Diversity and inclusion bring myriad benefits to organizations, from unique perspectives in crisis management to fostering future talent to building a more resilient culture. Diversity, equity, and inclusion (DE&I) are more than a business imperative, however, they are a matter of survival, says James Pogue, PhD, an educator and speaker on diversity and CEO of JP Enterprises.

“When you talk about inclusion and how it brings value, it’s about relevancy,” he says. “Do you want to exist? Do you want your business to thrive? Do you recognize that by precluding the inclusion of inclusive business practices that you are relegating yourself to a second-tier, third-tier, or fourth-tier set of opportunities?”

The talent pool of people who are “just like me” is limited, Pogue adds, and recruiting within that homogeneous group not only limits an organization’s prospects—it limits the organization’s ability to manage a diverse and rapidly changing landscape.

“There’s a synergy that comes from somebody who has brilliance, expertise, and experience, but they’re coming at it through a different lens, through a different set of opportunities or challenges where they’ve learned how to win in a different environment,” he explains. “They can bring their expertise and mistakes that they made and successes they’ve had to an organization that has yet to experience those challenges.”

Especially for organizations attempting to grow outside their historical geographic footprint or market, Pogue says bringing in diverse, local, and international talent helps the business realize unique opportunities, pitfalls, and options. However, recruiting diversity is not enough—business professionals need to foster talent long-term both for retention and inclusion in key decision-making processes.

In a risk-based activity like cybersecurity, it’s important to have diversity of thought, which enables the security team to see problems from multiple angles, says Tony Spinelli, CIO of Urban One and former CISO for Capital One.

“There’s probably nothing that’s more important to have diversity of thought in as cyber because you have to see things from multiple angles,” he says. “Bad guys are always thinking in terms of how they penetrate that one weakness; even if you have a thousand activities per day, cybersecurity teams have to be right every time. The bad actors only need to be right once, just once. If you have everyone on your team from the same background, the same history, the same viewpoints, the same perspectives—the gap just widens on what your exposure is. But if you have tremendous diversity of thought, perspective, backgrounds, and history, that gap starts to close.”

A key phrase to emphasize, Spinelli says, is “raise more risks.” By empowering a diverse team to come forward, voice their opinions, and challenge traditional methods of thinking and working, a security leader can deepen organizational awareness into risks and reduce blind spots.

Many organizations confronted diversity and inclusion challenges over the past year, driven forward by employee activism and calls for racial equity following the killing of George Floyd in the United States and subsequent widespread protests. Employee activism and corporate pledges brought racial and gender equity discussions to the fore in many workplaces.

“We need to recognize first that we’re still toddlers in this space,” Pogue says. “For decades and decades, we have been uneducated as it relates to gender and race, religion and politics, all these big chunks of diversity.”

---

We need to find the geniuses in our backyards. If we’re not reaching out to them, no one will.

---

Many people were raised on ignorance, he adds, noting that up until recently people in the United States would be unlikely to know about key historical events like the Tulsa Race Massacre of 1921. Many textbooks left out most women or people of color who made significant differences in their communities, countries, or industries.

To maintain the momentum established in mid-2020 and to meet employees’ ongoing expectations around DE&I, Pogue says organizations need to take responsibility for the primary education of their teams around race and diversity, building structure and providing guidance around how to discuss race, breaking down us vs. them cliques, and promoting empathy.

That also requires humility from leaders—including those who previously considered themselves forward-facing ambassadors for DE&I—to recognize their own biases and weaknesses, he adds, and dedicate significant resources to reshaping company culture and the demographics of the workplace.

Recruitment

Some specialized professions—including cybersecurity—have invested recently in marketing and communications campaigns aimed at raising the profile of diverse professionals to attract new talent. The concept is “You can’t be what you can’t see,” and by making those professions more visible, they become more accessible for diverse job candidates. Pogue says, however, this can put pressure on people who already manage a disproportionate amount of emotional work around diversity to go and recruit more people who look like them.

“It ought not be the job of the woman to go recruit a bunch of other women,” he says. “It ought not be the job of the Hispanic guy to go create another avenue or pipeline for Hispanic guys. It ought not be the job of the Black person to go recruit at the historically Black colleges. No, what needs to happen is all of us—the people that are in charge of this hiring—need to get better at recruiting talent across the board.”

64

The percentage of cybersecurity professionals who report a staffing shortage, according to an (ISC)² study.

---

Leaders—whether the CEO, the CSO, or mid-level security professionals—can step forward into typically diverse spaces to recruit, dropping off business cards at the career center of a historically Black college or university (HBCU) or guest-lecturing at an after-school cybersecurity program for underprivileged students. For instance, SANS Institute partnered with the HBCU Committee to develop a “pipeline of Black excellence into the cybersecurity field,” providing scholarships, paid internships, mentorship and coaching, and access to cyber ranges and capture-the-flag events.

And the pipeline is necessary on many levels. Organizations are already operating on minimal cybersecurity staffing—according to (ISC)²’s 2020 Cybersecurity Workforce Study, 64 percent of cybersecurity professionals report either a significant or slight shortage of dedicated cybersecurity staff, which puts organizations at risk for missed cyber threats or attacks.

Looking outside traditional talent pipelines can uncover new sources of innovation, as well as diversity, according to Spinelli. Traditional cloud security, engineering, and cybersecurity talent from university powerhouses like MIT or Stanford is in high demand, but it also reinforces existing ways of thinking about cybersecurity, he says. So instead of joining the race to hire these specific graduates, Spinelli looked at how to attract and foster talent from the organization’s own backyard, recruiting people with specific language proficiency (Farsi, Russian, and Mandarin, for example), aptitude for cybersecurity, and other key business needs.

