Diversifying security hiring

[INTRODUCTION]

ANNOUNCER: Hi. You’re listening to The Secure Developer. It’s part of the MyDevSecOps community, a platform for developers, operators, and security people to share their views and practices on DevSecOps, dev and sec collaboration, cloud security, and more. Check out mydevsecops.com to join the community and find other great resources.

This podcast is sponsored by Snyk. Snyk’s developer security platform helps developers build secure applications without slowing down. Fixing vulnerabilities in code, open-source, containers, and infrastructure as code. To learn more, visit snyk.io/tsd.

[0:00:51.8] Guy Podjarny: Hello everyone, thanks for tuning back into The Secure Developer. Today, we have another special mix episode, and this time, we’re going to focus on diversity and security. As I think we all know, we haven’t really done an amazing job at making the security industry diverse, and myself and many others are very keen to help improve that. I’ve been fortunate over the course of the years to have some really smart guests come on this show and share their views on why it matters or how they think about diversity as a whole but also, pragmatically, a lot of techniques or approaches that they’ve taken to try and do better on this front.

Hopefully, this episode would help you not just relate to the challenge which hopefully you appreciate is important to address, but also, practically think about how you can do something around this.

To start us off, we’ll have Nitzan Blouin from Spotify who came into the world of security from QA and used that as an opportunity to really think about many of the core elements and security and the problems that you needed to solve from first principles as she does a great job doing that precisely on gender diversity and actually doing very well in tackling it. Let’s hear Nitzan talk about this challenge and how she approached it.

[INTERVIEW]

[0:02:09.2] Guy Podjarny: So you’ve had the luxury and the pain here of needing to build up a team and hire for it. The world of security isn’t well-known for its diversity, and I am sure you have encountered that as well. How did you approach that? When you have hired, you already gave us an inkling around this need for programming or for engineering expertise. How did you approach this type of hiring for diversity or their attributes that are important as you form your team?

[0:02:34.0] Nitzan Blouin: Yeah that is a great question. Security is at, I think in general the last time I looked at the data was at 12 percent diversity for gender. That is – and so that is very low. I think overall, it benchmark is 15 for diversity and more let’s say “progressive” organizations are at 20. Spotify is at 35 now, after investing heavily in diversity and belonging strategies. As a hiring manager, I feel that is one of my responsibilities, and it is actually one of the joys of being a hiring manager, is that you can help uplift people from underrepresented groups.

In this case, for me, the gender piece naturally comes to mind, but of course, it is not the only determination, right? You pick the best person for the job at the end of the day and, lucky for me, I happened to build a team that is 75 percent female. This is the first time in my career that that has happened. Yeah, and it is wonderful. It is a fun team to be a part of. It is a very different dynamic in terms of our interaction, but what I really looked for is – I think, and this might be a bold statement, and the more mileage on me in terms of security, but as a field in terms of people going to study to be a security engineer, or someone saying, “Hey I want to be a security engineer when I grow up.” I don’t think that that is very common or not common quite yet.

What I really looked for was people with strong engineering backgrounds, primarily backend, because that’s the domain, and then with passion for security. I have one person in my team that has a master’s in security and computer science. I have one person who has taken some courses in college. There was a mix in terms of the skillset between people who came from a tech background, people who came from a security background. I like to mix also the regulated/unregulated, especially when it comes to security because that brings a very different perspective into how good does your solution need to be or if someone who works at the bank or in a health organization has a different approach than someone who worked in another tech company.

I believe in building mixed teams and diverse teams, and take that onto different access in terms of experience. At the same time, I think also all of us who are privileged enough to be in a position of hiring people, we do have to think about underrepresented communities. How can we give people a chance? It does require more heavy lifting on the management side. If you take someone who is more junior then you would need to give them more attention in the beginning, but that always pays dividends, always.

[0:05:27.9] Guy Podjarny: Yeah, and how I fully relate to the importance of this, and some of the social responsibility. Also, as the white man here, like, I think feel even doubly responsible than my group, if you will, has sort of not solved or contributed to the problem before, even more responsible to kind of help be a part of the solution. But also, like indeed the challenge is often times successfully doing so, you can be committed to it conceptually.

You gave us one example with how we can approach it, which is you can hire people that are more junior and then invest in them. Are there other tips or examples of practices that people should embrace to help them do better in terms of hiring diverse candidates?

