How the Security Industry Can Avoid Groupthink
With the big RSA confab just a week away, executives say the security industry is approaching a pivotal point and that now is the time to take steps to diversify its composition.
When it comes to matching wits with attackers who aren’t boxed in by rules and reputation, why not borrow a page from the adversary and think outside the box?
That may sound like boilerplate advice. But in an industry where most folks look alike, it can be a challenge not to wind up thinking too much alike as well.
All the more reason why several leading executives say now’s the time for the security industry to do a lot more outreach to add voices and perspectives that have been left out of the security conversation until now.
“We’re in a field that really depends on diversity of thought,” said Hugh Thompson, Symantec’s Chief Technology Officer.
With the annual RSA security conference just a week away, Thompson and other members of the RSA board of advisors gathered recently to talk about how to diversify the ranks of the security industry to challenge convention – a goal that Thompson said can become “one of our greatest weapons” against attackers.
That message comes as a survey that Frost & Sullivan conducted on behalf of the Center for Cyber Safety and Education and the Executive Women's Forum on Information Security found that women comprise just 11% of the U.S. information security workforce, the same percentage as in 2013. Meanwhile, the Bureau of Labor Statistics estimates the percentage of African-Americans in the industry at 3%.
“There’s no question that as an industry we have a lot of work to do here,” said Dmitri Alperovitch, the co-founder and CTO of CrowdStrike Inc.
“It's absolutely critical,” he said. “The enemy is only getting more ingenious and entrepreneurial. And we need all the talent we can harness as an industry to face these threat actors - and for that we need a diverse workforce. That includes women and other minorities as well.”
Alperovitch and the other board members participating in the talk underscored the importance of alternative or even dissenting perspectives. They said it was another way to avoid groupthink and force security teams to revisit old assumptions about the way that attackers may try to penetrate their organizations.
In the end, they agreed that hiring a more diverse workforce is going to be in the security industry’s enlightened self-interest.
“It’s not just important to have diversity of thought in doing defense - but also, we need to remember that the community of technology users that we’re serving is global now,” said Wendy Nather, Principal Security Strategist, Duo Security.
She harkened back to the earlier era of the security business, when the industry was a relatively small and homogeneous community in which “everybody had pretty much the same background and level of knowledge and understanding.”
“Those days are long, long gone and you need to consider not just what we are bringing to customers and users in terms of technology,” she said. “In order to make the best user experience and the most effective security that (customers) will want to use, we have to represent and keep researching that diversity of thought and bring those diverse voices in. Representation matters. Not in the sense of saying, look, let’s celebrate female CISOs - because that says what, as opposed to ‘regular’ CISOs? We don’t want to treat people as others or exceptions. We want this diversity to be so unremarkable in the future that there’ll be no point in remarking on it.”
Fellow board member Benjamin Jun, CEO of HVF Labs, suggested that security companies that move more rapidly to diversify are also more likely to get a leg up on their competition.
“Our job is to avoid bad things and so we have to look at all facets of the problem,” Jun said, noting that security threats are generally hard to sniff out.
“The job of everyone on this board is to find corner cases where something is going to go awry and so on a daily basis, we are constantly triaging this information. How can we give each piece of information, each observation, the correct level of attention given the fact that we have hundreds of these things? It is by doing this better that we’ll win. As an industry, we’re going to fail if we don’t keep our eye constantly focused on this topic.”