If you think about your career and your life, you probably have some vivid memories of friends and allies—of the times when you worked with others to solve big problems, and the low times when your colleagues helped to lift you up. While writing the previous sentence, I had flashes of building out the security research publication process for IBM with 3 incredible colleagues, responding to a breach with a coordinated team—so in sync, it was as if we were a single organism, and of the wonderful person who saw me speaking about software and offered me my first professional IT job.
But while working together makes us stronger, that doesn’t mean we all have to think alike or agree on everything. One of the powers of collaboration is how diverse views make us stronger. This is especially true in the information/cyber security field where defenders face adversaries from different backgrounds, who are driven by different motivators. Cyber-criminals may focus solely on profit, cyber-terrorists on chaos and destruction, and nation-states on disrupting other nations’ command and control infrastructure.
Battling diverse threats means coming together with diverse and creative thinking. So, in preparation for the next BeyondTrust Women in Security virtual event, we thought it would be nice to dive a little more deeply into the ways diversity can bring us together and make us stronger.
Diversity of thought – flirting with fresh ideas
Agreeing on norms of behavior helps keep society running smoothly. Traffic flows on because there are speed limits, lane markers, and on ramps/off ramps that drivers respect. As drivers, we agree to obey these rules when we get our licenses. But sometimes, as situations and context change, those rules should be revisited and optimized. For example, as car and road safety increased, many states opted to increase their speed limits. Sometimes, efficiency means re-thinking outdated approaches and injecting fresh ideas.
Since humans are creatures of habit, it can be hard for us to break out of old patterns, especially if we’re working with groups that reinforce our ways of thinking. This is why diversity of thought in cybersecurity is so important and one of the reasons that I spend a good deal of time speaking with practitioners who are newer to the field.
Think about the global response to WannaCry—expert cyber teams were responding in a commonly accepted manner, which was to detonate the malware to observe its activity and then reverse engineer the code. But one researcher, Marcus Hutchins, looked through the code and found an unusual domain name. Turned out, that domain was a kill switch. By registering the domain and setting up a server to respond to heartbeats, Hutchins helped stop a large part of the attack. That’s the power of different viewpoints and diverse thinking.
Diversity of talent – opposites attract
What we know and what we’re good at also contribute to the power of collaborative diversity. Hearkening back to the research publication process I mentioned at the beginning, the diverse talents of the other team members is a large part of why implementing the process worked and that diversity carried over into the peer review of research publications. One of my colleagues had deep expertise with disclosure, which meant we were able to optimize the long, lengthy, and complex activity, while also ensuring that we were following all the appropriate disclosure rules (which often varied by geographic region and company).
If you haven’t submitted a research document for review, you may not be familiar with the concept of peer review. The name is quite descriptive, as it refers to the activity of sending research for review by other experts or peers. Diversity of talent drives this kind of review. In cyber, for example, a vulnerability in software may behave differently depending on the underlying firmware or hardware. Software security experts and hardware security experts have different sets of talent, but both matter when reviewing interdependent vulnerabilities. Without diverse reviewer talents, only part of a vulnerability may be understood.
Diversity of palate - a perfect pair(ing)
Even in a technical field like cybersecurity, not everything is technical! Which is why it’s so important to take time to step back and network with others, debrief, and share experiences. With that in mind, next month’s Women in Security virtual event will be exploring how different wines pair with chocolate.
Just as the right peer with a hardware background can make all the difference in understanding the true impact of an interdependent software vulnerability, the right wine (or NAB: non-alcoholic beverage) can transform how a piece of chocolate tastes. I’m really looking forward to the event and to getting to expand my own mindset by meeting new people and reconnecting with old friends in the networking session to follow.
Hope you can join us as we work to celebrate diversity Women in Security!
Diana Kelley, CTO, Executive Mentor, Research Analyst, Security Keynote Speaker
Diana Kelley’s security career spans over 30 years. She is Co-Founder and CTO of SecurityCurve and donates much of her time to volunteer work in the cybersecurity community, including serving on the ACM Ethics & Plagiarism Committee, as CTO and Board member at Sightline Security, Board member and Inclusion Working Group champion at WiCyS, Cybersecurity Committee Advisor at CompTIA, and RSAC US Program Committee.
Diana produces the #MyCyberWhy series, hosts BrightTALK’s The Security Balancing Act, and is a Principal Consulting Analyst with TechVision Research and a member of The Analyst Syndicate.
She was the Cybersecurity Field CTO for Microsoft, Global Executive Security Advisor at IBM Security, GM at Symantec, VP at Burton Group (now Gartner), and a Manager at KPMG.
She is a sought after keynote speaker, the co-author of the book Cryptographic Libraries for Developers, has been a lecturer at Boston College's Masters program in cybersecurity, the EWF 2020 Executive of the Year, and one of Cybersecurity Ventures 100 Fascinating Females Fighting Cybercrime.
