My name is Damien Grant and today I'll be discussing diversity, equity, and inclusion in cybersecurity. So a little bit of my background, I actually currently work within digital forensics and incident response for a large pharmaceutical company. My background is I actually spent 8 years in the Navy doing cybersecurity in the form of network penetration testing, and also working within counter cyber intelligence. After leaving active duty, I actually went to the Maryland Air National Guard and I am a cyberspace operations officer with them as well. Did consulting for a couple of years for a large consulting firm, mostly doing attack surface enumeration, vulnerability assessment and also doing some incident response services for mostly federal clients and some commercial clients. I actually attended DEF CON a couple of years ago and was very, very fortunate with a team of four to actually win a black badge for a missing person's OSINT CTF. So I have some experience here at DEF CON. So let's talk a little bit about the problem. When we talk about the problem, what we tend to see when it comes to just applicants in general to any sort of job is that black applicants are less likely to be contacted. When they are actually applying for jobs, there was a study that showed that if you took the same resume and put a white sounding name on the resume and then put a black sounding name on the resume, sent it out to all the same folks, you would get fewer responses for a black applicant. So, you know, there's a barrier there to entry when it comes to just the job market in general. When you look at STEM, STEM is a place where you're really likely to see fewer black faces. And, you know, part of that is the opportunity. Most lower income schools and lower income communities tend not to have any kind of dedicated STEM programs. And so you see that there are fewer opportunities for black students to actually be in those programs. 
Really, what you tend to see is, you know, the opportunity will be there for a lot of folks that are in, you know, higher income communities, but not so much in lower income communities where a lot of black people actually do live. And then you start to drill into cybersecurity in general. So, computer science is a field of study that you just don't see a lot of black faces in. That's something that has been improving steadily, but it's not improving at the pace of the actual openings that are being seen within computer science. And then cybersecurity in general, you know, black practitioners do not make up a large part of information security analysts when you start to look at the numbers around the cybersecurity community. And then you actually really want to kind of dive into it as well in terms of the culture. So, recruiting, especially in a highly technical field is just somewhere where people are at a disadvantage in general. Recruiters tend to have a lack of understanding of the scope of responsibility of a cybersecurity practitioner. And also, there are multiple different ways to define skills. So when people write resumes, even though those resumes might actually apply directly to a specific job within cybersecurity, sometimes applicants are passed over because there are different ways to define exactly what a hiring manager is looking for. When you talk about certifications, for example, you might have a specific certification like Security+, and a lot of people don't know that Certified Ethical Hacker is very similar to Security+ in terms of the skills that it actually measures. And so if a recruiter doesn't see a specific certification on someone's resume, they tend to look that person over because they might not have the specific certification that's called out in a specific job posting. 
And when you start to get down to the hiring managers, so hiring managers have really some unrealistic requirements when it comes to some things that are going on within cybersecurity. They're looking for experience that is not necessarily realistic. They want a large breadth of skills and experiences and they tend to hire by tradition, right? I went through this process. I was a system administrator or I was a network engineer and you need to have these skills in order to be in cybersecurity. And that's not necessarily the case anymore. A lot of folks that are coming up in cybersecurity now come up as a pure cybersecurity practitioner as opposed to someone that has a background in something like network administration or system administration. And then when you start to get into interviews, a lot of folks kind of have the stump the chump mentality, right? They come in with very, very specific questions looking for very, very specific answers. And that's not a really true gauge of someone's skill. Anyone can write up a technical interview and ask for specific answers. But in practice, the vast majority of people that are actually going through and doing any kind of cybersecurity work, you're not necessarily pulling that information out of your head. You have guides and all kinds of different tools at your disposal to be able to understand exactly what's going on in a specific cybersecurity discipline. And you're not necessarily memorizing all of this stuff, right? So it's just not a realistic gauge of someone's understanding of exactly what's going on within the space. And then sometimes, because cybersecurity is a very, very small field, folks post a position with a specific candidate already in mind and already potentially selected. So people are already behind the eight ball. And then when you start to talk about the actual positions that are out there, a lot of people point out the fact that there are no true entry level positions within cybersecurity. 
And all positions require experience, which is very, very challenging for someone that's just out of college or someone that might come straight out of the military with a, you know, a small amount of background in cybersecurity maybe four years and, you know, entry level positions they're looking for six, eight, 10 years of experience. And then a lot of hiring managers are unwilling to take a chance on someone that hasn't done cybersecurity in a production environment before, because the demands on cybersecurity practitioners are very high. And that's a very reactive business. So in other words, I don't have time to spend, you know, training someone to do the job. And that's, you know, a really challenging tack to take when it comes to cybersecurity in general. If you are unwilling to train someone into that unicorn that you're looking for, then it's going to be very, very challenging for you to actually find a candidate that can actually meet your requirements. And then you talk about the internal problem, right? So as an individual, imposter syndrome is a real thing. It is something that plagues a lot of people within highly technical disciplines, cybersecurity to be included. And so you start to really doubt yourself when you see a job description that includes this huge laundry list of requirements, and you think to yourself, can I actually meet those requirements? Can I actually do the job? And the challenge sometimes is a job description is written poorly, right? It doesn't really express the actual skills required to do the job. It's just essentially this heightened laundry list of requirements that really isn't something that you actually need to do the job. And then you start to talk about career path. 
