April 5, 2022 By Jennifer Gregory 4 min read

This is a time of major changes for businesses and agencies. That includes the move to the cloud and the shift to being digital-first. So, cybersecurity has moved to a front-and-center position in many companies and industries.

When talking about security, it’s easy to focus on the tools and technologies. After all, they’re what we use to keep apps, data and infrastructure secure. And when we do talk about people, it’s often about the skills. Once in a while, we focus on how employees often contribute to cyberattacks with poor cyber habits and need ongoing cybersecurity training.

But at the core of all cybersecurity programs and efforts is a team of people. They work together to design the processes and strategy. In short, people are at the heart of the larger digital transformation and the related digital safety efforts. And many cybersecurity discussions overlook the importance of creating a diverse and inclusive team.

Why add a diversity and inclusion program in cybersecurity

We spoke with Dimple Ahluwalia, IBM’s VP and managing partner, security consulting & systems integration, to understand more about why a Diversity & Inclusion (D&I) strategy is critical to organizations’ success both in terms of employee retention and cybersecurity effectiveness. She shares how we need to expand our view of recruiting and hiring to improve D&I in the cybersecurity industry.

 Q: Why is it important to add diversity to cybersecurity teams?

A: Cybersecurity starts with solving problems. People analyze situations differently, based on their own perspectives. For example, if we are trying to tackle social engineering, we need diversity of experience and thought to view the situation through different lenses and explore what we may be missing. Different people may also interpret information and communicate things differently. Having a strong communicator on the team can help translate technical info into terms that both employees and business leaders alike can easily understand. This can provide a clearer understanding of an organization’s security challenges and help drive desired outcomes, including improving cybersecurity posture.

We also need neurodiversity simply because different minds think differently. Some people are gifted with the ability to see patterns in seemingly unrelated data that could potentially show signs of data breaches. Others are more detail-oriented, which could come in handy when looking at test cases for applications. Having security team members with unique skills may provide additional insights and correlations that validate findings and could help further tune automated systems. 

We need to go back to taking a good look at people’s strengths. Cyber is not just about technology. It involves people, processes and technology. The people aspect is huge. Process, which is making sure people are involved who have the ability to think through situations sequentially or how things will be influenced, is crucial. While technical skills are important and helpful, they can be taught with time and effort. We shouldn’t limit ourselves to only hiring those with top training on the technology side.

Q: What is the first step that cybersecurity as an industry should take to improve overall D&I?

A: We need to start by expanding the application pool to a much broader range of potential cybersecurity professionals. Cybersecurity is one industry that benefits from being able to recruit individuals who don’t have a four-year college degree — and we need to capitalize on that. I believe we need to continue with traditional activities, such as adding cybersecurity curriculums in schools, helping students find and engage in practical opportunities and providing apprenticeships. But we need to go even further, especially in terms of assessments that help people determine what opportunities are available and how their skills translate.

We, as a community, need to get out of the mindset that new hires for cybersecurity should fit neatly into one box or another. We need to start thinking outside of the box and looking for raw, untapped talent in a variety of places. For example, I recently met with a client who is not allowed to hire anyone who doesn’t have at least a bachelor’s degree. This very specific requirement and closed-minded thinking could be costing the organization tremendous talent. I also worked with a professional who gained unique skills related to threat hunting while serving multiple tours in the military. When he left the military, he was advised by transitioning services that he should work in hospitality as a waiter. Luckily, he ignored that advice and applied to an IT company that took a chance on him. He eventually served on their internal threat team.

We need to find a way to identify and nurture talent from unconventional fields. We need to look beyond the roles we need to fill today and be more open-minded to fill the roles of the future.

Q: What tips can you give for improving D&I efforts? 

A: D&I starts with challenging the way the organization functions. Many leaders want to pursue D&I but don’t know how to go about it, let alone influence a change. We need the cybersecurity industry to push the effort to meet the interest of people who want to pursue a career within the industry. We need to help people take advantage of the resources that are available.

We need to ask ourselves how we can push the envelope, even more, to see if we can reduce the skills shortage. I’m not suggesting we hire people without the education that’s needed for their position, but many cybersecurity roles need the practical experience that’s often learned on the job more than they need a four-year — or even a two-year — degree. I think IBM is on the right track with its ‘New Collar’ approach backed up by SkillsBuild and Digital Badging.

While we all have the responsibility to serve our own organizations, we can do more as an industry — by looking at existing opportunities for companies to come together or platforms to help companies collaborate. We need to look at how to improve D&I throughout the industry, not just within our company.

For example, IBM SkillsBuild wasn’t created just to train future IBM employees, but to help improve the IT workforce overall. After individuals use SkillsBuild, they often go on to careers in cybersecurity and other IT fields that likely wouldn’t be possible for them without the education and enablement they receive through the program.

This is about more than not competing for the same resources — it’s about collaborating to create new thinking, expanding the talent pool and really coming at things a little bit differently. I think our adversaries are far more creative in how they look at talent early on and look at more propensity rather than applicants’ formal education.

To learn more about how your organization can improve D&I, watch the session “Security + Diversity and Inclusion: How it Can Supercharge Your Transformation” from the Executive Women’s forum.

More from CISO

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Boardroom cyber expertise comes under scrutiny

3 min read - Why are companies concerned about cybersecurity? Some of the main drivers are data protection, compliance, risk management and ensuring business continuity. None of these are minor issues. Then why do board members frequently keep their distance when it comes to cyber concerns?A report released last year showed that just 5% of CISOs reported directly to the CEO. This was actually down from 8% in 2022 and 11% in 2021. But even if board members don’t want to get too close…

The CISO’s guide to accelerating quantum-safe readiness

3 min read - Quantum computing presents both opportunities and challenges for the modern enterprise. While quantum computers are expected to help solve some of the world’s most complex problems, they also pose a risk to traditional cryptographic systems, particularly public-key encryption. To ensure their organization’s data remains secure now and in the future, chief information security officers (CISOs) should educate themselves about quantum computing, proactively address the coming quantum risks to cybersecurity and work to establish cryptographic agility in their enterprise.A future cryptographically…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today