
I'm ready. You don't have a clicker, so I'm gonna have to keep coming back here. Sure, yeah. Yeah, recording, which I think it's a recording from the screen. Yeah. All right. Hi everyone, I hope you're enjoying the event. So our next speaker here is, um, JC Vega. He's a retired colonel in the Army, and he was the first colonel in cyber, right, for the Army? For the Army, so yes. Okay. Hello everybody, glad you're here. Uh, we're not going to talk about cyber security per se, the part that has to do with the technical part. We're going to talk about that more important part of the human dimension, the leadership, the organizational structure, because we
don't do cyber security for security's sake, we do it to enable the operation. I'm gonna ask you a favor, okay? Anyone ask a question, can you take notes for me? You too, in case she misses something. Oh sure, yeah. All right, so diversity, equity and inclusion. There's going to be a test here, we're going to take a test. The challenge we have with it, and I think we all believe it's good, right? Good? Yes. But we're not quite getting it right. Go ahead. So why do we do diversity, equity, inclusion? Because it's the right thing to do? Anybody? Because it's the right thing to do, and... mm-hmm. No, we do it because, just in these few little cases
we saw up there, you see, and I'm not bashing Merrill Lynch in all the times it's been acquired and changed hands, and kind of see the progression there, but since the 70s, starting with Xerox and then kind of grow a little time with Merrill Lynch, they've had to pay out close to a billion dollars in today's dollars in fines or, uh, in court, somebody sued them, in litigation, to mostly lawyers, but then the people who were the victims of their practice and where they were discriminated against. So that's how DEI really got its start, and there's three components to DEI, and I bet you have all been a part of it. So show of hands, who has had diversity
training? Who hasn't had diversity training? People, do you really need it? Do you? No. All right. Part of DEI is we need to recruit more people that are in those underserved communities. That's not working either. And then you get into the grievance system: if you are wronged, you have a way that you could, uh, challenge that, and if it doesn't get fixed within your organization you can go to the EEOC. Right? System's perfect?
It's an utter failure. A failure. Now, I see there's a diverse crowd in here. Is it working for you? Now I got to tell you, from the faces that I see here, this is about as diverse as I've seen as any cyber security conference ever. Wouldn't you say, Bryson? Okay. And you're just a fraction, and I'm not talking about it here, I'm talking about when I'm walking out there. We have come a long way. So I'm not here to bash that we're not doing the right thing and we're not doing enough. I'm just saying there's a better way, and I'm going to go over six different ways that we can do better. So first thing,
let's start with a test. Recruitment and performance. This was an actual test for an SAT in the 80s. By show of hands, who thinks A is a correct answer? Who thinks B's the correct answer? Who thinks C is the correct answer? Who thinks D's the correct answer? Okay. Now what's wrong with this question right here? Someone from the inner city like me, I didn't even know what a freaking regatta was, much less what an oarsman is. But C is the correct answer. Someone who knows a little regatta, this is from the research on this particular question, you can look this question up and you'll find all kinds of research on that, comes normally from someone who probably lived by the
water. But you all know about redlining, you all know about the other side of the tracks. It's not by the water. It might be by the sewer, by the white premium implant, but that's not the water I'm talking about. It comes, those terms there, is identified as a person of privilege is most likely to know what that is, not someone who isn't. And I'll tell you, I learned about a regatta and an oarsman and rowing, I'm not in your church, is regatta rowing or is that the sailboats? Solos? I really didn't know January. So if you don't know, how can you answer this question? This is an SAT question for you to get into college.
Next one. All right, I told you there'd be a test here. This is an aptitude test where you got to score a certain amount to get accepted into a very technical program, some would say one of the best careers there is in the armed forces. There are more options in this, but what do you think the right answer was? Okay, hey, show of hands. A, anybody? B? C? D? Okay. In the early 90s, the Army's flight aptitude test, to see if you had the ability to become a pilot, you got extra points if you answered C. What the hell does that have to do with your ability to be a pilot? This is where recruit, an example of where
recruitment and performance evaluations fail. Okay, I don't want to talk about everybody else's statistics or your personal life, but that wasn't my background. My parents were immigrants, they were a... that turned out, I became an aviator still, extraordinaire, uh, animals to watch, so you can always tell an aviator, we'll get to those jokes later. But the idea is here, we're talking about systematic testing, that your cultural background, where you came from, what is actually going to help you or hinder you. It highlights stereotyping. And I kind of skipped over, but through this slide where we talked about, uh, the removing the bias, the diversity, you're trying to remove the bias. There's three outcomes for those tests.
