
Echo Chambers in Infosec & What Can We Do About Them

BSides Manchester · 2017 · 32:28 · 137 views · Published 2017-08
About this talk
Colette Weston examines how echo chambers—insular information bubbles that reinforce existing beliefs—limit diversity and innovation in infosec. She argues that homogeneous hiring, retention, and team cultures screen out underrepresented groups, particularly women, and result in products that serve only those inside the bubble. The talk proposes concrete steps: diversifying hiring beyond traditional pathways, supporting underrepresented voices, and recognizing that diverse teams drive both security and business outcomes.
Transcript [en]

long anyway so thanks a lot for coming along today my name's Colette and I currently work as a digital infrastructure project manager for DXC which was CSC up until April of this year and I'm looking to kind of transition into InfoSec some guys and girls I met in London I did my first rookie talk there and felt that I would like to share that pain again I'll try that pain again and didn't another solution in for today so thank you for coming and having a listen so today what I'm talking about is how I feel InfoSec is affected by echo chambers and hopefully it'll help everybody to think a little bit wider about what they're

doing within their own little bubbles will go with that so first of all what is an echo chamber if you haven't heard about them they were there came to kind of prominence around Brexit and Trump being elected and it's basically a description of a being inside a bubble of information and that is reinforced all the time because of all the people and all the information you're getting is giving you all the same kind of ideas that you already have and they are not challenged and basically those bubbles are around pretty much everybody and you don't get outside of your previously held beliefs social interactions are really central to how humans gather information and basically we gather

information and we pool ideas bring those together and to give us a kind of wisdom of the crowd and on Twitter it would be hashtag as Twitter and you can kind of get a much better broader section of ideas and information if you get together a diverse group so you're probably thinking well why is that a problem in info or anywhere for that matter I mean it's developed to help humans to get the best kind of results because social learning takes place through imitation of successful individuals groupthink helps everybody to improve their decisions the problem is that as we get within our bubble that learning only occurs when the group has some diversity and the key to good decision

making is learning from the successes and failures of others and you get better results from a diverse group thing than you do from a very restricted one so a quick poll bit of audience participation here so hands up if anybody in the audience has blocked somebody on a social media channel of some description yeah I'm not surprised because it's very easy to do and it's a very useful tool but it's something that we would probably need to consider very carefully I would suggest before you actually use it because within an echo chamber it's very easy to block out other people's thoughts and opinions and this makes it harder to understand why they feel the way they do about whatever it is that

they are discussing empathy and understanding are the cornerstones of civilized discussion and we're not going to convince anybody to consider a new viewpoint if you don't know anything about theirs so what I'm suggesting is that it's time to put yourself into the mind of the person that you are considering blocking just for a few minutes before you hit that blocking button maybe with a little empathy you can make them a supporter or perhaps even just neutral would be good and there may well be some angles that you've not considered or thought of that they're suggesting I appreciate that it's not always easy to keep listening to somebody who has very diverse views from your own but

sometimes it helps to understand and expand our horizons so how does the echo chamber affect me well I'm a woman I even wore a skirt today just to emphasize that point women are just one of many categories that are under represented in cyber security total number of women in the profession across the world is about 11% and in the UK we're doing really good we actually went down in numbers of women from 10 percent in 2015 to 8 or possibly Stuart says 7 percent in March this year and the reason well basically a lot of women are inadvertently screened out of the employers hiring criteria because that bubble circulates around their hiring criteria and they are not considered to

be the kind of employees that will expand their teams that are already there you're looking for candidates like the employees already have and that's not really very helpful so if you approach the same candidate pool that you've been approaching for the past 10 years you're going to keep hiring people like the ones who are already here and the industry really needs to think more creatively about this by breaking out of this echo chamber and actively looking at a more diverse group of candidates managers of successful diverse teams don't focus their search only on the most obvious places they take time to discover and hire the best people that they can find and that's not

necessarily the people that have got a computer science degree a lot of women don't go into computer science because of all sorts of reasons and they have lots of other skills and backgrounds that will benefit the industry one way we could start to get some new blood into the industry I would suggest is to overcome the bubble that means that you can't get a job in the industry unless you've got some previous experience reports or studies show a stunning 93% of European and UK companies prioritized job candidates who have previous experience so when your bubble filters out 93% of the candidate pool you remove a lot of diversity and you get more people like you already

