Diversity, equity and inclusion in cybersecurity hiring

Cybersecurity hiring managers, and the entire cybersecurity industry, can benefit from recruiting across a wide range of backgrounds and cultures, yet many organizations still struggle with meaningfully implementing effective diversity, equity and inclusion (DEI) hiring processes.

Join a panel of past Cyber Work Podcast guests as they discuss these challenges, as well as the benefits of hiring diversely:

  • Gene Yoo, CEO of Resecurity, and the expert brought in by Sony to triage the 2014 hack
  • Mari Galloway, co-founder of Women's Society of Cyberjutsu
  • Victor "Vic" Malloy, General Manager, CyberTexas

This episode was recorded live on August 19, 2021.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

The topics covered include:

  • 0:00 - Intro
  • 1:20 - Meet the panel
  • 3:28 - Diversity statistics in cybersecurity
  • 4:30 - Gene on HR's diversity mindset
  • 5:50 - Vic's experience being the "first"
  • 10:00 - Mari's experience as a woman in cybersecurity
  • 12:22 - Stereotypes for women in cybersecurity
  • 15:40 - Misrepresenting the work of cybersecurity
  • 17:30 - HR gatekeeping and bias
  • 25:56 - Protecting neurodivergent employees
  • 31:15 - Hiring bias against ethnic names
  • 37:57 - We didn't get any diverse applicants!
  • 43:20 - Lack of developing new talent
  • 46:48 - The skills gap is "nonsense"
  • 49:41 - Cracking the C-suite ceiling
  • 53:56 - Visions for the future of cybersecurity
  • 58:15 - Outro

[00:00:05] CS: Welcome to our third episode of Cyber Work Live by InfoSec. As you may know, our weekly Cyber Work podcasts, I've personally talked with 150 different industry thought leaders about cybersecurity trends, the way those trends affect the work of InfoSec professionals, and offer tips for breaking in or moving up the ladder in the cybersecurity industry. And today, it's all happening live. I am Chris Sienko, Cyber Work Live host and InfoSec Director of Online Content. And as you can see, today's topic is diversity, equity and inclusion in cybersecurity hiring.

I'll introduce you to our guests in just a moment. But before we get started, a few notes for the live audience. You are all on listen-only mode. That means that you are muted, but you are still welcome to ask questions using the Q&A panel provided on the control panel. As questions come in, we will try to answer them on air.

And with that, I'd like to reintroduce you to our wonderful panel of guests today. I'll just mention here that today's panel was also the panel of our first Cyber Work Live panel, which was titled Your Beginning Cybersecurity Questions Answered. And the three of them just got on so famously in that first episode that they made plans mere minutes after the camera went off. They regrouped like the legion of superheroes and immediately decided to discuss today's topic. So let's meet them all. Mari Galloway is the CEO and a founding board member for the Women's Society of Cyberjutsu, one of the fastest growing 501(c)(3) nonprofit cybersecurity communities dedicated to bringing more women and girls to cyber. WSC provides its members with the resources and support required to enter and advance as a cybersecurity professional. With over a decade of information technology knowledge, most of which are in cybersecurity, Mari's experience spans network design, risk assessments, vulnerability assessments, incident response and policy developments across government and commercial industries.

She holds a variety of technical and management certifications including CISSP, GIAC, CCNA, etc., as well as a Bachelor Degree in Computer Information System from Columbus State University, and a Master of Science in Information Systems from Strayer University.

Victor, or Vic Malloy is your education ambassador currently serving from University of Texas at San Antonio Small Business Development Center and a retired military cybersecurity professional who has over 20 years of operational experience in government and private sector business application of cyber related solutions. Vic currently leads an organization that, among other things, develops and offers cybersecurity programs to enable small businesses to create system security plans and self-assessment resources.

Finally, Gene Yoo has over 25 years of experience in cybersecurity for some of the world's largest brand names such as Warner Brothers, Sony, Computer Science Corporation, Coca-Cola Enterprise, Capgemini, and Symantec. Founded in 2016, Resecurity, Inc. has been globally recognized as one of the world's most innovative cybersecurity companies with its sole mission of protecting enterprises globally from evolving cyber threats through intelligence and has developed a global reputation for providing best-of-breed data-driven intelligence solutions.

Mari, Vic and Gene, welcome back to Cyber Work Live.

[00:03:12] GY: Hey, folks.

[00:03:12] MG: Howdy?

[00:03:14] CS: How’s everybody doing?

[00:03:15] VM: Good afternoon, everybody. Hello. Good evening. Good night.

[00:03:18] GY: [inaudible 00:03:18], but I'm just saying.

[00:03:24] CS: All right, so we are going to get down to it. I see people are – The attendees are starting to come in. So I want to start with some of your own experiences and talk a little bit about the security landscape right now. Let's start with some stats. According to a report from Cybersecurity Ventures, only 25% of cybersecurity jobs are filled by women. And that's even double the amount from 2013. And the Bureau of Labor Statistics notes that the position of information security analysts is made up of 79% white workers, 5% Black, 6% Asian and 15% Hispanic Latino, and also only 11% of those are women. Similarly, it's predicted that the industry needs to grow by 145% to meet the demand for professionals. So I want to start today's event by hearing your stories and letting our listeners hear them too. Can you tell me about your respective experiences in the cybersecurity industry, which is an industry that, not to put too fine a point on it, is overwhelmingly white, male, able-bodied cisgendered and middle class to affluent in its makeup. Gene, you want to start maybe?

