The Importance of Diversity in Cybersecurity & the Dangers of Homogeneity
Why it’s a good idea to hire diverse candidates from both a security and business growth perspective
Calling on the same people over and over won’t get you the same results over and over. Last year’s solutions are not reliable in a field like cybersecurity. What was airtight five years ago may be a sieve by now.
If your team takes what they see in front of them for granted, they’ll hit a wall.
Groupthink comes up in all kinds of organizations. It’s not always a big deal! But when your job is to not get complacent, you can’t afford groupthink. Teams make better decisions than individuals — and diverse teams make better decisions than homogeneous teams.
Ideally, your team is a reflection of your users.
Threat analysis isn’t just about spotting threats — you have to distinguish threats from ordinary behavior. Behavior that seems suspicious in one context may seem perfectly innocent and ordinary in another. Is someone entering several variations on the same password launching a dictionary attack? Or are they just trying to remember numbers they switched in when they stopped using “PassWord123”?
Anomaly detection is a delicate art. If your training data has only one example of an email from Nigeria, and it’s a prince scam, should you assume every email from Nigeria is spam? Of course not. But common forms of region blocking do basically that. When customers hit unexpected and unnecessary security obstacles, they often try to evade them in ways that get them flagged as more suspicious. Companies lose customers and revenue by interpreting unfamiliar benign behavior as dangerous.
This is why a diverse team is crucial. It’s true that when your cybersecurity team is small, it cannot be as perfectly varied and unpredictable as all your customers. Users will always come up with ways to surprise us. But a more varied team will have more contexts they recognize.
“When you hear hooves, assume you hear horses, not zebras,’’ is an adage in medicine. It’s advice to look for common problems before rare ones. But if you look around and see acacia trees, hooves probably mean zebras. If you look around and see tundra, hooves probably don’t mean horses or zebras. Maybe reindeer? So the argument of “Occam’s razor” only works in certain contexts. Technology has shrunk the world so that cybersecurity cannot exist in only one context.
Human errors — and the social engineering attacks that exploit them — cause nine out of ten data breaches in the cloud. So a crack cybersecurity team needs to be able to understand predictable user errors as well as what cyberattacks look like. In order to predict human errors, you must hire diverse humans who understand diverse human errors.
“Hi, I’m calling about your car’s extended warranty.” My New York friends get a lot of calls like this. They know these calls are all spam immediately. Because they do not have cars with extended warranties. Because they live in New York, where everyone rides public transit. But if you assume “no one would ever fall for this,” you need to have someone on your team who owns a car. In most of the country, those spam calls are a lot more plausible than they are in New York.
Similarly, scams coming from the Chinese embassy prompt most of us to hang up without a second thought. But those scams stole $40 million in 2018–2019. If you have a team member who speaks Chinese, and has friends or family who aren’t 100% certain they understand how their visa works, you can probably see how these scammers scared so many people into giving up so much.
A homogenous team will have a hard time keeping the broad perspective needed to detect novel threats — and to not flag novel customers. This is especially acute if your company serves users worldwide. Since you’re on an international platform right now (LinkedIn), you probably do reach international users.
Diverse companies are 70% more likely to capture new markets, and broadly perform better, compared to companies that don’t try to reflect the full variety of customers they serve. To foster creative problem-solving, aim to have women and men, young and old, people from different educational and occupational backgrounds, and people from both northern and southern hemispheres.
On a personal note, I’m half Somali and half Yemeni. My siblings, cousins, and their kids give me a lot of different windows into that region and the diaspora. I am tapped into the pulse of those people; I know what the youth in that area want, their hunger for western goods but also their anger and resentments. I have seen teams fail to understand these regional nuances and so I can personally attest to the importance of a diverse workforce.
Diversity is not about division. It is about bringing people together to a common goal: to democratize cybersecurity, to minimize the digital divide, and allow everyone to safely access all that the digital world has to offer.