Diversifying Cybersecurity Pays Dividends – We’re the Proof

Security Innovation’s 20th year in business is a major milestone for any company – especially one in cybersecurity – and we’ve been reflecting on some of our biggest accomplishments. While many of those memories are about innovative tools, techniques, products, and services we’ve developed over the years, some of our proudest accomplishments have nothing to do with making companies and clients more secure.

When we first opened our doors in 2002, our biggest concern was spreading the gospel of software security and proving our business model was sustainable. But as we established ourselves and spent time working with countless teams across large and small companies, something became impossible to ignore: cybersecurity had (and still has) a major diversity problem…and we were not immune to it either.

Around 10 years ago, we decided to do something about it. We felt this work was extremely important both for the industry as a whole and for our own company. Putting diversity and inclusion (D&I) top of mind was not just the right thing to do, it was imperative for the success of any further security efforts. The last decade in cybersecurity has been the worst in history. Finding a way to solve this won’t just come from tools and tech. Security Innovation has been doing that work for over half our history – and committing ourselves to advancing D&I has evolved into a core part of our mission and a significant portion of our impact.

Making a Social Impact That Matters

When we started getting proactive about this issue, we knew the solution couldn’t come from the top-down (that was part of the problem in the first place). Instead, we needed to let our employees identify the causes, issues, and organizations that were important to them. The people on the frontlines of cybersecurity have the best perspective on the problems in the industry. And whether they’ve been affected by bias, prejudice, open hostility, or witnessed it happen to someone else, our employees care deeply about this issue because they are the closest to it. The solution had to come from our people.

So we solicited input from our entire team to learn what they wanted our social impact to look like. Overwhelmingly, they wanted us to use our resources and influence in service of people who have often been excluded from cybersecurity: women, people of color, members of the LGBTQ+ community, and similarly marginalized groups. They also made it clear they wanted more than a few token donations – they wanted us to have a real, immediate, and lasting impact. And they had lots of creative ideas for how.

Some of our team joined nonprofit boards or opened new nonprofit chapters, in both cases helping organizations dedicated to diversifying cybersecurity extend their reach and advance their cause. We had people provide free security testing to minority-owned businesses, lead free security training classes, and chair capture-the-flag events for underrepresented audiences. We also did plenty of old-fashioned fundraising among our team, combined with major donations (of money, expertise, equipment, and more) from Security Innovation itself.

We wanted to hold ourselves accountable and cultivate within our own organization the diversity we were advocating for in others. We created the Security Innovation Diversity & Inclusion Committee (SIDIC) long before such a thing was standard. Also unusually, we gave the committee a meaningful budget, empowered it with decision-making capabilities, and put employees (not senior management) in charge so the SIDIC could be honest, bold, and challenging in how it critiqued our organization. The committee researches, recommends, and oversees all our D&I initiatives. One example was a detailed sweep of all our training materials to remove offensive or insensitive language still present from a less-enlightened era of cybersecurity. In everything it does, the SIDIC emphasizes not only what it is doing but also why, so that diversity becomes a central part of our culture and a collective commitment across all levels of Security Innovation.

Pushing Cybersecurity in a Positive Direction

Since we prioritized diversity a decade ago, we’ve partnered with countless fine organizations, including:

  • American Indian Science & Engineering Society (AISES)
  • Women in Security & Privacy (WISP)
  • Executive Women’s Forum (EWF)
  • Cybersecurity Non-Profit (CSNP)
  • Girls Who Hack
  • Grace Hopper Conference
  • Pueblo Community College
  • Shaw University
  • Stillman College
  • Infosec Girls – India
  • AppSec JOB Challenge – Ghana, Zimbabwe

Our partnership with Cyversity, a group that supports minorities in cybersecurity, illustrates how we blend our own assets with those of our partners. Through Cyversity, we’ve worked with Google, Intuit, and TikTok to put hundreds of people through an intense training and certification program, after which Cyversity provided them with mentors, resume-writing workshops, and job placement assistance. Together, we helped these promising but often overlooked and under-supported professionals make meaningful strides in their careers while changing the face of cybersecurity.

We are honored to do this work and committed to getting it right. But, admittedly, our agenda isn’t entirely altruistic. Striving to make a social impact and putting employees in the driver’s seat has helped us achieve some of the highest retention rates in the industry.

Our team feels like their work matters – because it does.

Bringing new talent into cybersecurity – by sponsoring scholarships or paying for 15 women to attend DEFCON – has also helped us (and plenty of other organizations) address skills shortages and recruiting struggles. Working to diversify cybersecurity has undoubtedly made Security Innovation a stronger organization in the process.

As our experience has shown, diversity is good for all. Now it’s time to get the entire industry to agree.

What is the one step you can take to start effecting change?