One of the core truths of cybersecurity is that regulatory compliance isn’t enough. I’ve emphasized this point before, and so have many others.
The logic here is straightforward: Regulations – necessary as they may be – are too inflexible and too slow to address the full spectrum of potential hazards.
If you’re looking for real security, you need to build it from the inside out, weaving it into every layer of your organizational culture. That way, smart security practices emerge naturally – no matter what happens. In a sector as fluid as ours, it’s the only way to play.
This principle holds true for another swiftly evolving business challenge: How to help traditionally male industries recruit and retain a more diverse workforce, ultimately embracing every facet of diversity.
Here too, compliance box-checking won’t cut it. If you’re just looking to satisfy the regs, you’re essentially telling your team that diversity is a hassle to be managed with minimal effort.
In many cases, this results in lowering the bar for hiring practices to achieve compliance – and not in the development of a thriving and diverse team.
Diversity should be seen as a must for cybersecurity firms – and a company’s failure to establish such a culture should be seen as a threat both to its own future viability and to its clients’ security.
That’s a pretty strong statement, I know. But here’s why I say it: The cyber realm is ever-changing and ever-evolving, and the threats never sleep. The only way to keep up is to maintain a workplace culture that is totally open to new ideas and diverse voices.
And by ‘totally open’, I don’t mean ‘kinda open’. I mean so open that you’re willing to accept the mistakes, bad ideas, and occasional outright failures that inevitably happen whenever you’re genuinely challenging the status quo. I mean so open that you’re actively destroying all barriers – both obvious and subtle – to the emergence of genuinely innovative thinking.
I know our sector mouths such nostrums all the time. But look around. How many companies are acting on the realization that one of the biggest barriers to innovation is the chronic underrepresentation of so many talented pools of potential innovators? (That would be all the pools except the male one, in case you’re wondering.)
It’s quite likely that a lot of companies are avoiding this because it requires an awful lot of work. Well, I won’t lie to you – it does. But I can tell you from firsthand experience that the effort is totally worth it.
This became apparent to me early in my career. I got lucky. I spent my early days in cybersecurity marketing with some really solid – and entirely male – research teams that just didn’t care that I was a woman. They cared about whether I knew my stuff; it’s how they judged everyone around them.
Once I met that bar, these colleagues invested generously in my professional development. It was all very empowering – and very illuminating.
Unfortunately, time and time again I have heard stories from other women of early-career experiences that shattered their trust, set back their progress, and in some cases chased them out of the tech sector entirely.
These women are not incompetents or shrinking violets who deserved to be weeded out of a competitive marketplace. They are highly talented individuals with much to offer, and the ultimate losers are the companies that treated them so shabbily.
When I became CEO at IOActive nine years ago, I was determined to instill an inclusive, status-quo-challenging mentality throughout the team. For us, it’s an absolute imperative. We have offices (and clients) around the world, and literally cannot afford to allow any barriers to the open flow of information and ideas – from anyone and anywhere.
The approach we’ve taken is less about ‘diversity programmes’ per se, and more about a culture that abhors all blockages to the development and dissemination of good ideas, no matter the source.
In such a culture, communication is of paramount importance. As an executive team, we try to talk to everybody as much as possible so that we are aware of any formal or informal practices that might make our company less hospitable to smart ideas – and smart people, regardless of gender identity.
For instance, we often use meeting facilitators to make sure that good ideas aren’t getting suppressed or shoved aside just because the people who have them happen to be introverted, soft-spoken, or otherwise inclined toward a communication style that male business cultures traditionally disfavor.
It’s just one way of ensuring that all participants – of all genders and backgrounds – can present ideas for broader consideration. This not only widens the aperture for worthwhile thinking; it signals our seriousness about maintaining an open, welcoming corporate culture.
As a female executive, I obviously have a personal interest in seeing the cybersecurity field become more open to women. And make no mistake: While I’ve seen vast improvements throughout my career, there is still plenty of room for improvement.
I’m reminded of this every time I go to a cybersecurity conference. As a woman, I am a minority in almost every room I step into. I’m also reminded of it when I go to a CEO roundtable and folks from other companies initially assume I’m one of the event planners. It has happened more times than I can shake a laser-pointer at.
Are these experiences a bit frustrating? Sometimes more than a bit frustrating? Sure. But over time I’ve come to a resolution: My best response is to be myself; to own my identity without apology; and to know that my voice has purpose.
And that’s what I want for everyone in our company. It’s also what I want for everyone in the cybersecurity sector. We need wholly inclusive business cultures that sustain and propagate themselves, and that organically generate superb outcomes for the daunting task at hand.
This matters, because our work matters. At a time when our skills and ideas are more urgently required than ever, we need to see all artificial barriers to talent for what they truly are – a threat to our companies, a drag on our sector, and a dangerous impediment to the attainment of security in cyberspace.