{"id":2416,"date":"2025-03-20T06:00:00","date_gmt":"2025-03-20T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2416"},"modified":"2025-03-20T06:00:00","modified_gmt":"2025-03-20T06:00:00","slug":"how-cisos-are-approaching-staffing-diversity-with-dei-initiatives-under-pressure","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2416","title":{"rendered":"How CISOs are approaching staffing diversity with DEI initiatives under pressure"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>For many years, organizations have focused a lot on diversity, equity, and inclusion (DEI) programs and policies, seeing those efforts as the right thing to do as well as a smart business strategy. This is <a href=\"https:\/\/www.csoonline.com\/article\/571811\/diversity-in-cybersecurity-barriers-and-opportunities-for-women-and-minorities.html\">especially true in cybersecurity<\/a>, where dealing with complex threats requires creative and diverse solutions.<\/p>\n<p>But as the Trump administration rolls back federal DEI programs and political views shift, some sectors are cutting back on DEI support. This has left many organizations \u2014 and their cybersecurity leaders \u2014 wondering how to maintain DEI efforts or whether they should at all while balancing compliance and building diverse, effective security teams.<\/p>\n<p>Conversations with CISOs and other cybersecurity experts show that DEI is still considered important, but companies are approaching it in different ways.<\/p>\n<h2 class=\"wp-block-heading\">How DEI and cybersecurity can be complementary<\/h2>\n<p>Cybersecurity depends on spotting threats early, noticing unusual activity, and reacting quickly. 
Old security methods aren\u2019t enough anymore, especially since attackers come from different backgrounds, have various goals, and use diverse tactics.<\/p>\n<p>As Matthew Sharp, CISO at Xactly Corp, puts it, cybersecurity is inherently complex, and a diverse team brings a wealth of perspectives that drives innovative problem-solving.<\/p>\n<p>\u201cOur team\u2019s varied backgrounds have significantly improved our ability to both prevent and respond to threats,\u201d he says. \u201cDifferent viewpoints help us recognize patterns that others might overlook \u2014 for example, social engineering tactics designed to exploit specific cultural or behavioral norms.\u201d<\/p>\n<p>If organizations don\u2019t prioritize DEI in their cybersecurity hiring, they could miss important threats, Sharp says. Teams that all think alike are more likely to have blind spots and may not recognize new cyberattacks that take advantage of cultural or behavioral differences. In a fast-changing threat environment, this lack of perspective can slow down responses and weaken security.<\/p>\n<p>\u201cIf DEI and balanced team structures are deprioritized, organizations risk groupthink, operational silos, and diminished resilience,\u201d he says. \u201cA diverse, well-balanced team isn\u2019t just about representation \u2014 it\u2019s essential for driving sustainable, adaptive cybersecurity strategies.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Staffing diversity can help avoid homogenous thinking<\/h2>\n<p>Similarly, Sam McMahon, senior manager of IT and security at Valimail, underscores the necessity of representing different backgrounds and mindsets.<\/p>\n<p>\u201cIn my experience, even small security teams benefit greatly from the variety of perspectives that come with different backgrounds and skill sets,\u201d he says. \u201cWe know that the majority of incidents have a human element. 
Having a diverse team means that we have a variety of experiences and backgrounds that avoids homogenous thinking.\u201d<\/p>\n<p>McMahon believes inclusion is both the right thing to do and a smart strategy because when people feel valued, they are more likely to share their ideas and speak up, which leads to better security and problem-solving.<\/p>\n<p>That bottom-line benefit is part of what also inspires Gutierrez, chief science officer at talent acquisition and management platform SHL, to champion DEI.<\/p>\n<p>Gutierrez argues that a diverse security team is better equipped to identify vulnerabilities, think like attackers, and innovate faster than a homogenous one.<\/p>\n<p>\u201cA common misconception about DEI is that it conflicts with meritocracy, as if prioritizing DEI undermines excellence,\u201d she says. \u201cIn reality, DEI enables meritocracy by ensuring that talent is recognized and rewarded based on ability, free from bias or systemic barriers. This is especially critical in cybersecurity, where diverse perspectives are essential to defending against an ever-evolving threat landscape.\u201d<\/p>\n<p>For Paolo Gaudiano, co-founder of Aleria, a tech company focused on measuring inclusion, the link between DEI and cybersecurity is crystal clear.<\/p>\n<p>\u201cRecently we <a href=\"https:\/\/www.wicys.org\/wp-content\/uploads\/2024\/04\/2023-State-of-Inclusion-Benchmark-in-Cybersecurity-Report.pdf\">collaborated with Women in CyberSecurity<\/a> to determine whether and how inclusion may also influence the risk of cybersecurity incidents,\u201d he says. \u201cThe idea is based on the fact that a vast majority of cybersecurity incidents result from human error, which in some cases includes malicious intent. 