Okay, one: you don't need to tell me about it, like this side over here said, you don't need to tell me about diversity, equity, inclusion, I live it every day. Okay. And there's those in the middle: so, you know, I could learn something, I'm willing to learn something. But then there's that other side that, oh my gosh, here we go again. And that's not the people of privilege, that could be you, that could be me. It's like cyber security training: oh my gosh, here we go again, I got to do this again. And what it ends up doing is activating a bias. You bring in some of those stereotypes, so instead of making it more welcoming
you're actually creating frictions. So the idea behind some of those things, that it's not working. Quotas. How many of you who may fit into this category have you felt, or somebody told you, you're a quota? Okay. Well, in the Army, the fact that I ran faster than you, I did more push-ups than you, I took harder assignments than you, but oh, it's a quota. Unmeasurable things, that's the excuse. Okay, whether it's true or not, I'm telling you right now, I am not about quotas. Okay? Because what you find with quotas is, let's just say I recruit a lot of people who fit the demographics... Up, please, come on, sit down, come up front, don't worry about it, come up front. Uh,
what ends up happening is they get invited to the party, they get invited to the job, but they're not invited to the meetings, they're not invited to the dance floor, they're not asked to dance. You, organizations, may think they did the right thing by bringing this diversity in, but they're not utilizing it. And one study shows, where women were recruited to increase the numbers, they actually had a higher attrition rate of women than the other demographics, because they were treated as token. So it's more than just numbers. Good. Sorry, by the way, we've got both answers right, it's a smart person. Okay, so we have the grievance process. What's the problem with the grievance
process? Who has reported something on Facebook, just to a group? I have. Who gets it, who gets that? No, it's not Facebook. Yeah, man, what eventually happened in your reporting? I got kicked out of the group. I got kicked out of the group. So when you utilize a grievance process, the research shows that you're more likely to get retaliated against. That research is from the EEOC, the federal agency, where it shows that in 2021 it's 56, in 2020 it's like 55.8, but a steady increase over the last several years, that if you report something you're most likely to get retaliated against, and you're most likely to have a case that you can take to the EEOC,
that the grievance process that was supposed to help you actually escalated, where you had overt and subtle things. Okay, what am I talking about? Overt, okay: you're fired, or you get reprimanded, or we're going to do some diversity training for everybody now, all because of you. The subtle things is you don't get offered the training, you are no longer on the dead girl and the key things that you need to do your job, and you kind of get put aside. And now you have a choice: are you going to stay there or are you going to leave? Now you have a hostile working environment. Has anyone here ever experienced that? Okay. You don't need diversity training like
this. Nobody needs diversity training like this. Okay, what could we do better? So why is diversity important to cyber security? I was part of a research group to look at community colleges to find out what are the attributes that entry-level cyber security, uh, employers are looking for. They're looking for critical thinkers and people who have an awareness of what's going on. Those are two things that you really can't teach, you have to experience that. You have to experience that of your disciplines. That's like leadership: I can teach you leadership all day long, but you have to experience it. So the idea behind cyber security and diversity, why it's important to security, is that you, we demand, we need
that diversity of thought. We need people who can see the same problem from a different angle. Why do I have the Yom Kippur War there? Anybody know? Anybody know what that war was? The Yom Kippur, the 1973. Well, what I'm addiction so I know that language read that were land back from Israel. Okay, it was, Israel was, you all know the conflict in Israel, it's been going on forever, and they were attacked from the north to south and the east by their, by their neighbors, all of them. It was looked at as an utter failure, intelligence, on the Israeli army, or the Israeli armed forces, or really government, the Israeli intelligence communities. Why? Because they believed that this is the
tactics, training and procedures, this is how these enemies of Israel are going to fight, and we know what they're going to do, we know what they're, how they're going to say, we know everything about them. And guess what? They were wrong. And initially they got their butts kicked, but then they came back, and we've been a kind of love ceasefire, I guess, because it's after six hours. Yes. So what they figured out at that time is they wanted people who were the devil's advocate. They now have a formal process called the 10th man. The 10th man: if all of us agree on something, that this is what something's going to happen, who's that devil's advocate,
who's that person who'd say, well, what if they do this, this, to challenge a status quo? If we all went to the same school, well, at the same training, we all saw the same, we all had the same experiences, we are potentially going to have this idea of groupthink, and we're gonna have blind spots, because we don't anticipate someone's going to do something like that. When 9/11 happened, shortly after that I went to a school, and we were part of a strategic analysis discussion that we were having as part of a bigger project that was going on in the war, and they said, look at all these pictures, what do you see? What do you see?
