At this year’s RSA Conference, the theme “Many Voices. One Community” is a reminder that cybersecurity isn’t just about technology—it’s about people. In a field driven by constant innovation and rapid response, the strength of our defenses often depends on the breadth of perspectives behind them.
We asked our panel of cybersecurity experts two key questions: Is the community doing enough to elevate individual voices and welcome diverse perspectives? And how can we create more space for those who aren’t always heard? Their candid responses highlight both the progress we’ve made—and the opportunities still ahead.
Identifying Gaps in Security
Cybersecurity is an industry that not only benefits from, but depends on, a diverse field of individual voices with varied experience and perspectives in order to accurately identify gaps in security. Whether that is in an application, in a network, or in a people process, it requires looking at it from multiple angles, and the more diverse the experience on a team doing that analysis, the more likely that potential issues will be identified.
So says Zoe Lindsey, security strategist at Blumira. “However, as to whether the community can make space for more voices, there’s always more that can be done.”
Yes, but it’s Not Perfect
Paul Davis, Field CISO at JFrog, says: “Yes, I believe it does, but is it perfect? No. The cybersecurity community recognizes that security is a team sport. For example, JFrog’s threat intelligence team uses multiple vulnerability intelligence sources, and our own research (as a CNA) to discover new threats, providing the community and our customers with a more holistic view of real threats. The process of protecting organizations against threats and vulnerabilities begins with the commitment and passion of individuals who discover and report their findings.”
Davis says we must acknowledge, encourage, and enable the ability to listen. “It’s this diversity of skills, knowledge, and focus that enables innovative, outside-the-box thinking. As was recently highlighted, we do have potential single points of failure (Mitre funding debacle), but the community came together, and there were people prepared to step up to the plate to ensure all voices had a channel for communication around this critical aspect of vulnerability reporting.”
Ian Thornton-Trump, CISO of Inversion 6, believes that, in many ways, the cybersecurity community is doing more than enough to encourage and listen to individual voices. “From hundreds of BSides conferences to specific recognition of diversity groups within Cyber, most people with different life experiences, different levels of education, and different cultural backgrounds are, I think, well represented. From advocacy for women in cyber at the UN, at Davos and the World Economic Forum, as well as at community resiliency centers, I think diversity of thought, opinion, and opportunities to speak up are ample. Most cybersecurity conferences have a ‘new speaker’ or ‘rookie’ track, and active mentorship and support are provided through folks volunteering their time.”
Anyone can write a blog, post on social media, find a voice, or publish technical content, continues Thornton-Trump. “I think the barriers to entry are minimal to the profession and are amply assisted by the community. Whether or not the individual voice has something of value to contribute is, of course, in the ears and eyes of the audience. Good content will be liked, shared, and promoted. Poor content, factual inaccuracy, or inconsistency will likely be ignored at best and mocked at worst.”
Pushing the Wrong Agenda
Having said this, Thornton-Trump says some confuse political, ideological, and social issues with cybersecurity content and use cybersecurity as a platform to intimidate others or push misogyny, racism, or their own superiority as an agenda. “In any profession or industry, there will be the outliers whose content is thinly disguised as an attempt to silence diversity of thought and opinion. Like any platform or tool that allows content creation, everyone has a duty and obligation to assist in “Troll-killing” when it’s clear the content and interaction are of a particularly low character. From the thousands of organizers, volunteers, career mentors, coaches, and mentors within the cyber security community, if a person has a voice – and something interesting to say – there is plenty of help in the community to amplify it to other ears or eyes.”
Underrepresented Communities Not Prioritized
Unfortunately, despite some progress, the cybersecurity community has remained relatively stagnant in truly embracing diverse perspectives, adds Chloé Messdaghi, Founder of SustainCyber. “While there are efforts toward inclusivity, many voices—especially from underrepresented communities—still aren’t being prioritized. Diversity conversations often feel more like a checkbox than meaningful change, and there’s still much work to be done.”
For Gary Hibberd, Co-Founder of Consultants Like Us, the simple answer as to whether enough is being done is no. Although there is a lot of talk about diversity and inclusion, and there are initiatives to introduce new people into the industry, there is still more to be done. The RSA event highlighted how diverse perspectives, expertise, and experiences come together to strengthen security efforts. Yet, the field is still dominated by those who emphasise the need for ‘technical expertise’, without actually defining what they mean. My guess is they mean expertise in ‘tech’, which broadly means technology.
