
By Michael Daniel, CTA President & CEO, and Monica Ruiz, Program Manager/Digital Diplomacy Strategist at Microsoft
As cybersecurity practitioners, we strongly support diversity, equity and inclusion (DEI) initiatives. Diversity in the cybersecurity field, and in the national security realm more broadly, is not where it needs to be. This statement is both normative and utilitarian. Although we have known for some time that more diverse ideas, experiences, and perspectives would improve our understanding of the threats, enhance our defenses, and enable more effective counter operations, we still lack necessary diversity and inclusivity. In recent years, multiple initiatives centered on improving the gender, ethnic, and generational diversity of the cybersecurity policy space have emerged, but the pace of change remains slow.
With that framing, we firmly believe that actively diversifying a field is not solely the responsibility of women, minorities or young people, but everyone. For those in the “majority,” this work is often uncomfortable or unsettling. It also makes the work of team building harder because you cannot rely on a shared worldview or similar backgrounds. However, we must embrace that discomfort if we are going to change the ecosystem to be more diverse and inclusive. We all have a role to play in creating a more representative cybersecurity space by using our own platforms and roles for positive change – even (especially) when it seems hard.
But a key question is how to do that. While many white, male leaders of small organizations want to improve DEI, they don’t know what specific actions they can take. If you aren’t hiring large numbers of people, what can you do? What steps can you take that go beyond “liking” a social media post? How does one walk the talk?
To help answer that question, we have set out to collect tips, best practices, and recommendations on a rolling basis that experts across the cyber community use to promote and operationalize diversity. Gathering these insights will hopefully provide a resource for individual action and also serve as motivation to learn from what others are already doing to make this space more inclusive.
Of course, these steps are certainly not the only viable way to support or expand DEI, and so we would value learning what you recommend. Feel free to share your best practices and tips with us and the broader community here. We intend to keep these suggestions available as a reference for anyone looking for ideas about how to take meaningful steps toward improving DEI in their organizations and the field as a whole.
To kick us off, we are delighted to highlight practical steps that can enhance DEI from Betsy Cooper at the Aspen Tech Policy Hub, Celine Bauwens at Citizen Lab, and Lorrie Cranor at Carnegie Mellon University’s (CMU) CyLab Security and Privacy Institute. Other individuals also contributed ideas but wish to remain behind the scenes. We have also included a few of our own thoughts.
Internal Management
Be intentional – it may not seem concrete, but the first step is to consciously factor DEI into decisions. That does not mean it is the only factor, but you should think about it. Intentionality in this context also means thinking about how others may perceive your words and actions and deciding to move away from those that reinforce stereotypes. You will not catch everything, but forethought and consideration go a long way to setting an inclusive culture.
Prioritize – even if you run a small organization, make DEI a priority anyway. The broader culture only changes through the accumulation of different behavior at the microlevel. No organization is too small to engage in this work.
Ask questions and listen to the answers – take the time to ask questions about your organization’s environment. Then listen to what you are told and be prepared to hear uncomfortable things. Not every single issue you hear about will require immediate action, but you have to be willing to confront inappropriate behavior.
Be flexible – almost everyone accepts that people learn differently – some are visual learners, some have to read, while others listen. Similarly, a diverse organization will have employees with different needs, whether it is work schedule, career development or networking advice. Clearly, organizations have to meet their goals, but how you get there can be, well, diverse.
Culture in the Workplace
Create safe and inclusive spaces – it is important to make the time and space to have one-on-one or group conversations with colleagues about DEI issues in the workplace. It may surface insights you didn’t know about and may provide the opportunity for someone to express their ideas.
Give credit where credit is due – recognizing meaningful contributions from individuals with a wide range of backgrounds and experiences is a sure way to build a positive culture in the workplace. It also helps elevate new voices and ideas in the short and long term, fueling productivity across the board.
Have a plan – put together a plan to foster a culturally safe environment for the team. A plan could include regular, confidential check-ins with each member of the team, educational activities to normalize conversations on structural inequities and opportunities to make recommendations to management.
Spotlight opportunities – there is a growing list of opportunities for engagement in the security and cyber fields. Leveraging your platform to highlight the great initiatives and work that your teams (internally) or outside organizations across this space are offering is a good way to raise awareness and accessibility for others.
Hiring and Pay
Job Descriptions – there are many resources to help reduce the bias in job descriptions. Some steps include reducing technical jargon, focusing on capabilities and skills, and eliminating unnecessary certifications.
Hiring process – you can change your hiring practices to increase the likelihood that diverse candidates will apply, such as by widely circulating the posting or leaving it open longer. You can conduct blind qualification reviews, meaning that you do not know the applicant’s name, gender, or other personally identifying information during the decision process.
Pay interns – unpaid internships or fellowships favor those from wealthy backgrounds, which remain disproportionately white. Further, people deserve to be compensated for their work, regardless of their age or whether the job provides valuable “experience.”
Public Engagement
Examples in public speeches, documents, and other materials – when discussing examples and hypothetical situations, use names that are not associated with being male or white. This step helps normalize the idea that leaders, CISOs, and others involved in cybersecurity can be something other than white men.
Don’t participate on manels or wanels – several of the respondents indicated that they ask about panel diversity before agreeing to serve or decline the invitation if the panel is all male or all white. This step sends out a strong signal that conference organizers need to factor DEI into their invitations.
Engage the unexpected – encouraging curiosity and showing interest is a positive way to build morale and inclusivity. One way to operationalize this is to make sure everyone who wishes to contribute can: following a panel discussion, call on participants who haven’t asked a question yet; following an event, go up to someone who asked a question and show interest in their work, expressing openness to learn more.
These steps are just a few examples of concrete actions that promote DEI. This Aspen Tech Policy Hub (Aspen Institute) resource also captures recommendations across themes of education, recruitment and hiring, retention, mentorship, and shifting the narrative: Diversity, Equity, and Inclusion in Cybersecurity.
Ultimately, all of us can take steps to create a more inclusive field by serving as mentors, using diverse-conscious hiring practices, and leveraging the power of narratives to promote underrepresented minorities in this space. None of these actions by themselves will suddenly transform the cybersecurity ecosystem, and the steps included above are not intended to be taken immediately and as a whole. Rather, they will collectively make a difference over time. We welcome your insights for this conversation; please consider taking a short survey found here.