It seems reasonable that employees who are less satisfied are more likely to make mistakes \u2014 or to act out against their employers.\u201d<\/p>\n<p>Gaudiano says the research shows a lower level of inclusion increases phishing attacks, internal security lapses, and even malicious insider threats.<\/p>\n<h2 class=\"wp-block-heading\">Shifting sands: the political climate and federal support<\/h2>\n<p>Despite these advantages, the broader political landscape has grown more complicated. Under the Trump administration, discussions around DEI have become more intense and divided.<\/p>\n<p>Some people and groups are pushing harder for DEI efforts, believing they\u2019re important for making workplaces and institutions fairer. Others, however, are pushing back against DEI efforts, calling them too \u201cpolitically correct\u201d or saying they forced certain viewpoints on society.<\/p>\n<p>As a result, the conversation around DEI has become more polarized, making it harder for policymakers, businesses, and institutions to work together on ways to improve inclusion.<\/p>\n<p>\u201cPolitical climates may shift, but our approach to assembling world-class cybersecurity talent remains steady,\u201d Sharp says. \u201cWe\u2019ll continue to focus on hiring the best talent and creating an environment where every team member can excel. Our philosophy is simple: diverse teams build better defenses, and our cybersecurity mission depends on a wide range of perspectives to anticipate, identify, and mitigate evolving threats.\u201d<\/p>\n<p>Attracting and retaining diverse cybersecurity talent in today\u2019s polarized climate requires a commitment to DEI principles and his company\u2019s business objectives, Sharp says.<\/p>\n<p>\u201cWe emphasize that diversity isn\u2019t just a value statement \u2014 it\u2019s a strategic advantage in combating dynamic cyber threats,\u201d he says. 
\u201cA range of perspectives helps us anticipate attacker tactics, design resilient systems, and respond effectively when incidents occur.\u201d<\/p>\n<p>A diverse team provides a competitive advantage by offering a broader range of perspectives, which is critical in the ever-evolving cybersecurity landscape, according to Sharp.<\/p>\n<h2 class=\"wp-block-heading\">Diversity can be an asset in keeping on top of the threat landscape<\/h2>\n<p>\u201cIn the end, a diverse, engaged cybersecurity team isn\u2019t just the right thing to build \u2014 it\u2019s critical to staying ahead in a rapidly evolving threat landscape,\u201d he says. \u201cTo fellow CISOs, I\u2019d say: Stay the course. The adversary landscape is global, and so our perspective should be as well. A commitment to DEI enhances resilience, fosters innovation, and ultimately strengthens our defenses against threats that know no boundaries.\u201d<\/p>\n<p>Nate Lee, founder and CISO at Cloudsec.ai, says that even if DEI isn\u2019t a specific competitive advantage \u2014 although he thinks diversity in many shapes is \u2014 it\u2019s the right thing to do, and \u201cweaponizing it the way the administration has is shameful.\u201d<\/p>\n<p>\u201cPeople want to work where they\u2019re valued as individuals, not where diversity is reduced to checking boxes, but where leadership genuinely cares about fostering an inclusive environment,\u201d he says. 