An Echo Chamber
A prime example, Hibberd says, is where ‘Cybersecurity’ groups, running ‘Cybersecurity’ events, aren’t interested in hearing about GRC (Governance, Risk and Compliance). Broadly speaking, they want to get their hands on ‘tech’ and are quick to dismiss behavioural sciences, as well as the human side of security (including legal, regulatory, and policy writing).
“This is seen as the ‘fluffy’ and less interesting side of security and is most certainly not seen as ‘technical expertise’. If proof of this were needed, just look at the conversations around whether or not a CISO needs to have a ‘technical background’, yet no such questions are asked to check if a CTO has an understanding of risk management, strategy, legislation, and regulations.
“All of this leaves us in an echo chamber where diverse voices, coming from a broad landscape, are ignored or marginalised, and our focus is narrowed on technology. This is akin to trying to improve road safety but only asking mechanics how to do it; yes, we’ll end up with ‘stronger’, more ‘robust’ cars, but accidents and incidents will continue to rise because we aren’t listening to road users,” Hibberd says.
Skewed Responses
Responses to this can seem skewed, according to Ross Moore, an information security researcher. “Those who have jobs may say a) it was a hard road, but with perseverance, taking responsibility, networking, and meeting just the right person, they overcame, and are thankful for the outcome, and b) they see lots of work being done by so many groups and individuals among many industries to help people, just like someone helped them. And then there’s the view of those still searching for jobs – maybe for a year or more – and have done all those same things with no hope in sight. To the latter, it could seem that not enough is being done.”
An issue that can arise with overly encouraging individual voices and diverse perspectives is that an organization naturally has a focus, continues Moore. “If the org is trying to make headway on the ABC initiative, then it can be counterproductive to take recommendations on the DEF initiative. DEF might be on the roadmap, or it could be detrimental to the current course; so, any focus on what an org is not doing, does not plan to do, or undermines the org – that input only detracts from the mission and vision, or at minimum distracts from current org goals.”
Different isn’t Bad
However, all the while, an org needs to be able to distinguish between what’s detrimental or distracting, and what’s beneficial. Just because it’s different or even opposite doesn’t automatically make that input bad. It may come to nothing at all, being just an idea borne out of brainstorming. On the other hand, that individual and diverse perspective may actually open up a new avenue for a product, Moore adds. “Finding the right allowance of the freewheeling of ideas from all perceptions and perspectives while keeping the mission in sight is admittedly hard, but it’s certainly not solved by a) disallowing all other ideas or b) allowing all input to be given the same weight.”
Moore says he sees many orgs that have free and open groups on Discord, Slack, and other platforms, and those groups have very open forums with good rules for guiding discussion, so they have what appears to be a good groundwork for open discussions of ideas. “This particular line of inquiry can also slant some of the discussion – Is it about being open to ideas? Or is it also about hiring and career advancement? The first seems to have a good representation; the second – that’s beyond the realm of just the cybersecurity community to tackle. That angle requires discussions within each org to determine precisely what they’re looking for in hiring and upskilling – there’s widespread confusion about the particulars of information technology, information security, and cybersecurity: if they don’t know what they need themselves, then that lack of direction and guidance daisy chains in a downward spiral of confusion for all involved.”
So, What Can Be Done?
To make genuine space for diverse voices, Messdaghi says we need to start by acknowledging that the current system isn’t elevating these voices effectively.
She says there are several ways the cybersecurity community can improve:
- Creating Safe and Inclusive Spaces: We need to provide spaces where people from all backgrounds feel comfortable sharing their thoughts and ideas. Too often, underrepresented groups feel sidelined in conversations, and it’s important we create an environment where everyone feels encouraged to contribute.
- Reevaluating Barriers to Entry: The cybersecurity industry has historically been structured to favor certain qualifications and experiences. We need to reassess the skills and backgrounds we value, making the field more accessible to people from different walks of life.
- Moving Beyond Performative Actions: It’s not enough to just have diversity quotas or surface-level initiatives. Real change requires tangible steps to bring in these voices, whether by adjusting how we recruit, hire, or train new talent.