Is there a defined career path for a cybersecurity practitioner? How many cybersecurity practitioners do you know that are out there that are self-taught, right? They don't actually go through formal training, but they can do the job. And then just think about it from a discipline standpoint, right? When you look at that word cloud over there to the right, how many different ways can you go as a cybersecurity practitioner? What are all the different things that you can do, right? If you don't have specific skill sets in understanding and reverse engineering malware, can you be a malware analyst? If you don't understand automation, can you be a SIEM engineer? A forensic engineer, can those folks actually come into the discipline without 10 or 15 years of experience and do the job? And, you know, my thoughts about it is yes, those folks can actually come in with a baseline and learn the job and they might not necessarily be effective right away, but they can definitely get to a point where you can actually do the job. So, you know, a lot of the things that we look at as well is gatekeeping, right? People are just lax to really understand exactly how a person thinks and whether or not they have an analytic mindset, right? And so they will kind of write somebody off without even thinking about whether or not the person has the potential to do the job. And that's, you know, a very poor practice. So really what you want to do as an individual is you want to start to attack the problem. One of the things that you can do to attack the problem is train yourself to a standard set of skills. There are resources that are available to you by the nature of your demographics, right? An organization called Women in Cybersecurity will actually help women, black women that actually come in and actually help them to train and it's very low cost or no cost. SANS has, I think, no more, no less than six different academies that they run and they run those academies based on need, right? 
So if you are affiliated with an HBCU or if you're a veteran or if you're a woman, you can actually get into those academies at little to no cost and that will actually allow you to get certifications that will demonstrate your skill and also help you to actually get your start in the field. And then when you start to talk about things like programming, right? Black Girls Code and Girls Who Code are a lot of different ways that you can actually get into the field and learn things that are going to help you in your career and do so again in a low cost or no cost manner. So let's talk about networking. So cybersecurity is a field that tends to attract people that are introverts. It just happens. That's just the way that it is. And so networking is a pet word to introverts. A lot of people really don't think about networking as a core skill that they need in order to do their job, but it is absolutely a skill that you need to do your job. So let's talk about my journey and the way that I kind of worked when it came to networking. So when I left the military and I went into consulting, consulting is an area where you have to be very, very networking focused. I went to a lot of different networking events when I first started in consulting, and I wasn't really comfortable. And I developed a strategy and that strategy was whenever I got to a networking event, I would immediately look to find the most gregarious and most, you know, very friendly person in the place. And I would introduce myself to that person. And typically what happens when you meet someone like that is they tend to drive the conversation. And the great thing about that is, I was able to talk to that person, get to know them, have them get to know me, and then I would use that person to actually meet everybody else in the room. So it's all about number one, finding a way to get face to face. 
While, you know, the pandemic has really kind of driven us into a virtual world, getting face to face really allows you to have more understanding about what a person's all about, and really connecting with that person when you're face to face. When you are networking as well, you want to make certain that you're offering help, you want to bring something to the conversation and you actually have a significant amount of value. I can't tell you how many mentoring or networking relationships that I have been in where that person's senior to me, but I can actually bring value to them by giving them a different perspective. So, you know, make certain that you're offering yourself up as help for anyone that's out there. It should be a symbiotic relationship. It should go two ways. It should be fearful when it comes to networking. Everybody wants to network and the reason why is because it's incredibly effective. So, don't feel like you don't have anything to offer when you enter into a networking relationship. You want to make certain that you're patient with a relationship, and that you don't expect too much right away. People tend to have a situation where they contact, they're contacting you and they might not necessarily have some front something for you right away. But you want to make sure that you cultivate that relationship because six months, a year, two years down the road, that person might be the person that gives you the lead that you need in order to get the job that you really, really want. And you want to focus on the relationship, right? Make certain that you are not just in the relationship as an opportunity to network. You are in the relationship as an opportunity to potentially help this person out with something. To actually focus on getting to know more about them and having them get to know more about you. 