[00:04:25] GY: Oh, you can always start with me. It's going to be – Everyday, these data seems to be more depressing. There's a lot, I think even in my own personal experience, and from my past employers, from the HR you hear about diversity, or going to places where we could have the difference, a menu of different candidates, right? And if you think about that, the fact that there's a mindset of HR or management, they're requiring you to go to these places I think speaks volumes. It’s like why do you have a diversity problem in the first place, right? Why are there people of different color or race, whatever? The fact that the organization has to do it and they tell diversity and ethics, it's been depressing.

[00:05:33] CS: Yeah, Mari, do you want to jump in on that at all? Do you have any thoughts?

[00:05:38] MG: Apologies. I’m like in the middle of trying to get somebody from the airport to the house.

[00:05:42] CS: Okay. I can jump to Vic if you need to –

[00:05:45] MG: Yeah, go ahead and go to Vic.

[00:05:46] CS: Alright, Vic, you're on.

[00:05:49] VM: No problem. I'll be glad to jump in here. It seems like I've always been, I guess, the first. So I'll start with my military service. In my active duty service, I was the first African-American male and female, whatever, to be a squadron commander and dual-hatted as an IT Director for the National Security Agency here in San Antonio, Texas.

When I was in high school, I was the first and only person of color taking computer programming courses, basic at that time, using punch cards. Even throughout my college career profession, it’s always been I walk in the room and I'm the only one. And it's like why are there not more folks like myself? And, honestly, some of it is choice, but then some of it was based on, unfortunately, the ecosystem of America. And sometimes people have a hard time dealing with the no kidding reality of what has been going on here for hundreds of years. In that, in my lifetime, we’re coming up on 60 years from the Martin Luther King I Have a Dream Speech. I was one month old when that dream speech was given. And he was talking about that check that was marked insufficient funds, and where was equality for people of color at that time, and then even now? And then you fast forward to women in diversity. And I was talking to y'all about this before with Billie Jean King in the 70s. Why is it that a professional athlete has to go to such extremes in order to be compensated equally with their male counterparts?

And then here we are 2022 coming up, and women's soccer is still having to have this exact same discussion. Well, they don't have sponsorship. They don't have this. What? That should not be the case. And we have to do better. I mean, if women are 50% of the population, then it should be at least 50% or more in the workspace and in positions of leadership, and the same thing with people of color. But we just have to stop and reset the clock. And once again, pivot, pause. Let's take a fix on where we at, how we got here and let’s imagine a future that we want. And I love Albert Einstein says, “Imagination is a preview of life's coming attractions.” But at what point in time does that coming attraction become reality? Let's now operationalize and take charge and move out.

So that's why I'm so excited with efforts that Mari’s leading on with women in cybersecurity. That's making a difference. That's making a change. Blacks in cybersecurity, we're reaching out to minorities to make sure that they understand, “Hey, look, there're more than just sports.” There's nothing wrong with sports. But there's more ways to use your abilities and your talents that will contribute to the world that we live in. Don't be so one-dimensional or two-dimensional. Broaden your scope and your aperture. But it requires, once again, the digital immigrants, myself, to reach out to the digital natives, and that's those who were born after The Matrix came out. Let's make sure that they don't have to relive those same old lines from the past. And I’ll be quiet, Mari. Go ahead, Mari. I’m sorry. [inaudible 00:09:58].

[00:10:01] MG: No, you've got very valid points. Me being someone that's only been in the industry since 2009, my very first job, I was the only female on my team. And I was really hungry for that technical stuff, that hands-on, getting in there, the routers, and switches, and run the cables, and getting dirty and all that stuff. And it sucked, because I couldn't. My team would let me. And at that time I didn't know if it was because I was a woman, if it was because I was new, if it was because I was a minority. I had no clue because I wasn't thinking in those terms. And it wasn't until I went to my next job and I had the same experience.

My job is there're two women on the team, but one of the women was super tomboy. Like she'll pick up the toolbox and go fix cars with you. Me, I like to get my nails done and do other stuff. And so, that experience, the differences in experiences with leadership at that time was really – It was a completely different experience. My first boss, he had no clue how to – Because he was super technical, he had no clue how to manage people, how to encourage people, how to engage the team, how to get them motivated. The next boss was way better, right?

So those experiences kind of helped draw kind of where I go now. So now I'm looking to see, “Okay, you say you're about diversity as an organization. You say you're about equity. But what does that really look like in the makeup of your senior leadership? The folks at the board level,” right? If you're saying it, but not actually doing it, it's just lip service. And that does a disservice to people that are trying to come into this space. Because if they don't see themself in a position of running the organization versus just being the engineer at the organization, they're never going to strive for that. And so we have to – From the lowest levels to the highest levels, we have to start changing our mindset, shifting our perception of what a talented workforce looks like. We can't stay that status quo anymore. We have to continue to move forward.

[00:12:18] CS: Yeah. Now I want to stick with Mari here, because in our next slide, I saw a tweet from Cyber Work past guest, Alissa Knight, and said, “The message I received once from a man who told me a few months ago that cybersecurity is too fast-paced for women remains a shock to me. There are men who don't believe cybersecurity is an industry fit for women. I'll bring in as many women as I can to prove them wrong.”

How is this attitude so pervasive? I mean, and apart from disproving it, by welcoming lots of kickass women into this industry, how do we go about turning the tide on this type of sort of prejudice and stereotype thinking? I’ve just given you a huge [inaudible 00:12:59]. But it's mind-blowing to me that, yeah, especially the whole fast-paced thing, “Oh, it's too fast-paced.” That's insane.

