Infosecurity invited three information security experts to share their thoughts and advice on how to create a culture of diversity and inclusion
Harman Singh, Security expert and consultant
Harman Singh is a security professional with more than 10 years of consulting experience across private and public sector organizations. His day job involves serving his consulting business customers at Cyphere to reduce their security concerns. @DigitalAmli
For productivity and competitiveness, you need a prosperous workplace and diversity is an important component of that. Diversity is a powerful ingredient to a flourishing workplace culture because it dispels personal biases, helps us respect each other’s differences and pushes our boundaries to think beyond what we know. This leads to better thinking, positive ideas and more knowledge.
Having technological security controls in place and implementing processes in the context of business is only effective with the key layer: the human firewall. Inclusion is more of a universal human right. Its aim is to welcome everyone irrespective of their gender, race, disability or age.
The following four factors offer business benefits and act as a catalyst to diversity and inclusion in the workplace.
Understand Customers
Whether you work in a customer-facing capacity or within an internal security team, your business departments and associated contacts outside the security team are your customers. To service a diverse customer base, you need to have a team from all walks of life. According to a stat quoted by HBR, teams with diverse members that can relate to the client’s ethnicity are 152% more likely to understand their clients.
Productivity
No two individuals are the same, there will always be multiple ways of thinking around and solving problems. Assembling together a team of diverse backgrounds with different skill-sets and experiences helps generate fresh ideas and perspectives.
With multiple vectors at play, numerous approaches work towards solving bigger challenges that are required for 21st century businesses.
"True acceptance is more than policies on the wall or in emails"
Equality
True acceptance is more than policies on the wall or in emails. The closest security analogy would be businesses following the ‘tick the box’ approach to get compliance certification. We all know where this leads to when the groundwork isn’t done well and a race to compliance certification follows shortcuts.
Due to unequal power relations, interpretations could be different. As a cybersecurity champion, your role is to think about who is not included in the conversation and who is not represented.
Conflict Resolution
It is important to accept that conflicts occur and they must be managed well. A conflict is not a failure unless mismanaged. Middle management and senior management must embrace conflicts when they occur and offer open conversations to understand all parties. This should be done with a positive mindset to reduce the chances of such conflicts in the future.
Just like cybersecurity initiatives, leadership plays a critical role when implementing such programs. All the above factors offer real-time advantages to cybersecurity teams such as a wider pool of resources for the recruitment process and a diverse team that can adapt and use innovative techniques to boost security-driven culture across the globe.
Samantha Humphries, Head of Security Strategy EMEA, Exabeam
Samantha has been happily entrenched in the cybersecurity industry for over 20 years. She has helped hundreds of organizations recover and learn from cyber-attacks, defined strategies for pioneering security products and technologies, and is a regular speaker at security conferences around the world. @safesecs
Recent research conducted by the National Cyber Security Centre in partnership with KPMG provides some uncomfortable insights into diversity and inclusion issues across the UK’s cybersecurity industry. Despite finding that the representation of certain minority groups in the sector were in line with the national average, highlighted was a pressing need to address the high prevalence of negative workplace experiences many cybersecurity professionals encounter on a day-to-day basis.
Just over 20% of survey respondents stated they didn’t feel they could be themselves at work, and almost 15% said they had experienced some kind of barrier to career progression because of a diversity-related issue. Furthermore, 16% said they have experienced at least one incident of workplace discrimination in the past year.
In recent years, there has been much discussion about the value of diversifying the infosec workforce. The problem is that many organizations continue to encounter pitfalls in attempting to tackle the issue.
Here are three tips for building a culture of diversity and inclusion:
Do More than Pay Lip-Service to Inclusivity
Hiring someone for the purpose of ticking a box really isn’t good practice. As well as creating uncertainty around whether someone is really up to the job, it can create doubt in the mind of the new hire – even if they are the best person for the job.
Diversity goes beyond just hitting number targets; quotas don’t automate inclusion. Organizations need to proactively create working environments in which everyone feels valued, heard and confident to contribute.
Reboot Team Thinking
High-performing teams communicate clearly and respectfully, trust and respect one another, celebrate success together and recognize one another’s contributions. Delivering soft skills training that helps reshape how people engage with others can go a long way to enhancing team dynamics. It can also help prevent the formation of subgroups and cliques that can affect engagement levels across the team.