If you cannot express within that relationship exactly what it is that you want out of your career, then it's going to be very, very challenging for someone to help you to get that. Because if you don't know, they definitely will not know. I'm not a huge fan of social networks, but LinkedIn and other things like that are ways that you can actually use social networking as a force multiplier. So make certain that you are connecting yourself with people in that medium so that you're not losing that relationship. And you want to make sure that you absolutely follow up. Networking should be something that is a scheduled activity on your calendar. You should be setting aside time for networking because what it allows you to do is ensure that you are actually doing it and doing it in a purposeful manner. So if you are brand new to cybersecurity, you need to understand that you are not going to hit a home run with your first position in cybersecurity. It's just not going to happen. And the reason behind that is it's hierarchical, right? The way that the cybersecurity kill chain works is you're going to have people in the SOC that are doing jobs that are a little bit more menial and repetitive. It's going to happen, right? So you might have to spend some time in a security operations center doing long hours, 24 by 7 schedules, right? So you might have to pay your dues. So you want to be cognizant of that and not try to hit a home run with that first job. Take the entry level position, get your foot in the door, and what it's going to allow you to do is see the entire cybersecurity kill chain and understand, hey, listen, I love working with malware. I want to be a malware analyst or I love working with computer forensics and I want to be a forensic analyst. That huge word cloud that I showed you a couple of slides back. It's going to help you to understand, okay, where do I fit in the cybersecurity kill chain and what job can I do that's actually going to energize me? 
And you want to pick a job, not necessarily that you're good at, you want to pick a job that energizes you. I see a lot of people get into cybersecurity and they get burnt out because they pick something they're good at, but they're not having fun doing what they're doing and it leads to burnout. If you pick something that energizes you, you will never work a day in your life because you're always doing something that you have a lot of fun doing. So let's talk to the senior leaders within cybersecurity in the room. We have to be willing to reach back and pull people along with us when we get to a space where we feel like we're successful and we have some influence. Unfortunately, it's not an equitable field, right? You have a lot of folks that are in the field that are getting a lot of hands up from folks that have been in the field for an extended period of time. And those folks tend to pull people along with them that look like them, right? We have to do the same. You have to be willing to reach back and pull people along with you and make certain that they are on your bench, right? So if you know for a fact that you have people that you're going to need in the future because you're building a team, you want to make certain that you're staying in contact with some of the junior folks that are in the field to ensure that when you have a position that's something that they can slide into, that you can offer that to them, give them the opportunity to come in and apply and actually have an opportunity to get that resume looked at. And engage with others within the field and your peers as your leader, if they have opportunities that are out there, you have to be willing to reach into your network and say, hey, listen, I think you might be a great fit for this job. And here's what I'm going to do is I'm going to give you a warm introduction. That's incredibly important, right? 
It's something that if you have a friend that's in the field that is looking for someone, you can't just point someone that's within your network to that job and not actually do that warm introduction, right? So reach out to your buddy that's looking for someone within the field and tell them, hey, listen, I want to give you this resume and I want you to talk to this person. Same situation with that practitioner that you're actually giving the resume for, right? Make sure you reach out to them and say, hey, I know someone that's looking for somebody that looks like you. Would you reach out to this person? Here's their phone number. Here's your email address, right? And consider your influence. So make certain that you, when you have that connection to someone within your network, you are forwarding that connection along. And you also want to make certain that you are visible within the field, right? So when you have the opportunity to volunteer and provide your expertise, you should do that. When you have the opportunity to be visible, you should do that. Studies have shown that children do things where they see themselves represented. So if a black child does not see themselves in a cybersecurity leader, all they see is white faces or all they see is male faces, you want to make certain that they see other faces, right? If they see black faces, they see female faces within the field and that's going to be incredibly beneficial. So if you have an opportunity to volunteer, if you have an opportunity to mentor, if you have an opportunity to do something good for the community, you should do that. So really, you know, the things that we talked about today are the challenge and the culture associated with cybersecurity, right? There is, you know, implicit bias when it comes to getting hired within the field. And there's a culture gap when you talk about getting folks into cybersecurity that are black faces. 
We talked about upskilling, ways that you can actually improve your odds of actually getting a job within the field. Networking is probably the most important thing that we spoke about during this presentation, and that's because it's the most effective thing. There are a lot of gatekeepers out there and one of the ways to get past those gatekeepers is to use your network. And you want to make certain that you set the right expectations. As a black face in the field, there are already so many barriers to your entry. You want to make certain that you are doing the right thing and taking the right positions to ensure that you have a chance within the field. And as a black leader, you have to reach back and you have to help others within the field to ensure that they have opportunities that you may not necessarily have had. Thank you so much for giving me the opportunity to speak to you today. And I want to make certain that you have the opportunity to reach out to me. So if you have something that you would like to ask, something you'd like to talk about, feel free to reach out to me on LinkedIn, feel free to reach out to me on Twitter, and I'll be happy to help you on your journey within cybersecurity.