Organizations Need Strong Leadership Backing in Order Train Managers on More Inclusive Management Styles
Workplace demographics have evolved greatly in the past half century with women and minorities represented in much larger numbers than at any time previously. Gender, age, and ethnic diversity – among others – have become valued benchmarks for companies in gauging whether employee talent and executive leadership adequately reflects the overall population. Diversity is clearly good for business, but for reasons that go far beyond optics or good PR. Simply put, the more diverse your workforce, the more diverse their perspectives. Hiring people of varied backgrounds and views generates the kind of thoughts and ideas vital to working smartly and quickly, which is especially important in the cybersecurity industry where discerning an attacker’s motives and strategies is critical to staying one step ahead.
Cyber intelligence tradecraft is an integral component of cyber security. Security analysts daily collect and interpret data to direct strategic decisions and inform leadership. Successful cyber intelligence programs successfully synthesize data, research, trends and techniques to build useful actionable intelligence. However, doing this effectively requires that analysts interpret new evidence free from any cognitive bias that could lead to conclusions confirming existing ideas and positions.
Cognitive biases are mental shortcuts made to quickly process information and decide on an action. Not every cognitive bias leads to bad decision making, but many can. In fact, hackers and threat actors bank on cognitive biases to get their targets to download malware or give up protected data. Some examples of common cognitive biases include:
• Automation bias: Overly relying on automated systems to generate information and guide decisions.
• Confirmation bias: Interpreting, focusing on, or recalling information that confirms preconceptions.
• Selective perception: Letting expectations affect perception.
• Zero-risk bias: Preferring to reduce a small risk completely rather than reducing a larger risk by a bigger overall margin.
Maintaining objectivity and guarding against biases and reflexive group think is especially important to security analysts tasked daily with evaluating an ever-increasing amount of complex data. Distributive decision-making can help reduce cognitive biases that may lead to limiting group think, while building a diverse workforce of people with a multitude of different characteristics is a natural way to ensure diversity of thought. The more unique the experiences/backgrounds of the analysts who comprise your security team, the better and more comprehensive their ideas, intelligence and analysis are likely to be.
A Deloitte University Press GovLab report (PDF) points out that by increasing diversity of thought, employees are less likely to disregard new information or be afraid to challenge the status quo. Employees will feel safer to present new ideas and, more importantly, to disagree. In turn, this may also lower cognitive dissonance (e.g. believing one thing, but doing the other). The report details the many benefits diversity of thought may offer organizations broadly, and by extension security teams specifically, noting that “Even the slightest nuance of one worker’s thinking, if appropriately harnessed, could bring value to the organization.” such as:
• Guarding against groupthink and expert overconfidence leading to more thorough and innovative information processing.
• Increasing the scale of new insights to connect multiple tasks and ideas together in a new way.
• Helping organizations identify the right employees to align individuals to specific teams and jobs where their unique skills would be most beneficial.
Ultimately, diversity of thought fosters psychological safety, which is a shared belief among teams that they perceive they are safe to take risks, and is one of the core indicators of highly effective teams. While the benefits of promoting diversity of thought are clear, it’s not easy to make these changes.
Organizations need strong leadership backing in order train managers on more inclusive management styles and reconsider their organizational policies to ensure they cater to a diverse workforce. As a service-based company, we value constructive conflict, differences in opinion, and promoting the unique backgrounds and traditions our workforce brings. These diverse teams not only allow us to harness different skill sets for cybersecurity’s unpredictable moments, but are instrumental in getting the “best” out of our employees, not just the “most.”