What a wonderful world
How often have you heard the term “cultural fit” as it relates to employees of your or another’s place of employment? Have you, personally, ever uttered the term when acting as part of a hiring committee or when describing certain members of your security team? Hiring for “cultural fit,” or firing for lack thereof, is not uncommon, but what has always struck me as odd in the security field is that many industry professionals would describe ourselves as slightly “off center” by nature. We weren’t the kids who fit into tidy boxes growing up; we had diverse interests, proclivities, and friends.
As humans are wont to do, however, (as the saying goes) birds of a feather flock together, and as we grew into our adult lives, we found a community of like-minded people: security professionals.
Looking at the security community today, it’s easy to see how some people “fit” better than others. Women in security make up anywhere from 11% - 18% of the industry, depending on whose study you’ve read. Hispanic/Latino security professionals comprise just 5.2% of the industry, and Asian and Black/African American security professionals represent just 3.4% and 3.0% of the industry respectively.
Considering these percentages, it’s easy to see that somewhere along our paths we’ve forgotten that being different and surrounding ourselves with others who are different, too, can be fun, liberating, and eye opening. On the other hand, one could look at this and say that surrounding ourselves with like individuals reduces friction and allows our organizations to move faster, feeding corporate goals such as agility and low time-to-market.
Regardless of which side of the diversity argument you, personally, land on, it’s important to point out that the percentages, above, represent only what’s on the surface; true diversity is much deeper than gender identification or skin color, but gender and skin color are indications of what’s happening in the industry. They are also a good place to start seeing opportunities for greater inclusion and success.
Getting back to how our companies operate, naturally, the idea of reducing friction is compelling (who likes confrontation?), but when it comes to marketplace success, carefully considering contrasting perspectives provides a broader view which allows companies to build solutions for customers, who, themselves, may not have one overriding characteristic. Whether you’re a practitioner working for a security vendor that sells to external buyers (e.g. hospitals, financial services firms, retail brands) or an internal security team member who needs to deliver security to the business, you’re building your “product” for many types of individuals. These individuals—consumers—come from varying backgrounds and experiences, have distinct thought processes and workflows, and leverage technology in unique ways. Security practitioners must consider this aspect as the industry expands, and start looking at how we can alter our organizations to better reflect the diverse world around us. We need to always be asking: What can we do to include heterogeneity of thought in the building/development/creation process?
Dug Song, CEO and Co-founder at Duo Security, thinks about the security industry’s lack of diversity a lot. He and partner Jon Oberheide founded Duo seven years ago with the intention of building an atypical kind of company—one that is “fundamentally different” from the many revenue-driven organizations they saw popping up around them. The founders’ goal from day one was to “build better security, not just more,” said Song during a recent interview with Infosec Insider. One of the chief ways the duo set out to accomplish this was by hiring strategically for growth, and not just looking for someone with a stellar security résumé.
Today, the company employs more than 400 people, nearly 20% of which are minorities, said Song. In addition, they actively recruit people who have experiences outside the security field, grew up across the country (or world), think and act differently than your “typical” security practitioner, and may be able to contribute an entirely different approach to a problem. By doing so, he asserts, the organization gains more creativity and better ideas than organizations with a homogenous culture.
The name of the game is inclusion, and it’s paying off. Duo is in “hypergrowth mode,” said Song, proudly touting that his company has far exceeded revenue projections every year. The secret is hiring for cultural contribution rather than cultural fit. Hiring teams look for potential employees who can provide an outside-in point of view and help the company “increase capabilities and improve the world around them.” It isn’t about finding people that fit the mold for Song; it’s about enhancing the company’s ability to service customers. What better way is there to achieve this than to hire people who reflect the broad backgrounds and needs of one’s customers? Oh, and by the way, that hiring burden the industry is struggling with, much of that load can be alleviated by simply expanding one’s notion of “best fit” by simply thinking about “What can we learn from a candidate’s unique perspective and experience?”
For Song, though, maintaining a diverse workplace is about more than selling products. He and Oberheide were tired of seeing companies approach cybersecurity challenges in the same way, failing to meet customer needs but reporting dazzling profits. The pair felt they had a moral responsibility to build a company that would change the way products are built, marketed, and sold. The focus needed to be on the consumer—truly, not just in word—which means new, sometimes outrageous, creative ideas. Getting to this place of flowing creativity and continuous change required purposeful diversity, which is where the company is today.
The amazing thing about how Duo has grown is that expanding the concept of what makes a “good” or “effective” security practitioner allows the company to be more agile and develop for people and their unique needs. To illustrate, Song explained, “Security challenges are about people. Attackers don’t go after technologies; they go after people. The reason we’re successful is because we make things easy for people to use systems. It’s all about user experience design and interaction.” As an industry, he said, security hasn’t taken the time to understand how people use technology, to understand that consumerization has honestly changed the market. By employing a diverse workforce, Duo has been able to look at security through a fresh lens and adapt quickly to customer needs and habits. Additionally, a diverse workplace helps everyone learn and grow both personally and professionally. It’s a pretty satisfying position: creating pathways to success and security offerings that help people do better and be better.