Annie Oakley’s of Hacking

Harnessing the Power of Diversity

By Bronwen Aker | 11 January 2020


Last October I wrote a post for my personal blog about diversity and what I think it means in relation to information security. Looking back on that article now, I see that I didn’t fully unpack why diverse teams are stronger and more effective than teams with high levels of conformity. I’d like to correct that oversight.

For many people, diversity is all about gender. Others focus on sexual orientation. Still others talk about culture or nationality or religion, but none of those aspects of the human experience captures the core of what makes people diverse. To better understand the heart of the matter, let’s start by taking a closer look at the words “diverse” and “diversity” themselves.

Merriam-Webster defines “diverse” as 1) differing from one another, or 2) composed of distinct or unlike elements or qualities.* “Diversity” is defined as 1) the condition of having or being composed of differing elements; variety; especially the inclusion of different types of people (such as people of different races or cultures) in a group or organization, or 2) an instance of being composed of differing elements or qualities; an instance of being diverse.**

With these definitions in mind, it becomes clear that the key to diversity isn’t any specific feature of a given population. Rather, it is when a group or population has members who differ, one from another. What we care about for this discussion is how diversity impacts perception, and how differing perceptions within a security team are a benefit to be embraced and utilized.

On the one hand, it’s pretty obvious. People who are different perceive the world around them differently. It can be something as simple as a difference in height, or as dramatic as having been raised on different continents, but even subtle differences can cause dramatically dissimilar perspectives. For example, I am short (5’ 2”), so when I put items on top of my refrigerator they are pretty much “out of sight, out of mind.” When friends of mine who are tall (as in over 6’ 3” in height) come over, those same items are at eye level to them. So is the collected dust and grime on top of my fridge. The fridge and the items on top of it do not change, but my ability to see those items is unlike that of my tall friends.

We can expand this idea, acknowledging that women perceive the world differently than men do. Ditto for people who are LGBTQ. Similarly, Asians will have a different perspective than Westerners. Ditto for people who are black compared to white compared to red compared to green compared to purple. These dissimilar perspectives are incredibly valuable for a security team because they allow members of that team to see problems from multiple angles.

For example, before I dove headfirst into the world of cybersecurity, I worked for years as a developer, writing and editing code in various languages for websites, mobile apps, and software for different platforms. Because of that background and those years of experience, when I read a vulnerability assessment that includes a list of servers that need to be patched, updated, isolated, or hardened, I empathize with the poor schmoe who will receive that report and who will have to go through all those servers, one by one, correcting those issues.

To a penetration tester, it is easy to say, “You need to update your systems to use the latest version of [fill in the blank].” To a developer, updating those systems may involve going through tens of thousands of lines of legacy code, running uncounted tests and quality checks to make sure nothing breaks when those updates are applied. The reason those systems were never updated in the first place is that updates are expensive, both in terms of licensing fees and in terms of labor hours required to accommodate changes in the systems to be updated. Because I understand these issues viscerally, I strive to make sure the reports I review and edit contain clear and useful information for the developers who will have to implement the changes required to make their systems more secure.

Other people I work with have experience with large, corporate networks. They understand the issues around configuring routers and firewalls, setting up a DMZ, and so on. Still others understand systems administration or any one of a dozen other aspects of information technology to a far greater depth than I do. Each one of these focus areas within information technology has its own issues, challenges, and associated security problems. Because I understand and value the fact that other members of my team will see things I won’t, and they understand and value the same thing about me, when we work together our collective efforts are far greater and more comprehensive than what any one of us could have achieved on our own.

THAT is the power of diversity. By harnessing the different perspectives available in a genuinely diverse team, organizations can anticipate a greater number of potential hazards and formulate solutions for dealing with them. Likewise, when an incident occurs, a diverse team is better equipped to respond to that incident, rolling with changes in the situation as the incident evolves.

Diversity isn’t just a buzzword with a lot of hype around it. It is yet another tool we can and should use to improve our security processes and practices. Given how rapidly threat actors evolve their attacks and campaigns, we need every advantage we can get.

* Diverse. In The Dictionary. Retrieved January 11, 2020

** Diversity. In The Dictionary. Retrieved January 11, 2020