The defensive power of diversity in cybersecurity

There are plenty of barriers to entry for a career in cybersecurity — or so the workforce of today believes. At the (ISC)² Security Congress 2021 event, panelists noted that individuals are put off because they believe they need to have advanced technical abilities gained in further education.

Not only do such hurdles hinder equality, but they could also hamper an organization’s ability to defend against an attack.

There is a massive range of complex issues open to abuse by attackers. They don’t care how they gain access to an organization — just that they do. This ultra-pragmatic mindset liberates them and gives them purity of focus that transcends everything. Unbounded by factors such as group politics, gender, appearance, regulations, geographies and social standing, they don’t want a particular person for the job — they just want the best skills.

Take, for example, the dark markets where attackers scout for team members. Picking from an anonymized and globally dispersed talent pool, people are evaluated purely on capability. If someone with standing says you are the best malware distribution person, phisher or web app hacker, you get the job. No certificates required, no four-stage interviews to see if you have the same worldview as your colleagues — just a job.

This eliminates the subconscious hiring bias that counterparts on the defensive side of cyber are conditioned into. Education, certifications, years in the role, shared experiences: It is a puzzle made up of a vast number of pieces, many of which are largely irrelevant and limit the talent flowing into organizations to people who fit a certain “type.”

The way attackers work naturally breathes more diversity into their ranks. If the only qualification required is whether you can do the job, geography, economic background, gender, race and neurodiversity become non-issues.

This provides an edge. In cybersecurity, where success often relies on doing the unexpected, diversity of thought is a valuable weapon. If the defensive team is standardized, but the attack group is diverse, it has a larger pool of perspectives from which to draw.

Diversity as a defensive weapon

For this reason, the need to attract new and different types of talent in cybersecurity is crucial. It surfaces new types of thinking, which, in turn, provides problem-solving skills that could help regain the competitive advantage.

Diversity in defense is about bringing together a wealth of different perspectives, solutions, experiences and ideas, all of which are absolutely vital to keeping ahead of threats. Ultimately, cybersecurity needs an approach to diversity that’s as pragmatic as the attackers — one that focuses on breadth of skills first and does away with long lists of expensive certifications and qualifications.

We all have different ways of looking at things, which has a significant impact on the way we react in times of crisis. Put simply, one person could fail to see a solution that’s glaringly obvious to another. Studies have shown that diversity has a huge practical application to problem-solving in the workplace, as it brings a wealth of different knowledge, skills and judgment to the table. When organizations have this breadth of knowledge and thinking in crisis scenarios, it gives them the upper hand to fend off the sophisticated attackers that make up today’s environment of threats.

Prioritizing skills when hiring and retaining talent

We need to remove the myth in cybersecurity that candidates must tick off a range of qualifications and certifications if they hope to enter the industry or advance their careers.

Aside from the fact that certifications are made obsolete very quickly by the pace of the threat landscape, they are also out of reach of many people. This introduces an artificial barrier to entry that undermines diversity in cybersecurity.

Instead, why not copy the hackers? Hire based on the ability to do the job. Put candidates to the test to uncover unique problem-solving qualities and capabilities. Whether they have a piece of paper has no bearing on whether they can spot a vulnerable application at 50 paces.

HBR research suggests that unconscious biases underpin many hiring processes, pulling the wrong candidates into organizations’ recruiting funnels. This has to change because it holds defensive teams back by introducing the kind of flat approach to problem-solving that brings risk.

Encouraging new and different talent to join — and stay in — the field

As with many things in technology, new disruptive ways of thinking are required to address the problem. There is a need to instill platforms, funding, policies and processes that diversify the talent pool in cybersecurity, opening it up to as wide a range of backgrounds as possible.

Intelligence and law enforcement agencies are leading the way, keen to reclaim the edge from attackers. What started with the FBI grappling with whether to hire hackers who smoke cannabis in 2014 has turned into more formalized programs with open arms to diversity.

Organizations such as GCHQ, the U.K.’s signals intelligence agency, are leading the way by actively hiring neurodiverse individuals for their unique ability to spot patterns in data. As with anything in cyber, what starts in intelligence agencies has a knack of achieving mainstream adoption with those defending large corporations.

Those in cybersecurity need to recognize that diversity is about more than just equality. It is about optimizing defensive capabilities by having access to the widest possible range of problem-solving abilities. In a space defined by pragmatism, this means getting a head start on initiatives that measure and hire based on knowledge, skills and judgment — not pieces of paper.