March 20, 2019 By Bill Bonney 4 min read

The other day, I learned something that great French winemakers have known for centuries: It is often difficult to make a complex wine from just one variety of grape. It is easier to blend the juice from several grapes to achieve the structure and nuance necessary to truly delight the palate.

We are similarly relearning that building diversity into the cybersecurity workforce allows us to more easily tackle a wider range of problems and get to better, faster solutions.

Essential New Facets of Diversity

I don’t want to strain the metaphor too much, but we can certainly learn from our winemaking friends. Just as they search for juice with attributes such as structure, fruitiness and acidity, we search for ways to add the personal attributes that will be accretive to the problem-solving prowess and design genius of our teams. One of my personal quests has been to add the right mix of business skills to the technical teams I have had the honor to lead.

On my personal best practice adoption tour, I have made many familiar stops. I learned and then taught Philip Crosby’s Total Quality Management system and fretted about our company’s whole-product marketing mastery in the ’90s (thank you, Geoffrey Moore, author of “Crossing the Chasm”). Over the last 15 years, I implemented ITIL, lean principles and agile development (see the “Manifesto for Agile Software Development”), applied core and context thinking (“Dealing with Darwin”) to help my teams establish skill set development plans, and used horizon planning (introduced in “The Alchemy of Growth” by Baghai, Coley and White) to assign budget.

Throughout this journey, I kept trying to add the best practices that were intended for development, manufacturing and marketing to the mix. I was just not content to “stay in my lane.” I did this because I believe that speaking the language of development, manufacturing and marketing — aka the language of business — is essential for technology and security.

Innovation and the Language of Business

As a security evangelist, I have long advocated that chief information security officers (CISOs) must learn how to be relevant to the business and fluent in the language of business. A side benefit I did not fully explore at the time was how much the diversity of thought helped me in problem-solving.

We have been discovering the value of diversity of thought through programs such as IBM’s new collar initiative and the San Diego Cyber Center of Excellence (CCOE)’s Internship and Apprenticeship Programs. IBM’s initiative and the CCOE’s program rethink recruiting to pull workers into cybersecurity from adjacent disciplines, not just adjacent fields.

Toward the end of my stay at Intuit, I participated in a pilot program that brought innovation catalyst training to leaders outside of product development. Innovation catalysts teach the use of design thinking to deliver what the customer truly wants in a product. While learning the techniques I would later use to coach my teams and tease out well-designed services — services that would delight our internal customers — I was struck by an observation: People of different job disciplines didn’t just solve problems in different ways, they brought different values and valued different outcomes.

So, another form of diversity we should not leave out is the diversity of values derived from different work histories and job functions. We know that elegant, delightful systems that are socially and culturally relevant, and that respect our time, our training and the job we are trying to do, will have a higher adoption rate. We struggle with how to develop these systems with built-in security because we know that bolted-on security has too many seams to ever be secure.

To achieve built-in security, we’ve tried to embed security people in development and DevOps processes, but we quickly run out of security people. We try to supplement with security-minded employees, advocates and evangelists, but no matter how many people we throw at the problem, we are all like Sisyphus, trying to push an ever-bigger rock up an ever-bigger hill.

The Value of Inherently Secure Products

The problem, I think, is that we have not learned how to effectively incorporate the personal value and social value of inherently secure products. We think “make it secure too” instead of “make it secure first.” When I think about the design teams I’ve worked with as I was taking the catalyst training, the very first focus was on deep customer empathy — ultimate empathy for the job the customer is trying to do with our product or service.

People want the products they use to be secure; they expect it, they demand it. But we make it so difficult for them to act securely, and they become helpless. Helpless people do not feel empowered to act safely, they become resigned to being hacked, impersonated or robbed.

The kind of thinking I am advocating for — deep empathy for the users of the products and services we sell and deploy — has led to what I believe, and studies such as IBM’s “Future of Identity Study” bear out, is the imminent elimination of the password. No matter how hard we try, we are not going to get significantly better password management. Managing 100-plus passwords will never be easy. Not having a password is easy, at least for the customer.

We have to create a new ecosystem for authentication, including approaches such as the intelligent authentication that IAmI provides. Creating this new ecosystem gives us an opportunity to delight the customer. Writing rules about what kinds of passwords one can use and creating policies to enforce the rules only delights auditors and regulators. I won’t say we lack the empathy gene, but our empathy is clearly misplaced.

Variety Is the Spice of the Cybersecurity Workforce

As we strive to create products and services that are inherently secure — aka secure by design — let’s add the diversity of approach, diversity of values and advocacy for deep customer empathy to the cybersecurity workforce diversity we are building. Coming back to my recent learning experience, I much prefer wines that were crafted by selecting grape attributes that delight the palate over ones that were easy to farm.

More from Application Security

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Audio-jacking: Using generative AI to distort live audio transactions

7 min read - The rise of generative AI, including text-to-image, text-to-speech and large language models (LLMs), has significantly changed our work and personal lives. While these advancements offer many benefits, they have also presented new challenges and risks. Specifically, there has been an increase in threat actors who attempt to exploit large language models to create phishing emails and use generative AI, like fake voices, to scam people. We recently published research showcasing how adversaries could hypnotize LLMs to serve nefarious purposes simply…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today