Transcript
A (0:02)
You're listening to the CyberWire network, powered by N2K. This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all CyberWire listeners through the generous support of Meter, building full-stack zero trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure, wired, wireless and cellular, in one integrated solution built for performance, resilience and scale. Go to meter.com/CISOP today to learn more and book your demo. That's M-E-T-E-R.com/CISOP.

Welcome to CISO Perspectives. I'm Kim Jones and I'm thrilled that you're here for this season's journey. We're bringing the deep conversations out of the conference, or more realistically, the conference bar, and tackling a single complex issue from every conceivable angle across a multi-episode arc. As we continue our inaugural season, we're examining the challenges surrounding the cyber talent ecosystem. Today we explore the question: does diversity matter in cyber? Let's get into it. I thought long and hard before I put together today's podcast topic, going back and forth about whether or not I should discuss this in the current political climate. I understand that some will believe this to be a political statement. Be assured that it is not. I just can't see how we can talk about the talent ecosystem without addressing the issue of diversity and how crucial it is to our profession. Some of you might enter this discussion with preconceived notions about my views and opinions. My hope is that those who choose to listen to this podcast are, by definition, inquisitive and open-minded.
As CISOs past, present and future, we cannot pioneer creative solutions to thorny problems if we assume that we already know the answers before we even start the conversation. Given the potentially controversial nature of this topic, I've decided to do this podcast solo. This way, any slings and arrows regarding the content will be focused exclusively on me. So here goes. As anyone who has ever worked with me is aware, one of my favorite sayings is: "Making lemonade out of lemons is easy. The job of a security professional is to make lemonade out of two apples, a grapefruit and a kumquat, and make it look easy." The problems and situations we're asked to address are not ones whose answers can be found on Google. In a career where "no" might be the first answer but "how" must be the last, our ability to put forth creative solutions to thorny problems is one of our most indispensable competencies. When I find that security teams are failing to innovate, my experience has been that it's a result of a failure to think critically about the issues. Critical thinking is the ability to evaluate, analyze, and objectively incorporate information to develop a unique interpretation and synthesize an appropriate resolution. Via critical thinking, we can conceptualize solutions to truly vexing problems and circumstances. In a world where raw, unsynthesized data is at our fingertips, the need for individuals and teams who can think critically is at a premium. We need to sort through mounds of chaff as we try to divine where the relevant gold kernels are. And in most cases the kernels and chaff look almost identical. So where does one gain critical thinking skills? Optimally, these skills are taught in some type of structured academic program focused on problem-based learning. However, the best critically thinking teams are ones made up of folks with exposure to diverse experiences outside of their primary areas of expertise.
What is commonly known as thinking outside the box is in actuality remembering solutions to challenges unrelated to business or technology and wondering if those experiences can help solve a current problem. If everyone came from the same background, lived in the same neighborhood, had the same teachers, dressed the same, thought the same, and played the same games, how on earth could they be expected to suddenly, spontaneously have a unique thought? Multilayered perspectives about things outside of tech disciplines, from human behavior, psychology, linguistics and cognition, philosophy, cultural belief systems and religious contexts to current events, economics, sociology and political science, and certainly what the past has taught us, history, and how individuals and societies as a whole are sculpted, molded and influenced through cultural context, promote more creative security solutions. One example of anemic thinking concerns the implementation of email encryption software such as PGP. In the seminal paper "Why Johnny Can't Encrypt," the authors showed that great technology failed to be effective because its creators did not adequately factor in usability issues. Specifically, only 33% of users were able to properly sign and encrypt an email in 90 minutes, and 25% of users accidentally sent their secret email in the clear. In a follow-up study done eight years later, these problems persisted despite upgrades to the software. It would be a fallacy to believe that the designers of PGP were inept. Rather, the problem was their frame of reference regarding usability. The designers made a great tool that made sense to a technologist. But how do you make a tool intuitive enough that non-technologists, whose priorities are not security based, can and want to use it? A critically thinking team might have considered different perspectives to help the developers envision a more user-friendly solution.
If innovative solutioning is enhanced by critical thinking, and critical thinking is boosted by a variety of perspectives and experiences, it stands to reason that a more diverse team in gender, ethnicity, cultural viewpoint, age, foundational education, physical abilities, and sexual and gender orientations will provide more innovative solutions to problems. A 60-year-old Black man raised in New England has a different set of outlooks and priorities than a 30-year-old woman raised in Kansas. A first-generation immigrant who attended college part time while supporting her family has a different perspective from a fourth-generation trust funder with influential parents who went to school on family money. A combat veteran will have a different viewpoint than a conscientious objector. The issue is not whose outlook is correct or better. Rather, it's that collective experiences and contexts help feed the innovation engine, resulting in more varied and creative solutions. In theory, cybersecurity should have no issues with diversity. Most of my peers would describe our profession as one of the last great meritocracies in the technology field. As one of my colleagues said, "I really couldn't care less about your race, creed, color, religion or sexual orientation. Do you like hard work? Do you like whooping up on the bad guys? Do you like keeping people safe? If you answered yes to those questions, then I've got a job for you." Indeed, I've built all of my CISO teams with this philosophy, using those same three questions as my final interview questions for job candidates. While I've never set out to create highly diverse teams, my teams have always been the most diverse in the organizations in which I've worked. This is a bit surprising given cybersecurity's less than stellar diversity track record. Reliable demographic data for the cyber profession is hard to come by on the best of days. Today is not the best of days. What statistics can be gathered are quite disheartening.
Over 65% of our profession is white. This is followed by Asian, African American, and Hispanic or Latino, which hover around 9% for each group. For comparison, in the United States, the demographic analysis says that 19.5% of the population identified as Hispanic or Latino and 14.4% identified as African American. Women make up about 26% of all cybersecurity employees, although they represent 50.5% of the population, and less than 25% of cyber executives self-identified as non-white.

