 Well, welcome to my talk. My name is Keith Chapman and today I'm talking to you about the cyber security diversity framework or what I call an action plan for cyber diversity. I consider myself a lifelong learner. I've been very curious about a number of subjects growing up. And I find the problem solving creativity of information security to be particularly interesting to me. I have at different times been a teacher, an artist, and most recently I work in governance, risk and compliance. Previously, and information security have also been a lead in a sock where I would handle escalated investigations and also work with interns and other analysts. I'm currently on a cyber case cyber education board also where we work to give students education about information security. A lot of people ask me how to get into information security and it's very difficult entry level for cyber security positions is typically a pretty high bar. It tends to work better if you are going from IT rather than going from another field. But this is one of the things that I think can be changed if we approach things a little bit differently. If you look at these requirements, they're very high. So what do I mean when I say diversity oftentimes diversity means ethnicity or racial background. I believe that it's actually far larger than that and can also include diversity of thought, a diversity of experience, diversity of domains. So I believe there's many different ways to approach diversity. I am going to talk about racial and ethnic diversity because that is forefront of what most people think about when they consider what it means to be diverse and cyber security. But I do want to also say that it's much larger than that. One of the reasons why diversity is important is because the US is becoming a more diverse place. So diversity in the United States is reaching a critical mass where the census data says that in 2020 over half of the children born identify as minorities. In fact, by 2044 the projection is that over half of US citizens of Americans will be 50% or greater in minority status or minority identification. So that's one reason to consider it because it's changing and it's becoming the country that we live in. Another reason is this. These three particular groups, Black or African American, Hispanic or Latino and women are underrepresented in US tech occupations. So if Black or African American makes up 13% of the population of employees across all occupations, it's only 8% in tech field. Likewise, Latino would be 16% across US occupations, all US occupations, but 7% in the tech field and women would be 26%, whereas they represent 49% of all people in occupations. So these groups are by nature underrepresented. There are certain pockets such as District of Columbia where in all tech jobs 29% of the population is actually Black or African American and across all occupations is 34%. So there are pockets where this is not the case. In fact, it's very high. It's above average where typically US population is depending on what you look at 8% to 9% African American. So wide diversity. Another reason why diversity are these four other bullet points. If all you cared about was public image of your company or to drive innovation, or to increase profitability or simply to be more secure. Those are also reasons to become more diverse. I don't think they're the best reasons. But there are other reasons. There are many different reasons why diversity is important. So what does this have to do with hackers? Hacking, like many things is morally neutral. It can be neither good nor bad, or it can be something that is not necessarily criminal. I don't believe it is. I believe that hacking is the art of creatively problem solving, possibly getting around a barrier, possibly understanding something at a level where what you do looks amazing. Outside audience. So I think that hackers offer a unique and great opportunity to possibly change this problem for all of us. So let's talk about the action plan. This action plan is derived from what I have understood about design thinking systems thinking and risk management frameworks is kind of a. A jumble of those 3 concepts and put together into 5 actionable steps. Like many frameworks and information security, this one is a feedback loop. So it's not necessarily a linear progress. But for these purposes, we start with empathize and then align ideate model and deploy. And I'll talk about what each of them mean and then show examples of how they can be used in particular scenarios. Starting off with empathize. But empathize what I mean is to put yourself in the place of. So empathize and to discover patterns of behavior. What does the other person need? What does the company need? What does the job description need? What are they trying to feel? And then align, align your focus. Once you understand or believe you understand what the need is, how can you help? How can I help? What is it about your skill set or your gifts, talents, your background that makes you the ideal person to help? Ideate. By ideate, I mean to come up with creative solutions to come up with many solutions to come up with many different ideas. So ideate and to design solutions. This is something that is probably the most iterative step where you are going again and again and again thinking of different ways to make solutions. And what's driving this is you're thinking, what does change look like? Model. Once you have gone through the process of empathizing, focusing or aligning and ideating. What does a model look like for a change that can be proposed? And what is it? How does it stand up to being assessed? How does my thinking need to transform? You might find after going through this process that you either have blind spots about certain things or you didn't understand something fully. And your thinking might actually need to transform to come up with a good solution. Finally, deploy. Deploy the best model. And once you put it out there, look and see what works and what doesn't work. You might find after going through this entire process that you're right back at the beginning again and having to begin anew, but that's okay. That's the idea of the framework. So let's apply this to different scenarios. Let's say for instance you are not an information security, but you want to get into it. So you might find a job description. And from this job description, the first thing you would do is to identify the need and empathize. What are they