Saturday 3 December 2022

How Cybersecurity Might Become More Diverse, Equitable and Inclusive

One of the benefits of working in the same home office as one of the top teacher librarians in the country is that we're able to bounce ideas off each other. Making cybersafety awareness a part of every educator's professional standard of practice isn't a nice idea in 2022, it's a necessity, but the industry continues to have trouble attracting talent and many teachers have little or no training in it.  Alanna has listened to me lamenting the lack of diversity and engagement in the field for many years but this week she offered a solution by linking the DEI research she has been doing to develop an inclusive information management system with the lack of diversity and engagement in cyber.

You might not think that creating a digital media cataloguing system would require much in the way of equity awareness, but it does. How we categorize and deliver data requires a working awareness of DEI or it quickly becomes another means of systemic discrimination. Having used it, Alanna suggested Building Movement Project's  Social Change Ecosystem Map as a tool for challenging some of the masculine cultural cues that usually define cybersecurity as a discipline.

Considering diverse talents and motivations could work as a way to bring more diversity into the field of cybersecurity.

Characteristics of the Roles

Weavers: I see the through-lines of connectivity between people, places, organizations, ideas, and movements.
Experimenters: I innovate, pioneer, and invent. I take risks and course-correct as needed.
Frontline Responders: I address community crises by marshaling and organizing resources, networks, and messages.
Visionaries: I imagine and generate our boldest possibilities, hopes and dreams, and remind us of our direction.
Builders: I develop, organize, and implement ideas, practices, people, and resources in service of a collective vision.
Caregivers: I nurture and nourish the people around me by creating and sustaining a community of care, joy, and connection.
Disruptors: I take uncomfortable and risky actions to shake up the status quo, to raise awareness, and to build power.
Healers: I recognize and tend to the generational and current traumas caused by oppressive
systems, institutions, policies, and practices.
Storytellers: I craft and share our community stories, cultures, experiences, histories, and
possibilities through art, music, media, and movement.
Guides: I teach, counsel, and advise, using my gifts of well-earned discernment and wisdom.

Cybersecurity had strong ties to the military early in its development, which attracted the 'frontline responders' already working there. Military roles are traditionally male dominated and so cyber began as a predominantly male field, but applying these other roles would open cybersecurity to a more diverse range of interests, skills and motivations, but it requires a significant rethink of the assumptions that surround the subject. If you consider cybersecurity as a combination of security and computer science, both fields have a history of male dominance, though in the case of computer science the patriarchy was a recent event (it happened just as computer science was becoming profitable because that's how glass ceilings work).

The problem with clinging to this cultural predisposition in cybersecurity is that it continues to create a male focus in hiring. Women may struggle to see how they fit in a field that presents itself with such a masculine bias. Getting away from the military/first responder mindset might be a way to recast cybersecurity in a different light.

Looking at the less represented roles in the social change ecosystem, weavers would bring connectivity and communications to the field - something it currently lacks. Visionaries would bring the perspective and scope needed to move cybersecurity out of its often reactive stance, though that would also mean giving up the unquestioned control that accompanies emergency response; that may be the hardest ask of all.

Recasting cybersecurity in terms of caregiving and healing was where Alanna saw the most gains. Cybersafety is a foundational skill in an increasingly connected world, yet its treated (if it's acted on at all) as an emergency response after the fact, becoming a self fulfilling prophecy for the first-responder mindset. By finding a place for caregivers and healers on cybersecurity teams, the approach to user training and even post-breach response would be significantly different. Can you imagine cyber support that isn't emergency response defined? Neither can many of the people in the industry because they can only conceive of it through their own motivational approach which also happens to align with cyber-culture.

Digital skills remain poor and continue to represent
the most successful opportunity for cyberattackers.
Other atypical motivators also have a role in cybersecurity. Storytellers and guides are motivated by sharing narratives and teaching complexity and empathy rather than fixating on problem solving. The vast majority of cyber-incidents are the result of user ignorance and error. Most malware ends up on a network because a user mistakenly put it there, not because a 'super hacker' got in. If we hope to address this primary form of ingress (atrocious user digital literacy), we need to bring in people who can create meaningful narratives and engage with learning because it's their primary motivation.

Of course these roles aren't absolute, no one is just one of them, but by applying the social change ecosystem we identify biases implicit in cybersecurity culture that disclude anyone but those interested in heroic intervention or technical response. By valuing alternate motivations and the specialized skillsets that accompany them, hiring practices in cybersecurity would become more inclusive and the workforce more diverse. That inclusivity does more than check a DEI box. A diverse workforce offers a richer range of approaches to problem solving and prevents blind spots based on a privileged monocultural beliefs. This diversity would make the critically important discipline of cybersecurity more resilient, accessible and effective.


Resources


We're currently working on CYBERBYTES at ICTC & Knowledgeflow CyberSafety Foundation: www.cyberbytes.ca  We are creating easy to complete micro-credentials that provide educators with a working understanding of the technology that makes our networked world work, the key elements of CyberSafety and online privacy and how you can bring these important skills and understandings to your students so that they and their families can safely and effectively use the networked technology that surrounds us in 2022.

The Building Movement: https://buildingmovement.org/ supports and pushes the nonprofit sector to tackle the most significant social issues of our times by developing research, creating tools and training materials, providing guidance, and facilitating networks for social change.

THE SOCIAL CHANGE ECOSYSTEM MAP (2020)https://buildingmovement.org/wp-content/uploads/2022/04/Ecosystem-Guide-April-2022.pdf

A History of Cybersecurity: https://cyber-security.degree/resources/history-of-cyber-security/

Empowering women can help fix the cybersecurity staff shortage: https://www.weforum.org/agenda/2022/09/cybersecurity-women-stem/

Occupational digitalization trends in Canada, 2006-2021: https://fsc-ccf.ca/research/race-alongside-the-machines/

Global Digital Skills Index, 2022: https://public.tableau.com/app/profile/salesforceresearch/viz/shared/NNRKYDH37

Future Skills: https://temkblog.blogspot.com/2022/10/2022-tmc7-research-symposium-table.html

If we would redefine digital skills through a media literacy lens, we would also open up these pathways to a wider variety of learners. Defining digital skills as 'coding' is reductive, unhelpful and excludes a number of alternate learning motivations.