\u201cThe current narrative tries to paint efforts to boost people up as misguided and harmful, which to me is a very disingenuous\u00a0argument.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><strong>Navigating policy shifts and industry response<\/strong><\/h2>\n<p>McMahon acknowledges the potential impact on federal customers who may align with new policies but insists that his company\u2019s internal approach at Valimail remains unchanged.<\/p>\n<p>\u201cWhile Valimail doesn\u2019t rely directly on federal funding, we do have a FedRAMP-authorized product, Valigov, and are seeing the impact on our federal customers,\u201d he says. \u201cThat won\u2019t change Valimail\u2019s people and security strategy. Maintaining an equitable, inclusive, and people-first approach is a powerful tool in building a resilient culture.\u201d<\/p>\n<p>Security is a team sport in any organization, and it\u2019s also a global effort \u2014 breaches at one company ripple across the world and have impacts on millions of people\u2019s personal data, McMahon says.<\/p>\n<p>\u201cFederal pressure to change tactics and not build a security workforce with a diversity of experiences changes the trust model in a connected world,\u201d he says. \u201cWe rely on vendors to have similar security postures to our own to effectively partner and securely deliver products to our customers. A large part of that chain of trust is the human factor, so if some organizations choose to reverse direction, they are limiting their compatibility with the global market and weakening their security postures in the process.\u201d<\/p>\n<p>Matthew Rosenquist, virtual CISO at Mercury Risk, is similarly not discouraged by changes in government support, saying his message about the importance of DEI in cybersecurity hasn\u2019t changed.<\/p>\n<p>Even without official mandates, Rosenquist maintains that building a more diverse workforce is a clear strategy. 
\u201cIf you lack any degree of creativity on your own side, you will not be very effective in understanding your adversary,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">Cyber\u2019s adversaries benefit from diverse thinking<\/h2>\n<p>Rosenquist points out that women in cybersecurity have risen from a meager representation <a href=\"https:\/\/cybersecurityventures.com\/wp-content\/uploads\/2019\/03\/Women-in-the-Information-Security-Profession-GISWS-Subreport.pdf\">(around 11%<\/a>) a decade ago <a href=\"https:\/\/www.isc2.org\/Insights\/2024\/04\/Women-in-Cybersecurity-Report-Women-in-the-Profession\">to a healthier \u2014 though still limited \u2014 20% or so today.<\/a><\/p>\n<p>\u201cAm I an advocate for diversity and inclusion? Heck, yes. Have been for close to 30 years,\u201d he says. \u201cYou will not find a stronger advocate. But I\u2019m also a realist as well. And I\u2019m not going to fan fears until we actually have evidence to support that. So, I think there will be some negative impacts. There may be some positive impacts. I\u2019m not smart enough to know, to look in the crystal ball. And I would hate to fan fears if it\u2019s not realistic.\u201d<\/p>\n<p>His message to other CISOs: \u201cDiverse workforces make you stronger and you are a fool if you [don\u2019t] establish a diverse workforce in cybersecurity. You are at a distinct disadvantage to your adversaries who do benefit from diverse thinking, creativity, and motivations.\u201d<\/p>\n<p>Monica Landen, CISO at Diligent, says she has never relied on external influences or federal support to prioritize DEI with her cybersecurity teams.<\/p>\n<p>\u201cI have always believed having diverse perspectives is critical to avoiding groupthink,\u201d she says. \u201cIn cybersecurity, it\u2019s crucial for people from a wide variety of backgrounds (careers, gender, underrepresented groups, education, etc.) 
to be represented as their unique perspectives bring fresh ideas, challenge assumptions, and help solve hard problems. Establishing a diverse team has always been an important commitment and will continue to be regardless of shifts in federal support.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>For many years, organizations have focused a lot on diversity, equity, and inclusion (DEI) programs and policies, seeing those efforts as the right thing to do as well as a smart business strategy. This is especially true in cybersecurity, where dealing with complex threats requires creative and diverse solutions. But as the Trump administration rolls [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2417,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2416","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2416"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2416"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2416\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2417"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2416"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategori
es&post=2416"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2416"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}