Inclusivity In Security

From Daelphinux
Jump to: navigation, search

A collaboration with User:Fawkes.Lucius

There are a significant number of topics that overlap Cyber and Politics. I think one of the biggest ones is Diversity, Equity, and Inclusion. DE&I is not a thing that should ever be ignored by any organization, but setting aside the moral, ethical, and generally being a good person reasons to get behind DE&I, I want to take some time to discuss this topic from a specific Cyber Perspective.

What Is DE&I?

Diversity

Diversity means embracing what makes us all different. This includes, but is not limited to racial, sexual, cultural, and religious differences between team members. In security, a diverse team provides insight into unique challenges that some team members may not be naturally keen on, like identifying some risks or estimating risk impacts.

Creating a diverse team means seeking out team members who belong to different, particularly marginalized, groups of people. Including these perspectives provides direct looks at the attacks those groups face as well as in-depth consideration of the impacts attacks on those groups can have.

Equity

Equity on a team means fundamentally equal treatment and respect of all team members, from equal compensation for equal work to opportunities for growth and/or leisure. Equity fosters security by eliminating the perception of “weak links” or undue hierarchies amongst team members. For example, a diverse team with a gendered disparity in its team members’ compensation is exploitable by agents with the means to offer bribes to team members. A diverse team whose non-white members do most of the overtime demotivates the team members who are expected to do more for less.

Equity also means ensuring that the team is represented by and listens to a diverse group of team members and sources. Equal access to leadership and crucial roles keeps the team focused on the tasks at hand, instead of meta-level concerns about their place in the group.

Inclusion

Inclusivity is the practice of creating and embracing a diverse and equitable team. Mindfully creating a space where all team members enjoy the same, shared, mutual respect for one another fosters the free, open, and genuine communication needed in the security world. Ensuring that all team members can comfortably exhibit the parts of themselves that make the team diverse, from their cultural to their physical diversities, creates a team that can work together to become greater than the sum of its parts.

Remember that a diverse team means nothing if they are not also treated equitably, and included properly into the organization, and culture, they are working to defend.

Why is it relevant to Cyber?

Setting aside that almost Everything is Security, this is particularly important. It all boils down to what Security teams are supposed to be able to accomplish. The industry has moved past reactive security (although reactive security preparation and planning is *critical*). Security teams need to be able to fulfill the following functions:

  • Predicting Tactics, Techniques, and Procedures
  • Predicting adversaries
  • Predicting risks
  • Estimating risk impact
  • Estimating intrusion or breach impact
  • Determining Vulnerabilities on networks and systems
  • Understanding the current exploit landscape
  • Preparing Incident Response and Mitigation teams and procedures
  • Perform analysis on adversaries
  • Build profiles of common adversaries
  • AND MORE...

Ultimately, all of these things require five key aspects. The team has to have broad perspective, they have to be creative enough to think of the unique ways an attacker might find a zero day exploit, they have to be a close team who is able to work together well even in the face of conflict and adversity, they have to have a broad understanding of different cultures, socioeconomic groups, and the motivations that drive them, and, finally, the team has to be willing to constantly learn. We will address below how each of these key aspects of a good security team are reinforced by having a diverse group.

In this section, we are going to focus on the diversity of the team. Remember from above that a diverse team means nothing if they are not also treated equitably, and included properly into the organization, and culture, they are working to defend.

Perspective

Even the most cynical individual respects that having a diverse group brings about a range of perspectives that no individual could ever have. If you have a team made up predominately of the same group: Cis White Men, Cis AA Women, LGBTQ+ white mixed-gender, etc. They will have perspective flaws that will limit them in understanding the potential reasoning for an attack. It would not occur to a cis white male from rural Kansas who was indoctrinated at a young age, for instance, to fathom defacing a website to bring attention to racial disparity problems in any implicit way. A single AA/AAPI team member would have likely known that to be a very likely possibility instantly and inherently.

While perspective can be learned, it can not truly be understood. It is far better to have team members who have grown up in a different way, who lived different lives, to get inherent and innate understanding of different viewpoints that can be articulated in a way that conveys understanding, not academics.