While conversations about diversity and inclusion can sometimes be viewed differently depending on perspective, Messdaghi adds that the primary focus here is on improving the cybersecurity field by making it more inclusive. “This is an important professional and ethical consideration—one that can help the industry grow stronger and more innovative. The stagnation in addressing diversity and inclusion in cybersecurity is concerning, and it’s a challenge that needs attention. The industry will benefit immensely from greater inclusivity, and it’s up to all of us to help make that change.”
Invite People from Outside the Community
This is such an easy question to answer, says Hibberd. “Invite people from outside our community to talk about their experience with security! How many conferences do we attend where the agenda is filled with experts in the industry, yet there’s little to no space for people outside of the technical space? Yes, there are some exceptions, but not enough. To put it simply, we need to broaden our perspective and make space for people.
“If you’re organising an event, why not invite customers to talk about their experiences? How about victims of cybercrime? What about the HR director talking about the difficulties in getting people to follow poorly written security policies, and forcing people to endure dull, uninspiring security training? Sadly, it’s just easier to blame the end user for not being engaged, and we’d rather trot out the tried and tested “Think before you click” message. It’s simply not good enough, and we need to do more,” Hibberd says.
A Non-Traditional Entry Path
Lindsey adds that some practical measures include encouraging teammates and, as leaders, making space for direct reports to engage in mentorship, mentoring, self-development, and guidance to those who are just getting started. Having some good bias-removing practices in hiring, like blind resume screening and diverse interview panels, is also key.
“Also, a great idea, hard consideration of what is listed as requirements is a good indication as well. Security has a much higher than average non-traditional entry path, and so arbitrarily adding requirements around a given number of years of experience or a given level of education, or given familiarity with a specific practice or programming language,” says Lindsey. “All of these may help winnow down the pool of applicants, but may also add unnecessary barriers for folks that could succeed in the role. For people who have those diverse backgrounds and have found success in the industry, speaking up is also very important. Showing people that people like them have a place here is important and gives people hope and something to look forward to, and see their dreams as more viable and real.”
“Am I Doing Enough?”
Moore says each person in cybersecurity might consider asking themselves, “Am I myself doing enough to encourage and listen? Do I encourage input from diverse perceptions? Do I see and seek the benefit of other perspectives?” We can’t make others do or say the right things, but we each can do and say the right things, listen to others, and avoid discouraging others.
For those who feel left out, take a chance (yes, it can be intimidating) and join one or more of the free Discord and Slack groups, Moore advises. “There are plenty of groups out there ready to help out, and by joining groups, one gets to provide their own insight (the cybersecurity community includes those who don’t have jobs, but are at any point of the cybersecurity journey!) – sometimes, one has to insert oneself into a conversation. Perhaps some groups struggle with member participation or retention. It may help to question one’s assumptions before going too deep into long-term studies or in-depth reviews.”
It’s a Small, Yet Enormous World
In many ways, it’s a small world, adds Moore. But in many ways, it’s an enormous world out there. A Platinum album is one that sells at least one million units. That’s a big number, but percentage-wise, that’s a tiny fraction of the ca. 340 million USA population, not to mention the world population. A cybersecurity group may think they’ve opened themselves up, but if they are “testing” in a narrow field, then it’s time for the group leaders to do some more behind-the-scenes research.
Hard and Soft Skills
Security professionals today need a combination of what Davis would characterize as hard and soft skills. “We all need to know the science behind securing software, but having the ‘soft skills’ of listening, empathy, and interpretation of people vs. code enables security professionals to better collaborate and communicate with one another. By leveraging the soft skills associated with empathy (active listening, articulating ideas and concepts in their own words), we can start to understand other people’s perspectives, pressures, and how they can understand and benefit is key. We need to understand each other in order to create better security systems.”
In terms of creating a space that encourages sharing and embraces diverse perspectives within teams, Davis says CISOs and DevOps leaders should host both team meetings and promote office hours for one-on-one feedback sessions because not all people feel comfortable sharing insights in group forums. Encouraging informal conversations and casual meetings fosters confidence and personal connections. Most importantly, these sessions don’t always have to be about business. Get to know your team – who they are, how they work, what makes them tick, their strengths, weaknesses, aspirations.
“Suppose you think of cybersecurity as a battlefield. Don’t you want to know all your soldiers, their pressure points, knowledge set, or muscle, so you can confidently assemble them in a way that always achieves the best outcome? Understanding and investing in people is the best foundation of a fortified cyber defense strategy today – hands down,” Davis ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.