looking for? Followed by aligning or focusing. What can I bring to what they're looking for? And then ideation. What are my ideas for how I can offer a solution to what the job is looking for, what the hiring manager is looking for? Model. You might find that you have an idea for a 90-day plan, what you would do if you were to get the physician. And then for deploy, once you're in your interview, all of your background research that you've done in preparation should give you a really good idea of what questions to ask, what to look for, and what to present as you are being interviewed. That's just one way to approach that. Let's say you're a parent and your child is interested in information security, cybersecurity. You might want to have them join a student group. And so you're thinking what do they need? They need to know more about this. They need to be around other people who are also interested. You find a student group, and then they will align their focus and find that there might be a particular part of information security that they most enjoy. As they participate in a group, as they get to the ideation phase, they might discover that there's different ways they can learn this skill. And so then they create a model or work on a project, perhaps with other people, and then test and see how it goes, see if it's something they are interested in, see if it's something they're not interested in. Finding the knowledge to either is great, in my opinion. Some things you want to explore to see if you like them or if you don't like them. And then you might not be aware of other things that you could enjoy about information security. So all of it has been official. Let's say you're an educator and you don't know anything about cybersecurity, but your students are interested in it. In this case, you might want to partner with existing organizations, such as ComTIA or Code Club. Code Club is a particular interest if the students that you work with are between 9 and 13 years old because they don't even require that you have coding knowledge to participate. But they offer really good resources for students who want to know more about coding. Or perhaps you're not an educator, but just know a student. And these are some resources that you might direct them to that have been curated so that you can narrow down some really good resources that they can explore. Or you might encourage the student to participate in a capture-to-flag CTF competition. Blacks and Cyber and other villages are doing them this weekend. Let's say that you are an employer. We've talked about entry-level opportunities are not always entry-level. Perhaps you can work with hiring managers, HR, under departments, and to either cross-train existing employees at the company or to look for intangibles and bring other people in who might not meet all of the requirements for a job description but have the potential for success. If you're a small business, you might approach things differently. And for that, perhaps what you need to do are to look at best practices and see who do you already know or who do you need to find to help you with cybersecurity and information security. Let's say an idea above fits and you just want to help. You can volunteer a few hours at a conference like a information security conference or a hacking convention or any number of different tech conferences. Perhaps you're skilled or proofreading and editing. Maybe you can review resumes. Maybe you know a lot about a very niche area or you want to share what you've learned. You can answer questions or support existing efforts. I would encourage you to remember what it was like to get started and to always be willing to share your journey or your skills with others. Now this article from CBS News says that U.S. has almost 500,000 job openings in cybersecurity. A lot of these openings are entry level. Some are advanced and some are very advanced. And it would be great if we can get more minorities or people who identify as underrepresented groups into these jobs. But getting them in is not the only difficulty. In this particular article, Tech Leavers, it found that a number of people up to 40% of black, Hispanic and Native American men left jobs for unfairness and racism in the workplace. So cybersecurity information security by nature can be a very difficult and stressful job. And having to contend with other barriers and other obstacles. A lot of people find they want to leave once they enter the job. So what can be done? I believe many things can be done. But one of the things that needs to be addressed is the cultures. The cultures of companies that are hiring people. And there are probably a number of fundamental things that will need to begin to change. So how can we make it better? Mentoring goes a long ways as far as keeping people in jobs like this, helping people to deal with obstacles. Building an inclusive culture is very important and professional development. It's not enough for someone to take a position and just be entry level for rest of their career. There need to be opportunities for advancement and growth. So I think this is bigger than any one company or organization can address. So what have we collaborated? There are technology innovation incubators popping up across the country. And there are several relatively new incubators or pathways for cyber in Southwest Ohio, Central Ohio, and other parts of the state. Also, I think cross industry partnerships might be a very good idea in the future. And cyber talent pipelines starting sometimes with students in high school or even younger. So what if we could create true entry level cyber positions? I would like to see this get to the point where one day there are cyber apprenticeships as a normal thing. Or where positions are scalable or mentoring is a recognized acceptable and beneficial part of the job. So to review cyber security diversity framework has five parts. Empathize and discover patterns of behavior. What do they need? Align your focus. How can I help? 98 and design solutions. What does change look like? Model and assess together. How does my thinking need to transform? And deploy the best model. What works? What doesn't work? Hope you can see that diversity makes us stronger and will all benefit from it. If you'd like to contact me, you can find me on the Waxon Cyber Discord. Or at LinkedIn. There's an archive of my previous talks, this talk, and also downloadable slides on my GitHub repository or you can email me.