Air-conditioned building in the middle of the desert that was in defilade, which means it was like buried and controlled and all that stuff. And everybody, the instructor himself said, I see a chemical weapons plant, that's what I see, a chemical weapons plant. What do you see? Clearly the chemical weapons, not in the middle of nowhere air conditioning is going to have that. What do you see? I see... What do you see? And everyone can... this was, I was working with a different group. I was an Army guy in a Navy school. I was a little bit different though, I wasn't IT, I was, because I was a different experiences altogether. Yep, that's me. So they said, they said to me,
what do you see? I said, I see a building with air conditioning that's in the ground, that's what I see. You obviously don't see it. I don't know what I'm supposed to see, that's what I see. And it was like, oh boy, do I, like, stick to my guns, or do I call it like I see it? They never found the weapons of mass destruction. I'm not saying I was right, I'm just saying I offered an alternative thought, because I wasn't like everybody else in that room. And that's what's expected from that tenth man. So when someone asks you for your opinion, your input on something, you're asking: do you really want me to parrot
what you believe to be true, or do you want to hear my thoughts? And if they want you to parrot what they believe to be true, don't waste your time, it's not worth it. So why is that important? Because it's cyber security. It's not like every other kind of defense. You are up against an active opponent, a human being who is countering whatever action you take. I can tell you from certain operations, we anticipate this: well, if that happens, we're going to counter it with this. And what do we do when we counter something with this? With a sniper, we're going to counter it with a counter-sniper. What do you do with that sniper
if there's a counter-sniper out there? What do you do? Counter-counter-sniper. And then you have a counter-counter-counter-sniper, and you're one-upping it. The idea is that you're with an adversary that is a thinking adversary, that is watching what you're doing, and they are reacting. You have to be able to think through this, because it's not gonna, it's not gonna go as planned. Not at all. I have been through multiple incident response trainings, and never once did the incident response happen the way I was training. Never once. But all that knowledge, all those different courses of action that you explored, were there. Why does it matter to the company? Like I
said earlier, you don't do security for security's sake. Why is diversity, DEI, important to a company? Okay, what about our discipline? What did I say, I swear to you say, you know, it used to be that, where, seven hundred thousand, it went to a million, what are we now, two million, three million, four million shortage of talent? Some astronomical number, correct? You agree on that, that we don't have enough cyber security talent? Now why do we keep going to the same well for the limited amount of talent? We have to go to different wells. We have to go to different sources of talent. About 50 of our population is different than me, just identity. We have to recruit that part of the
population into our discipline. Race, race, ethnicity, we have to recruit them, not because it's just the right thing to do, is we need that talent. And guess what, that may give us a competitive advantage, but we have the talent, but I'm also rich in markets. Guess what, women spend money too. People of color spend money too. So from a business case, hey, there's something to be out there. And I talk about the larger Council the cool firm. So we're not going to do it for security's sake, and to a CFO, it's not because it's a nice thing to do. So now I'm going to go over six things that you can do differently for diversity education
training. Go ahead. So like I said, our business, but these are six different things you can do. I'm going to go over each and every one of those, I'm gonna tie it back to security. Good. Slide. Engagement. What does engagement mean in this instance here? It means being a champion out there, not being afraid to talk about it. Wear that belt, if it's gonna, if you're supporting Pride, LGBT, LGBTQ, wear the pin. How many times do we represent things by what we're wearing? Tampa Bay ISC2, I don't even know what that is, Network tough. But the idea is, you're gonna set the tone on what is okay and what is not okay. Now in cyber security
you're already setting the tone on what is okay and what is not okay, and all of you are going to be, if you're not already, by virtue of you just being here, by association and what you're getting into, you're going to be the leader of tomorrow. If you don't embrace it, no one else will. I'm talking about security, I'm talking about culture, organization, I'm talking about this issue right here. And I just told you why: because it matters to security, it matters to the business, there's business opportunities there. And if you're running a business, if you're not making revenue, there's no feel-good programs. If you're not making money, there's no feel-good programs. So you have to make a business case that
