Security has a diversity problem, but not just the way you think
Understanding the root causes is the way to correcting the issues that we wrestle with.
According to the World Economic Forum[1], women make up around 30% of the cybersecurity workforce globally, and minorities are underrepresented in the industry as well. During Disobey weekend I had the pleasure of attending a separate happening with around 200 or so in attendance. There were more men with mohawks than women (I exaggerate, but not by much). We have a culture in the industry that actively pushes away women and minorities. That is an acknowledgement of a problem that should be self-evident. However, this is not the only issue, nor the root cause, when it comes to diversity; there is something much more fundamental lying just beneath the surface. Let's scratch, shall we.
Pic. Copilot with the stupidest f'*****g looking mohawk.
Recently, we had an incident at Disobey regarding a guest and one person on our team that I wrote about on LinkedIn: The Post. Just to make sure: Disobey is part of the solution, fostering a culture of inclusion, but it still suffers from the wider industry effects. For me, this incident hints at the crux of the issue: the distorted culture within security that frowns upon anything different. Hostility towards those who are younger, or who diverge from the mean, is a default setting for many people working in the industry. I have seen both men and women actively pushing down those around them they deemed not worthy.
Actions looking to correct these issues vary, from recruitment to identification of bias and sensitivity trainings. From a personal point of view, I feel that the situation is improving, but there is still much to accomplish. The currents in the world are blowing against DEI, but let's take solace in a little history lesson. The immediate reaction to the French revolution was a return to despotic leadership under Napoleon. Maybe the overreach of the revolution was clear, at least in hindsight. Maybe next time don't make up your own calendar to replace the one we have lived with globally for close to 500 years. Yeah, also a little less with the guillotine and beheading people for the slightest of missteps. The overreach of the revolution ate its children, so to speak, but what is less emphasized is that the ideals of democracy, universal suffrage (at least among men :)) and freedom prevailed, leading to the world as we know it. I have faith that the ideals of inclusion and respect for the individual will live on, even though the world looks like it is going to hell in a handbasket.
But I digress. What I'm trying to say is that sometimes we throw the baby out with the bathwater. Sometimes the best option is to focus on actions rather than purity of thought, which I think has maybe taken too much airtime in the discussion. And this gives us a way to broach the actual subject for today: one root cause of why we struggle with diversity in cybersecurity…
Our view on cybersecurity is too narrow and as such we do not appreciate skills, interests or ideas that fall outside our own area of expertise.
And then we tend to be assholes about this distinction to anyone falling outside our own narrow view…
What cybersecurity is has evolved through time. When I was starting my career in security, all the talk was about viruses and network worms. Then came organized criminal phishing, targeting mostly the banking sector. Nowadays we talk about nation state hybrid attacks and penetration testing. The hacker culture has totally warped our view of how wide an area of expertise cybersecurity is, or at least should be. Don't get me wrong, there is nothing bad about being technically focused, trying to break things and into things. But it is not the be-all and end-all of security. The airtime given to hacker culture is suffocating all other areas of security, which is bad.
Cybersecurity is very context driven. What I mean by this is that you cannot have cybersecurity without something to be secured. Like a lock without a door: might be fun, but it has no real meaning. Hacking, though, is very much fun, especially if you can compromise a system or company that will reward you for it.
Now we come to a large part of enterprise security: it’s pretty basic stuff. Asset management, hardening, patch management, SDLC etc. Run of the mill stuff, with no glory in it, but it just has to be done. Definition and implementation of controls, over and over and over again. Documenting the aforementioned controls. Again and again and again. You get the point.
But not everyone can hack cool stuff all the time. Or at least, that is not how you secure an enterprise. You secure an enterprise by implementing an ISMS, building a policy structure and guidelines, managing compliance, doing IAM, running an SDLC, doing different types of testing on your shit, running monitoring and incident response, exercising all the mentioned areas and so forth.
Much of the listed stuff is technical, but much of it is human interaction, communication, project management, measurement, learning from your mistakes. And by now it should be obvious that if we only value technical skills, we create large areas of blind spots and vacuums when it comes to security.
What we are seeing a lot in the industry today is junior people joining our team in either SOC or AppSec roles, and within 6 months of starting asking to move to offensive or red teaming roles, DFIR roles or something similar and very advanced. Cool technical stuff usually is also very complex. Building skills to get there is essential, so every one of our high level technical people has gone through basic roles: maintenance of networks and systems, working SOC analyst roles for years, doing basic vulnerability scanning or code reviews etc. This hurry is probably a topic for another rant, but the focus on roles is clear and tainted by the public view of what cyber is.
Next up: old man yells at a cloud.
One area that has bugged me for a long time is efficiency within cybersecurity. Or the lack of it. I'm not sure that I've seen a single security organization that measures the efficiency of its work well, or that has metrics for investment efficiency. This does not mean that there aren't any; I am not privy to all the stuff even our own clients do. But this is also an underrepresented topic in blogs, seminar talks etc. My best evidence is the quiet around this topic. Sure, security is a difficult area to measure, but we could at least try. Mostly it's just crying about the lack of budget, rather than being analytical about where the current time and resources are spent and what the organization gets out of them. One of the main things that consulting has taught me: getting shit done. Not just doing things, but actually finishing tasks, shipping projects. We have clear definitions of done and we work hard to hit them. We also have clear drivers: if we don't get things done, we don't get paid.
But again, I digress. The point is:
Communication skills are very valuable: translating stuff into layman's terms or business language, even beautiful technical prose, has value
Organizational skills are very valuable: setting up operating models, running efficient processes, measuring things and executing feedback loops can be golden for an organization
Stakeholder management is grossly under-appreciated in any large organization: getting people to see your view and managing decisions before they are made is a superpower in a modern organization
Project management skills should be valued more: planning and executing on plans, and being able to communicate value added and efficiency of investment, is a neglected area in security
And on and on. Only once we realize how wide the actual range of skills that can benefit the security of any organization is can we fix one of the root causes of the lack of diversity: overvaluing technical skills for all types of roles.
We need more diverse roles within security organizations; if not, we risk creating inefficiencies and blind spots. As with a lack of diversity in security technologies, you risk catastrophic failures and weak spots through neglect. Groupthink and biases are real and will have an effect on how your security works.
So, next time you are setting up a recruitment or defining a role, think beyond technical skills and take a good look at the strengths and weaknesses of your team. For in the acceptance of facts is the true root of wisdom.
[1] https://www.weforum.org/stories/2023/10/ai-organization-harness-diversity-and-inclusion-cybersecurity/