McAfee CISO explains why diversity in cybersecurity matters

Improving the state of diversity in cybersecurity shouldn't be seen as a burden, but rather embraced as an opportunity to improve the state of the industry by expanding the experiences and points of view of the people doing the work.

The question of diversity in cybersecurity led to the success of OURSA, a one-day alternative event organized in response to a pronounced lack of diversity in the RSA Conference 2018 keynote speaker lineup. However, the question of how to improve diversity in the cyberworkforce is inextricably intertwined with growing concern in the industry over how to recruit talent to meet the ever-growing demands of the market.

In addition to being vice president and CISO at McAfee, Grant Bourzikas is also the diversity lead for McAfee's Plano, Texas, location. He also spoke at RSA Conference 2018 about the importance of building diversity into the cybersecurity recruitment process.

In this Q&A, Bourzikas speaks about some of the ways that diversity in cybersecurity can help security teams do a better job, as well as how to achieve greater diversity at all levels.

Editor's note: This interview has been edited for clarity and length.

Diversity in cybersecurity: What does it mean?

Grant Bourzikas: I interpret diversity as diversity of thought, diversity of thought leadership; that is my ultimate definition of diversity. The mechanics of diversity are race, religion, ethnicity, sex [and] different backgrounds.

Grant Bourzikas

I think diversity plays such a key role in the industry because I think we have to do things differently; we have to learn from our mistakes, apply new technology and apply new processes. That's really going to be driven from the people.

When I talk about diversity, I think it's, how do I build a team, and how does McAfee build a team that is diverse in the thinking to solve complex problems?

What steps can information security companies take to start adding more diversity in cybersecurity teams?

Bourzikas: We have to think differently about the talent model.

When my team posts roles, we may be looking for a super senior-level person, like a principal engineer -- and I've seen this in the job postings in my last two companies -- to find somebody who's had 10 years of security experience that's well in-depth on networking and firewalls or intrusion detection systems, that has done this a long time. But there are very few of them, and from what we see from an applicant standpoint is that they're typically white males.

When I think about diversity and how to build it I think we need to challenge ourselves about what we're looking for. Can we hire somebody from college that is diverse, with the desire to learn [about cybersecurity] to start to create [diversity]? What we tend to fall back on is that we want the experience, but what I found is some of the interns that have diverse backgrounds or first-year people coming from college are often very strong.

And then the second piece is, are there other people in the workforce that we can cross-train or teach cyber that will come at it from a different angle? If we wanted to build an endpoint person, well, let's make sure that person understands Windows or Linux or BSD or Solaris, and then we can teach them the security on top of it.

Then what we see is those people are often more successful than the people that have been here 10 years. And it helps build that kind of diversity of thought with a different angle on how to approach a situation.

It sounds as if you are working on training your own people rather than depending on the market to bring you candidates. Is that correct?

Bourzikas: Yes. I think the key message is that, by the end of 2019, there's that two million talent shortage of people, so we have the supply and demand problem.

And, actually, even if we could fill the two million people, the skills aren't going to be there because there's just not two million experienced people. So, as an industry, we have to have good development programs to build and then really drive what it looks like. And that can be training: soft skills, technical skills, diversity, different geographies and looking at different ways to solve the problem than what we've historically done.

What types of skills do you teach to a candidate who comes to you with IT skills in order to build them into a cybersecurity professional?

Bourzikas: One of the things that I like to understand, and it comes from my background, is vulnerability management and understanding how attackers think. I think the number one thing is around mindset, and instead of wanting to make a router or Linux or Windows box work, let's actually make it secure and workable. To make it secure is understanding how ports and services [work], how patches, how the various endpoint technologies or firewall technologies or IPS technologies [work].

I think that's the first way -- really understanding exploit paths and understanding how an attacker would drive at them, and that's something that I'm a big fan of understanding.

And then the second one is going to be really tailored for the position that they're there for. If somebody has a strong network background that wants to get insight, there are many classes, many books around secure architecture, understanding how firewalls work, understanding intrusion prevention and using the tools, whether they're ours, or Bro [network security monitor] or Suricata or Snort. And understanding why the technology is working the way it is because I think that goes back to the first statement: We have to understand the why and the how of attackers breaching a system. That's the key thing we're trying to get across.

What are some of the advantages of having more diversity in cybersecurity?

Bourzikas: Having a diverse team ends up in a better collaborative, working together, challenging kind of current state. One of the things I've seen in my background, whether it's critical infrastructure, banking or gaming, is sometimes culture can be a problem, so diversity can challenge this by challenging the culture on the way we've done things and doing them differently.

The other outcome of this is -- and I've seen a lot more of this as we've launched our intern programs and our rotation programs, and we take the SOC challenge or the security challenge for the last 20 years -- we continually see breaches and we continually see attackers in networks for months -- not hours or weeks -- and we're actually thinking about the problem differently because somebody had a different view of it.

For us security professionals that have been doing this for 20 years, we have a way of thinking about it, and what diversity brings is challenging the assumptions, challenging the process and challenging the technology on actually how to drive better outcomes. And I think that's where I've seen really good views on [questions like], how do we do things differently, how do we mature an organization and how do we move the needle, whether it's maturity or risk reduction? Diversity really helps in bringing that mindset.

How are information security companies doing at increasing the numbers of women and under-represented minorities in the workforce?

Bourzikas: This is a big priority for McAfee, and I'm the diversity lead for Plano, one of our largest locations here in Texas, and I don't think there's enough emphasis placed on it. The one theme that I started to see out of the RSA Conference this year was that it was starting to get into culture and diversity, which I think is long overdue.

The one theme that I started to see out of the RSA Conference this year was that it was starting to get into culture and diversity, which I think is long overdue.

The industry is very focused on technology and widgets and gadgets and not necessarily on how to build a diverse team that intrinsically will be able to bring the challenge of technology or process in an organization. The industry needs a stronger focus on it, and that could be minorities or women or any of the classes that are not part of the cyber industry today.

What is the ultimate goal for diversity, and how -- and when -- will we see sufficient diversity in cybersecurity workforces? Are there any benchmarks or quantitative goals being set? And what's the timeline for those?

Bourzikas: I think we need a goal. I'm not a big fan of quotas, on saying 30% or 50%.

Going back to the RSA Conference, if you go to Black Hat Conference or even our Mpower conference, it is a very male-dominated event, and I think optics -- if we see more females start to grow from a registration [standpoint], from just being visible -- I think that will be key.

But also, I think we have to make a concerted effort on hiring diverse people instead of only the experienced people. Experienced people are expensive and often bring the same capabilities that we've had for years, and diversity will help really drive that assumption out.

You spoke about recruitment and diversity at RSA Conference 2018. What else should people know about this issue?

Bourzikas: We've talked about how do we hire and build experienced cybersecurity people, how do we build entry-level people that are trying to get into cyber?

One thing [you and I] haven't talked about, which was about half of our presentation, was how do we engage colleges, how do we engage high schools, where we can actually start to build the talent pipeline?

There are kids who are 18 to 22, 15 to 22, who can be easily influenced by topics, so I think the thing that I look at is can we get that generation excited about cybersecurity? When you're 15 years old and somebody says, 'What do you want to do for a living?' the answer is 'I want to be a doctor, I want to be a lawyer, I want to be a politician, I want to be a writer.' Nobody ever says, 'I want to be a CISO.'

If we can start to build that, whether it's media or whether it's colleges or whether it's high schools, I think that will actually protect the national infrastructure much better. It will make the country stronger, and then I think, from an industry standpoint, it will make us even better at what we're doing.