[00:13:08] MG: So that part, I will never understand anybody that says something is too fast-paced for a woman. And I say that because women are multi-taskers women. And it’s not even like an intentional thing. Women just like to do a lot of stuff. Like we like to be able to show that we can do a lot of things. There're moms in the industry that have three and four kids that are senior VPs at organizations. I think they know how to deal with fast-paced and how to work under pressure. You know the saying.

But the only thing that we can do is continuously say this is not true. We continuously show it, right? It's hard to change somebody's mindset, especially somebody that's been set in their ways for 20 or 30 years, because a lot of those comments that are said come from – It's not necessarily from the newer generation of folks. It's not necessarily from the millennials, the newer folks that are getting into this space. It's from people that have been in the space since whenever, the 80s, the 70s, and 60s, and they still carry that mentality into what they do.

Aside from violence, really, it’s just we just have to keep pushing and saying, “Hey, no, this is not true.” Hey, look. Look at the results. Look at the records. Look at the track, the receipts of everybody. Women want to do this. We have almost 4000 members in our organization now. You mean to tell me that those women are wanting to do this? They're not wanting to be in the fast-paced life of cybersecurity? Every aspect of cyber is not fast paced either.

[00:14:49] CS: No. Oh, that's such a good point. Yeah. Yeah. Yeah, it's not that sort of like fast clickety clack hacking or whatever where it's like –

[00:14:56] MG: Exactly.

[00:14:58] CS: But also, when I hear a story like that, “Oh, it's too fast-paced for women or whatever.” Like, I'm just so curious. Do they even have a story in their past where they had like a woman on their team and she was just like, “This is too fast-paced for me.” Like, I doubt it. That just sounds too sort of like cut and dried of like, “I don't want to deal with it. So this is the story that I'm telling,” or something like that.

[00:15:23] VM: Yeah. The next time a guy makes a stupid comment like that, you got to say, “Look, you need to race Usain Bolt. And then let's go from there, with the fast pace.”

[00:15:36] MG: What does that even mean?

[00:15:38] GY: Yeah, right? Those are the exact people that is causing the problem with Asian exclusion, diversity, because [inaudible 00:15:49] unless we get rid of that layer, and I'll just call it that layer, is where all the problem is. Like with the whole like fast – It's kind of like a nonsense anyways, right? Because I think there's a problem with even those people making the industry with a different kind of view. Like, Mari, you just said it. Is cybersecurity in all aspects really like fast-paced? No. I mean, this is all 80-20. This is all nonsense. You and I, everybody knows [inaudible 00:16:29]. We sit on our butts for hours Googling [inaudible 00:16:33]. Let's look at what's coming on next. But that's the reality.

Now, is there a lot of work? Sure. But you know what? I rather be monitoring firewalls and making sure the server has enough disk storage. That's a lot of work. [inaudible 00:16:54]. So I think there's a problem with individuals or groups, high and low, where people misrepresent traumatic [inaudible 00:17:07] and being the gatekeeper. They need to just retire.

[00:17:14] CS: Yeah. Yeah. Yeah, yeah, absolutely. Now I'm going to want to come back to something Mari said earlier about not just having diverse people in the sort of engineering pool, but also in leadership. I want to come back to that later, because I have other things we want to talk about them in the meantime. So like some of the points that we want to talk about are what I would say are kind of like some of the reasons that people give, “Well, this is why. This is why diversity is so hard to do or whatever.”

So the first one that we hear all the time, and I hear this on the podcast all the time, is what I call HR gatekeeping. So, Ian McShane, Field CTO at security operations software provider Arctic Wolf said that, “Unconscious bias, poorly written job descriptions and preconceived notions of what is required for security jobs are not only deepening the skill shortage but causing a diversity shortage in the industry as well.” And that's from an article called A Diverse Cybersecurity Team Can Help Alleviate the Talent Shortage from TechRepublic.

So firstly, the issue that’s been well-documented is that men will apply to a job post in which they have maybe only 50% of the requirements listed figuring that at least give it a shot, whereas women often won’t even apply unless they can demonstrate over 85% of the required qualifications. And I think these types of unicorn positions might even be more restrictive to BIPOC and other candidates. So can you talk about the ways that overly restrictive job requirements can stifle diverse hiring? And can you offer any suggestions for changing up the way jobs are described or marketed that would encourage diverse hiring? So I know, Gene, you talked about some of the sort of hiring things that you do. Do you want to start with this maybe?

[00:18:55] GY: People with comments like this is why we have a problem. Because if you think about what it's saying, it's like, “Aren't you the one that's supposed to be writing this stuff?” And yet you talk about like, “What's the problem?” So let's ask Arctic Wolf. Like, “Okay, what is your diversity numbers look like?” Talk the talk. Walk the walk, right?

And I know we had lots of email exchanges about this. The HR – Everybody from HR, and IT, and security, they need to just stop with this job requirement stuff. That's the reality. All this certificates is great. All this experience is great. We get into this quantitative numbers of checkboxes. That is just completely useless, because you're not hiring somebody’s experience. You're hiring somebody’s desire and passion. This is our industry. I mean, this is my own perspective.

So to Mari's point, when you talk about the skills of a man versus woman, we're not trying to fulfill a genetic disposition of a job, because one genetic does it better than the other. It's really about are you inquisitive? Are you here to solve a problem? Technical [inaudible 00:20:23].

