10 No-BS Tips for Building a Diverse and Dynamic Security Team
Advice from women and nonbinary security leaders on creating well-rounded security teams, stronger CISO leadership, and a more resilient industry.
June 1, 2022
[Image: Diverse group of business entrepreneur people joining hands together outdoors]
Source: xavierlorenzo via Alamy Stock Photo
So many gallons of digital and literal ink have been spilled in the past decade over the skills gap and diversity problems in the world of cybersecurity that the discussion can feel monotonously nonproductive. So much of the talk tends toward hand-wavy, feel-good awareness pieces that are reductive and not all that helpful toward making meaningful changes. There's a whole lot of "cybersecurity skills gap, bad; diversity, good" but not much behind it.
So when people start offering hands-on, real-world, practical advice on how to intentionally change hiring practices, how to move the needle on collaborative work from security teams, and how to widen the net for talent in the security world, we sit up and take notice.
This is exactly what the recently published e-book Reinventing Security from JupiterOne Press does. The book is a product of a collaboration among 17 cybersecurity leaders — all of whom also happen to be women, nonbinary, neurodivergent, and/or underrepresented minorities. They offer meaningful strategic and tactical advice on leadership, collaboration, and team-building that's drawn from their own considerable frontline experiences.
For this slideshow we've dug through the text to excerpt and summarize the advice of a number of these experts. But the entire book is worth the read. It's a meaty guide that goes well beyond just stating security challenges. It actually provides answers for how to meet them.
"It is immensely important for the CISO to be creative in how they think about talent, which also includes considering individuals from non-traditional backgrounds. Vendor companies, government entities, audit and compliance teams as an example can be a great source of talent as well.
"Being creative about talent can also mean a conscious effort to optimize your balance of in-sourcing, co-sourcing and outsourcing. Managed services are a valuable way to augment key security capabilities, as are well-managed engagements with independent researchers such as bug bounty programs."
Uber CISO Latha Maripuri believes that to tackle the biggest security problems of today, security leaders must foster diversity. Different backgrounds, different mindsets, different skills, and different ways of approaching problems all contribute toward building curious organizations that are capable of meeting these security problems head on. She believes CISOs have the responsibility to foster that kind of diversity, which rarely happens unintentionally.
"I believe that diversity is the product of intentional efforts toward equity and inclusion, and that improving the diversity of talent and skill is another area where CISOs must think creatively," wrote Maripuri, who has held leadership roles at IBM and NewsCorp.
In addition to the suggestions excerpted above, she also believes intentional action from CISOs should include investing in community outreach programs for students and individuals from underrepresented backgrounds to fill out the talent pipeline. Similarly, she suggested boosting internal talent and building up rising CISOs with "a diverse set of rotations in technology and business roles as early as possible."
"I once attended a CISO dinner where a peer admitted he had never considered the idea AI could be biased. I was sitting in the corner with several other women security leaders; we all audibly gasped and started whispering in horror about how one cannot simply trust AI. To use security technology in safe and ethical ways, we need to consider a diversity of perspectives and consider how years of systemic privilege can create blind spots. We must become very effective at listening, considering new perspectives, and facilitating open dialogue."
This anecdote illustrates Jasmine Henry's belief that as technologies like machine learning and artificial intelligence (AI) come down the pike, security's advisory role in risk assessment and future-leaning problem solving will continue to accelerate. And in order to think through all the dimensions of risk, security teams will need a wide range of backgrounds to cover all the angles. Henry, field security director at JupiterOne, related the story of a woman in a wheelchair who was trapped on a curb by an automated grocery delivery robot because the technology wasn't programmed to account for accessibility challenges.
"Safe and accessible technology cannot occur in a vacuum," wrote Henry, who has led security in start-up land prior to her current role. "It can, however, occur when tech is designed and used by teams with a broad set of experiences."