this is important. Again, you set the tone. Slide. All right, this is a big one for me. There's all kinds of different interactions you have with individuals. Okay, there's mentee-mentor, there's your coach. When I say coach, I don't mean your football coach, to your team. Bryson Moore here, he retired out of the Army as a captain, started up multiple companies, a leader in his own right in cyber security, the only guy who can wear a unicorn onesie and make it look good, command, command the rooms. Were you there for his team up this morning? He's a pretty good guy. He's fine. He's good, he's good at what he does. I have my own career that parallels him,
and on certain things, you know, we're on par, other things he's way above me, and other things I'm way above him. But I look at him as a coach: what do you think about this, let me run this, let me run this across you. It's not a mentee-mentor relationship. We all know what the mentee-mentor relationship is, we all know the boss and subordinate. But in this case here, what I'm talking about is sponsorship. Put skin in the game. Bring people with you. Now, do I do that? I just take an example of that: I came right here and I said, take notes for me. Derek, we're in it together, here with me, and you're with me too.
We are going to get this. The idea is, the people that you support are the ones that are going to be successful in your discipline, in your ecosystem. So if you're not, if you look at, I hope all of you here are mentors to somebody, yeah, I hope all of you here are a mentee of somebody, and I hope you're a coach. Look at the pool that's out there. Do you have the diversity in that pool, or does everybody look like you, does everybody think like you? If that pool is, you know, ducks go to ducks. Ducks, nothing wrong with that, very natural if you're a duck. But in our space we have to reach out to
these other communities, because we don't have enough. Why do we have younger people here? Because we don't have people in the discipline. There's jobs that they have to fill. This is, we're opening the gates, but you got to invite the people in. And I say, when you're, when you're climbing that ladder, I look at this, I'm a rung on that ladder. I am both pulling somebody up, but I'm also hanging on, because those of you who are here, and hopefully you're going to stand on the shoulders of that next generation, of that generation before you. That's the only way we're going to raise the bar for all of you. That means creating those opportunities. People say you can apply for a job,
you're going to sit there and send resumes out to everybody, you're going to get a job. That's not how it works. Okay, I don't like it, but that's not how it works. If I got all resumes from all of you for a particular job, and they all looked, uh, plus or minus 80, some maybe in the 90s, some maybe in the 70s, and if you tell me, because we have a long relationship, that she's the one, I'll take the chance. You're the one who's going to be creating those opportunities. You're the one who has to take that chance. Well, you say, well, you know, the best qualified person is this person over here, and they look like this, and
you pick this other person over here who doesn't, get token, quota. I'll tell you what, in every job I had, regardless of race, color, creed, anything, there were people who were a hell of a lot better than me who could have done that job, and there were people doing my job someplace else that were a hell of a lot worse than me. So I don't buy that. Yes, there could have been someone better, but why did you go hire them? Well, you got to take a chance on people. You have to train them, you have to develop. In the military, which I think you guys all figured out I was in the military, is we train two levels down. I write
these evaluations for two, two, those that are supervised immediately and the ones below them, I write their evaluation. And if I'm not mentoring, training and developing, so they can one day hold my job, I'm hurting the pipeline. So in your job that you're in right now, who are you mentoring two levels down? And do you have a diverse pool? And I don't mean if you're a woman, you're mentoring a bunch of women. Do you have a diverse pool that you're mentoring? Okay, contact. What does that mean? That doesn't mean us being here in the same room. That's the example I gave you where you get invited to the, to the party. But in this case here,
I'm going to invite you on the dance floor, dance. I'm going to invite you to come in, to be part of that discussion. That was a better example of asking you to take a stride, take notes for me, Edwardian, you're now part of this, you're now engaged. You want to know how to bring someone junior? I always bring junior people so they get exposure to how we think at the next level. Why? Because I always wanted to be in that room. I want to, why do I take some of these classes I have? I'm not a programmer, but why do I want to know, you know, what's Python compared to Java compared to this compared to that?