So, in the past, I basically stopped HR from doing anything. Here's my job description. And believe it or not, the only thing I changed in the job description is level of experience. So the jobs description look exactly the same. Analyst, administrator, or analysts, engineer, architect, those are my three basic levels for every job, network system or whatever. And the only thing I changed is zero to three, three to five, five plus. That's the only thing I changed. They say, “Well, it looks the same.” I was like, “Because you're going to pick and choose about their technology. How do you know?” So your job is to make sure, tell me where they fall in their experience level so I could box them in and then actually have a phone screening with them, because it makes my job easier. I don't need to make a decision for me based on paper. They're all useless. Did I just say that out loud?

[00:21:25] MG: That's a great point. There're been jobs that I wanted to apply for that. I don't. Because I'm like, “Oh, but I don't have that specific thing right there. That one thing.” It's like, “Yeah, but why not? What do you have to lose?” Job descriptions are poorly written. They're going to be poorly written for a very long time. People are trying to use technology, and AI, and machine learning to kind of help with that. But apply for the job, and then go out and find the recruiter and talk to the recruiter. Talk to folks at the company, right? Use your network to get your foot in the door, right? Because the application is not going to help you showcase, “Okay, I've got these skills. I can do these things. I have this interpersonal thing. I do these extracurricular activities.” It's not going to show that, right?

So if organizations start moving away from solely looking at an application and look at what are they doing on social networks? What are they doing in the community? What are they doing to continue to learn? Are they taking the initiative to do these things? Then they're like, “Okay. Well, maybe this person would be a great fit for the team.” A great culture add versus a culture fit to the team. You can actually use them in other ways. And they can start to see potential for leadership positions, and growth, and education, and training. And then they can start investing in those people.

People stay if you invest in them. So, organizations, it's not solely on the organization. But they have a big piece of it. It's also our responsibility to say, “You know what? Let me get over this and let me just apply, because all they're going to do is say no.” Because waiting for job descriptions to like change across the board, we’ll be old and gray by then.

[00:23:24] CS: Yeah, yeah. I think that's a good point, too, is we're just going to have to do the end run around the side of it and figure it out too. Okay.

[00:23:31] MG: Right. Keep that back door. That’s what we do. We’re in tech.

[00:23:37] VM: Yeah, I like the observation that Gene made yesterday when we're prepping for today's session. We always talk about the IT security shortfall. It's not a security shortfall. It's you don't even look within your organization to see the talent that you already have resident within your talent pool. And give them the opportunity to shadow. Give them the opportunity to be an intern, and mentor them in so that you are building your own talent pipeline process so that you're just not defaulting to, “Well, I have to go out and look for this unicorn out in society, or that has been working with another company and poach talent from them.” Don't do that. That is not a successful winning model. And that's why I say, let's make sure we're building a bridge to those digital natives. And we reach back into K through 12 and teach some teachers some tactics and some techniques, some principles that you are using in business so they can teach that to the students and then they can find some interest there and spark that and say, “Hey, I have this 13-year-old that likes to build remote access tools.” Dude, bring them to a camp. Get them a certification. Invest in them and encourage them. Mentor them. Bring them into your company for a summer internship. What can you spark in and inspire out of that.

So don't just get back to this, “Well, I've got to follow this broken process of trying to recruit and hire,” looking for the needle in a haystack. And then, Mari, to your point, we need more women and more minorities to stop with the imposter syndrome. You see something out there, and you've got a passion for it, and you've got an interest, and you're willing to commit yourself to it. Raise your hand. Put your hat in the ring and hopefully someone will acknowledge that and sponsor you.

[00:25:58] CS: Yeah. All right. So I got a question from the audience that I wanted to add in here about neurodivergent employees. This is from Lucia. What measures do you have in place to protect the privacy of those neurodivergent employees in your organizations who have not yet identified as such?

As the discussion about diversity, the scope widens. We’re starting to hear more about disabled people and neurodivergent people and differently abled people as also these underserved areas. And also in terms of problem solving, in terms of approaching problems of cybersecurity from different directions, can any of you speak at all to neurodivergent employees or experiences you've had?

[00:26:44] GY: So given that I have a son with autism, high-functioning and Asperger, and being around the whole community – Here's a reality check. No school system, workplace is ready for any of this. All this training, talks, webinars, teams, those town halls, in practice, I mean, just imagine what parents or family had to go through when there is a change in some kind of the pack. Organization as a whole is just not ready for it, the privacy, none of that. Honestly, from what I've seen, that water cooler talks, the bullying, the email, the kind of innuendos. Unfortunately, unless we have the old kind of regime and the mentality, we talk about it, but let's just be frank here. We're not ready for any of this stuff. [inaudible 00:27:52] years. And this whole privacy idea, come on? Whether it's a record. We're so naive in thinking that, “Hey, we're going to get there.” No. It’s going to take years and years.

[00:28:08] CS: Yeah. Sorry, Gene. Your answer kind of – You got broken up.

[00:28:12] VM: We lost you, Gene.

[00:28:13] CS: Some Wi-Fi wiggliness there. So I don't know if you could start over from the beginning. Welcome to Cyber Work Live. We're going to start [inaudible 00:28:23].

