As more organizations try to dovetail diversity, equity, and inclusion (DEI) efforts with the broader business goal of bridging the growing cybersecurity talent gap, diversity is gaining considerable attention in cybersecurity leadership discussions in 2023.
But security and workforce development experts say that the push isn't just about the staffing numbers game or the warm fuzzies of fairness. Those passionate about DEI in cybersecurity argue that bringing in a more diverse set of backgrounds and thinking patterns is also crucial to coming up with new ways of thinking about security problems.
"If we don't do it for empathy and our care for everybody else, then we should be doing it because our attackers are diverse. Do it because we won't win otherwise in this fight of protecting our business," says Deidre Diamond, CEO and founder of CyberSN, a cybersecurity staffing firm. "It takes investing, caring for, and developing people, and it takes going out of our way to do so. I do believe it needs to be done for everybody but certainly for minorities more."
As organizations develop their initiatives for bringing in a more diverse cyber workforce, they have to be mindful that the path to DEI failure is often paved with good intentions. While building a diverse and high-performing team of cybersecurity pros takes not only intentional recruitment and development of minority populations, organizations have to be wary that the very efforts that they're taking don't end up alienating the diverse people they're trying to attract.
"Understand that the words we're choosing could actually be sending out language that is turning folks away," says Christy Wyatt, president and CEO of Absolute Software. "The exact people you're trying to bring into the organization, you might be pushing away."
This might come into play in recruitment when the pitch to a highly talented recruit leads with diversity goals rather than a discussion of their skills or learning capacity. Or it could be more subtle cues after employment has been established that cause alienation — for example, by recognizing high-performers not for their accomplishments but their demographic identity. Or maybe it's a lack of communication altogether, such as by making all of those new diversity hires but failing to follow through with internal engagement and development so they feel like they're a contributing member to the team rather than a statistic.
"Think of it this way: If you're sitting in a room and you are the only person that looks like you or has your background, how are you made to feel like you have a voice?" says RegScale CISO Larry Whiteside, Jr., who is also co-founder and president of Cybersity, a nonprofit focused on supporting the academic and professional success of minority cybersecurity pros. "Once we get these people that we are looking to fill roles from these diverse communities, if we aren't reaching out internally, they're going to leave. Organizations have to be very purposeful in how they communicate and work with these people to make sure that they are getting their voice heard."
'Inclusion Is the How'
As a technology leader of 25 years who went through a computer science program during a time when she was often the only girl in the classroom, Wyatt has lived the good, the bad, and the ugly of diversity programs. She has spent a long time honing her technical acumen and business skills. She excelled in that room full of boys, climbed the rungs of the corporate ladder, and earned her seat at the boardroom table of numerous organizations. Along the way, certain programs and initiatives have helped and supported her — and others have decidedly not.
"My experience comes from being the target of those programs. I think that gives me a unique view," Wyatt says, "because in some cases that was incredibly empowering. Somebody saw me, and they valued me, and they gave me some support," she says. "In other cases, they identified me and isolated me, and it made me stand out. I did not love it."
As a leader at Absolute and a board member of several organizations, Wyatt is now on the other side of the fence, championing for change. One of the mantras that she tries to keep in mind is that "culture is a function of what you reward," she says. And while being transparent about DEI stats may be an important step in fostering trust both within and outside the organization, those may not be the metrics that organizations want to be tuning their biggest rewards against.
"Inclusion is the how. It's not the what," Wyatt points out. "We want to reward the performance. We want to reward that the business is getting faster. We want people to understand that this is a result of the investment we're making in our business by creating a more diverse organization — that's what's driving the performance."
At Absolute, Wyatt has pushed for a culture that values high-performing teams by rewarding the performance of the teams and not the individuals. People get paid the same for their role across the board, and when teams hit their profitability and growth targets, everybody gets a bonus.
"That's important because we need folks to make the connection that we all win when we have a broader set of perspectives, a broader set of approaches to solving problems, and we are doing it in one inclusive way," she says.
In addition to financial rewards, the way a company promotes and celebrates diversity successes will also set the tone for cultural values and can make all the difference in creating an atmosphere that retains diverse talent. Wyatt tells a story of how during the run-up to the last cybersecurity awareness month, her team was musing on the positive impact from building a cybersecurity team that is more than 50% female — comprised of highly talented individuals and many Ph.Ds. The initial proposal was to bring a selection of those women to talk about diversity at the company's all-hands meeting. Wyatt says she nudged a slight shift in that direction. She urged that they shouldn't focus primarily on the diversity but, rather, celebrate their cybersecurity work, their credentials, and allow them to "talk about the kick-ass job they're doing to protect our company."
"Now, of course, everybody saw who was standing on the stage. It's not that we didn't talk about diversity. It's not that we didn't mention it, that we didn't call it out," she says. "But it was a way of talking about this as a part of something that was fueling an impact on the business. It was a part of what was fueling the impact. It was a part of something that was fueling performance, that is something we want to share, as opposed to just making [diversity] the headline."