By Helen Patton, CISO, Ohio State University
Any currently serving security leader cannot but notice the industry focus on diversity and inclusion in technology—particularly in cybersecurity. Here’s the summary version:
From a US government policy perspective, there is little to suggest that this situation will change any time soon.
Clearly, no appetite exists in the US for any policy-based solutions to this problem. However, this may be a problem that policy cannot solve.
Research suggests that many of the inherent cultural biases in our society influence cyber workforce diversity. Simply mandating higher proportions of diverse workers will not solve this issue if our workplace cultures reflect wider social biases that assume males are technical and leaders, while women are communicators and supportive.
Happily, there is much happening within the private sector to help solve these problems. Certainly, we are focusing on how to change our hiring practices to encourage more diverse candidate slates. Efforts exist to involve younger minorities, particularly girls, in cyber programs at earlier ages such as the Girl Scouts CyberSecurity badge or IBM’s Cyber Day for Girls. Community colleges and universities have developed increasingly better cyber programs that not only include computer skills but also cross-disciplinary skills such as psychology, risk management, and international studies, which will help the entire profession.
Yet, we are starting to veer off course in two areas.
In a well-meaning attempt to attract more females to the profession, some people emphasize that you can become a security person without “being technical.”
While I appreciate that not all security roles are technical, this approach assumes that men are more likely to be technical while women are not. If we populate our security teams with non-technical females and more technical males, we will not solve the diversity problem. We will make it worse. This sets the profession up to have a first- and second-class track.
Cybersecurity is technical. Instead of approaching women and girls with this “non-technical” approach, I recommend shifting toward a “females are technical too” perspective. This parallels the effort of ensuring “technical” also means “has emotional intelligence, communication capabilities, and social skills”–an expectation for women and men.
We have an incorrect sense that if we can get diverse people into an organization and train them to be “like us,” we will have succeeded at diversity.
The point of having a diverse workforce is to create a place where an organization leverages the value of diversity to make outcomes better. I don’t want to take a 25-year-old female of color and have her act like a middle-aged white male. I want them both to bring their experiences, thought processes, and skills to the problem at hand.
Leda Glyptis captures this perfectly in her fintech blog:
“Reward outcome-based experimentation and diversification. Measure if diversity is leading to diversification, and assess how thoroughly you are supporting the transition with HR policies, risk profiles, execution cadence, etc. If you hire them and then bind their hands with the established way of doing things, you are choosing to not go far the long and expensive way.”
The old adage “culture eats strategy for breakfast” is particularly applicable to the issue of cybersecurity diversity. Lack of diversity is a cultural problem–and one we can (slowly) change. It’s not a policy problem, and the cyber community is already starting to rise to the challenge of fixing it. It won’t be solved by a tool or even just a process. It will be solved when we change the way we think–and we’ll need a diverse and inclusive way of thinking to make this happen.
With more than 20 years of experience in the Security, Risk and Resiliency profession, Helen Patton (CRISC, CISA) brings a wealth of experience in managing information, technology and operational risk for global organizations, and advocates using Information Risk and Security Management to enable the mission of the Institution. As Chief Information Security Officer at The Ohio State University, she works to enable a risk-aware culture. She manages the Enterprise Security team, and oversees Information Risk and Control Governance across University units. Helen also chairs the University Information Security Advisory Board, which governs the execution of the University’s award-winning Information Security Framework.