The Need For Diversity In A Cyber Security Workforce
Leading High-Performance Cyber Teams As A Recipe For Success
On this week’s Task Force 7 Radio podcast, guest host Andy Bonillo welcomed Devon Bryan, the Executive Vice President and CISO for the National IT Organization of the Federal Reserve System, and Co-Founder of the International Consortium of Minority Cyber Security Professionals (ICMCP) to talk about diversity in a cyber security workforce. The pair discussed how multiple forms of diversity contribute to successful teams. Several diversity programs are moving the needle in industry participation by women and minorities. One area where the value of diverse perspectives is making a difference is in leading high-performance teams and the duo discussed how former military men and women possess the skills desired in diverse teams. Dramatic industry change can occur one life at a time.
As EVP and CISO at the Federal Reserve, Devon is responsible for ensuring the Fed's information security policies, architecture programs, and instant response teams remain effective and efficient. “He's, in essence, protecting our way of life,” said host Bonillo of his guest and former security colleague. Prior to the Fed, Devon worked as the CISO at ADP, where he led ADP's information security strategy. Devon also served as the Deputy CISO for the IRS and he began his information security career in the US Air Force's Air Combat Command.
Devon is also co-founder of ICMCP, a 501(c)(3) non-profit, which he launched in 2014 and geared toward improving the under representation of women and minorities in the field of cyber security through academic scholarships, certifications, mentoring, and networking opportunities.
Cyber’s Diversity Problem
Both women and minorities are considered under-represented at the highest levels of corporate America. In the 2018 release of McKinsey’s Delivering Through Diversity research study, 39% of the U.S. population classifies as a minority. However, only 12% of minorities occupied executive positions and 15% were part of the board of directors. “Clearly, there's a diversity problem in cyber,” remarked Bonillo.
“No one would disagree that cyber security is one of the most critical risks we face from a national economic and a national security perspective,” said Federal Reserve CISO Bryan. “And certainly a woeful lack of participation by women and people of color, especially when you juxtapose that against the number of unfilled jobs each year and against what we know to be a dramatic rise in cyber crime.”
High-performing teams typically constitute folks from diverse perspectives, which include diversity of thought, diversity of opinions, and diversity of backgrounds. With the reality of cyber security challenges today, we have to approach that problem in a significantly different manner than how it was done in the past to try and keep abreast of what the bad actors are doing, explained Bryan.
The threats are constantly changing for commercial, non-profit, and government organizations. Multiple programs exist to encourage women and minority participation. Bonillo questioned if these programs are making a difference in the percentage numbers.
A recent CNBC story highlighted that there is now a female on the board of directors at every S&P 500 company. While this is a significant milestone for women, “you go down the line of female CISOs, minority CISOs, and in a lot of the conversations that we're involved in at the executive level, there's usually only one in the room; the syndrome is real,” said Bryan.
Programs Making A Difference In Diversity
The ICMCP co-founder further suggested that the best way to change the dynamic of under-representation is to build a robust pipeline, starting in middle school and high school. Questions he suggested for organizations and industries to ask include:
- How are we making this career field more attractive for young women and people of color?
- How are we whetting those early appetites going back to middle school?
- And not just attracting women and people of color, but how are we retaining women in the field of cyber security?
The Girl Scouts of America offers a Cyber Security badge, which Bryan sees as a significant step towards helping chip away at the under-representation of young women in the field of cyber security by tapping into that pipeline very early. “There isn't such a program, however, for students of color,” noted Bryan. “And that introduces additional complexities. But we also need to change the perception and change the stereotype of who a cyber security practitioner looks like.” Bryan went on to encourage the current cyber security practitioners to make an impact on a young life and observe the ripple effects that it will have in their immediate community.
Grassroots organizations that are transformational in creating equity and balancing the numbers include:
- Black Girls Code
- Executive Women’s Forum
- Hour of Code
- Women’s Society of Cyberjutsu (WSC)
- Women in Cybersecurity (WiCyS)
From a tops-down view, movement is occurring within legislation and U.S. Executive Orders specific to the cyber security workforce too.
Recipe For Success: Leading High-Performance Teams
Diversity goes well beyond meeting a quota, said Bryan. “You might be meeting the spirit, but are you really meeting the intent?”
“The simplest recipe for success is leading high-performing teams,” continued Bryan. Everyone wants to feel valued, irrespective of race, gender, religious, sexual affiliation, and age.” He explained that organizations must embody the various dimensions of the diversity spectrum, including:
- Everyone wants to feel valued
- Everyone wants to believe that their opinions and perspectives matter
- Their voices can be heard
It is critically important for leaders of teams to make sure that women and minorities are invited not just to the table, but to also participate in what's happening at the table. CISO Bryan said that cyber leaders need to demonstrate that, “they are valued, and that they're actively participating in supporting the mission, driving the organization forward and helping the organization grow top line revenue.”
The ICMCP organization was incubated from sitting in several year’s of RSA conferences. Keynote speeches and sessions were all the same. The only place you would find a significant representation of women, unfortunately, was at the exhibit booths. And the same conditions extended to underrepresented minority groups.
“We wanted to leave this industry just a little bit better than we found it,” said Devon Bryan. “And so, that gave birth to the International Consortium of Minority Cybersecurity Professionals.”
“In order to meet the national security risks that we face related to cyber security, we need to have diverse perspectives and diversity of talent,” added Bonillo.
Creating Pathways For Service Members Into Cyber Security
Internet research firm Cybersecurity Ventures forecasts that damages related to cybercriminal activity will cost the world $6 trillion by 2021. It is important that all the resources that can be marshaled to help to protect private sector companies be brought to bear.
A lot of talented folks are in the military that have a very intimate knowledge of how to fight other nations, noted Bonillo. “What’s the ICMCP vision to bring them into the private sector in cyber security?”
“One of the core pillars of ICMCP's go-forward strategy is a war warrior to cyber warrior program that creates a pathway for our service men and women,” said Bryan, “to pivot from military service to protecting the core industries that are critical to the national economic security of the United States.”
Transferable skills to cyber defense include the laser-like focus on the mission, having the back of the people around you when you're in a foxhole, and the focus on protecting the vital interests of your country or your corporation.
How To Make Dramatic Change In The Industry: One Life At A Time
Closing out the podcast, host Bonillo asked CISO Bryan what advice he would offer executives who are leading the cyber security charge in their organizations. “If each of us, as cyber practitioners, was to reach out and change one life – just one life – we'll see a dramatic change in the industry,” Bryan summarized.
Bryan believes that everyone has relatives who are looking to cyber leaders as role models. These leaders owe it to them and to the generations that follow to break some of these stereotypes. “I certainly implore our existing practitioners to just spend a little bit of time; change one life,” said Bryan.
Guest host Bonillo ended the show commenting, “We all owe our success to someone else. We've stood on the shoulders of others who came before us. And so, we got to keep paying it forward.”