For a more effective IT security team, hire for diverse perspectives

Cybersecurity is stuck in a conceptual rut. Security professionals tend to believe if they had more people, technology or budget, their problems would be solved. Those calls for more of everything are sometimes answered, but there seems little correlation between getting more resources and getting more effective.

I’m oversimplifying a whole discipline, but as a rule, cybersecurity suffers from a lack of creativity.

Creativity is crucial to our work. We need to find new solutions by seeing problems in new ways. And we may be able to get there by seeing our people in new ways.

The benefits of diverse thinking in teams

One way to encourage creativity may be to increase the diversity of the people you hire. Diversity is not a strength of the industry; there’s much work left to do.

Here I consider diversity in the widest possible sense, covering for example race, gender and sexual orientation, but also things like neurodiversity and social background.

Instinctively it feels that a wider variety of people and the experiences they bring comes a richer pool of ideas. Scientific studies support it. “If you want to build teams or organizations capable of innovating, you need diversity. Diversity enhances creativity,” said the late Katherine W. Phillips in Scientific American, formerly Professor of Leadership and Ethics at Columbia Business School. Her article, based on decades of research, is a treasure trove of ideas, particularly on how diverse groups have better interactions.

How to look for diverse perspectives in new hires

Some in cybersecurity suggest, to solve the industry’s perennial recruitment problem, businesses should look beyond their usual sources for new hires.

So what should you look for? Ant Sharman, Director of Evocatus Consulting with a background in civilian and military management and training, says “For me, with my interest in wargaming, I look for people with different experiences understanding situations, seeing threats and opportunities, and coming up with alternative solutions.”

Diverse experience needn’t mean length of experience. With the pace of technological change in cybersecurity and all employees needing to learn fast, that “ten years’ experience” expected from a candidate to get an interview may limit a team’s potential. Differences in experience can come from, for example, growing up in a different generation. The candidates whose perspectives the team needs may come from backgrounds different than that of the hiring manager.

When I started in Infosec, I was the only one from a poor, non-white and non-university-educated background in the teams I worked in. The way I approached problem-solving was completely different.

Mario Platt, Independent consultant, Privacy Beacon

Expanding the skillset within program teams is also a way to achieve diverse and complementary approaches.

Jemma Davis, Security Culture and Awareness Consultant at JeMarketing Services, highlights the benefits to a security awareness program team. “Someone from marketing understands how to influence behavior, someone from privacy understands regulation, someone from security understands integrity and someone from IT understands availability.”

Davis feels you need different types of people to achieve everything you need, as creative people tend not to be good at execution, whereas “doers” focus on getting the task done before considering other options. Combining both, within or between teams, means benefits.

Your corporate rivals will be fishing in the same pool to compete for the same people from the same backgrounds. So instead, boost your team’s creativity by hiring someone different.