She believes that it's the job of everyone in the security industry, not just leaders and hiring managers, to foster diversity. It can be done with something as simple as boosting and listening to other people's perspectives through social media or spending time reviewing research papers. It also comes through getting out of an ivory tower. At the advice of her CISO, she's planning on doing that through hands-on volunteer work to help secure a nonprofit.
"There's real value in leaning into you and what you can bring to the table. I owe a lot to the male leaders I've learned from, who have given me opportunities by making room at the table. But as a woman leader or entrepreneur, don't try to lead like the man leads. You lead how you lead; that might mean being softer, more of a collaborator, or a caregiver. Success comes down to knowing what you're doing and building the right team."
Lonye Nicole Ford would much rather be acknowledged for her cybersecurity skills and experience than her identity markers.
"It doesn't come naturally to me to talk about myself in those terms. When you come up in the government, you don't necessarily talk about your differences," wrote Ford, who is co-founder and CEO of Arlo Solutions, a cybersecurity, intelligence services, and program management firm focused on the defense and federal government sector. "You don't talk about sex, race, religion, or color. You talk about your knowledge, skills, and ability."
Nevertheless, as a successful woman entrepreneur in cybersecurity, she believes it is important to acknowledge the implications of identity in the field. For a long time, people who didn't fit the traditional profile of the profession needed to conform in order to fit in, she said. Her advice for up-and-comers, when it comes to relating with the team, is to lean into their unique talents and leadership styles — this is why they've been given a seat at the table to speak up.
With that comes the implication that those who invite talented and diverse team members should find a way to listen to alternative perspectives and embrace different leadership and collaborative styles. The secret ingredient to making it work without conflict may be creating the safety of repeatable processes so that the team is working from the same playbook to carry out their work. This applies not only across the security team but the entire organization.
Ford specializes in building cybersecurity risk management frameworks for defense sector organizations — she's the co-author of the Air Force Fast Track Risk Management Framework (RMF), among others. Frameworks are the solid ground that an organization can use to make the best decisions by taking into account the perspectives not only from security, but also from other parts of IT and the business at large.
"Integrating developers, ops personnel, and decision-makers to create policies and thresholds is a complicated landscape," she wrote. "Frameworks help by providing a context to navigate those choices with a full understanding of their implications."
"The further I get in my security career, the more I understand that it is part of my responsibility to ensure security learnings are demystified and more accessible to those that desire to learn more, no matter at what stage of their career the learners have found themselves. When I find something especially inspiring, useful, or have a story about teaching you'll find I use #NextgenInfoSec hashtag on social media — I invite you to join me in sharing your learnings with the community, and sharing the responsibility for bringing up the next generation of security professionals — demystifying the trade, and making security for all a reality."
Removing the mystery surrounding cybersecurity is crucial to making it more accessible to not only other people across the business who could use awareness of risk implications in all they do, but also to potential talent who could be drawn to the team. This is the ethos of Dr. Meg Layton, head of security architecture and engineering at Children's National Hospital.
Layton is an advocate of the philosophy that security is a shared responsibility. She believes that teaching and training play a huge part in helping different people across a business understand their roles and responsibilities in securing code, securing accounts, securing processes, and so on.
"Educators can help ensure that the connections are made beyond the technical 'here is how to do this' checklist and skills to the human side of the technology and explore security with all four styles of the Kolb (learning) models (experience, observation, abstract conceptualization, and active experimentation)," Layton wrote. "With everyone connecting and continuing the lessons to allow for lifelong learning, cybersecurity can truly become a shared responsibility by everyone."
This applies equally to security leaders trying to build up a talent pipeline for their organizations as well as the broader cybersecurity community. As she put it, a community is developed by shared experiences and values. For cybersecurity experts to sustain their community, she believes that they have to fully participate. If they want to get qualified candidates, they must be willing to also share their knowledge with the community.
"First, establish a shared vision. If one has been written down already, revisit as a team since everyone in the organization and the effort must support and believe the vision. Second, define your language together. Recalibrate and redefine when necessary, breaking down barriers and forging new ground together. Look at the makeup of the team and think like a coach. Do we have both breadth and depth with crossover? If not, recruit! Finally, build trust using the trust equation. Be bold in modeling your behaviors and even more so, mentor others by taking them aside and helping them grow."
