Sam Humphries is a security strategist at Exabeam with 20 years of experience in cybersecurity, having held various roles across the industry including global threat response manager. Throughout her career, she has defined strategy for multiple security products and technologies, helped hundreds of organizations of all shapes, sizes, and geographies recover and learn from cyber-attacks, and trained people on security concepts and solutions.
In her current role, Humphries is an integral part of the global product marketing team at Exabeam and is frequently the go-to person for data compliance-related questions.
She is also a member of the ExaGals program, which looks to support and empower the women of Exabeam, as well as women in the technology community at large, with career development, education and personal growth opportunities.
Keen to learn more, Infosecurity spoke to Humphries about the ExaGals program and the wider issue of diversity in the cybersecurity industry.
What is ExaGals and what does it aim to achieve?
ExaGals is an incredible initiative that Exabeam started in 2014. Our CEO and co-founder, Nir Polak, led the charge in the beginning, inviting a handful of women in the company to form a Company Culture Committee. Championing culture and diversity has always been close to Nir’s heart, and something that is celebrated throughout the company.
There’s an interesting double meaning to the name ExaGals. Whilst ‘gal’ is an Americanism for girl…it also stands for a more obscure meaning: the measurement unit of gravitational acceleration. That’s what happens when you put geeks together in a room! The group inspires positive conversations, offers training and reading material, and provides volunteering and other opportunities.
ExaGals’ mission to harmonize and usher the company culture has continued, but also evolved to have a more external focus not only on the women of Exabeam, but women in the broader technology community and beyond.
Our hope is that by supporting programs that expose and encourage women and girls to the possibilities of an education and career in tech, we can help address the skills shortage by introducing new perspectives and problem-solving skills to the industry.
How important is it for modern companies to be diverse in both nature and approach?
It’s critical. This challenge is widespread across many industries – it’s not just a security problem, but it’s definitely more pronounced in security. It starts at the hiring level, as people tend to gravitate towards hiring people who are like them because it’s comfortable, which is a major flaw in the hiring process. Also, it’s vital to note that diversity isn’t just about which bathroom someone uses, there are multiple factors which make a person unique. Ultimately, if you want to see new ideas, innovation and spark positive change, then you need different individuals who think, speak and act in different ways, otherwise you’ll fundamentally end up with more of the same. There are so many benefits to having a diverse organization, and as many successful businesses have proven, a diverse C-level and board.
How would you rate the state of diversity in information security in 2020?
It’s getting better, slowly, but it’s still a challenge and it’s not where it needs to be. I think what’s significant is that diversity is now a conversation, it’s not so much of a taboo and it’s a recognizable issue in the industry.
More people are more comfortable talking about it and less likely to feel that they’re going to get shot down or shrugged off if they voice their opinion, or for it to be disregarded. We have seen positive change – there are more opportunities and safe spaces for people today. For the last three years, I’ve been involved in The Diana Initiative, which is one of the many conferences that take place at ‘Hacker Summer Camp’ in Las Vegas. They’ve done an amazing job of creating a safe space focused on diversity and inclusion in cybersecurity, where participants feel comfortable to network and learn, and be inspired by speakers at a conference that embraces everyone.
There’s still a long way to go; there is no easy route to overnight success, and there are some pitfalls which companies, looking to improve their diversity situation, need to avoid. For example, making ‘diversity hires’ for the purpose of meeting a quota. Firstly, there’s the concern that someone is being hired for a role who is not necessarily the best person for the job, purely to tick a box. Secondly, any new hire of a skilled person who happens to be a minority may have doubt that it’s warranted, despite them being the best person for the role. It can be a double-edged sword and those seeds of doubt can exacerbate the problem.
What needs to be done to effectively tackle the diversity issue across the infosec industry?
One of the most effective things I’ve seen is hiring manager training, or open involvement in the interview process. Training around hiring people who do not look like you, act like you, or like the same things as you – that’s really important. Reviewing your talent pool options can also make a big difference – yes it’s great to have an employee referral scheme, but it’s definitely not the only fruit. When creating job descriptions, document the qualities you’re looking for, and consider crossover capabilities which would be valuable to a role.
I attended an amazing (and very uncomfortable at times – by design) course on recognizing unconscious bias – and everyone has unconscious bias. It’s in all of us, but what’s important is recognizing it and being able to call yourself out. That, in effect, will then help you to move out of your comfort zone and make better decisions, ultimately leading to more diverse hires and balanced teams.
Safe spaces are also important, offering individuals different spaces and environments that suit them and enable them to do their job well, and the facilities to make them feel comfortable. This can be something as simple as providing quiet pods for people to help them focus. You can also promote diversity in your offices through celebrating different holidays and promoting commemorative events such as Pride. I think that’s why initiatives like ExaGals are so vital, because there’s a freedom and safety of being able to share concerns or discuss what’s on your mind, and everyone can be included. It’s positive movements like this that the industry needs.
Today, I think there’s a ton of opportunity to enter into, and have a successful career in, cybersecurity. I’ve found that taking the time to go into schools, universities and attending conferences like The Diana Initiative can make a real difference. Security can be a wonderful career for everyone and unless we take positive action, we will struggle to see a more diverse workforce in the industry.