RSA Conference Panel Agrees: Building a Diverse Staff Isn't That Hard, But it Requires Intention

Posted by Tony Kontzer

We hear constantly about the dearth of qualified cyber security professionals. Reports peg the number of unfilled positions in the U.S. as high as 3 million.

Meanwhile, cybersecurity — and IT in general — continues to gain a deserved reputation for being mighty white, and mighty male.

Maybe, at long last, the industry is starting to recognize that these two things are related.

During a panel discussion Thursday at the RSA Conference in San Francisco, a lineup of heavy hitters from the world of CISOs brought some clarity to the issue of diversity and inclusion in cyber security, offering attendees advice, best practices, and stories of their experiences grappling with bringing diversity into their workplaces.

Emily Heath, CISO of United Airlines, argued that recruiting, interviewing and hiring a wider demographic of candidates is essential to delivering truly effective security.

"If we're going to get creative and solve problems we've never solved before, we have to hire people who think differently," said Heath. "We can't just keep hiring people who think the same."

Heath has been acting on those ideas as her team grows. She said United's security team has grown six-fold over the last two years, and she's hiring another 50 people this year. As she's built that staff, achieving diversity of cultures, experiences and modes of thinking has been baked into the process.

"We kind of mandated that every hiring manager have a diverse slate of candidates," Heath said. "It forces them to go beyond traditional means to find them."

The approach has worked. Today, United's cyber security staff is 46 percent female and 48 percent people of color.

Alissa Abdullah, CISO of Xerox Corp., has seen her focus on diversity swing the pendulum far away from tradition: Her entire leadership team is female. That didn't happen because she didn't want to hire men; it happened because people gave her a chance, and she wants to expose other women to those same kinds of opportunities.

She also is motivated by the assumption that no one wants to be the one person in a room who checks off a box, and she figures that the more women and minorities are encouraged to consider careers in cyber security, the fewer boxes will need to be checked. Abdullah ended up in the field because someone at the NSA opted to stray from the usual strategy of visiting the biggest name schools, and added Savannah State — her alma mater — to the list.

The lesson from her story is that seeding the staffs of tomorrow by inspiring people of all backgrounds to pursue cyber security work can be as simple as visiting a non-traditional school, working with a local high school or youth group, or showing up at an off-the-radar event.

Such outreach is a snap for an organization like the National Football League, which has such widespread popularity among so many demographics, and the NFL has made a habit of reaching out to women and minorities, through visits to schools, partnerships with youth organizations, and hosting hackathons to get young talent working on cyber security projects.

"The talent is out there," said NFL CISO Michael Palmer, who moderated the session. "One thing we try to do in the NFL is get out in the community and let them know that there is opportunity."

Along those lines, Roland Cloutier, global chief security officer for human resources firm ADP, noted that the company sponsors the Women's Society of Cyberjutsu, a nonprofit dedicated to empowering women to succeed in cyber security, and its Cyberjutsu Girls Academy, which offers STEM workshops for girls from 8th grade through high school.

Cloutier said it's part of an effort to help develop raw talent, not just to seed its own recruitment pipeline, but also that of the industry at large.

He's also found the military to be a great resource for finding a diverse set of potential candidates and said he's had success recruiting people who transitioned directly into Department of Defense jobs and then looked to jump to the private sector.

More important than being able to check off those boxes, "you'll get a mission-centric person who has the basic skills to help protect your organization," said Cloutier.

Which speaks to the tricky part of this issue: Namely, that the key to building a diverse staff isn't to specifically look for diverse demographics, but rather to look for good candidates regardless of race, gender, nationality, or cultural background.

That's exactly what Jason Witty has done. During a long career in financial services that has seen him serve as a cyber threat prevention services executive at Bank of America, CISO of US Bancorp, and, as of the last six weeks, global CISO of JPMorgan Chase, Witty has developed a recruitment philosophy that has led to an effectively draconian requirement: Every cyber security manager must interview at least one candidate every week, whether they're hiring or not.

Without requiring that any of those interviews be with women or minorities, the practice has had the desired effect of giving the company a wider array of people to pick from when jobs do open. At US Bancorp, where he led an organization of between 700 and 800 people, it led to a 50-50 gender split without any concerted effort.

"There was no program seeking to get that split," he said. "It just happened naturally."

Naturally or not, it happened on Witty's watch, and there's no debating the role CISOs and their lieutenants have in ensuring that there's sensitivity to diversity, and that people from every demographic are represented in recruitment, interviewing and hiring processes.

As the session opened, Palmer shared a video of Troy Vincent, a former NFL star and currently the league's executive VP of football operations, putting this simply during an interview about the NFL's hiring practices.

"Inclusion is a choice," Vincent said, "and it starts with leadership."

Tony Kontzer, RSA Conference
