Diversity metrics can help provide businesses the impetus they need to create a more inclusive cyber workforce, but organizations must not allow these metrics to limit their thinking about what constitutes diversity, warned a panel of security experts Wednesday.
Jerry Davis, former CIO at the NASA Ames Research Center, said he sees metrics as providing useful initial guidance to an organization to ensure they are achieving at least minimal diversity goals. But he doesn’t think organizations should look at diversity strictly as a numbers game.
Too many organizations “look at it a metric of some number that they need to get to – particularly when we talk about diversity among gender and race and ethnicities,” said Davis, who participated in the panel as part of SC Media's RiskSec Digital conference. “Here in California, I've worked in organizations where to reach our diversity numbers and [inclusivity] numbers they looked at the state… and said, ‘Well, you know, based on the demographics in California, we're right where we need to be in the sweet spot.’ I think that's an absolutely wrong approach to take.”
Register for RiskSec 2020 Digital to watch all of the sessions on demand
Davis did however, encourage organizations to openly engage in discussions about diversity. "You really have to understand your organization. And I think one of the key pieces is to acknowledge that you're not as diverse as you think you are," said Davis. "Another key point... is to understand that it's going to take dialogue and you have to be comfortable being uncomfortable in that dialogue."
Fellow panelist Camille Stewart, head of security policy at Google Play and Android Google, said that in an ideal world, thinking about diversity in terms of metrics and quotas would no longer be necessary. “But the place that we are today, metrics might be what makes sense."
"We have to incentivize leaders to make sure that they have a diverse representation amongst the ranks at all levels,” Stewart continued. “And we have seen that when there is no accountability, no system in place for folks to actually prioritize diversity, it doesn't usually happen in a way that is fully representative.”
Stewart recounted how Microsoft in 2016 decided to tie executive compensation to diversity objectives, resulting in an increase in women joining the company’s intern classes. “It is proven that incentivizing the outcome that you desire at all levels is really effective,” she said.
Still, Stewart recognized that metrics do come with certain drawbacks, especially when hiring managers are looking to “check a box.” For instance, if a company requires two percent diversity, “you might just stop at two percent rather than continuing to look for qualified candidates that are outside of whatever your normal demographic is,” she explained.
A third panelist, Edna Conway, vice president and general manager of global security, risk and compliance with Azure at Microsoft, said that in order to apply diversity metrics correctly, companies need to rethink their definition of what constitutes a diversity metric.
“When you say, 'Here's a statistic, I've met this statistic,' there is no way to actually have one statistic,” Conway opined. “There needs to be an approach that rigorous, that you use every single time. That's what's going to really bring differentiation.”
“Sometimes you have diversity that you may not always know sitting on your team,” said Conway. And you may not necessarily come to realize this “until you've gotten to know that individual or seen the way they interact… So a little open-mindedness goes a long way.”
For instance, organizations might consider being inclusive of employees with disabilities, but “not all disabilities are visible,” she said. “And not everyone chooses to actually verbalize affirmatively and voluntarily what their disability is. So, sometimes a metric can be: Are you thinking about and giving people a way to expand their world of what constitutes inclusion, as they're going about the search for candidates, the hiring process, the interviewing?”