[0:06:03.9] Nitzan Blouin: Yeah, I think the other path that has worked well, specifically for my team, was really looking at the talent pool of backend and assuming that someone – I mean every hiring manager has this set criteria of what has to be there. In my case, it was the coding skills and then you take that side-by-side and you say, “Okay, I maybe have a very strong backend engineer, who is passionate about security, but doesn’t know much. Can I train them?” And that has worked again for us.

We knew we would have a strong engineer who can start executing on engineering tasks right away, and then we also knew that we would be able to level up the security knowledge and best practices etcetera, with specific trainings.

[0:06:48.6] Guy Podjarny: I love that. Basically, look at hiring pools, or the queues for other teams that, for one reason or the other – well, maybe they did fit that team and you might steal them away, but you know it could also be that they didn’t have any specific knowledge for that team but they were great candidates otherwise, and then tap into that resource, and bring them in. Skill them up in the areas that you need to build them up. Does that sound right?

[0:07:09.2] Nitzan Blouin: Yeah exactly, and there are no perfect candidates, but I think what you need to make sure there is, is that spark or that curiosity or that passion to learn about security. If someone doesn’t care about security, this doesn’t work, right? You need to have that base level. I think sometimes people get very hung up on finding a perfect candidate that ticks all the boxes and, at least in my experience, that doesn’t exist. Then you think about where can you compromise. If you do prioritize diversity, you often hear like, “Oh this pipeline is not diverse.” There is a lot of ways to make that pipeline more diverse and then to find again the best person for the job.

You don’t have to limit yourself to diversity on the gender axis. There is race, there is age, and you build those diverse teams and those are the strongest teams because your customers, guess what, are exactly going to be a mirror of that team. If you are going to have a bunch of people who are just like you, you are probably not going to be able to solve for the problems that your customers are going to see.

[0:08:11.4] Guy Podjarny: Next up, we’re going to hear from Vandana Verma who is actually, fortunately now, at Snyk, when I was interviewing her, she wasn’t here yet. Vandana talks a bit more broadly and just emphasizes how diversity isn’t just gender diversity but then also, as we dig into gender diversity, has some good perspectives about how to think about it and maybe normalize it a little bit so we can approach it better. Let’s hear Vandana tell it.

[0:08:38.8] Guy Podjarny: I know one of your recent keynotes has been about women in security and I know you are also involved, you mentioned quite a few different organizations that are doing it. Let’s dig into that a little bit. It is always a complicated topic. Before I dig into specific questions, what do you feel is kind of in the world of AppSec, is the current state of affairs around diversity and specific new gender diversity?

[0:09:01.4] Vandana Verma: Right, so my keynote was about when we talk about diversity it is not gender diversity. It has to be different forms as well because we kind of only think about gender diversity and it actually creates a lot of concerns for the other gender as well because when I started to dig more into the topic, and I have been in the industry for quite some time, and I can see that there are people which are less, that’s why we talk about diversity and it is very important.

If I have to talk about AppSec, not just AppSec, I would say the whole security. It is like the diversity is very less. I would say that is one of the reasons wherein we have a lot of constraints wherein people are less in security. If we start including people from diverse backgrounds, we will have diverse perspectives and the job, the concerns that are there, wherein people say that, “We have so many jobs open but we are not able to find the right set of people.”

[0:09:59.3] Guy Podjarny: And this is – I am fully there with you around the fact that diversity is a broader topic you know? Whether it is location, whether it is background, whether it’s age, you know every perspective brings a new skill to the mix. You gave one tip there, which is maybe judge based on skills versus just the resume, what other techniques or methodologies have you seen to work well to help break through the fact that it is sometimes hard to find the diverse candidates?

[0:10:27.1] Vandana Verma: I would say that sometimes organizations target people to hire from the top schools, top business schools, top institutions. We can actually partner with some organizations to include engineers from different colleges, artists, mathematicians and other creative professionals from a broad set of experiences rather than only looking for bright millennials, how about hiring some veterans, older professionals who are highly skilled?

Because when we say diversity, it goes far, far beyond education and gender. If we hire those people, I am sure we will have diverse perspective. So let us say you and I are working in the same team, you will have a different perspective, I will have a different perspective. And I am sure when there is a situation come in, we will put forward our own views rather than just going with the same flow.

[0:11:20.1] Guy Podjarny: Again, sort of spot on and I think the value of diversity is great, specifically allowing me to stereotype a bit here and so still dig into that sort of the gender diversity bit, right? You work a lot with Infosec girls and all of that. In this sort of white men-dominated surrounding, sometimes I know like a common complaint like real concern is maybe surroundings. What have you seen through these organizations to be sort of good best practices?