[00:28:25] VM: [inaudible 00:28:25]. Yeah, that's a very good observation that Gene made. And I have seen it work. And to Gene’s point. It is the exception. It’s not the rule. I don't think we should give up or quit on it. And now that we're in this hybrid works solution format, we should explore that more and look for ways to where those who are dealing with physical challenges, how do we empower them and enable them and give them that chance to get behind the keyboard and dive in on those challenges that a lot of us who are just “able bodied” are just too high-minded to deal with. But yet these people, with their talents, they can tune in on a solution, on a problem and they will go down, down, down, down, and they come up. Boom! Here you go. Here's your solution.

So give them a chance and then reward them. And then, also, look at it from a perspective of this. They are now helping you with those other audience members who are users who may be challenged and you're looking at it from your lens and your perspective. And that, well, I can see the screen and I can interact in the keyboard. Well, everyone can't see the screen. Everyone can't interact with the keyboard. Everyone can't do reverse malware engineering. But they have the mental capacity to go in and do that investigative research and thought process to solve that problem. And that's what we need to connect with. We're losing out on that intellectual capital. But we need to do better, to Gene’s point.

[00:30:27] MG: Yeah, I agree. So I don't have any experience in that space. But I feel like Covid gave a lot of folks opportunity. A lot of folks that can't physically go into an office, that can't be in the space for that long of a period of time for whatever reason. And so this time has definitely forced companies and organizations to reevaluate how they handle all types of employees. How they bring in all types of employees. So I see some positive progression from this in that space. But I don't have enough experience or exposure there to add any value to that.

[00:31:16] CS: Okay. So I want to jump on from there to what I'm calling a conscious and unconscious bias in resume filtering. So this is from another TechRepublic article about – And I apologize if I'm getting the name wrong, Sanjeev. I'm sorry. Cofounder and CEO of Naukri. He said, “I was actually applying to jobs, and I wouldn't hear back from employers. I have a long ethnic name with, which is Sanjeev. So my cofounder, Maaz, is like, “Why don't you just anglicize it?” And we went from a variation of Jacob, Jordan, Jason. And literally four to six weeks, I got a job.”

So this speaks not just to the unconscious bias of names, but also a pernicious form of winnowing resumes, which is to speak about whether this person would be a good “fit” within “company culture”. So can you speak to how the sort of idea of culture fit consciously or unconsciously excludes diverse candidates? And what ways you've seen or used to counteract this? You want to start, Vic? Or Mari. Sorry. Mari, go ahead. Go ahead. Yeah. I’m just rotating. But anyone who wants to jump in can jump in, yeah.

[00:32:25] MG: I was on a conversation a couple of weeks ago and they said – Maybe it was with you guys. I don't remember. But culture add. We say culture fit, then it's like, “Oh, you don't fit into this culture because it's a bro culture, or because it's this kind of culture.” But we should look at it as a culture add. How can this person add to the current culture? And the name thing? Yeah, that's happened for years. We always tell folks, “Okay, use an initial, or don't use your full name, because the systems that are looking at these resumes, they're not developed by people with ethnic names,” if that makes sense. Which means they're not going to be looking for those names to bypass and go and look at the actual resume versus just looking at the name and stopping. We got to change the system. People shouldn't have to change their name to Jacob, or Jason, or Johnny, or Beth, or whatever to get a job. Like, you're still the same person.

[00:33:32] VM: But the struggle is real. I mean, and even with women. I've seen it to where a woman has a gender neutral name. And then they show up. And then, yeah, Gene. Yeah, exactly. So you were a female? Oh, is that a problem? And, oh, by the way, if that is a problem, maybe you should mean be there.

And then to Gene’s point to where he's been in meetings and they are interviewing him and they're doing discussions on potential business opportunities, and his technical folks are in the room and they're talking and then they say, “Well, what do you think, Gene?” And thinking Gene is one of just the admin. “What does your boss think?” He’s, “Well, I am the boss.” And it’s like, “Oh, now you want to have a conversation with me? Oh, I’m a person.” I mean, the janitor and the CEO, you should treat everyone with dignity, dignity and respect. You don't know who you're talking to.

[00:34:46] GY: I think there's a bit of – I’ll just say this very bluntly. We are all racists in some way other form, no matter what. You may not realize that. I mean, that's still a topic, right? Conscious, unconscious.

But the problem, we get into this cycle. And I got to go back to this whole, we have this problem with people having this attitude who's been there and not adapting to change. Extending to what Vic's talking about. My first light into this – From the top down was actually a gentleman named Henry Schimberg, who was the CEO of Coca-Cola. And he actually started out as a driver. And he moved – Okay. Now, yes, I get it. He's obviously last name, it’s like the white powers, the Ivory Twin Towers like Coca Cola, it's exemplifies it. But the funny story is, is that he has a house up in some coastal county, as you expect a CEO. And he went to a market, and he saw a person that was not filling out the display correct.

Now, he was dressed like just like, a bum, I guess. Multibillion dollar company dress like – But he asked him like, “Hey, is this the right way?” And it's like, “Well, my manager said otherwise.” And the manager happened to be there and he’s like, “No. This is how we do it.” Not realizing the CEO of the entire company was there.

