Many studies highlight the importance of diversity and inclusion (D&I) in generating more creative solutions to business problems and in enhancing performance and competitiveness. D&I has been a catalyst for success and a foundation for innovation in many industries, and tech is no different.
We had an intriguing conversation with Julian Waits, SVP & Executive in Residence at Rapid7. He was recently named a North America Region (ISC)² Diversity Award honoree, and with more than 30 years in senior leadership roles at technology companies, specializing in security, risk, and threat detection, he shared some breakthrough views on diversity and inclusion in cybersecurity.
Could you give us a peek into how you got into your current role?
I have a couple of roles. One, I work for Rapid7; I recently accepted the position of Executive in Residence. I connected with the CEO and COO team of Rapid7 to bring forth new businesses that are appealing. Second, I am the Chairman of Cyversity. We focus on increasing the pipeline of people entering the field of cybersecurity. Cyversity’s core mission focuses on women and people of color wanting to come into cybersecurity.
What concrete steps can organizations take to prioritize diversity, equality, and inclusion to address the global cybersecurity challenges?
I will start with the ‘Why’ of diversity and inclusion in cybersecurity. If you believe the statistics on open positions in cybersecurity, there are about 3.5-4 million openings across the globe. It’s an opportunity that some people are aware of and take advantage of, but most people are not. Speaking from the US perspective, the diverse community of non-white males is largely not aware of STEM-related jobs in cybersecurity. If there are a million openings and there isn’t awareness, people need to know. There are just not enough people in this fight to defend against cyber attackers.
The first step is for people to acknowledge it. We all tend to go with what we are comfortable with and things that we are familiar with. The first thing to recognize and do is start recruiting for talent outside the normal places you usually go. High-class technology-oriented institutions may not be the places where everyone can afford to go. Look for an environment where you know there will be diversity. Advertise in those areas. Next, let people know not only that you are interested in hiring diverse talent, but also make sure that they know they will be welcome in the environment and the culture, and that they will be celebrated for who they are.
Has the culture and diversity in the cyber world changed in the last two years?
During COVID-19, at least for the first part, it was the shock effect. I don’t think we have done a good job with D&I. I think the fact that people were remote only made the problems worse in terms of how we connect and realize what we need to do for the greater good. Now that we are going into the second phase, I see a new awareness. While talking to entrepreneurs in large corporations, D&I is taking a whole new angle. I think we are going to see more of it, and we will see it going to the forefront.
What changes have you seen companies make to adapt to cybersecurity vulnerabilities?
So many companies have many security engineers who are focused on the technologies, but they aren’t focused on ‘Why’ they are purchasing that particular security technology. I mean, things that represent a true risk to a given organization are not considered in the equation. Say you are an insurance company: you want to protect the data of your customers. Or if you are in the military defense industry, there are all kinds of information you want to protect. So, the first thing is to focus on the things that are most important to them, the things that represent the greatest form of risk or liability, and then work backwards from there.
What should be the top 3 preparedness measures for companies facing ransomware risks?
I think we just need to become more diligent. Typical cyber hygiene and monitoring for attacker activity, using technologies like those we provide here at Rapid7, are the right things to do, but we’ve got to be more focused. But the key thing is, I don’t think there is any such thing as keeping the attackers out. It’s really about how quickly we can catch them before it becomes a material breach. That means having a really tight security operations program and understanding that it’s a priority from the top down. And more importantly, making sure everyone in the organization is educated around the culture of cybersecurity.

What advice do you have for businesses venturing into the hybrid work world? How should they upgrade security strategies?
The biggest issue when we went through the shock of having to work from home due to COVID-19 was that security groups weren’t prepared for it, and company infrastructures weren’t prepared for it. I remember one company where there wasn’t enough infrastructure to allow 10k+ users to connect every day; people were scrambling just to get bandwidth. Now, we have adjusted to it. I think there’s a whole bunch of things that we lose in this world of virtual meetings. Thank God they exist, but they aren’t the same. But I think a hybrid work environment will make us more effective when it comes to cybersecurity.
90% of what makes a great cybersecurity program is human-to-human interaction, not machines. It’s not the technology, it’s the process and the people that make it work. Hybrid work is forcing us to become more efficient in the digitally distant landscape we currently live in.
The supply chain is becoming a magnet for cyber breaches. How can companies address and strengthen the response to supply chain attacks?
I think for a number of years we will be following the attackers; there is no way to anticipate what’s going to happen. DevSecOps is the answer to supply chain attacks, especially when you look at what happened at SolarWinds. The first thing that companies who buy from security providers like Rapid7, and others in this field, should do is make sure we’re SOC 2 compliant and follow industry-standard cyber hygiene protocols. Two is, ‘Ask us’: what are you doing in your CI/CD pipeline? And beyond that it becomes diligence. Security providers can try to fill every hole possible; the issue is that the attacker is always looking for the one that we don’t see.
With the rapid market expansion and increasing cybersecurity risks, do you think Artificial Intelligence’s inherent vulnerabilities are a blind spot for cybersecurity?
Artificial intelligence implies that at some level I’m an expert at everything that is happening around me. Therefore, I can now make intelligent decisions about what happens next.
If the nature of attacks is changing daily, new families of malware come out, and hundreds of new attacks come out on a monthly basis, I don’t think AI is particularly effective in detection. AI for response can be done well, in my opinion.
Now, machine learning is an actual weapon we have in our arsenal. But you can only train it to do so many things. So, inherently, there will always be blind spots. The hope is that the ML models can quickly highlight what’s different or an anomaly.
What is the one cybersecurity lesson you learned in 2021 that you would like to apply in 2022?
The number one lesson I learned about cybersecurity in 2021 is: do not forget about the human side of it. We all got so isolated; at first, we were fearful. And then that isolation turned into depression and caused all kinds of bad things that made us ineffective at our jobs. No matter what the world goes through, do not lose the connections with the people who are most important to you.
Thank you, Julian, for your time and for sharing your thoughts. It was a pleasure speaking with you and I am sure our audience will highly benefit from your valuable viewpoints.
As Julian mentions, we are making steady progress, but we must be more diligent in creating opportunities to increase diversity across the industry. For every under-represented individual or group looking to work in information security, a perfect qualification isn’t the key to success. Instead, focus on strengths and pursue opportunities while not being afraid to try something new. Look for managers and recruiters who can aid your journey in the cybersecurity industry.
Encouraging diversity in the cybersecurity community will not only strengthen our overall security posture but also improve our capabilities.