If you’re an organization leader or security organization leader and you want to make sure that when you bring people that don’t look like everybody, they stay comfortable.

[0:11:56.3] Vandana Verma: See I would tell you upfront that there are problems for sure. We have seen and heard the cases. Let’s say if I have to talk about gender diversity, as a woman there are a lot of concerns that everyone has seen in some or the other way. But sometimes there are points or concerns which the other gender also has. It is like there is a term called alienating or alienating men, right? Wherein the other gender also feels that they are trying to dominate them.

Which is not the case. Because when I had a conversation with the friends who I have or the mentors, because I have a lot of male mentors, they also feel sometimes nervous or a bit concerned when the term ‘diversity’ comes into picture. Why? Because it’s like they think 100 times before saying anything because it might raise some concerns. The diversity concerns are from both sides and both have to be worked upon and we have to talk it out.

If there is a concern, we all have to talk it out and as a man, if they see that there is some hesitation the other gender has, they have to make the person comfortable that, “This is my perspective. It is not bring you down or it’s not to bully you,” and the same goes for us also because I work with a lot of white men and I do a lot of discussions around diversity. I do a lot of discussions about technical topics especially for my keynote, I had discussions with a number of people. From all genders, from all colors, from everywhere so it is kind of a topic wherein if I say my perspective, somebody else might have a different perspective altogether.

I would say it is a topic of discussion wherein if you feel that there is something which is not going right, talk it out. Raise your voice and people are hearing. It is not that people don’t hear. People do hear.

[0:13:48.3] Guy Podjarny: Yeah well, I am always in favor of communication. It was interesting to hear about you know diversity and soliciting opinions about diversity over there as well, which is a good inception model there.

[0:13:58.4] Vandana Verma: Yeah, I have to add something to it. I do support all the men and platforms but I don’t resonate with just the gender diversity, to be honest, even being a woman, I don’t just resonate to it. I have friends from different backgrounds. I know people who are differently able so I wouldn’t just say that it is just gender diversity. I try and see that if there is a knowledge-sharing platform it has to be for everyone, not just for a specific gender diversity.

[0:14:26.7] Guy Podjarny: The next couple of sessions are going to get pretty pragmatic, the first one is from Tad Whitaker, who talks about Day of Shecurity or She Security, which is a great program that he’s been a key player at getting going and running at scale, so that’s a great program that you can think about and then we’ll have Tanya Janca from We Hack Purple, who we’ll talk about mentoring and maybe at a slightly smaller scale not just raising a program, but rather just mentoring and doing something on your own, how you can participate and help nudge this needle in the right direction.

Let’s hear Tad, and then Tanya, share their stories.

[0:15:07.0] Tad Whitaker: That very first meeting that I went to at OWASP, I sat down next to this big, burly guy wearing all black and he had all these DefCon patches and everything and his head was the size of a bowling ball and was all bald and he looked as menacing as they come. He was this super cuddly guy named Matt Torbin. I mean, that’s who I sat down at my very first OWASP meetup and we just became friends.

He was a front-end developer at RSA, who really wanted to get into security. He made this big leap at the same time that I did to switch over to security. He started working at a company as a security engineer. I think he was their first one and when they wanted to hire another one. All the candidates were just white men and he was frustrated by the talent pool because diversity and inclusivity was really important to him based on his background and his history.

He was telling the head of hiring over there, I think the company is Look Out. He told him, he said, “You know, if I could just get a roomful of 10 women who came out of boot camps and teach them how to use Burp Suite over the course of about 10 hours, I would probably hire one of them. They would have enough skills to get going to handle what we need here.” They said, “Well, why don’t we just do that?”

They organized this little 10-person hacker day, where he showed about 10 women how to use, I think it was Burp Suite and they wound up hiring one of them. He was telling me about that and I was like, “Dang, why didn’t you let me know about that?” I used to do a lot of mentoring through something called Mission Day, where I would go into public high schools here in San Francisco and teach JavaScript to low-income students.