So he actually picked it upon himself and he made – There was a comment that was made that was related to some ethnicity, but he made it a point from that experience to announce to everybody, and this is 90s, to retrain all the managers, management. And they have this program called MBO, management by objective, and to reiterate the diversity, the proper training into managements, manage ability to do their job correctly or get out. Because the end of the day, it's the workers that's going to come in. And honestly, like, who cares about what background they have? The thing is, is – I know, Vic, you said the whole culture thing is like the culture is do your job. [inaudible 00:37:12]. And it’s like if we start building into that, it's just going to be like high school again. You're the varsity, you're the geek. It’s like [inaudible 00:37:23] again. I'll be [inaudible 00:37:24]. Obviously, I'm the vendor all the time. Behind this little fiefdom, and it's going to create the same problem. Like I think we should literally hire everybody as like 001. Of course, somebody's going to say, “Oh, my God, you're like completely an ignorant to [inaudible 00:37:41].”

[00:37:41] MG: The challenges of everything.

[00:37:44] CS: You may say I'm a dreamer. So I wanted to jump a couple slides ahead here. We're having a great conversation, but we're circling around to the 20 minutes left mark here. So I want to make sure we don't miss anything. But one of the things, and I'm sure you've all heard this at conferences before. And I know I've heard it, but it’s the old, “We didn't get any diverse applicants.”

So a common refrain from hiring managers is that they understand the importance of seeking out diverse candidates. But despite their best efforts, they just don't get any diverse candidates. So we've spoken about biases in job description write-ups and descriptions of company culture. But can we also speak about the places where hiring managers and HR are seeking candidates? Do you have any advice for hiring managers who want to look past blasting the usual job sites with your job listings? And we have a point here from [inaudible 00:38:36] from this TechRepublic piece saying that leaders should also partner with HR to look outside of their traditional hiring networks by casting a wider net and broadening their search to less traditional environments. Security leaders can conduct a more equitable and less biased job search. These include historically black colleges and universities, disability networks, better networks and women-led networks, such as Cyberjutsu perhaps. And in so doing, the potential for diversity in security is quite high. Can you talk about some other places or confirm/deny things like this in the ways that hiring managers don't think to look for new talent?

[00:39:12] GY: Can I add something about this? So does that mean HR is going to hire minorities or diverse people so that they could go out into it? Or is HR actually saying that they're going to do it? [inaudible 00:39:26] example of a problem. HR talking big about, “Oh, we need hiring networks expand on it.” Sure. You want to go to, let's just say, confidence house, our school over here in Southwest. You know what? I know I'm pontificating here. I’ll get off the soapbox. Yes, there's many –

[00:39:48] CS: Soapbox is there for a reason, Gene. Go to it.

[00:39:51] GY: There're many outlets. I think we all know the route. Like how many HR, diversified HR group do you actually see at those areas? Or do they hire contractors to go out there?

[00:40:04] CS: Right. Yeah.

[00:40:07] VM: Put your skin in the game, yeah.

[00:40:10] CS: And also, what is the actual sort of search function, say, other than “Well, oh, yeah. These things are out here too.” But did you actually do anything with them?

[00:40:19] GY: [inaudible 00:40:19] for a while. I'm not going to be going and applying for jobs for a while. I think – Go ahead, Vic.

[00:40:28] VM: Yeah, put some skin in the game. Put some gender in the game. Walk the walk. Talk the talk. Like I was saying, in our lead up to this, what's disheartening to me is that, in the military, we have a history of being a leader in integrating and being diversified. But with that, we still have our challenges inside. So mindsets is always going to be one of those things. How do you change someone's mindset? And I have biases, and I'm working on that, and I'm conscious of that. So I'm making an effort to work within myself because that's what I control. What we need is more professionals to acknowledge that you have a bias and you need to work on that. Don't justify your bias. Identify it and adjust. Correct it. Fix it.

[00:41:30] CS: Yeah, I think – Vic just mic dropped this with a freeze frame there.

[00:41:40] VM: And make sure that [inaudible 00:41:43].

[00:41:47] GY: I think he’s saying, “Why is there no army recruitment center in Beverly Hills?”

I think we all need to stop lying and then be like blunt truth as like this is a problem that's been around. We need to work on it. Anyway. Sorry.

[00:42:06] CS: Right. No. Yeah. And yeah, and I think there's also – Maybe this is just me saying this, or whatever. But there's also like the easy way and the right way to do this, where it's like I think a hiring manager knows if they just blast Indeed and ZipRecruiter and whatever else. Like they're going to get enough candidates to fill the position, but they're also going to get the same sort of same candidates and the same monoculture and the same – All of that. But it is going to be harder especially at the outset if you're like, “I just know that 1, 2, 3 steps will get me a pool of candidates.” If you're going to start looking for like different people, like it's going to put more work on your plate. And it should. Like I say, it's the difference between easy and right. Yeah, sorry, Vic. We lost some of your last point there. Okay. Oh, now your mic. You have no mic now. You’re muted.

[00:43:08] VM: Apologize about that. I guess my mind is like saying, “Enough, Vic.”

[00:43:15] CS: Yeah. Yeah, sometimes technology just steps in. So there was a comment on a Reddit post that I kind of like by a user named [inaudible 00:43:25]. And it said, “It's easy to say that you'll hire a black gender fluid bisexual in a wheelchair when they have a PhD [inaudible 00:43:32] and 20 years’ experience at the NSA. But there aren't going to be many of them if there's nowhere for them to get started.” And so I think there's also – That moves on to sort of like my next point here that I want to jump into, which is a tweet from a past podcast guest, Alyssa Miller. She said, “Hey, security leaders in large orgs, you can't complain about how InfoSec needs to fix the skills gap and then brag about all the highly skilled and expensive folks you hire while having no program for finding or grooming new talent. You're part of the problem. Should I do better? Be better?”

