Building High-Performing and Diverse Cybersecurity Units

Posted by Roderick Chambers, CISSP, CISM

The sudden rise of remote workforces started a digital transformation that expanded the threat landscape overnight. These rapid changes force organizations to rethink each role on security teams, from Chief Information Security Officers (CISOs) to practitioners. Now, more than ever, security leaders will need to bridge generational gaps, and build high-performing and diverse intelligence operations and cybersecurity programs to protect organizations.


Security and Diversity: Why It Matters

When I worked at a boutique consulting firm early in my career, a manager told me that I didn't “look like a cybersecurity professional.” This antiquated philosophy needs to change and has no place in an ever-changing industry that demands innovation. When thinking of cybersecurity professionals, many immediately think of either the mystical hacker wearing a hoodie in a dark basement, wreaking havoc on the digital world, or a male CISO with a pedigree education. These assumptions create barriers to entry and intimidate people from pursuing cybersecurity roles, especially when role models from underrepresented groups are scarce. Only 26% of the US-based cybersecurity industry identify as racial or ethnic minorities, and only 11% as women. This lack of diversity leads to diminished ingenuity, which benefits hackers who leverage social engineering, not just technology, to steal and exploit organizations and everyday citizens. This combination can only be defended against by talent, not technology.


When evaluating social engineering, it's much more complicated than targeting technology. Threat actors understand socioeconomic disparities. They will assess the type of hardware, technology and even employment situation, stalking a person's social media feeds to prioritize targets. Those who are unemployed are more susceptible to social engineering, and as changes to data privacy laws, application security and underground slang abound, the traditional IT-focused, middle-aged male security teams will fall behind. To identify specific terminology or the most current TTPs used by threat actors or discussed in underground chat forums, organizations will need talent from diverse backgrounds: people who think outside the box, perhaps because they have been outsiders themselves. The key to cracking social engineering is to hire people who can psychoanalyze and decipher phishing messages. In cybersecurity, those who can empathize and understand how fellow citizens are manipulated are underutilized resources.


Eliminating hiring gatekeepers

Gatekeeping by unqualified people, or recruiting from within your own pool of friends, prevents qualified people from being hired and handicaps your organization. Engaging with gaming hackers, digital problem solvers, psychologists, improv artists and veterans instead of having a singular focus on traditional education is essential to a high-performing team. Not mandating requirements, such as a university degree, and conducting skills-based, problem-solving tests to advance recruits, such as hacking downloadable content on their video games, can be a game-changer. Candidates can be taught business acumen, not how to problem-solve.


Self-taught hackers or gamers possess valuable problem-solving skills. Security practitioners should engage with them early and show them that there's a career path. Consider offering apprenticeships, mentorships or competitions with financial incentives to these brilliant and self-motivated individuals, who find triumph not in fancy titles but in discovering vulnerabilities or unresolved access points.


Bridging the skills gap in the security industry

Recruiting people from different socioeconomic classes has long been a challenge. Yet organizations that want a competitive edge can change the game by being proactive. Recognizing that most university students graduate with debt they cannot pay off within a decade, corporations can provide educational incentives with their jobs or start recruiting at vocational schools where hidden talent can be found.


Through work as a former federal government official, I've had the opportunity to learn from, support and work with veterans, so I know firsthand they are fantastic candidates. Many are task-focused and will get the job done at all costs. However, many also struggle with mental health challenges, and it is on us all to encourage and support veterans as they transition from military to civilian life. Consider creating mentorships between your staff members, self-taught hackers, newly minted recruits and veterans in your community.


Create an inclusive environment

A high-performing cybersecurity unit requires an inclusive culture that welcomes people from all backgrounds. Teams represented from nontraditional backgrounds will win over homogeneous teams any day. We must remember that cybersecurity is a people business. People create technology and exploits, and people protect technology. That is why, at the core of it all, our security teams need to be as diverse as the problems we are trying to solve because diversity is how we get the best security.

Roderick Chambers, CISSP, CISM

Information Security and Intelligence Advisor, New York State Department of Financial Services


Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
