The Cybersecurity Problem No One Wants to Talk About
And now a bit of encouraging news from the job market: The cybersecurity sector is booming, and they need talent, stat.
The good news comes with a bit of a twist, however. This particular corner of the tech world is even less diverse than the general tech sector, with women making up only 10% of the cybersecurity workforce, and Hispanics, African Americans, and Asian Americans making up only 12% combined. But Shamla Naidoo, IBM’s Chief Information Security Officer, is determined to change that.
It’s an industry that lends itself to diversity. “We know that this field is evolving so quickly, that each individual cannot know what it’s going to take to fight the next threat,” says Naidoo.
And she’s on the hot seat: Her job is to protect all of IBM’s digital assets from any threat, internal or external, and to support a rapidly changing array of functions that extend far beyond traditional engineering, into every business unit and strategy decision. Think about the internet of things, an exciting future in which everything – from shoes and shirts to medical devices and weapons – can be cyberized. “The cybersecurity industry is looking at as many as 1.5 million open and unfilled positions by 2020,” she says. “We want a fully integrated workforce that is inclusive of people with a diversity of thought and backgrounds. It’s a mutual benefit.”
IBM recently co-hosted a conference with the International Consortium of Minority Cybersecurity Professionals (ICMCP) where Naidoo and colleagues from places like the NSA and payroll firm ADP discussed how to find and support qualified, diverse candidates. “There is a concerted effort to cast a wide net,” she says. “It’s not uncommon to have open positions for a year before we can fill them. If I find a candidate that brings me the right aptitude, right attitude and right kind of thinking, I am overly excited to hire them without any kind of bias.”
Naidoo herself looks for talent within IBM’s many intern programs. For bigger assignments, she seeks out subject matter experts who bring deep knowledge of their fields. “I can teach you what you need to know about security,” she says. But she needs candidates who can demonstrate that they can learn new skills.
To that end, part of her job is to help people learn to think in non-traditional ways, which diverse teams tend to do for each member when they work well together. Naidoo amplifies this effect with a development technique that other firms could adopt to help diverse teams succeed. “We create small, agile teams of ten or fewer people that are pretty self-directed. They stay together over time, but the work changes constantly.” The teams are carefully curated so that all the skills they need are built into the group, but not within any one person. With each new project, some people will find they’re the experts, and others will become the novices.
“Over time as they evolve, everyone learns skills they didn’t have before,” she says. And that’s where personality is revealed. In addition to curiosity and creativity, she’s specifically looking for people who are self-reflective. “You have to be able to look in the rear view mirror at the product you created and be willing to identify and fix what didn’t work,” she says.
It’s a technique that systematizes learning and collaboration, but also fortitude. “We are looking for people who can solve the problems that don’t exist yet,” she says. “And you can’t be fearful.” In cybersecurity, the bad guys only have to be right once to claim success. “But the good guys have to be right every single time.”