Building a diverse security team

To stand in the shoes of customers and ensure their safety, we need to understand them and the different ways they view the world. There’s no better way to get that perspective than to build a diverse security team. Modern security teams need to reject the perception that they are a group of ninjas, and instead build a team of educators and nurses – we educate people to prevent them from falling into harm in the first place, and we support them and get them to safety when they do get hurt.

Why do I call out Diversity as a foundational element of building a security team?

I have had the privileged opportunity to build a security team inside a growing technology company three times. Each was a chance to learn new lessons on how to better bring together a group of people with a shared mission of preventing harm to customers.

One thing I figured out quickly is that security work has some unique challenges: 

• We have active adversaries. Unlike every other functional part of a corporation, we compete–against people with unlimited resources, unlimited time, no ethical boundaries, and significant economic incentives to disrupt and undermine our work.

• We have finite resources. Companies exist to generate revenue and financial models reward teams that generate revenue. They struggle to figure out how much to invest in managing risks that are intangible and evolving constantly. Every security team scrapes and scrambles for every resource and to get their requests prioritized.

• We don’t have simple answers to our problems. There are as many opinions about how to prioritize security work as there are people who work in the profession.

• We have to be right every time. If we plug all but one hole in the proverbial sieve, we still lose. The attackers only have to find a single hole in our defenses one time to win.

Given all of the above obstacles to success, it is important to bring together a team of people who are not only sufficiently technical enough to build good solutions inside a complex environment, but also smart about evaluating risks, willing and able to see things from many different angles, determined to fight for what is right, empathetic enough to see things through the eyes of customers, resilient in the face of adversity and failure, and strong enough to hold together when times are tough.

I’ve reached one concrete conclusion: the best way to develop a team that carries these traits is to build a diverse team. We can’t stand in the shoes of our customers if we don’t look like them and share their experiences. We won’t be able to debate an issue fully if we don’t look at it from many different angles. We won’t truly be empathetic if we haven’t struggled ourselves. We won’t build resilience until we are tested. And we won’t build a team until we learn to hold out a hand to help up someone who is different.