Similarly, unconscious bias training can generate benefits that go well beyond simply reconfiguring the way teams work together. It can also kick-start new perspectives on how security professionals approach their day-to-day work tasks too.
"Organizations need to proactively create working environments in which everyone feels valued, heard and confident to contribute"
Build Physical and Virtual Safe Spaces
Offering a choice of working spaces and environments means people are free to find the option that makes it easier to do their job well. That may be something as simple as providing quiet pods where people can get their heads down and focus on the task in hand.
Establishing clear protocols around how team meetings and get-togethers are conducted will help ensure that no one gets shot down or shrugged off if they voice their opinion. Plus, offering opportunities for people to network and learn, both within and beyond the organization’s walls, will expand the scope of what work can offer infosec professionals as individuals.
At Exabeam, our CommUNITY council aims to promote and celebrate diversity and inclusion. It undertakes a range of initiatives from education and mentoring to volunteering events and talent acquisition – encouraging open and honest dialogue on difficult issues, aiming to foster and affect organizational change.
As more and more companies expand the talent pools they’re exploring in order to close the cybersecurity skills gap, they need to think beyond the initial recruitment process itself. Preparing the workplace, and the teams that new hires will encounter, will ensure that positive inclusivity experiences are optimized. Not only will this mean that people will be more productive in their roles – they’ll also be more likely to stay for the long term
Jennifer DeTrani, General Counsel and Head of Culture, Nisos
Prior to joining Nisos, Jennifer co-founded a secure messaging company, litigated as an assistant US attorney and ran her own law practice. She also serves on the executive committee of SunLaw, and is a visiting fellow at the National Security Institute. @jendetrani
Creating a culture of diversity and inclusion is like taking a boulder and trying to roll it down a hill. With no momentum, it can remain stuck. Someone strong and decisive needs to come along and give it a shove.
For security in particular, the gains that can come from driving top-down, bottom-up and middle-out strategies around diversity, equity and inclusion (DE&I) can be transformative. After all, threat actors are nothing if not diverse, and if out-matching adversaries is not a compelling enough reason to prioritize diversity and inclusion, then security might not actually be your calling.
Letting Your Talent Walk Out the Door
While most companies strive to provide a diverse and inclusive workplace, these objectives are also being driven by legislatures, regulators and judges who are now insisting that diversity and inclusion be the norm with board composition, and mission, vision and value statements as exemplars of these critical changes.
However, in the HR lifecycle, simply attracting diverse candidates is not enough. Retention can also present issues. One big mistake many companies make is seeking out diversity but not sufficiently attending to equity and inclusion.
Security professionals worth their salt are in high demand. If you are not going to give them benchmarked salaries, defined bonuses, career progression and equity, someone else will. Being a minority in a company where the leadership team is not leaning into diversity is not going to hold much long-term interest for an A-player. The security job market is too competitive not to try to keep your talent engaged.
One big mistake many companies make is seeking out diversity but not sufficiently attending to equity and inclusion
‘Unconscionable’ Bias Impedes Progress
Don’t conflate the existence of policies with a lack of discrimination or bias. Go the extra distance and actually create policies that set up diversity and inclusion programs for success. Goal setting around workforce and partner and vendor diversity is a good way to ensure progress.
Successful security companies or programs know how to equip their management teams with the tools to achieve change when it comes to DE&I. Unconscious or systemic bias can be a root cause in failing to retain talented and diverse employees because they may not mirror the attributes of existing high performers.
Similarly, failing to align with recruiters and HR stakeholders who understand the value of diverse talent impedes progress. Good recruiters know how to help a candidate present in the right light and highlight career or educational achievements that employers value. Investors and companies that support academic institutions, or non-profits which help minorities access technical skill sets or find mentors within the industry, are a big part of the solution and can help the right candidates get recognized.
In security, the networks we secure, the environments we strengthen and the adversaries we face aren’t ‘one size fits all.’ Effective DE&I stakeholders recognize that the workforces they support aren’t comprised of clones either. Moving away from a compliance-based mindset and towards a genuine intention to equalize and de-homogenize the workplace, with leadership that is empowered and driven to do so, is going to yield the greatest gains. In the end, the only people who won’t benefit from this approach are your adversaries