Why You Need a Diversity and Inclusion Program in Cybersecurity
This is a period of significant changes for agencies and businesses. This includes the transition to the cloud, and the shift towards being digital-first. Cybersecurity has become a central part of many industries and companies.
It’s easy to get lost in the details when it comes to security. They’re what we use for protecting apps, data, and infrastructure. When we talk about people, it is often about their skills. We occasionally focus on the fact that employees are often complicit in cyberattacks through poor cyber habits. They also need to be trained in cybersecurity.
A team of people is the heart of any cybersecurity program or effort. They collaborate to create the strategy and processes. People are the core of digital transformation and related digital safety efforts. Many cybersecurity discussions ignore the importance of having a diverse, inclusive team.
Why add a Diversity and Inclusivity Program to Cybersecurity?
We spoke with Dimple Ahluwalia (IBM’s VP, managing partner, security consulting and systems integration) to learn more about why Diversity & Inclusion strategies are so important for organizations’ success in employee retention and cybersecurity. She shares her thoughts on how to broaden our approach to recruiting and hiring in order to improve D&I within the cybersecurity industry.
Q: Why is diversity important in cybersecurity teams?
A: Cybersecurity begins with solving problems. Different people see situations differently based on their perspectives. If we want to solve social engineering, for example, we need to have a variety of perspectives and experience to see the situation from different angles and discover what is missing. Different people can interpret and communicate information differently. A strong communicator can translate technical information into terms that are easily understood by both employees and business leaders. This will help you gain a better understanding of your organization’s security issues and drive desired outcomes such as a stronger cybersecurity posture.
Neurodiversity is also important because everyone thinks differently. Some people have the ability to spot patterns in seemingly unrelated data, which could indicate data breaches. Some people are more detail-oriented and could be useful when reviewing test cases for applications. Security team members with special skills could provide additional insight and correlations that can validate findings and help to further tune automated systems.
It is time to look at the strengths of people again. Cyber is more than technology. Cyber involves people, processes, and technology. People are crucial. It is important to ensure that people involved are able to think through situations and how they will affect others. Technical skills are valuable and useful, but they can also be taught with effort and time. We should not limit our hiring to those who have the best training in technology.
Q: What’s the first thing that cybersecurity should do to improve its overall D&I?
A: It is important to expand the applicant pool to include more potential cybersecurity professionals. The ability to hire people without a four-year college degree in cybersecurity is a benefit. We need to take advantage of that. We must continue to do traditional activities like adding cybersecurity curriculums to schools, helping students find practical opportunities, and offering apprenticeships. We need to go further, particularly in the area of assessments that assist people in determining what opportunities exist and how their skills translate.
As a community, we need to stop thinking that all cybersecurity hires should be placed in one category. We must think outside the box and look for untapped, raw talent in many places. Recently, I met with a client that said they wouldn’t allow anyone to work without a bachelor’s degree. This rigid requirement and closed-minded thinking may be costing the company tremendous talent. Another professional I worked with was able to acquire unique skills in threat hunting through multiple military tours. He was told by transitioning services that he should work as a waiter in hospitality after he had left the military. He ignored the advice and applied to an IT company that would consider him. He was eventually a member of their internal threat team.
We must find a way of nurturing talent from unorthodox fields. We must look beyond the current roles and be more open-minded about the roles that will come in the future.
Q: Can you share any tips to improve D&I efforts?
A: D&I begins with challenging the organization’s way of working. Many leaders desire to pursue D&I, but aren’t sure how to do it. The cybersecurity industry must push for the advancement of the industry’s interest. We must help people make the most of the available resources.
To reduce the skill shortage, we need to think about how we can push the boundaries. While I don’t advocate that we hire people without the right education, many cybersecurity positions require hands-on experience that can be gained on the job. This is more than a four-year or two-year degree. IBM’s ‘New Collar’ approach, backed by SkillsBuild as well as Digital Badging, is a good one.
We all have the responsibility of serving our organizations. However, as an industry we can do more by looking at opportunities for companies to join together or platforms that help companies collaborate. It is important to examine how D&I can be improved across the entire industry and not just within our own company.
IBM SkillsBuild was not created to train future IBM employees but to improve the IT workforce. Many people who use SkillsBuild go on to pursue careers in cybersecurity or other IT fields. Without the Education and Enablement provided by the Program, this is not likely to be the case.
It’s not about competing for the same resources. This is about working together to develop new ideas, expand the talent pool, and look at things differently. My adversaries are more creative when it comes to how they view talent, and focus more on applicants’ propensity than their formal education.