How working in cybersecurity can be like being in a real-life cop show. And, why a culture of inclusion is crucial in the fight against global attackers.
Diana Kelley bristles at suggestions that cybersecurity is a dry or dull career choice – after all, she’s dedicated most of her working life to protecting data and blocking digital wrongdoers.
“I think it is the most interesting part of IT. It can be a fascinating puzzle to solve. It can be like a murder mystery on that show, ‘Law & Order,’ except that when they find a dead body, we find a network breach,” she says.
“As we investigate, we go back through all these twists and turns. And, sometimes we discover that the real culprit isn’t the one we had suspected at the beginning.”
As Microsoft’s global Cybersecurity Field Chief Technology Officer, she wants to erase misconceptions that might be stopping people from more walks of life from entering her profession – which, she argues, needs new ways of thinking and innovating.
Successful companies know that by building diversity and inclusion within their ranks, they can better understand and serve their many and varied customers. Cybersecurity teams need to read from the same playbook so they can better anticipate and block attacks launched by all kinds of people from all sorts of places.
“Cybercriminals come from different backgrounds and geo-locations and have different mindsets,” Kelley says. “They collaborate and use very diverse attack techniques to come after individuals, companies, and countries. So, it helps us also to have a very diverse set of protection and controls to stop them.”
Knowing how attackers might think and act can be difficult for any cybersecurity team, particularly if it is made up of people from similar backgrounds with similar viewpoints. It is the kind of conformity that can even lead to a sort of “groupthink,” which results in blind spots and unintended bias.
The power of different viewpoints
“If people think in the same ways again and again, they are going to come up with the same answers. This only stops when different viewpoints are raised, and different questions are heard.”
Kelley says attackers come from, and operate in, many different environments, and cybersecurity teams need to match this diversity as much as they can. However, the make-up of today’s international cybersecurity community remains surprisingly homogenous.
“About 90 percent are men and, depending on where you are in the world, they are often white men,” she says. “In Asia, it tends to be a little worse. Only about nine percent are women.”
The need for change comes amid unprecedented demand for cybersecurity and a chronic shortage of skilled specialists across the world. Kelley sees this an opportunity.
“We’ve got this big gap in hiring, so why not create a more diverse and inclusive community of people working on the problem?” she said in an interview on her recent visit to Singapore, one of many global cities vying for talent in the sector.
One major concern is gender imbalance. Even though many well-paying jobs are up for grabs, relatively few women are taking up, and staying in, cybersecurity roles.
Fixing the gender imbalance
“When I got into the field almost 30 years ago, women had very low representation in computer science in general,” Kelley says. “Back then, I just assumed it would change over time. But it hasn’t.”
Studies show that girls often drop out of STEM (science, technology, engineering, and math) subjects in middle or high school. Some women university graduates do enter the profession. But a lot end up leaving – many for cultural reasons in the workplace.
“There is a high attrition rate. We need to promote the value of studying STEM. And, we also need to work for the people who are in the field now by creating inclusive work environments.”
Kelley joined Microsoft about two years ago. Since then, she has been struck by its strong culture of respecting diverse viewpoints and encouraging inclusion – things she hasn’t seen stressed in some other companies.
“Not every idea is a great idea. But that doesn’t mean it should be mocked or dismissed. It should be respected as an idea. I have spoken to some women elsewhere who say because they didn’t feel heard or respected, they didn’t want to stay in IT.”
Bringing in all sorts of people
Kelley says more can be done to build up diversity and inclusion beyond fixing the gender mix. Again, she is impressed by Microsoft’s efforts. “Yes, we need to engage more women. But we also need to bring in all sorts of people from different social and career backgrounds.
“For instance, our team – the Cybersecurity Solution Group at Microsoft – is looking for people who may not have worked in cybersecurity in the past, but have a great interest (in technology) as well as other talents. So we are creating diversity that way too.”
Kelley recounts her own sideways entry into the field. She fell in love with computers and software during her teens when she discovered for herself how vulnerable networks at the time could be.
Later she graduated from university with a very non-techie qualification: a degree in English. Her first few jobs were editorial roles, but being tech-savvy soon meant she became the “go-to IT guy” in her office.
“Finally someone said to me, ‘Hey, you know what? IT is your calling, and we are hiring.’ So, what had been a hobby for me then became a career.”
She eventually moved into cybersecurity after an intruder broke into a network she had just built. “I pivoted from being a network and software person to someone very much focused on creating secure and resilient architectures and networks to thwart the bad guys.”
We need diverse thinkers
Looking to the future, she wants a broader pool of job seekers to consider careers in cybersecurity, even if they did not like STEM at school.
“We need diverse thinkers … people who understand psychology, for example, who can help understand the mindsets behind these attacks. We need great legal minds to help with ethics and privacy. And, political minds who understand lobbying.”
The cybersecurity world needs individuals who are altruistic and have a little more. “We go into this field because we want to do the right thing and protect people and protect data. That is a critical part. And, it also really helps to have a sort of a ‘tinkering mindset.’”
She explains that when cybersecurity professionals create systems, they also have to produce threat models. To do that, they need to think about, ‘What if I was a bad guy? What if I was trying to take this apart? How could it be taken apart?’ That is the point where they can start to work out how to make their system more attack resistant.
Meanwhile, she is eager to debunk a few myths swirling around the subject of cybercrime.
For starters, the days of the smart lone wolf kid in a hoodie hacking for fun from his bedroom are more or less over. Nowadays, only a tiny minority of perpetrators cause digital mischief and embarrassment just for the bragging rights or are “hacktivists” who want to advance social or environmental causes.
Ominously, there are sophisticated state-sponsored actors targeting the vulnerabilities of rival powers. Governments around the world are rightly worried about their citizens’ data. But they also fear for the security of vital infrastructure, like power grids and transport systems. Accordingly, military strategists now rate cyber as a field of warfare alongside land, sea, and air.
That said, most of the bad guys are simply in it for the money and do not deserve the glory and headlines they sometimes get.
“They are not glamorous. Many are in big criminal syndicates that just want to grab our data – hurting us and hurting our loved ones.”