I just want a little lingo, so, because these conversations are going to come up. But if I'm not in the room where they're talking about these things, the strategic objectives of the organization, not the day-to-day but the big picture... How do you invite someone? Very simple one, right now: invite someone in with you to take notes for the meeting, so you can focus on the meeting, they can take notes. One of the things we had is an aide in the military for senior officers, an aide-de-camp. Most likely that aide-de-camp is a very junior person compared to the senior, has a better chance of becoming a general officer than anyone else, because he was, or she, they're exposed to
that higher thinking. So, so that's how you make the contact meaningful, not just be there. I've got like little leadership games that you, that I'm sure some of you have done, that's some of it there. But the idea is that, make that contact meaningful. All right, next slide. Self-organized and self-selected teams. Why is that important here? So I didn't tell anybody where to sit here, but if I had assigned seating, it'd be fixed where you're going to sit. That's your contact. But if I said break up into groups, your group may form by themselves, self-organized, and you might self-discover what some of that talent is without reinforced. Now you got to be careful with this here,
because ducks like to hang out with ducks. All right, I met a guy who was from my hometown where I grew up, in Orange County, California. Oh my gosh, we hit it off. Next time we're together, I want to, I want to sit next to him. But I gotta realize I can't just sit next to him. I gotta sit next to him, I gotta sit next to her, I gotta sit next to these other people, make sure that that diversity is in there. Because when I'm not forcing the DEI and I'm letting it happen naturally, those barriers tend to fall. But you have to let it happen in your organization. And a lot of you come from organizations
where you have group projects, you have things that you have to do all the time. So be aware of that, is create those opportunities where it's rewarded that these groups form. Now the impact on security, this is a big one here. Who in here has ever responded to an incident? Not cyber, any incident, like something major in your life. How many of you solved it by yourself?
It must not have been a big incident. Because with the exception of his huge incident, you probably needed help from somebody else, and you have to coordinate, collaborate. Incidents in cyber security are not the CIO's, CTO's, technical team's problem. It's a whole-of-business response. And if you're not out there engaging with those other teams and those other aspects of it, how are you going to build that trust? I say, in crisis, you look at the speed of trust. You're going to develop that in advance. So, next slide. Learning the business operations. Uh, Robert Lee, I had him on a program that I run, and I asked him, if somebody wants to get into
industrial control systems, OT, what should they do first? He didn't say learn IT, he didn't say learn security, he said learn the operation. Learn what that water plant's supposed to do, how does it run. Understand the business operation of wherever you're working, wherever your challenge is being used. Understand why that business exists. Unless it's a cyber security company, which, they're out there, that business is there to make revenue or do something that is not security. Unless it's a security company, you are there to support them. Learn what that is. Go to those corners of the, of your office or that organization, so that you understand that, because again, it goes back to the crisis response. It increases collaboration,
coordination. When you need them for something, i.e. communications to go out, we need to explain to them, there has to be some level of expectation of what they're going to deliver, what you're telling them. And if you're talking bacon, they're talking something else, it's going to create a problem. You don't want to get to know them and understand each other, but more importantly, you're exposing each other to your different experiences, you're exposing each other to your frame of mind, how you see the world. And I'll tell you, to a fault, we see the world as this technical thing has to keep running and do this, and yet, no, there's sometimes you have to shut
the system down, but what's the impact on operation? Sometimes you have to run it unsecurely, unsecured, not security door, but you have to run it in a manner that's less than optimal, because the mission matters right now. And so you have to understand what that mission is, why is it important, what's your role in it, what's the impact going to be, and explain that risk. If you don't know how to do that, then you're hurting the organization. This is a big one here. This is a hard one, this is by far the hardest one here: be transparent. Be transparent, and what is it that you're promoting? Okay, anybody here in sales? Okay, what's the most important job in any organization?