Transforming IT departments to build cross-functional and risk-aware teams takes incredible amounts of soft skills and relationship-building from cybersecurity leaders and security champions in other technology leadership roles. Because these activities are so squishy compared with the very concrete world of designing systems, it can be hard for leaders to formalize and explain how this is done well.
As a chief architect and software engineering leader with a solid understanding and awareness of cybersecurity and cyber resilience, Tracy Bannon tries to make these concepts more concrete when she helps organizations transform themselves. The senior principal in MITRE's Advanced Software Innovation Center said weaving security activities across an entire team — whether they call themselves adherents to DevOps, DevSecOps, or Agile — takes four crucial ingredients.
"Cultural building must balance a shared vision, common language, blended teams, and trust to enable success," Bannon wrote.
"I don't believe in hiring brilliant assholes because the cost is always so much higher than any supposed benefit. Over the last few years, my approach to interviewing has come to reflect this. The best way I've found to ferret out qualities that don't support the kind of work I've been explaining is to ask questions that require vulnerability or copping to knowledge gaps. In technical questions, I try to find the edge of the candidate's knowledge in a non-adversarial way, which means framing the interview from the start as a fun conversation about shared computer interests between peers. This means that when I keep asking for further explanations and find the edge of the candidate's knowledge, I'm looking for curiosity instead of defensiveness."
The increasingly repeated advice to create a security culture of "yes" is another one of those phrases that often gets lip service without a whole lot of substance as to how to actually make it happen. When security teams have the reputation and the reflexive muscle memory of denying requests and squashing new features due to security problems, how do they overcome that?
Lisa Hall, CISO of biotech research firm Color, has some very definite steps and advice on how to get there.
"A culture of 'yes' doesn't mean agreeing to everything people suggest; we all know that a secure product, infrastructure, and culture are impossible to achieve that way," she wrote. "But we have to say yes to our colleagues."
That means saying yes, that security can work with people, listen to their opinions, try to understand their problems, and display a positive willingness to come to a meaningful and risk-mitigated solution that works best for everyone.
"Especially when you're actively transforming a culture, try erring on the side of very positive," she wrote. "Yes, we want you to tell us what you've observed. Yes, we know you're the authority on your area of work within this company. Yes, we cannot see everything, and we need your observations to do our work at all. Yes, you're important, and we're here to serve you."
Establishing that kind of culture is no small feat, but maintaining it will take zealous attention from managers — especially as they're hiring for their team, she said. This is why she puts so much effort as described above into understanding the attitude with which new recruits take to learning new things and solving problems they've never seen before.
"Cybersecurity and DevSecOps teams at organizations can learn a lot about being more inclusive from open source communities, including how to better include neurodivergent individuals such as myself. One way to help individuals from underrepresented backgrounds succeed in global technical teams is to write stronger and more inclusive technical documentation, also known as developer docs, contributed guidelines, or simply docs. Many neurodivergent people prefer clear instructions and can struggle in an environment where there is little guidance on how to get started. Well-maintained docs may have particular benefit for underrepresented backgrounds, but they also benefit everyone."
It may not always get top billing in the diversity discussion, but neurodiversity can play a big part in building up the skills and capabilities of a high-functioning security team.
"We need full participation among individuals from diverse backgrounds to solve tomorrow's greatest cybersecurity challenges, including individuals with Autism, ADHD, Tourette's, dyspraxia, dyscalculia, specific speech conditions, and sensory processing conditions," wrote Rin Oliver, a software engineer at US Bank who is themself a neurodivergent person with dyscalculia, dyspraxia, ADHD, and autism.
As Oliver explained, neurodivergent individuals can be huge assets to cybersecurity and DevSecOps teams, often bringing to the table advantages like nonlinear problem-solving and hyperfocus.