So a lot of guests on the program, and obviously, you all are saying the same thing. I don't care what your background is. As long as you can demonstrate passion and inventive thinking, we can train you. And I don't doubt that works for a lot of people. But that's clearly not the case everywhere as there's plenty of evidence for companies hiring people who have these power pack resumes or top notch qualifications or a mile of high profile contacts and references that they can draw on to the detriment of other candidates many of whom might have been shut out of the kind of prestige projects that would have put these types of qualifications on their resume. So do we have any thoughts on moving the culture away from scouting rock stars and towards hiring intriguing, inquisitive people of diverse backgrounds from outside of the sort of standard industry places?

[00:44:51] MG: So, just because you have a rock star resume doesn't mean you're a rock star. Look, my resume looks great, right? I've had it revamped and all of that. But if I can't do what my resume says and I can't provide value to my organization, it's just a piece of paper. It’s absolutely nothing. I've worked with folks that have some of the highest certifications, PhDs, all that stuff, and they were, excuse my language, shit bags. They barely did anything. You know what I'm saying? And all of the work was being put on everybody else.

And so for hiring, for recruiters, and I'm not a recruiter, but we have to not be lazy and just throw the net here. And you can't just say, “Hey, there's a free this,” and expect everybody to see it. Because the folks that you really, really want to see it may not be in those spaces that you're putting that advertising. So instead of going to the job fairs at Stanford's and Harvard's and Yale's, go to the career fairs at the Community College. Go to the rural areas where conferences and organizations aren't actually there, but there's people that are willing to learn and are learning technology and trying to get in this space. Think outside of the box. It's not that difficult. Go into the high schools and talk to the different high schools and talk to the students. Like if they don't know there's an opportunity for them, they're not going to go out and seek it. So you have to – We have to, organizations and people in the industry have to go out and say, “Hey, opportunity, come over, come over. Let's help you get to this point.” And that'll start to change the talent pool. But we have to just be willing to reach out there.

[00:46:39] CS: Yeah, and over a long period of time too.

[00:46:41] MG: Right.

[00:46:42] : Mm-hmm. Not just one month of the year when we want to [inaudible 00:46:47].

[00:46:49] GY: Look, I'm just going to say this [inaudible 00:46:51], okay? All this nonsense about reskills, gap skills shortage, I think it's all nonsense. We have enough resources everywhere. We just have a pointy haired boss and HR people who's not opening that door, right? So all these articles, marketing, shortage gap, skills gap. BS. It's not real. You know how many times I went to universities and, like, to Mari’s point, going to Community Colleges, they are so eager to have an opportunity. And sure, I've done Yale, and I had the best HR team from [inaudible 00:47:38]. I'll just give them the kudos. But behind this, everybody is – They're so hungry to work and to have an opportunity. I think we even talked about it before where we want to build this rock star team. It’s completely useless. We're going to have a person with 10 different jobs because they know it all? And I'm at fault for doing the same thing. I had a team of four core teams and all bunch of minions, but the four core team basically did everything. They loved what they do. But it's like I'm over – They're over-utilized. And so I made a change in the latter part of my career where I'd rather have a bunch of minions that's more hungry who's going to step up. And my main four core people, their only job was to keep pushing them to think on their own and not ask for help, which is sufficient, right? Because we are in a jungle, we are in a battle.

But the problem is, is all of this mindset of having the somebody who has all these certificate, degree, lazy people, that's what it basically means to me. It means [inaudible 00:49:00]. I’d rather have somebody – And this is the mentality that we have to change, is like you don't need – If I had a budget of, let's say, $200,000, I'm going to hire four people or three people. I'm not going to hire one person. I mean, we talk about we don't have enough staff. And what? Because you pay too much for something that you're not supposed to pay for. You're buying one versus building a team. So what are you trying –

[00:49:24] CS: Yeah, it's not a good return on investment either.

[00:49:26] MG: Or adjust your budget so you can pay people more.

[00:49:30] CS: There you go.

[00:49:31] MG: Adjust. If that's $100,000 budget, make that a million dollars.

[00:49:36] CS: Yeah. So we're getting close to the end of the hour here. I want to sort of extend out from there. And Mari, I teased this. You talked about at the very beginning. I want to come back around to this. If we start hiring diversity in lower level or entry positions, can we also talk about the strategies for promoting diversity? It’s one thing to build the bench in the soccer, in a blue team or whatever, but what needs to be done to crack the C-suite ceiling? I realize that's a real [inaudible 00:50:03] pickle here. But let's see if we can get it solved in 10 minutes?

[00:50:08] MG: That's a great question. I'm trying to figure it out myself. So I'm a customer success architect for the company that I work for. But I want to go into those C-suite roles. I don't know how, right? I don't even think the organizations really know how you transition someone from engineering background, to an architecture background, to a leadership background. So there's plans. Alright, from tier one to tier two, you have to do these things. From tier two to tier three, you do these things. Okay, well, what does it look like moving to the next level? Nobody knows because nobody goes the same route.

Sometimes people are just put in place because they've been there the longest and they're like, “Oh, okay, you're the leader now.” Other times it's like, “Oh, I know this person. I'm going to put them in a leadership role.” So building programs, I think, in the organization for those high-performing individuals, for those folks that have the desire to move into leadership roles and board positions and things like that, you got to have some sort of program that helps them navigate what that looks like to navigate what type of base skills they need, what their roadmap is going to look like. Having those kinds of exercises and activities will help you as an organization say, “Okay, let's build a program that does this.” Or send them to school to do this. And you're investing – Again, you have to invest in your people.