Have you ever imagined how you'd redesign and secure your network infrastructure if you could start from scratch? What if you could build the hardware, firmware and software with a vision of frictionless integration, resilience and scalability? What if you could turn complexity into simplicity? Forget about constant patching, streamline the number of vendors you use, reduce those ever-expanding costs, and instead spend your time focusing on helping your business and customers thrive. Meet Meter, the company building full-stack, zero trust networks from the ground up, with security at the core, at the edge, and everywhere in between. Meter designs, deploys and manages everything an enterprise needs for fast, reliable and secure connectivity. They eliminate the hidden costs and maintenance burdens, patching risks, and reduce the inefficiencies of traditional infrastructure. From wired, wireless and cellular to routing, switching, firewalls, DNS security and VPN, every layer is integrated, segmented and continuously protected through a single unified platform. And because Meter provides networking as a service, enterprises avoid heavy capital expenses and unpredictable upgrade cycles. Meter even buys back your old infrastructure to make switching that much easier. Go to meter.com/CISOP today to learn more about the future of secure networking and book your demo. That's M-E-T-E-R.com/CISOP.
When I spoke at RSA in 2018 on diversity in cybersecurity, "Changing the Conversation," I opened the talk by mentioning that in 2017 I had spoken at, sat on or moderated panels at, participated in or otherwise attended seven diversity sessions and/or diversity conferences here in the United States, either as individual sessions at large cybersecurity conferences or at smaller venues devoted specifically to diversity. I ended 2017 with the opinion that cybersecurity was not ready to take diversity seriously and vowed never again to attend a seminar focused solely on diversity. When RSA approached me politely to speak on diversity in 2018, I explained my position and was told that I had an obligation to come and talk about why I felt the industry was not prepared to take diversity seriously. At that time, women made up only 10.5% of cyber professionals. Black and brown people made up less than 12%. Since then, we have focused on the issue, and the numbers and innovation have improved. When we diversified, we thought more critically and solutioned better than ever. You still with me out there? Haven't run away yet? Well then, let's talk about how we create diverse, critically thinking teams. Here are some starting points.

