Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

11:05 AM
Connect Directly

Q&A: How Systemic Racism Weakens Cybersecurity

Cybersecurity policy expert and attorney Camille Stewart explains how to dismantle systemic racism in the industry - and build a more diverse and representative workforce.

Meet Camille Stewart, Google's head of security policy for Google Play and Android, who leads the company's cybersecurity, privacy, election integrity, and misinformation policy. Stewart is an attorney and national security and foreign policy expert who recently authored the article "Systemic Racism is a Cybersecurity Threat" for the Council on Foreign Relations. The article explores the impact of systemic racism in cybersecurity and how to dismantle it. 

Stewart recently spoke with Dark Reading executive editor Kelly Jackson Higgins about how systemic racism affects security tools, users, and organizations, and what specific actions security professionals can take to help create a more diverse workplace and industry. 

Here is an excerpt from that interview. 

Camille Stewart
Camille Stewart

Q:  Cybersecurity has long had a diversity problem with gender and race. You have written about systemic racism in cybersecurity and how diversity can't be addressed until systemic change is addressed. Would you elaborate on that?

Stewart: Systemic change is what's necessary to really eradicate racism; that won't happen in one day. That's a long-term goal, so we have to be conscious of issues of race in the work that we do every day. I think in cybersecurity, we focus mostly on the workforce issue: We recognize that we don't see people that are diverse in our industry and in our jobs, but that alone is not enough. These societal issues, these issues of import to how we operate and move as people and as a society, directly wrap into and are inextricably linked to how we develop technology, how we implement systems in an ongoing manner, and how the cybersecurity industry will evolve. To ignore them means that we are leaving ourselves vulnerable to a very big threat vector. The most obvious one I think most people can connect with is the misinformation/disinformation problem.

We saw that Russia was targeting, in particular, African-Americans in the 2016 election around misinformation/disinformation. That problem is twofold: [African-Americans] are both a target for manipulating their narratives to exacerbate racial tensions and to sow discord in a way that further pulls them out of the system: self-selecting yourself out of voting because you feel disenfranchised, disconnected, and unheard.

But it is also a tool to exacerbate the polar ends. The far left is chiming in for justice, which is directly opposed by the far right, which says this is not really an issue. That makes them more at odds around something that should be a fundamental right for all people. It politicizes and polarizes something that we should all coalesce around.  

I have not seen ... any comprehensive strategy or counter-narratives or anti-narratives that really focus in on this problem. It's not exclusive to Black Americans ... but it's happening in the immigration context, to disenfranchised immigrants, to veterans, and it's happening to a number of different demographics. So the narrative of the disenfranchised is easily being manipulated and weaponized this way, but we're ignoring it because it makes us uncomfortable.

Q:  How can diversity be applied to cybersecurity tools, and how can it help make the tools more effective?

Stewart: Tools that don't contemplate how different groups will actually use them and perceive them ... tend to fall flat. Not to say everything has to be targeted to everyone. But you should know who your audience is, know use cases you're targeting, and you should understand how implementation – and particularly interaction – will change based on their lived experiences.

I think understanding that the tools you're building will interact with different groups differently and that race is an important factor, gender is an important factor, lived experience is an important factor, allows you to open yourself up to the fact that this might apply differently to different groups. You can set up the infrastructure that leverages the talent you have internally – who have different backgrounds – to expand or test those assumptions. Or you hire an external consultant to help test your product.

Quite frankly, the best solution is to have diverse teams.

Q:  How does a lack of diversity hurt security? How would having more diverse perspectives within enterprises make them or the tools they build more effective?

Stewart: A good example is in a critical infrastructure company. If you are contemplating how to build resilient systems internally that will then affect a diverse consumer base – your critical infrastructure, whether it's water or electricity – how that [then] affects the daily lives of people who live in predominantly white suburbia versus a black suburban area, versus an inner city with a diverse array of socioeconomic folks, [these] things will be different: The city's ability to respond. The city's ability to mobilize around whatever your mitigation is. The impact it will have on how the children in the home are able to connect to school. The ability for the family to have a generator to back them up should the electricity go out. The ability to combat food insecurity if you've lost water, or electricity, etc.

All of those things change based on things like race and socioeconomic status. And if your mitigations don't contemplate for the diversity of your consumer base, you have a problem.

How citizens trust or don't trust the institution that provides them that common function is a big part of how they then interact with those tools and what permissions they give you, and how they elect to provide data and provide feedback to you. ... If you don't contemplate how folks will interact with you as an entity – but also with that tool and mitigation specifically – there will always be a gap.

Q: What can the cybersecurity industry do to foster a more diverse and inclusive space that attracts and welcomes diverse job candidates – and retains them?

Stewart: We need to be better at having hard conversations, and people need to be open to the difficult to the uncomfortable, because at the core of all of this it is about how we relate to each other and our willingness to stand in the gap for each other. I recognize that there are a lot of people who have a heart for these issues, so they are very empathetic and passionate and see that there is a gap and would love to see something happen. But not a lot of people have the stomach to do the work that it takes to bridge that gap and to create a more inclusive industry.

That requires your being willing to stand in the gap on an individual level and speak up when your co-worker is underleveled. or looked over in a meeting, or not included in something, or not given credit for some work that was done. That is holding your leadership accountable with incentives or structures that will empower them or encourage them to meet a target around making sure there are more women, black people, women of color ... in a given space in the company, or [that] the company as a whole is pulling in diverse voices.  

We need to be individually active stewards of being antiracist and eradicating discrimination within our industry. I think a lot of people have a lot of empathy, but they're like, "I don't know what I can do," so they kind of separate themselves from the solution and say, "I hope it comes" rather than diving in every way they can, from the individual interaction, to what they demand of their company, to standing with a co-worker when they make demands of their company – even if they don't quite understand it.