Spinelli built a talent pipeline, bringing 24 interns into Capital One for cybersecurity training and experience within the security operations center and other functions across the organization. The program was so successful that other departments wanted to pilfer the cybersecurity recruits.

Other department heads said they had “never seen such passionate, engaged, focused, excited people, and we need that on our team,” Spinelli adds. The recruits’ enthusiasm lifted not only their career paths but also the morale and outcomes of the entire organization, he says.

“If we don’t start growing the number of people we’re fostering, our industry will go extinct,” says Rob Duhart, Jr., global head of federated security at Google. “And often, these future geniuses will not look like what you expect…. As leaders, we need to find the geniuses in our backyards. If we’re not reaching out to them, no one will.”

A key element to programs like these is not just identifying and hiring diverse talent, however, but fostering it throughout career paths.

Mentorship

“There are systemic roadblocks to racial and gender equity in the information security industry,” Duhart says. It’s not always in bad faith, though, he adds—opportunity and exposure are often limited to our existing networks, and many diverse professionals do not have access to the same networks as those who come from typical technology industry backgrounds, such as those with degrees from high-tech universities, or demographics.

Fostering an environment that supports underrepresented employees and enables their success takes work—leaders must intentionally attack systemic issues and create opportunities to build a long-term path for diverse employees.

For example, Duhart says that as a Black man in cybersecurity, he finds there is a huge gap in mentoring opportunities between the entry-level and the CISO position, leaving mid-level Black security professionals in the lurch about how to climb to the next rung on their career ladders.

---

There are systemic roadblocks to racial and gender equity in the information security industry.

---

“I find myself spending a lot of time being that bridge,” Duhart says. He and his peers meet with mentees one-on-one to discuss what it means to break into security management and map out a career over three, five, and seven-year periods.

As a leader, it’s easy to focus on immediate tasks and spend 60 to 70 hours a week dedicated to the day job and internal team, he adds, but to advance DE&I, “we have to show up.” That means making the time to connect with people who are where you once were as an up-and-coming security leader.

When Spinelli was at Capital One, he made it a goal to spend two hours every year with each of his 650 employees, so that he could connect with them, share stories of past successes and failures, offer advice, and help them meet their professional goals.

While one-on-one meetings can be valuable, Spinelli adds that living by example—including supporting diverse role models and being a thoughtful, kind, and engaged leader who listens to alternative perspectives—is key to earning employees’ trust that you live up to DE&I principles.

Leaders need to flex their emotional muscles to support people, Pogue says, and that starts with humbly asking questions, being willing to learn, and giving yourself the time to let revelations about employees’ challenges and unseen labor sink in. Once professionals can empathize with each other, they begin to seek ways to level the playing field or at least respect each other more.

Even in highly competitive fields where professionals seek to advance quickly, Pogue suggests leaders ask employees how they want to get ahead—by talent and hard work on an even playing field or by taking advantage of systemic inequality?

“Some are like ‘Look, I just need to win,’” he says. “But some of them are like, ‘No, I want you at your best when I beat you.’ Those people often are the ones that they raise to the top.”

Retention

DE&I does not stop at hiring diverse talent. Recruiting diverse perspectives and retaining them long-term requires investment from leadership, especially in team members’ mental health and wellness.

“Burnout is at epidemic levels up and down the system, from leadership to analysts,” Duhart says. The travails of underrepresentation only exacerbate this.

According to December 2020 research from behavioral health benefits provider Spring Health, 76 percent of U.S. employees are experiencing burnout driven largely by increases in responsibilities at work and insufficient paid time off. Among burnt-out employees, 26 percent said “having a supportive and understanding manager at work would help them to reduce and avoid worker burnout.”

Duhart supports a compassionate leadership approach, where leaders regularly check in with others to see “how are you as a human?” not just as a worker. Resetting the conversation to allow people to have good days and bad days—and to ask for help when they need it—challenges people to give themselves enough space to recharge their batteries.

“Productivity will be a side effect of that wellness,” Duhart adds.

Whether it’s burnout or languishing—a feeling of stagnation or emptiness—2020 and 2021 were rough years for employee wellness, according to the New York Times.

“Languishing dulls your motivation, disrupts your ability to focus, and triples the odds that you’ll cut back on work,” wrote Adam Grant for the Times. “It appears to be more common than major depression—and in some ways it may be a bigger risk factor for mental illness.”

Some solutions for languishing include enforcing work–life boundaries, reengagement, finding new challenges, and diving into meaningful work.

In addition to compassion around wellness, Spinelli also recommends enhancing efforts on engagement, including slowing down the decision-making process to ensure that each team member’s ideas are listened to and appreciated. While not every piece of feedback will be enacted, knowing that you are part of a cohesive and inclusive team builds an esprit de corps in the workforce.

“If you think that number one, you’re going to keep your team or even you’re going to keep diverse talent on your team every year by providing them with a 1.5 to 2 percent raise—that’s not what keeps people,” Spinelli says. “It’s: ‘I’m doing interesting work. People value my input. I see a career path. People believe in me.’ Those are the things that you have to really think about if you’re going to really run a diverse and inclusive organization—it’s more about listening than taking action.”

Claire Meyer is managing editor of Security Management. Connect with her on LinkedIn or email her at [email protected].