1. Be KSAE based. As I've stated in the past on this podcast, our profession tends to complain about what is lacking in candidates rather than be specific and concrete about what they want. Getting specific around your knowledge, skill, ability and experience requirements provides objectivity around your searches for qualified candidates. Remember, a lack of objectivity creates false justifications for exclusion.

2. Diversify your interview panels. I'm going to single out my white male friends for a moment and ask you to visualize the scenario with candor. How would you feel about an organization you were vetting if everyone you interviewed with was a woman of color? Or if you, at nearly 50, faced a panel of all 22-year-olds?
Even if you were thrilled about the potential opportunity, how would you feel about the company and your prospects for employment and advancement? The phrase "DEI initiatives" has become code for the return to discriminatory philosophies that would impair our profession and stifle creative solutioning and critical thinking. Merely being a person of color does not automatically make me a DEI hire. A lack of a DEI program or policy should not become a cover to return to the days of biased hiring practices. For those not old enough to remember, these policies first came into being because their absence led to systemic inequities.

3. Interview for what you specifically want. Organizations using outdated interview tropes and formats are just as myopic and out of touch as those who insist that technical interviews are all that should matter. To the latter, having great technical prowess and an inability to communicate or function as part of a team makes you less than optimal for a majority of the non-entry-level positions out there. Consider testing critical thinking skills by presenting the candidate with a Kobayashi Maru-like problem to solve. The answer is less important than understanding the candidate's thought processes and their ability to unpack their thinking to the interviewer. Note that the next step in such an interview would be to vary the parameters of the problem and see what the candidates do and how they react.

4. Candidates, show up. When I talk to young or aspiring cyber professionals, I often hear that they're reluctant to apply for a position in a company because there's no one already there like them. Every time someone says this to me, my answer is the same: how the hell is it going to get any better if you don't show up? Folks, being the first at anything is hard. Actually, it kind of sucks in most cases. But if no one steps up to be the first person, nothing ever changes.
Worse, you provide individuals in that company the excuse to keep their hiring practices unchanged, since they can't find underserved candidates to apply. The world doesn't change through complaining; it changes through direct action. That old story about everybody blaming someone when nobody did what anybody could have done is still true. Be the courageous hero. If there's no role model, become one. Show up. Sadly, the topic of diversity, equity and inclusion is currently a contentious hotbed, which is, in my opinion, sending some companies careening haphazardly in the wrong direction. I submit that teams are stronger, think better, and devise more creative solutions to today's thorniest problems because of a diversity of thinking, not despite it. We need a broad range of perspectives to figure out how to make lemonade out of two apples, a grapefruit and a kumquat. Our ability to trailblaze visionary solutions to tricky problems is the unique secret sauce that makes the cyber profession extraordinary. Let's make sure we don't lose that. My two cents. And that's a wrap for today's episode. Thanks so much for tuning in and for your support. As N2K Pro subscribers, your continued support enables us to keep making shows like this one. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. Tune in next week for more expert insights and meaningful discussions from CISO Perspectives. This episode was edited by Ethan Cook, with content strategy provided by Mayon, Plot, produced by Liz Stokes, executive produced by Jennifer Ivan, and mixing, sound design and original music by Elliott Pelsman. I'm Kim Jones, and thank you for listening.

Securing and managing enterprise networks shouldn't mean juggling vendors, patching hardware, or managing endless complexity.
Meter builds full-stack, zero trust networks from the ground up, secure by design and automatically kept up to date. Every layer, from wired and wireless to firewalls, DNS security and VPN, is integrated, segmented and continuously protected through one unified platform. With Meter, security is built in, not bolted on. Learn more and book your demo at meter.com/CISOP. That's M-E-T-E-R.com/CISOP, and we thank Meter for their support in unlocking this N2K Pro episode for all CyberWire listeners.