When you hear people of color, women, any disenfranchised group, call out for a change or call out some kind of discrimination, that is not an easy thing to do. It doesn't bode well for them to call that out. Even if you don't quite understand it, stand with them because they are putting themselves out there in a way that does not benefit them by saying it. So putting out there your support for them is a big help and encouragement when they are standing alone in the middle of an industry that doesn't look like them and has not make space for them, and they are trying to call out for space.

Q: How do you effect change policy-wise?

Stewart: There are definitely things we can do from the pipeline, with more recruiting events.

[But] just focusing on the early pipeline, I think, we also do ourselves a disservice. If you do not have people midcareer and senior level who are visible for folks to see and who also have good stories to tell, all that work at the beginning of the pipeline is for naught.

You have to also focus on elevating and improving the experiences of our midcareer and senior career professionals who have stayed in the industry. These things from a policy perspective and in our current political climate that might be hard hold people to task to make those companies look more like their consumer base and look like the country they're in. Let it be more reflective.

We can have funders and investors and all the infrastructure that we used to drive change in the industry as a whole: Use those things to encourage that kind of change. As a funder, you should be asking for folks to have a representative staff at all levels, and as an investor you should be doing the same. There are a number of ways we can hold each other accountable.

Q: How has the COVID-19 pandemic affected diversity and systemic racism in cybersecurity? Does the shift to working from home provide an opportunity to move the needle?

Stewart: I think it's an opportunity for people. All of us being locked in our homes meant that we felt the murders of George Floyd, Ahmaud Arbery, and Breonna Taylor ... in a way that [pre-pandemic] we were moving through our lives, flying around, engaging with people – we were able to kind of feel in the moment and then we were able to dissociate ourselves from it.

That in and of itself is an opportunity ... the deep feeling of it.

Companies are also having to completely rethink their working models.

Now we have options to allow us to be sensitive to the fact that some of the places that we are asking people to live and work are not conducive to them thriving as individuals, and what you want is a workforce that feels comfortable where they live so they can bring their whole selves to work.

Stewart will lead a discussion session at Black Hat USA Virtual  on "Taking Steps to Break Down Systemic Racism in Cybersecurity," in the event's Community track, on Thursday, Aug. 6, at 10 a.m. PT

Related Content



Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
7/24/2020 | 5:26:05 AM
If you don't see systemic racism then you're part of the problem
Her point is that her comments are relevant to EVERYONE and we should all open our eyes to what's around us.  If our workplace/management isn't diversified how will anything ever change?

I nearly didn't comment on this article but then I'm not standing in the gap and speaking up about this issue and then I become part of the problem.

If a tool is selected on its ability to fulfill a need/remove a pain point first, followed by how much then we should be looking at our data/need/pain point before we even start and if our data/need/pain point isn't diverse then we're not fulfilling the need - we're missing HUGE groups of people and HUGE groups of issues that we're not looking into/responding to.

I find it ironic that the article finishes with Stewart leading a discussion session at Black Hat USA Virtual - that's a whole other topic of conversation but at least there's a discussion about systemic racism.
User Rank: Strategist
7/23/2020 | 5:28:59 PM
Re: systemic racism driving cybersecurity
in my experience a tool is selected on its ability to fulfill an need/remove a pain point first, followed by how much?  Other considerations are after these two are next.  

Perhaps her comments are more relevant to the management-level where one moves farther and farther away from tangible deliverables.  When one is the pair of hands on the end of the shovel, the ability to do the work as prescribed, on time, per spec is the first priority.  Where they came from, their gender, or ethnicity aren't a consideration.  The last two hires at my employer were people of color.  They were hired for their technical ability not for any other reason.
User Rank: Strategist
7/23/2020 | 2:19:26 PM
Re: systemic racism driving cybersecurity
please cite the specific actions that can be taken now that haven't been tried before
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
7/23/2020 | 1:49:59 PM
Re: systemic racism driving cybersecurity
I disagree. Camille has shared some specific action items that folks in this industry can do. And these are changes that are long, long overdue.
User Rank: Apprentice
7/23/2020 | 12:53:35 PM
There is no SYSTEMIC racism!
Racism as by definition, will never be fully eradiated.  It does exist unfortunately, but IMHO, very few feel this way. Those that believe that racism is systemic have been covertly misled for decades.  I truly despise articles like this, purporting a topic as fact when in reality there are definitely two sides.  So here we understand that Dark Reading fully supports the notion of "systemic racism" when they shouldn't be supporting any controversial topic whatsoever--even under the guise of technology!  Please, spare all readers in the future, from the sly attempt at passing trendinig fiction as fact and lets use our brilliance to uncover the real truth, no matter what that is--outside a professional technology forum.
User Rank: Strategist
7/23/2020 | 12:34:25 PM
systemic racism driving cybersecurity
All these questions, and the same answers, have been around for at least 40 years.   And if those answers didn't work then, there is no reason to think they will work now.   The problem is that those calling for change want someone, other than themselves, to change.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-13
Teradici PCoIP Graphics Agent for Windows prior to 21.03 does not validate NVENC.dll. An attacker could replace the .dll and redirect pixels elsewhere.
PUBLISHED: 2021-05-13
The lack of nested page table protection in the AMD SEV/SEV-ES feature could potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise the server hypervisor.
PUBLISHED: 2021-05-13
In the AMD SEV/SEV-ES feature, memory can be rearranged in the guest address space that is not detected by the attestation mechanism which could be used by a malicious hypervisor to potentially lead to arbitrary code execution within the guest VM if a malicious administrator has access to compromise...
PUBLISHED: 2021-05-13
A Denial of Service due to Improper Input Validation vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially to prevent any new user connections.
PUBLISHED: 2021-05-13
A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with t...