This is a time of major changes for businesses and agencies. That includes the move to the cloud and the shift to being digital-first. So, cybersecurity has moved to a front-and-center position in many companies and industries.

When talking about security, it’s easy to focus on the tools and technologies. After all, they’re what we use to keep apps, data and infrastructure secure. And when we do talk about people, it’s often about the skills. Once in a while, we focus on how employees often contribute to cyberattacks with poor cyber habits and need ongoing cybersecurity training.

But at the core of all cybersecurity programs and efforts is a team of people. They work together to design the processes and strategy. In short, people are at the heart of the larger digital transformation and the related digital safety efforts. And many cybersecurity discussions overlook the importance of creating a diverse and inclusive team.

Why Add a Diversity and Inclusion Program in Cybersecurity

We spoke with Dimple Ahluwalia, IBM’s VP and managing partner, security consulting & systems integration, to understand more about why a Diversity & Inclusion (D&I) strategy is critical to organizations’ success both in terms of employee retention and cybersecurity effectiveness. She shares how we need to expand our view of recruiting and hiring to improve D&I in the cybersecurity industry.

 Q: Why is it important to add diversity to cybersecurity teams?

A: Cybersecurity starts with solving problems. People analyze situations differently, based on their own perspectives. For example, if we are trying to tackle social engineering, we need diversity of experience and thought to view the situation through different lenses and explore what we may be missing. Different people may also interpret information and communicate things differently. Having a strong communicator on the team can help translate technical info into terms that both employees and business leaders alike can easily understand. This can provide a clearer understanding of an organization’s security challenges and help drive desired outcomes, including improving cybersecurity posture.

We also need neurodiversity simply because different minds think differently. Some people are gifted with the ability to see patterns in seemingly unrelated data that could potentially show signs of data breaches. Others are more detail-oriented, which could come in handy when looking at test cases for applications. Having security team members with unique skills may provide additional insights and correlations that validate findings and could help further tune automated systems. 

We need to go back to taking a good look at people’s strengths. Cyber is not just about technology. It involves people, processes and technology. The people aspect is huge. Process, which is making sure people are involved who have the ability to think through situations sequentially or how things will be influenced, is crucial. While technical skills are important and helpful, they can be taught with time and effort. We shouldn’t limit ourselves to only hiring those with top training on the technology side.

Q: What is the first step that cybersecurity as an industry should take to improve overall D&I?

A: We need to start by expanding the application pool to a much broader range of potential cybersecurity professionals. Cybersecurity is one industry that benefits from being able to recruit individuals who don’t have a four-year college degree — and we need to capitalize on that. I believe we need to continue with traditional activities, such as adding cybersecurity curriculums in schools, helping students find and engage in practical opportunities and providing apprenticeships. But we need to go even further, especially in terms of assessments that help people determine what opportunities are available and how their skills translate.

We, as a community, need to get out of the mindset that new hires for cybersecurity should fit neatly into one box or another. We need to start thinking outside of the box and looking for raw, untapped talent in a variety of places. For example, I recently met with a client who is not allowed to hire anyone who doesn’t have at least a bachelor’s degree. This very specific requirement and closed-minded thinking could be costing the organization tremendous talent. I also worked with a professional who gained unique skills related to threat hunting while serving multiple tours in the military. When he left the military, he was advised by transitioning services that he should work in hospitality as a waiter. Luckily, he ignored that advice and applied to an IT company that took a chance on him. He eventually served on their internal threat team.

We need to find a way to identify and nurture talent from unconventional fields. We need to look beyond the roles we need to fill today and be more open-minded to fill the roles of the future.

Q: What tips can you give for improving D&I efforts? 

A: D&I starts with challenging the way the organization functions. Many leaders want to pursue D&I but don’t know how to go about it, let alone influence a change. We need the cybersecurity industry to push the effort to meet the interest of people who want to pursue a career within the industry. We need to help people take advantage of the resources that are available.

We need to ask ourselves how we can push the envelope, even more, to see if we can reduce the skills shortage. I’m not suggesting we hire people without the education that’s needed for their position, but many cybersecurity roles need the practical experience that’s often learned on the job more than they need a four-year — or even a two-year — degree. I think IBM is on the right track with its ‘New Collar’ approach backed up by SkillsBuild and Digital Badging.

While we all have the responsibility to serve our own organizations, we can do more as an industry — by looking at existing opportunities for companies to come together or platforms to help companies collaborate. We need to look at how to improve D&I throughout the industry, not just within our company.

For example, IBM SkillsBuild wasn’t created just to train future IBM employees, but to help improve the IT workforce overall. After individuals use SkillsBuild, they often go on to careers in cybersecurity and other IT fields that likely wouldn’t be possible for them without the education and enablement they receive through the program.

This is about more than not competing for the same resources — it’s about collaborating to create new thinking, expanding the talent pool and really coming at things a little bit differently. I think our adversaries are far more creative in how they look at talent early on and look at more propensity rather than applicants’ formal education.

To learn more about how your organization can improve D&I, watch the session “Security + Diversity and Inclusion: How it Can Supercharge Your Transformation” from the Executive Women’s forum.

more from CISO