The technology workforce has consistently lacked sufficient representation of women and underrepresented minorities. The challenge of creating and supporting a diverse cybersecurity workforce dominates the discussions of HR professionals and corporate leaders, who share a desire to move the needle on this issue. But what can be done?
On June 8, CLTC and Cyversity convened a panel discussion, hosted by Google Cloud, that addressed this challenge. Held at Google’s San Francisco Headquarters, concurrent with RSA Conference, the panel featured Ann Cleaveland, Executive Director of the Center for Long-Term Cybersecurity; Larry Whiteside Jr., Chief Security Officer for Women’s Care Enterprises and Co-Founder and President of Cyversity, an organization that seeks to improve the representation of women and underrepresented minorities in the cybersecurity industry; and Rob Duhart, Vice President and Deputy Chief Information Security Officer (CISO) at Walmart.
M.K. Palmore, Director of the Office of the CISO at Google Cloud and Cyversity Bay Area Lead, moderated the panel. Phil Venables, Chief Information Security Officer at Google Cloud, delivered opening remarks.
“The real importance of diversity has to do with risk management,” Venables said. “Group-think is the main killer of risk management…. The most effective antidote to group-think is having a diverse team, and diversity in all its forms that leads to natural good, healthy tension and different perspectives in teams. For me, diversity is a foundational concept for all of risk management, and especially security risk management.”
In his remarks, Whiteside noted that one of the key benefits of diversity comes from integrating a range of perspectives. “Every person views things via a unique lens,” Whiteside said. “If everybody’s looking through their own individual lens, based on their background, based on their upbringing, based on their demographic, they see things completely differently.”
Whiteside also noted, though, that the importance of diversity is well established, and leaders need to do a better job of transforming vision into reality. “We all have to figure out what is our individual role in helping to change that narrative,” he said.
Duhart noted that cybersecurity is a “human” problem that requires diverse viewpoints for maximum impact. “All of us in security realize that we are dealing with humans on the other side of terminals that are hoping to wreak havoc on our organizations,” Duhart said. “The more diverse our teams are, the better we can address those diverse threats that are coming from those humans.”
Ann Cleaveland noted that promoting diversity is woven into CLTC’s mission, which focuses in part on expanding who has access to and participates in cybersecurity. “If you’re going to deliver meaningful security, you have to always be asking yourself, for whom and under what circumstances is security being experienced and understood?” Cleaveland said.
Whiteside explained that he started Cyversity because “we felt there needed to be a conversation” and that “nobody was taking the action to own doing something.” He stressed the urgent need for change to come from all directions. “No social issue has ever been executed upon when it’s just the individuals being impacted that are raising their hand saying it’s a problem,” he said. “It’s when other, non-impacted individuals recognize the impact of the societal issue on them, and they begin to stand up and raise their hand and take some individual accountability.”
Cleaveland observed that the challenge of lack of diversity goes beyond the cybersecurity field. “Cybersecurity has a branding problem,” she said. “We need to shift the narrative in terms of actionable things we can do. It needs to be a sustained, multi-year, multi-pronged campaign, because people don’t recognize the variety of jobs that there are in cybersecurity, and we are not going to where those diverse people are with messages that resonate with them.”
“We have to move away from being bystanders to being participants,” Duhart said. “When we all become participants, it becomes exponential. We start to see the world change in a way that makes it different for not just people who come from various racial backgrounds, but also who are neurodiverse, or who are veterans or have disabilities.”
Whiteside emphasized the importance of partnership, but stressed that effective allyship calls for more than cutting checks. “We’ve heard the term ‘put your money where your mouth is,’ but that’s not allyship,” Whiteside said. “It’s not just cutting that check, but getting in getting your hands dirty and being a part of what change looks like.”
He also stressed that board of directors need to make diversity in cybersecurity a higher priority. “Until cybersecurity gets board visibility on a regular basis, and they recognize the impact of the lack of diversity in cyber and how it’s negatively impacting their bottom line, they’re not going to see it,” he said. “They have to draw that correlation to understand that the lack of diversity in cyber is making the gap between us and our adversaries grow so much faster, and that we’ve got to do something now.”
Cleaveland highlighted the role that cybersecurity clinics, such as UC Berkeley’s Citizen Clinic, can play in developing a diverse workforce, and she noted how collaborative efforts, such as the recently launched Consortium of Cybersecurity Clinics, can help make improvements at scale.
“We get more diverse students into cybersecurity when we connect with the sense of purpose that they already have,” Cleaveland said. “That can make an enormous difference in who we are able to attract and retain…. We think there should be a cybersecurity clinic in every state in this country, and every country in the world for that matter. And we think we can do it with a little bit of effort with a group of universities, colleges, and community colleges working together.”