We just started talking about it and there was a recruiting company that just focuses exclusively on security engineers who had been recruiting me. I said, “Hey, I don’t want a job somewhere, but are you guys interested in trying to build out a little workshop that would just help train women into security engineers?” And so, that turned into a full-day event with 200 or 250 attendees. We had a bunch of people from HackerOne teach a full day on Burp Suite and a whole bunch of that stuff and we’ve now had five of them. We’ve had three in San Francisco, one in Boston, one in Toronto and we’ve got a couple of more scheduled this year.

[0:17:50.9] Guy Podjarny: That’s excellent. That’s a great story, creative thinking and fundamental initiative from it. Do you keep track? Do you have a Slack for all the alumni of this program?

[0:18:03.7] Tad Whitaker: We do. Yeah. We have a dedicated Slack group to it, the Day of Shecurity and anybody who’s gone and attended gets to be in there. We have a job board and we have a mentoring system in there. We’re really trying to build it into a community, more than just a workshop at this point. We’ve also started branching out into doing every other month meetups. They are called Day of Shecurity Presents and those are all led by women.

[0:18:31.9] Tanya Janca: I joined security because I had a mentor, and quickly I found new even more amazing mentors, and I am really lucky that people seem to see possibilities and potential in me and then I have noticed that if I pay my attention to someone else and show them the things that I know, that they can blossom in ways I never even dreamed or they never even dreamed.

So people start asking me to be their mentors, and I said, “I already mentor four women.” And I honestly, I feel like I don’t even give them enough of my time, and I still haven’t figured out how to make a cloning machine. So until then, I thought, “I’ll just find you a mentor.” I started introducing people to each other one on one, which took a lot of time.

Then one day I just tweeted this hashtag Mentoring Monday, like “Are you looking for a mentor? Are you willing to share what you know with someone new to you?” Then people started matching themselves, and people started searching the hashtag each week so people that are maybe less public about their offerings, they’ll see someone’s call for a mentor and then they’re messaging them directly. They’re having private conversations and branching off, and several people have written me the most wonderful messages about how “I now have these two people in my corner who are giving me advice. One’s giving me career advice and one of them is giving me technical, things like ‘Read this book,’ or ‘You should ask for a raise,’ or ‘Have you tried applying here?'”

All these people that are senior in our industry who didn’t even realize, if you’ve done your job two or three years, you know enough to teach someone else because otherwise you’d be fired, right? If you still have this job it’s probably because you’re good at it. So a lot of people who thought “I don’t know enough to be a mentor,” I was like “Do you know enough to do your job?” Because there’s someone who wishes that they could have a job like yours. There’s someone who wishes that they knew when they looked at the sim, what all of that stuff means. There’s so many people who are interested in pen testing, and then a lot of them end up learning like I did, that they actually want to work in AppSec, or they actually want to build cool tools to help people do testing, right?

The more people you have in your corner that are willing to give you just even an hour of advice one on one, it’s so valuable. Just so many senior people have told me that is so rewarding to see the person they’re mentoring breakthrough every goal that they had.

[0:21:08.4] Guy Podjarny: Give us some examples and sort of inspire the listeners a little bit. Maybe some examples of topics that people kind of reached out to mentor on or to be menteed on.

[0:21:19.7] Tanya Janca: A lot of people are interested in learning about forensics. Like, “How do you break into that?” Or people want their very first AppSec job. A lot of people who used to work in networking, they want to work on a sim. They want to be an information security analyst and they just have no idea where to start.

They’ve got a demo of a sim and they’re like, “What does that mean?” Or a lot of people come to me and they’re like, “I want to be a badass hacker,” and I’m like “You probably shouldn’t ask me because I’m a Care Bear hugging AppSec person.” But when they learn just how to run a scan for the first time, I’m like “Okay, so now what do these results mean?” They look at me with these wide doe eyes, and I’m like “Go. Go off and try to figure them out. I want you to try to fix a bug” or a lot of people are interested – They’re security people, and they’re like “I want to learn about DevOps. There’s like 5 million books, which one do I read?” I’m like, “Okay, read this book, then watch this talk, then read this book, then follow this guy.”

[0:22:14.5] Guy Podjarny: Last but not the least, we’re going to have Rinki Sethi from Twitter talk about her views. She talks about how she’s evolved her view over time when she thinks about diversity and really, if you go out to the macro level, how do we not just perpetuate the problem and solve it at the company level but actually try to solve it at an industry level.

[0:22:36.0] Guy Podjarny: I know you’ve been on the Women in Cybersecurity board. Just kind of using the stage a little bit, if you’re thinking, I kind of have these two audiences, there might be sort of women listening, looking to get into security, looking to grow in security, do you have any tips for them but also similarly, for all us guys on it, is there any tip of what we should start or stop doing to help encourage more diversity in this industry?

