As cyber threats increase, security becomes more important for all industries and organizations. As a result, the demand for application security talent is also growing: security professionals, people who create and manage technologies that protect other people and organizations.
Tools help and support AppSec processes, however, it is the people who ultimately make the critical security decisions. Diverse and plural teams that work to find vulnerabilities or manage incidents, and that also seek to correct these flaws in the code.
As in other corporate contexts, work environments in security teams also suffer from a lack of diversity and inclusion. It is important to take into account that if an entire team thinks the same way or lives in similar conditions, the organization loses the opportunity to obtain the diversity of perspectives to solve problems.
Companies with a healthy gender balance are 21% more likely to outperform their competitors. If there is a good mix of races and ethnicities, that number increases to 33%. And teams with a diversity of gender, age and ethnicity make better decisions 87% of the time. In this regard, it is increasingly important to emphasize that security teams need to be as diverse as the problems they are trying to solve, as it is through diversity that we achieve optimal security.
Connected to this and other following data, we highlight the importance of diversity in security teams and how its absence can impact the resilience of application security systems.
Current context in security teams
According to the 2021 National Cyber Security Center report, more than 85% of cybersecurity professionals are white, compared to less than 15% from black, Asian, or mixed ethical groups. Two-thirds of respondents identified as male, compared to 31% who identified as female.
It is important to note that 15% of the security teams at the participating organizations did not have women. Few women hold security leadership roles and nearly two-thirds of women are paid less than men.
Other minority groups are similarly underrepresented in cybersecurity. More than 84% of respondents identify as straight, compared to 10% who identify as part of the LGBTQ+ community.
Diversity opens up a world of possibilities
If everyone on your team thinks the same way and does the same, you will still assume that the user will interact with the system in a certain set of ways, which is a limited way of thinking. Indeed, the lack of different perspectives and creativity to deal with user behavior on the system can lead to the loss of threat vectors.
In this case, we can exemplify with a person who does Pentest (Penetration Testing) and who needs to think about the mindset of an attacker to find an application vulnerability. It is noticed that the absence of diversity creates more limited processes, in addition to making it more difficult to identify and deal with threats and process innovation.
According to Bodin’s (2021) thesis, a homogeneous team makes it difficult to build a safety culture for everyone involved in the software development process, with diversity being an essential factor to contribute to this process.
Empower your security team through diversity
In this way, ethnicity, sexual orientation, gender and socioeconomic background play crucial roles in creating a more diverse, innovative, collaborative and effective work environment. This rule applies to all technology sectors.
Knowing this, how can we make a difference?
Efforts in this direction should not be limited to recruitment alone, although it is important. We need to consider how we can encourage minority tech groups to consider working on security too!
This requires thinking about different ways for these people to enter and approach this area, as well as building inclusive training and capacity building. In addition, it is necessary to show acceptance of everyone who wants to enter the security sector, hiring for skill and passion, and not just for specific certifications. This is the responsibility not only of companies, but also of professionals in the field.
Gender and Sexual Diversity Education and Awareness
Furthermore, it is imperative to identify unconscious biases, a problem that is often embedded in our culture. The key is to recognize it and develop new ways of thinking.
In many organizations or selection processes, it is easy to ignore people from different backgrounds or representatives of minority groups. Often recruiters are biased and don’t recognize it. Cultural assumptions influence our decision making in ways we often don’t recognize.
Therefore, educating and making security managers and recruiters aware of diversity issues can be of great importance, generating results not only in hiring, but also in retaining these people.
One way to deal with this is to meet organizations looking to attract underrepresented groups in the security industry. We also have the example of Microsoft, which sponsors the Blackhoodie Workshop, an annual Bluehat safety event aimed at women. Conviso also has a number of affirmative action vacancies for different minority groups.
Increasing diversity in the application security industry by investing in hiring LGBTQ+ people and other minority groups can help improve security for everyone. The quest for diversity will foster new defensive thinking, as well as attacking concepts and techniques not previously considered.
Diversity brings wealth and innovation to every organization
It has been evident thus far that improving the diversity of security teams should be a key objective for organizations across the industry as it helps protect individuals and businesses from a wide variety of cyber threats.
It is worth remembering that diversity favors and enhances the connection of teams from different sectors. LGBTQ+ people from different cultural, socioeconomic and/or linguistic backgrounds have an enriching influence in a diverse work environment by presenting different approaches and perspectives to a given issue.
In addition, these people can also help to better understand how malicious hacking works through other experiences and perspectives. Therefore, we need to avoid the risk of homogeneous groupthink. Heterogeneous teams help find new answers to questions and bring in even more questions.
Through diversity, we can build a security team passionate about what they speak, point out issues and bring a wide range of experience and understanding to dealing with them.
Gabriel Galdino – Developer Advocate
Estela Faust – Communication Analyst