. Populating your company with people who have
different backgrounds and life experiences gives them a chance to learn from
each other, and to be more effective in their jobs and careers.