New York City recently became the first city in the United States to open a cybersecurity defense center, with a physical presence in lower Manhattan. The NYC Cyber Critical Services and Infrastructure (CCSI) Project, which had been completely virtual for nearly two years, is a real-time operational center focused on proactive cybersecurity measures. This physical launch comes on the heels of a massive rise in cyberattacks hitting critical infrastructure of cities across the country. From small towns to major metropolitan areas, hackers are taking advantage of outdated legacy systems, ad hoc operation teams, and under-funded, internet-connected operations to turn a profit and cause serious damage.
Formed in alliance with NYC Cyber Command and Global Cyber Alliance, the NYC CCSI Project includes more than 280 professionals from private companies and public organizations including Amazon, the NYPD, IBM, and various New York healthcare systems. Taken together, the Project’s leadership teams, countries represented, and industry experts showcase a diverse set of practitioners in the cybersecurity space — not only in terms of experience and education, but also with regard to historically underrepresented groups based on race, ethnicity, nationality, and gender. This type of diverse hiring is critical for cybersecurity success.
A quick review of the NYC CCSI Project roster reveals significant numbers of women, racial minorities, and a variety of nationalities in c-suite spots, positions of leadership, and engaged staff roles. In fact, the Manhattan DA’s Office, which announced the project launch, highlights its commitment to diversity with an Equity and Social Justice Board and a Diversity Committee — both of which are directly connected to the Office’s recruitment and hiring procedures. As the Office states: “New York City is enriched by its diverse population, and by embracing its diversity we strengthen our ability to carry out the mission of our Office.” This makes sense: diverse teams are 87 percent better at making decisions, and inclusive teams outperform their peers by 80 percent.
Combating cybercrime requires respect for, and coordination of, diverse perspectives. Cities have experienced cyberthreats on all levels: in January, a hacker deleted treatment programs used by a San Francisco Bay water plant; in April, the Washington, D.C., police department was threatened with ransomware and a breach of internal administrative files and intelligence reports; and just last month, the administrative systems in Leonardtown, Md., were shut down by the REvil-Kaseya ransomware attack. Unfortunately, cybercriminals raged through the pandemic and are thriving even as we attempt to get back to normalcy, but cybersecurity hiring continues to lag behind.
This is in part due to the fact that the ratio of existing cybersecurity workers to cybersecurity job openings in the U.S. is 2.1:1, while the national average for all jobs is 3.9:1 (meaning, the cybersecurity worker supply is “very low” according to the federal government). But cybersecurity hiring also struggles with a sourcing problem: Talent exists in many forms and faces, and requires thinking outside of the box to achieve success.
High performing cybersecurity teams are made up of different perspectives and approaches. The field of cybersecurity is filled with positions and requisite skills that range from highly technical problem-solvers to effective communicators to inspiring leaders — and each type of role thrives on different behaviors, skills, and experience (existing or learned).
Hiring for cybersecurity roles requires a specific delineation of performance metrics and behavioral characteristics. The success of critical functions can range from the capabilities of a free-thinker or a routine data-cruncher. This detailed role analysis goes beyond a mere job description and creates an employee description, allowing employers to seek talent from a diverse array of backgrounds (the basement hobby coder, tactical academic, strategic leader with a few technical certs, idea entrepreneur, or curious compliance pro).
It should follow that pulling people from experientially different background leads to all manner of diversity. Not only can teamwork exist with cultural differences: It can thrive if built and guided correctly. Opening up what we have historically considered the “talent pool” to unconventional avenues allows the self-taught, brightly curious, highly trained, and academically inclined to work together and innovate. Studies continue to show that diversity breeds success: McKinsey found that companies in the top quartile for gender diversity on executive teams were 25 percent more likely to have above-average profitability than companies in the fourth quartile, and in terms of ethnic and cultural diversity, top-quartile companies were 36 percent more profitable.
As cyberthreats evolve incessantly, cybersecurity teams must advance accordingly. Unfortunately, many employers fall into the trap of hiring people based on the vague idea of “fit” or whether the potential hire is someone they “like.” Generally, we are comfortable with people similar to ourselves; but hiring similar people leads to uniformity. Uniformity leads to groupthink — and nothing makes cybersystems more vulnerable than a security team executing a plan built upon unwitting consensus.
The weakest security systems are those created by a team that always agrees and rarely debates.
When organizations run the correct analysis and search for the employees they need — instead of trying to fill openings they have, based on copy-and-paste descriptions — what happens most often is the process leads to hiring people who’d have previously been rejected (and rejecting people the CSO or hiring manager simply “likes”). This focus helps avoid the false correlation that presumes a person you like — a person like yourself — will succeed.
As the NYC CCSI Project leadership continually points out, dialogue across public agency-private company lines is necessary to defend against cyberattacks. Stepping back and viewing the entirety of the project, it becomes apparent that it’s not just the dialogue across government and corporate lines, but communication and debate across other meaningful diversity markers that makes significant progress in cybersecurity.
And the NYC CCSI Project boasts expertise across diversity lines. Inherently, it seeks to ensure that it doesn’t fall prey to groupthink and the fragility that follows. Diversity is not just the moral imperative of including a broad cross-section of society; it also means working with people who possess different ways of thinking, unique approaches, and unusual optics on common problems.
At the core, different personalities and perspectives that are unified by one shared goal will produce the best outcome. Inclusive companies are 1.7 times more innovative; innovation is critical to keeping up with and attempting to stay ahead of constantly changing cyberthreats.
The rest of the U.S. would do well to follow in the footsteps of New York City’s cybersecurity defense center, not only in recognizing the necessity of having a city-based cybersecurity project, but staffing it with diverse hires that allow for debate, critical analysis, and a vital community of perspectives.
NOTE: This post has been updated from the original to correct an editing error on the ratios of workers to job openings.
Leeza Garber is a cybersecurity and privacy attorney, lecturer at the University of Pennsylvania's Wharton School, and adjunct law professor at Drexel University's Thomas R. Kline School of Law.
Scott Olson served as an FBI agent for 21 years, working as a counterintelligence operations officer, a counterintelligence supervisor, and developed and implemented the FBI's Leadership Development Program.