Why even CISO panels that are well balanced in terms of gender and ethnicity are not diverse, and what we should do to fix it
There is a lot of talk in the industry about diversity and inclusion, and rightfully so: security is still predominantly white and largely male-focused. A lot needs to be done to change it, and despite our best efforts, we are still in the very early stages of this shift. However, not everything is doom and gloom, and in the past decade we have seen a rise in diversity-focused initiatives, scholarships, events, mentorship programs, and the like - efforts that are destined to result in positive changes over time. From the outside, it looks like we are moving in the right direction, and to a certain degree, we are.
The real issue is that even with all these initiatives, security is bound to suffer from thinking that is anything but diverse. And, unless something changes, there is little that is going to change about the perception of the industry. Let me explain why that is the case.
Layers of diversity and inclusion in security
I think of diversity from the perspective of barriers and representation: 1) how can we ensure that there are no systemic barriers that prevent people from pursuing their dreams, and 2) how can we ensure that we encourage representation in a particular profession that is reflective of society? The first part is simple: people should be given the chance to aspire and achieve, and therefore they should be judged based on their skills and abilities, and not on other factors that are inherent to who they are, where they were born, what socioeconomic class they belong to, and so on. The second part is also straightforward, and can be best illustrated by an example: if women represent 50% of the population, it is not at all acceptable to see three or four women at a security conference of 100 people.
What we are doing about diversity and inclusion today
In the past five to seven years, we have started to see a shift when it comes to the problem of diversity in cybersecurity.
Organizations such as are working hard to support underrepresented people and those with non-traditional backgrounds to break into the industry and then advance through the ranks. Although the is probably the most prominent, many more groups and activists are pushing for progress, including , , , and others.
More and more companies are starting to recognize that security teams benefit from having people from different backgrounds, professional experiences, and walks of life. More and more speakers refuse to participate in all-male panels, and more event organizers are being mindful and intentional about inviting people with diverse perspectives. Although the problems of gender, age, ethnic, and other layers of diversity are far from being solved, we are well on the right track. Having said that, there is one problem that hasn’t received enough attention in the industry - I would even dare to say any attention at all.
The biggest gap as it relates to diversity and inclusion in security
As a product leader, I get to attend many security conferences, and as anyone who has attended at least one security talk or panel discussion will notice, 99% of them focus on buyers, sellers, and funders of security, namely:
- CISOs
- Security vendors (CEOs, founders, vendor CISOs)
- Security practitioners working for buyers or vendors themselves
- Investors - predominantly VCs, but also individual angels, angel syndicates, and the like
Although there are several broad groups whose perspective tends to get lost in this cacophony of buyer-seller-funder debate, such as academics, think tanks, and offensive security groups run by the state, I would like to focus on the largest gap. We do not get to hear from less security-aware groups that nonetheless greatly affect, and are affected by, security efforts. I am talking about a broad range of stakeholders working in enterprises, such as sales, customer success, legal, operations, development, finance, and the like, as well as individuals and small businesses.
Security conferences today offer a one-sided opinion of those in charge of providing security - CISOs, security practitioners, and vendors. However, if security indeed is “everyone’s problem”, we urgently need to start including “everyone” in the conversation about how security is done.
Getting out of the siloed thinking: overcoming the problem of diversity and inclusion in cybersecurity
We’ve heard enough of what CISOs and security providers think, and it’s time that we give others a voice. As a product leader, I know that when building a product, we cannot cater only to the needs of one type of user - we need to hear from everyone who affects or is affected by what we are doing. Security is no different.
Security needs to become a conversation, and for that to happen, CISOs, security practitioners, and vendors alike should be as open to listening as they are to talking. In practical terms, this means that when we assemble a panel to discuss how to secure the enterprise, we could also invite a head of sales or a customer success manager. When talking about DevSecOps, we should be interested in hearing the perspective of developers and infrastructure teams. When talking about insider threats, we need to include finance, human resources, and even marketing. When talking about securing SMBs, we need to hear from founders and entrepreneurs trying to get their ideas off the ground.
The only way security can become everybody’s problem is when everyone is engaged in finding a solution. This means we need to demystify security and make it digestible to those who aren’t deeply technical. This means we need to look for solutions that work for the business, not for security teams alone. True diversity and inclusion can only become a reality once everyone - and I mean it, everyone - is included in the conversation about how to do security. We cannot afford to make statements like “security is everybody’s problem” and “people are the weakest link” if the only way we engage these people is through mandatory and, let’s admit, incredibly boring videos twice a year.
So, where do we start?
I think that organizers of leading industry events can set a precedent by going beyond CISOs and investors and starting to invite people from different business functions onto panels. We were able to figure out how to get gender-diverse panels going, and we can replicate the same approach here.
Vendors can start spotlighting their customers - not just CISOs, but the broader group of people who are ultimately affected by their products and services. Journalists can start sharing the stories of regular people and highlighting that everyone plays a part in security.
A lot of this sounds like a utopian, naive idea; the same was said about many other approaches that now underpin how our society, and the security industry, run. Just because it’s not easy does not mean we can afford not to do it. At the end of the day, we are all in it together.