Following years of concern, discussions and initiatives about bringing more diversity to the cybersecurity field are getting louder. And, with an ongoing social justice movement occurring in the U.S., IT experts said the time has come for cybersecurity professionals to move beyond talking about diversity to ensuring cybersecurity workplaces are inclusive.
A lack of diversity in cybersecurity is an issue around the world, despite efforts to address the problem. For example, increased diversity in the lower ranks is often not reflected in the executive suite, which creates a divide in an organization due to its noninclusive culture.
Tyrone Wilson, president and founder of Cover6 Solutions, a cybersecurity assessment and training firm based in Arlington, Va., said your company has already failed if it is just now creating a diversity plan.
"The mere mention of diversity, supporting diversity or supporting people of color is frowned upon in some organizations," Wilson said.
Diversity done wrong
The culture of an organization is driven by all employees throughout the hierarchy. Leadership must be diligent to ensure that new hires feel welcome, valued, heard and assured that their contributions will not be ignored.
This is not an easy task, and Camille Stewart, fellow at New America, a think tank based in Washington, D.C., advised consulting with diversity, equity, inclusion and justice (DEIJ) experts to ensure the organization prioritizes diversity.
"DEIJ is a discipline and science that deserves the proper investment," Stewart said. "Do not leave that work to your diverse staff."
These DEIJ initiatives begin in the hiring process, she added, including the development of job descriptions that don't discourage applicants based on background.
"We focus too much on degrees, certs and technical acumen that can and will be taught in the role, especially for junior practitioners," Stewart said. "Having a diverse junior workforce but a nondiverse leadership reflects a devaluing of diversity, impacts the bottom line and supports decision-making that breeds noninclusive culture."
The push for diversity has not been embraced in earnest and equally by all organizations.
Wilson noted that diverse candidates are out there and not hard to find if they are given the opportunity.
"The keyboard doesn't lie -- eventually, you are going to have to put your hands on a keyboard to show that you have technical skills," Wilson said. "The problem is that people of color don't get to the table. They don't get to the keyboard."
A more diverse workforce leads to more diversity in thought, but only if everyone feels comfortable speaking up. Without an inclusive culture, that may not be the case.
The key difference between diversity and inclusion, according to Jules Okafor, CEO and founder of RevolutionCyber, a security awareness and training firm based in Annapolis, Md., is that diversity is a theoretical concept, but inclusion implies diversity plus action. This means not just adding people to a team, but "negotiating room for people physically, mentally, emotionally."
"Business leaders often fail to apply the concept of acceptance. Inclusion demands that leaders navigate inherent biases in their workforce, confront and remove barriers, then welcome the varying thoughts, perspective and experiences of new team members without retribution," Okafor said. "One cannot feel included in a discussion without having a voice."
Making employees feel heard not only helps to create an inclusive culture, but can lead to better outcomes for organizations. Inclusivity has been shown to reduce bias not just culturally, but in AI systems: If diverse perspectives aren't considered when vetting training data, inherent biases can be learned by AI models, and those models may be impossible to fix. For example, Amazon had to cancel use of an AI-powered job recruiting platform because it was biased against female applicants.
Stewart said diversity lets new voices into the room, but inclusion welcomes them by creating a culture where they feel able to actively participate.
"Having diversity in the room but too uncomfortable to contribute defeats the purpose," Stewart said. "An inclusive environment promotes retention, creates space for employees to bring their best to work and supports innovation."
In order to raise up Black security practitioners, Stewart began the #ShareTheMicInCyber campaign with Lauren Zabierek, executive director of the Cyber Project at Harvard Kennedy School's Belfer Center. Both Okafor and Wilson also participated in the event where prominent members of the cybersecurity community -- including Parisa Tabriz, Wendy Nather, Tarah Wheeler and Craig Newmark -- amplified the voices of Black security practitioners for a day on social media. Stewart and Okafor also spoke about diversity and inclusion in cybersecurity at Black Hat 2020.
The difficult conversations
Of course, letting everyone have a voice inevitably will mean uncomfortable conversations.
Wilson noted that people need to understand that even asking to have a diversity conversation means "asking us to rehash the most negative moments in our careers and then evaluate which ones are feasible to tell you about."
He also pointed out that, "if these conversations seem overwhelming to non-people of color, that's by design."
"For what feels like the first time ever, we are getting the support that we have been looking for, for an entire lifetime," Wilson said. "We don't want to lose that. We want to use that momentum, so we don't ever have to look back again."
Okafor suggested investing in anti-racism and anti-bias training, while requiring action to ensure and protect diversity initiatives.
"Diversity is the broken American promise. Inclusion is what we see when the Constitution lives up to its promise," Okafor said. "First, assess the root of your own deep-seated principles and how they impact your decision-making. We all need to start by examining ourselves."
With the Black Lives Matter and social justice movements continuing around the globe, empty promises about diversity are no longer enough. Okafor said it is long past due that society and its institutions make room for diversity in all forms.
"Inclusivity requires that people see the beauty in color, in language, in culture and embrace it. More importantly, it must allow different people to see themselves in the common spaces that validate or reflect the status quo," Okafor said. "Inclusive culture recognizes the 'other' but doesn't weaponize it to maintain power."
Although change has been slow and filled with roadblocks, there is optimism. Wilson, for one, said he believes things are starting to turn when it comes to increasing diversity in cybersecurity.
"Tell everyone you belong, even though you may not feel like it," Wilson said. "You are worthy, and whenever you get a chance to present yourself, just remember that you may be representing for people who may look like you."