[0:22:59.7] Rinki Sethi: This is an area, Guy, you know I’m super passionate about. I just tweeted about this. My thinking around this topic evolves to I’m learning as well but one of the things I’m realizing is I think we need to recruit more from colleges. When you look at computer science classes now, not all computer science classes – in fact, I just talked to a student that told me that she was the only girl in one of her computer science classes and she was telling me that, “Hey, I can’t even get my thoughts across because the guys won’t let me talk on a project. I’ve got good ideas” and things like that.

But kind of, if you look overall, the number of women and men in computer science programs, there’s a lot of programs that have 50/50. But somehow, then when you go look at engineering teams, and especially cybersecurity teams, there’s like a huge issue, and I think we need to – What I tweeted was we need to stop trying to get more women into our company by stealing from another company because we’re not really helping with like improving the pipeline. So it’s almost like we need to make a commitment as an industry that we’re going to go bring in X number of more talent from colleges and I think that will introduce more diversity. That will introduce more women into cybersecurity. But also, maybe from other fields where there’s expertise, right? Like marketing, maybe those are folks that can help with security culture.

There’s I think a lot more work that we need to do. I always say this, it’s a fact that women don’t take as many risks as men. If we don’t feel qualified for a role, we won’t apply, whereas someone who’s not qualified for a role for men will apply. I think women need to take risks. Go out there, reach out to folks and leaders and I bet you that you would get like a reply back from a security leader, looking for talent in the security space.

We need more women in the field. I think we as leaders need to go and recruit more from colleges and also invest in younger – in kids because I see my daughter, who’s also just turned 13 a couple of days ago, this is when they’re defining themselves. They don’t define themselves when they’re in ninth grade or in high school. They start defining themselves when they’re at this age and they’re not introduced to technology in the right ways or programming, nor cybersecurity or privacy. I think it’s really important at this age that they get introduced to it, so then we have more girls entering colleges. I think anything people can do to teach more women, teach more girls, bring more women into the industry to increase the pipeline is going to be supercritical.

[0:25:17.9] Guy Podjarny: Yeah. That really resonates with me. I think it’s really great. We have to actually grow the community. It’s not just about sort of steal all the sort of the diverse candidates and sort of women into your company. It’s about help fix the community. I think I rarely do sort of team plugs over here, but I’m just really proud of this, with the leader of our SE Team at Snyk was we kind of woke up one morning and realized we have all men in our sales engineering team.

We talked about it, we set out to hire. It was really hard to find sort of qualified and experienced women in it and he started this sort of internship program to bring women that are – They might have come from backgrounds. They weren’t obviously qualified to it, an associate program, and that’s been super successful. The team is far more diverse right now I don’t know the exact statistics.

Then we doubled down on it and we did a whole program around mothers returning from maternity leave, kind of a return to work, people that – Not maternity leave but rather that might have been out of the career ladder for a bunch of years, coming into it. It’s an amazing, amazing kind of, women join the company through it. So I’m sort of super proud of it. It’s just from – I had nothing to do with it. It’s all kind of the team initiated inside of it, but just was so great to see it.

[0:26:30.3] Rinki Sethi: I would love to hear more about that. I mean, you need to share that in terms of that internship program and what made it successful because I think there’s an analogy on the cybersecurity side on, you might take some hits in the short term, right? Because they’re not going to be productive right off the ground, but here’s the long-term benefits of it and here’s how you got them up to speed. I would be super interested in hearing kind of that story. That’s really cool.

[0:26:54.0] Guy Podjarny: That’s it for today. I hope you learn something about diversity and approaches you can take. I hope you are as passionate as I am about tackling this problem and getting some of these bright minds that come from different backgrounds and specifically maybe different genders to help all of us make security as an industry, as a practice just actual results of protecting your customer data better and be a better community for it in the process.

Thanks for listening and I hope you join us for the next one.

[END OF INTERVIEW]

[0:27:27.3] ANNOUNCER: Thanks for listening to The Secure Developer. That is all we have time for today. To find additional episodes and full transcriptions, visit thesecuredevelop.com. If you’d like to be a guest on the show or get involved in the community, you can also find us on Twitter at @devseccon. Don’t forget to leave us a review on iTunes if you enjoyed today’s episode. Bye for now.

[END]