Creativity

A diverse team is a creative team. There are many reasons for this but a striking on is that those who are differently-abled, who are neurodiverse, or who are LGBTQ+, all tend to have something in common: they were generally socially ostracized at a young age, albeit for wildly different reasons. A wheelchair user may have been unable to participate in sports, and spent their PE time in school reading books, or making art. A neurodiverse individual would not have fit in socially, and instead done very deep dives into random topics over the years (this one is a personal anecdote), leading to further ostracization as a "nerd" or "geek" for the things they found that they enjoy. An LGBTQ+ teen may be ostracized at school, especially if they went to a rural school with limited diversity perspective.

Now, that is only one of the two ways I want to discuss that having a diverse team can encourage and foster creativity. You will likely be incorporating members of your team who, for better or worse, were forced to develop creative pursuits to fill a void left by socialization. However, simply having diverse individuals on a team will foster creativity.

Members of many marginalized communities (AA, AAPI, and other minority groups; neurodiverse, differently-abled, etc.) have to do things like Code Switching (changing linguistic choice based on the current social group), Masking (hiding an activity, often to discomfort, to appear more normal), Scripting (playing through the same situation over, and over, and over, and over, and over, and over again until you are reasonably certain you can predict the outcome), and other such tasks. While these are problematic in themselves, they do lend themselves to creative thought. This is a situation of an adversity becoming a strength. While these are becoming, thankfully, less and less necessary as society adapts to our existence, people who have had to endure these activities have an added strength. When you live your life performing one of the aforementioned tasks it forces you to reconsider every aspect of your interactions, often in novel ways. We can turn these skills into thinking outside the box about any given situation.

Please note: that we, as diverse individuals, need to perform these actions, and suffer this ostracization, is abhorrent, deplorable, and generally fucked up. This is a way for members of our communities to turn their mistreatment and misunderstanding by society into tools that will allow them to succeed in a space where these skills are required and in desperate need.

Team Tenacity

For many of the same reasons above, almost every marginalized group is going to be inherently more tenacious than their more conforming counterparts. Growing up in a society that does not quite accept you, or does not allow you to express who you are fully, leaves you with a much bigger sense of depression that it might seem. It often feels like a physical weight stopping you from being you.

This kind of difficulty is seen and dealt with by marginalized groups every day for one reason or another. It manifests as mental illness, lacking confidence, and natural suspicion, among other things. Marginalized groups are, because of this, far more capable when faced with adverse and difficult situations. We often do not even need much encouragement to succeed in these environments because they are not all that different from our day to day lives. This ability to persevere is absolutely an asset in a field rife with situations where the only way to succeed is to fail repeatedly to rule out possibilities.

Understanding

The inverse of the above reasons causes groups with more diversity to be more understanding. When everyone is welcome at the table to share experiences, and feelings; to laugh, and play with their coworkers; and finds themselves integrated into a community it tends to lead to everyone becoming more understanding. This understanding helps us not only build stronger teams that work well together, but also broadens our understanding, and fosters professional empathy, for other human beings in general. When we stop seeing each other as "us" and "them" and start seeing everyone as us it becomes easier to make assessments of an individual.

This professional empathy allows security practitioners to step more readily into the shoes of their adversaries, and even sympathize and empathize with them. This deep understanding of an adversary can help us determine motivation, but will also remind us that there is a human being who was pushed into this by some motivation or another at the other end of the interaction. We must have compassion for our adversaries, as well as for our allies. Too readily, and too often, do those in security practices become drunk on the power and responsibility and forget to have compassion.

Learning

Learning is one of those things that every group needs to do, but diverse groups do better. When a group is built to be diverse you will, naturally, get people of varied interests, varied academic backgrounds, and varied skilled backgrounds. These teams often can learn in intimate ways from each other (such as through pair programming, paired assessments, and team exercise) by seeing each other perform highly capable skills, but also in that they can help each other provide context of things that the rest of the team must know or learn to do. It is much easier to explain a highly technical and difficult concept to another individual if you can meet them at a common point first. Having a strong and diverse team can foster that better than homogenous teams can.

Conclusion

Ultimately, Diversity is at the core of humanity by almost every measure. The recent trend in business environments to have Equity and Inclusion for Diverse populations is laudable, and a natural social evolution of humanity. Again, setting aside the myriad moral, ethical, and generally humane reasons to support DE&I, we have addressed a number of reasons why it also makes good business and security sense to have diverse teams with proper equity and inclusivity measures.