[00:51:36] CS: Yeah. Any thoughts, Gene, Vic?

[00:51:44] VM: All right, Vic.

[00:51:48] VM: Yeah, I was going to say entrepreneurism. So for those aspiring C-suite adventurers out there, if that is your desire, start your own business. Get your own signal. And demonstrate that you know how to take a concept, take a product, take a service, market it, develop it, scale it and build it. And then you get the attention of C-suite, the audience. You get their attention, and they go, “Maybe we didn't look at this person or look at capability in the way that we should have.” So where there's not a bridge or there's not a pathway through an internal progression, look outside. You work from nine to five. And from five until nine, you make your life. So invest in what you do from five and to nine to make your life. In other words, your purpose, and your aspiration. Invest in yourself. And then 5, 10 years, now you have this gift that you have, this deliverable solution that says, “Hey, you didn't think of me as a C-suite asset or resource. But look what I've done.” And others will have seen it. And then start merger and acquisition. And it's like, “Well, why didn't we look within to develop that talent?” That's just my out of the box. If there's not a bridge, then maybe there's a window and a door. You need to look elsewhere to expand your opportunities and capabilities.

[00:53:55] CS: All right, I'm going to wrap us up here. We got about five minutes till noon. And I know Gene has a hard out here. So I want to kind of give everyone final thoughts here, action items, visions for the future. Can we talk about like our visions for the future of cybersecurity? Can we look into our future-predicting crystal balls and talk about how a diverse, equitable and inclusive cybersecurity industry looks? Let your mind wander in any direction. How did we get here? How have these changes altered the direction of the industry? So let's end this episode by describing the future as we're looking forward to hopefully seeing it. Do you want to start, Gene, or Mari?

[00:54:37] MG: Go ahead, Gene.

[00:54:41] GY: No. I think there is enough people like Mari and Vic who is really changing the way people need to think. I think there is going to be a time when all the completely useless tool people that's been managing and the IT regime is going to go away. And with the convergence of this new environment in digital transformation, likelihood that many of the CIO, CTO is going to really look at the ways to need to diversify. And let me rephrase that. It's not a matter of diversification. It's about building a team workable, no matter what color, skills, experience. Building a team, because it's going to be a global economy. It's going to be a global workforce. It's going to be remote and virtual workforce. And we need to maximize skills and not focus on anything else. And I think all of this seminar, hopefully, is resonating with HRs. And really, some of the managers to really step up or step down and realize that world does not revolve around them. And if not, we're going to crush them out anyways. But all kidding aside, I do see a lot of changes, positive impacts happening. It's a small step, but it's better than nothing.

[00:56:03] MG: I think my vision, what I want to see is I want to see more people that look like me in leadership roles, right? And there's a lot, but I know that I have to play my part and figure out how to get to that. Based on what Vic said, though, I’m probably already there since I'm running a nonprofit. But I want there to be more representation for the folks that are coming up behind all of us. Because at some point, I'm out of here. Like I'm going to be on that beach in Puerto Rico or wherever I'm going with my pina colada. And I need to trust that the folks coming up behind are going to keep us safe. So that's the vision that I have.

[00:56:54] CS: I love it.

[00:56:55] VM: The vision I have is I'm a mentor to the CompTIA student chapter at UTSA. And I think if more of us who are digital immigrants invest back into the next generation, we can then project that future that they will have the ability and the power to change X. And X can be gender, X can be race. It can be sexual orientation. It could be physical abilities. So to the degree that we can, my call to action to all who are watching this is if you're a digital immigrant like myself, find a higher ed, a K through 12 organization that has competitions, clubs, students that are driven and have a passion to pursue information technology, information security, and invest in them. And make sure that we don't pass on the mistakes that we haven’t experienced in our lives to them so that they can realize a better, more perfect cybersecurity ecosystem.

[00:58:16] CS: And I want to wrap up with that. Thank you, all of you, for your great answers here. And with that, I'll just say thank you to everyone at home or work for listening and watching to the third episode of Cyber Work Live. If you enjoyed this and you enjoyed our guests, I'll point out that new episodes of the Cyber Work podcast are available every Monday at 1pm Central both on video on our YouTube page and on audio wherever fine podcasts are downloaded. You can check out past guests including episodes, each with Gene, Mari and Victor. And you can also check out their first Cyber Work Live, in which they answered beginner cybersecurity questions at infosecinstitute.com/podcast. Also, to read InfoSec's latest free eBook, Developing Cybersecurity Talent and Teams, which collects practical team development ideas compiled from industry leaders, including professionals from Raytheon, KPMG Cyber, Booz Allen, NICE, JP Morgan Chase and more, just go to infosecinstitute.com/ebook and start learning today.

We are planning to host Cyber Work Live once per quarter. The next episode topic and guests are still being finalized, but it will probably be in December. To get the latest updates of future Cyber Work Live episodes, go to infosecinstitute.com/events. And lastly huge, huge thanks again to our wonderful panelists, Mari Galloway, Vic Malloy, and Gene Yoo for joining us today, and to Gene for suggesting this topic. And thank you to all our guests for attending and asking questions behind the scenes. At the end of this presentation, a very quick survey will appear. If you would just take a moment to share your thoughts, it's appreciated and helps us produce more great content for the future.

Thanks and have a great day. Take care, everybody.

[00:59:51] MG: Bye.

[00:59:51] VM: Bye, everybody.