Okay, sales. Sales. Remember, if there's no sales, there's no revenue, there's, everything else doesn't matter.
True statement. I had a meeting with the advanced former chairman, CEO and president of Palo Alto Networks. I was holding a conference of the top CISOs and senior leaders of the industry and the government and private sector and academia. In fact, Bryson and I are going next week to that meeting again. And I told this senior person for Palo Alto Networks, no salespeople. And he says, okay, I'll send someone else instead of me, because I'm salesperson number one. Said, noted, your sponsor, got it, we're gonna, think we can do that. But the idea is that without that, you're not going to do it, you're not going to succeed, because that's about, that's what, that's the business idea.
That being said, what you reward is the behavior you're going to get. If you reward sales only, then you're going to get people who are going to do whatever they can to sell anything to anybody. Oftentimes that's not sustainable. One thing I will tell you about this transparency, what I'm talking about here, is that if I took this splatterative individual, all of you here, and I just say you all work for me and I gave bonuses to you, I can say that, you know, you got two percent, you got three percent, you got 20 percent, you got 15, and I can say, okay, this doesn't sell at all. I can show the performance and how I reward it.
But now if I dig into it, I may see some patterns there, patterns that I may not have thought of. So a few weeks ago I'm having a conversation with a CEO with a multi-hundred-million-dollar company, and I said, how do you decide? Because it's like the end of the year, and he's excited that he gave this person a car for a bonus for this year, and gave this person this, and gave this person that. He was ecstatic about what he rewarded. You watch Undercover Boss, all the money they give and all that stuff? Yeah, I want some of that. And then you look, who did he give it to? And he told me,
mostly men. Yeah, he had no qualms about it. Why? Why do you give it to mostly men? Anybody want to, here, throw something out there? Again. No. No. Nope. Because they asked for a raise. They asked for the raise. I want a raise, a lot. Okay, to keep you happy I'm going to give you a raise. Because the women don't ask for raises. The women don't. Now that's where you gotta look at that, like, is your performance on par with his performance, with her performance? How are we distributing this? And every manager should have exposure to that. Am I saying publish that openly to everybody? Yeah, that's your call on that. But you better see what you're promoting,
what you're rewarding, because that's the behavior you're going to get. Impact on security: I say, you don't, if you have a crappy environment, you're going to lose your people. Except some people are leaving. One of Bryson's best and brightest, great person, just left his company, and I asked Bryson, Bryson, what's going on, this guy? He said he got a great opportunity. I, I applaud it, he's going to do great, you can't compete with that. But if the guy's leaving, actually, I say you can't compete with that, because you can offer them something, you know, I'll give you this in exchange. So you have this opportunity, you can't compete with that, maybe not with this particular opportunity, but if you're leaving to get
a little bit better over here, and I want to keep you in here, are you a great person, we can negotiate. But if you're leaving because you're in a crappy environment, we can't negotiate. You already left. You already left. So if you want to keep the best and brightest: one, have a culture where you promote that; two, develop the best and brightest. With that, I believe that was my last slide here. That's a recap of the six. I hope I informed you, I hope I inspired you, I hope I empowered you, because you could look at your group right now: who are you mentoring, who are you sponsoring, who is in your circle that you're picking up,
putting them on your shoulders and launching them on their career? Who in your group are you doing this? I'll tell you what, everybody has done it for me at one point or another. I did not get here alone. Thank you. [Applause] If you have any questions or any comments, I welcome them. Uh, maybe between you and lunch. Thank you all for coming, appreciate it.