According to Oliver, not only do open source software (OSS) projects provide an important pathway for people from underrepresented backgrounds to gain hands-on experience and break into paid work in their field, but the way in which these projects are managed can also offer some important tactical insight on how to be inclusive of neurodivergent talent. OSS projects are usually globally run, decentralized, and worked on asynchronously. The level of detail in documentation is a huge factor in the success of the best OSS projects, and it can serve as a shining example for security leaders who would like to most effectively leverage the talents and skills of neurodivergent team members.
"We need to seriously reconsider our bias toward individuals with a college degree as an industry. There are some hidden politics that no one wants to talk about or touch, but the reality is getting a degree sets an income bracket more than it establishes your skillset, technical or not. The brightest cybersecurity minds I've encountered while teaching can often struggle in a traditional classroom but shine in groups or classes infused with project-based learning."
Getting creative and intentional about cybersecurity inclusivity means rethinking old paradigms. One of the biggest ones with regard to credentialing is reconsidering the requirement for a degree for certain cybersecurity roles, according to Joyous Huggins, founder of Defender Academy and Hack Joyously.
"Considering new pathways to cybersecurity training can help us create a more dynamic and diverse workforce for tomorrow, and provide opportunities for kids who struggle to focus in a traditional classroom setting," she explained in the book. "We are overdue for meaningful conversations about creating a more diverse and dynamic workforce."
Huggins suggested that in order to fill in the cybersecurity skills gap, security leaders need to reevaluate which cybersecurity jobs in their organization are professional and which are vocational. The latter needs more hands-on, skill-based tradecraft training than a traditional bachelor's degree.
"The term impostor syndrome, while flawed, has given people a socially acceptable way to describe the ways they have felt doubt or marginalization in the workplace. Sharing these experiences and feelings is a healthy expression and can help identify issues within a work environment that may be contributing to an employee's feelings of self-doubt. Regardless, we need to stop focusing on the individual as the reason they feel a lack of confidence or unpreparedness and start looking deeper at their environment, access to resources, and those they often interact with in the workplace."
The term "imposter syndrome" has gained prominence in the past decade or so to help provide a vernacular shorthand for feelings of self-doubt in professional settings. But security managers and teammates shouldn't be so quick to affix the label to all of the concerns or feelings brought by talented folks about not fitting in, according to Angela Marafino, a customer product manager focused on security and compliance products at Microsoft.
Leaders should also be openly examining those concerns to look for potential root causes within a team's or organization's underlying culture that could also be contributing to that person's unease.
"Let's stop assuming that because someone voices opinions about self-doubt, being nervous in a new role or environment, or are questioning their own skills, they must have imposter syndrome," Marafino wrote. "This type of feedback loop does not provide any constructive actions to take at the managerial or the individual level to help a person understand their situation in greater detail and determine who or what is failing them."
"Hiring junior talent, specifically the career pivoters, takes less time and saves money every year you run the program. This investment saves the company money overall in both compensation costs and in time by shortening the time-to-hire, and all while building the pool of talent in the industry. Even if that role is vacated and needs to be hired for again, the company has still saved money and created a competitive advantage for itself by building a reputation of investing in team members."
Often, the best cybersecurity recruits are the ones who may not necessarily have many security credentials but who have IT or even business experience to bring to the table, wrote Rachel Harpley, a cybersecurity talent advisor and founder of Recruit Bit Securely. She's a big proponent of attracting what she calls "career pivoters" to fill the cybersecurity skills gaps. These are professionals who are not necessarily looking for a complete career change but instead want to break into cybersecurity from security-adjacent roles. This could be people with a deep background in other areas of IT or business roles.
These pivoters can be a huge value add to an organization because they're usually able to come up to speed much more quickly than a college graduate with no real-world experience. Whereas an inexperienced but security-educated candidate would take up to three years to ramp to effectiveness, many professionals with IT backgrounds can achieve the same in six to 12 months, she said.
"This is an advantage that our industry has not yet capitalized upon," Harpley wrote. "Career pivoters can quickly close the skills gap."