Editorial: Common People (Q4 2017 Issue)

Written by Eleanor Dallaway

I often ask industry professionals what their least favorite thing about the industry is. Recently, I’ve heard the same recurring answer: Lack of diversity.

We talk about the lack of gender diversity in the industry a lot; whether or not those discussions have any impact is yet to be proven. What is certain is that it’s on everyone’s radar. We’re aware of it, we want more women and we’re committed to trying to get them.

As an industry, however, we are so distracted by the women in security drought that we, arguably, ignore the other diversity shortcomings that are equally as shocking.

Like it or not, the information security industry is heavily dominated by white, male, 40-something, middle-class straight men in suits.

There is the sub-culture of the research community; the techie community tends to be younger and more diverse in terms of class, but they’re still typically white males… they’re just wearing t-shirts and jeans instead of suits.

There will be people reading this and berating me for generalizing and using stereotypes, but we need to start being honest with ourselves and acknowledging that whilst these are stereotypes, they are a very true reflection of our industry.

By politely choosing not to comment on the lack of diversity that makes up our industry, we’re not being politically correct, we’re being ignorant. 

“We are so distracted by the women in security drought that we, arguably, ignore the other diversity shortcomings that are equally as shocking...” (Eleanor Dallaway)

It actually goes beyond just age, skin color and gender. I recently asked Rik Ferguson, Trend Micro’s VP security research, if he’d ever consider being a CISO, and he answered that he’d love to but he doesn’t think he’d be accepted because he doesn’t like to wear a suit. He wasn’t joking, and as baffling and sad as it sounded, I couldn’t help but wonder whether there was any truth in it.

It’s absolutely true that C-level events and ‘hacker’ events attract a completely different dress code. There’s nothing wrong with that at all, it’s perfectly natural. The issue arises if either becomes exclusive, allowing only a certain type of dresser, or indeed person, to be involved.

Why does it matter? Because if certain pockets of the industry accept only a certain type of person, we are not representing the people that the foundations of our industry exist to protect. Further, if we’re not representing them, we’re certainly not serving them.

Beyond that, of course, is the reality that more diverse teams are more effective. It’s statistically proven. So by allowing this lack of diversity to plague information security, we are handicapping ourselves as an industry. Given the current cybercrime climate, the last thing we need is a handicap.

Interestingly, when I think about the industry’s most famous names, those that people travel to events to hear speak and those that have huge followings on Twitter, very few wear suits. Many are even aesthetically eccentric; you can check out my interview with Jack Daniel in the Q4 issue of Infosecurity Magazine for confirmation! So you don’t have to wear a suit to make it in information security – but perhaps to get to the C-Suite you do.

There’s a very popular discussion about how, in order to be truly successful as a CISO, you need to be able to bridge the communications gap between the tech teams and the board and speak the right language. It strikes me as strange that the industry can acknowledge that those bridges need to be built, but is content to segregate its own players based on something as ridiculous as how they dress.

I’m certainly not calling for a common uniform; I don’t want to see an entire industry in jeans and t-shirts any more than I want to see an entire industry in suits. What I want is for people to be able to wear whatever they want without instruction, assumption or judgement. If Rik Ferguson, covered in tattoos and in jeans, wants to get a job as a CISO, he should not have to worry about whether the way he looks will stand in the way. The current CISO of the Year (see the Ed Tucker Q&A in the Q4 issue of Infosecurity Magazine) has more than 30 tattoos, by the way. Likewise, if a pen-tester wanted to go to work in a suit, why the hell shouldn’t they?

The information security industry’s lack of diversity (ironically) doesn’t discriminate – it lacks diversity in pretty much every category you could apply.

There is no single advantage to having an industry of clones. Yet there are multiple reasons why it’s a good idea to encourage people from all ethnicities, all economic backgrounds, any gender, any sexuality, wearing anything they bloody well want, to work in information security.

The one requirement should be for passion and aptitude; the rest is completely irrelevant.