have and the lack of new people in the industry means that we miss very important product features that are really important to the people who are outside of the bubble consider for a moment Signal WhatsApp or Viber each one of those apps requires you to register your phone number and use it as an identifier so that when you connect on one of those apps you're effectively giving out your phone number to whoever you give your details to now as a woman handing out my contact details to a stranger is a moderately risky thing to do it's a concern I have to weigh up the teams that have developed those apps with their mostly male groups of

developers didn't consider these security risks when they were developing them these are risks that largely affect people women vulnerable groups because and they're not considered because it is outside of this bubble this pool of developers that you've got here they've focused carefully on ensuring that the encryption works that user verification is usable and that's all important but there are times when I don't want to give out my phone number that I've had for years and years and years to a stranger and those devs haven't thought about that because their team has nobody with that experience because guys you'll happily give your number to a complete stranger and you're not bothered so basically what we need is

for the industry to be aware of the effects of being in the bubble and that's what I'm trying to do today just kind of make you aware so I'm really glad that I'm not talking to myself in here today so thank you for coming we need some diversity and we need to make sure that we value everybody's voices insights and perspectives diversity in the hiring process will expand the bubble and encompass a larger proportion of the population we are after all 50% of the population and it will help open the door to entry-level applicants with limited experience who will bring with them a whole raft of new ideas and it will bring diversity of thought that

will enable the development of secure products that work for everybody not just the people inside that bubble the industry needs new blood because in the next five years so by 2022 we will sure face a shortfall of about 1.8 million workers globally already in the UK 50% of employers say that the lack of personnel is having a significant impact on their clients now so recruitment is only part of the bubble it issue with InfoSec retaining workers would go a big way to maintaining and growing a diverse workforce number one reason for women and underrepresented groups to leave the industry and they are leaving is because of mistreatment women are less likely to stay where they're not valued and they

are more likely to stay where they're valued and they have a good support system or as my mentor said women have less tolerance for so when the company has clear view that sexist comments will not be tolerated that's a good start but it really goes further than that and I don't just mean that those that expressed those views should be booted out so I'm sure you're aware of what I'm referring to the guy at Google personally I don't think he should have been booted out I think they should have worked with him to try and expand his bubble a little bit because he had a very tunnel view basically we need to make sure that everybody is

aware that they're inside a thought bubble and that we've moved on from biology determining whether you're good at writing code or not the 24/7 culture that quite a common de Burgh accompanies a job in InfoSec is not really good for women with families but then it's not good for dads with families either or anybody with some kind of caring responsibility it makes it very difficult to kind of maintain the to and burnout is a real issue for this industry and it's one of the reasons why people coming into the industry or looking to come into the industry decide to go and work somewhere else flexibility is attractive for both men and women and increasingly we have to

work around children or aging parents and by addressing some of these issues and just widening our bubble to make sure that we kind of accommodate those we're more likely to retain a diverse workforce so what can we do well the main thing that drives echo chambers is our tendency to associate with people like us and I'm talking at a cyber conference where everybody has an interest in cyber and so yeah we're in a massive bubble here today basically you're more likely to make connections with people who are just like you ethnicity age gender education occupation are all groups that will you will associate with those people and recognizing that you have a problem is the first step to recovery as people and

as an industry we need to actively think about associating and talking with people outside our bubble I'm not in cybersecurity at the moment I'm outside that bubble and I'm trying to get in and that was my talk when I was in London and you can see that on on YouTube if you're interested sharing across social networks has the potential to break down the echo-chamber effect and decisions don't happen in a vacuum the best ones rarely do they come from deep pondering and communicating with other people in the group when people learn and draw on experiences of others the process helps to make the results better and when you gather through social exploration you widen and diversify your train of thought and you

become a more rounded individual so I'll let you into a secret everyone has their own bubble you have a bubble I have a bubble and the trick to overcoming it is that you know that it exists my first brain dump of this talk was me in my bubble the bit that's in the brochure today was the bubble that I was that I filled in at some stupid o'clock in the morning so it was all about girls and women in IT and that was my bubble and but I needed to think a bit wider because it's not just women and it's not just girls it's any group that is underrepresented and my mentor was my sounding board that helped me to think

wider and I hope one of the keys to making this a bit more balanced and interesting talk you too can validate your inputs by fact-checking and diversifying your media consumption you probably go to the same sites every single day to get your information and news so click on some links from other people that might be sending to you and actively search out for opinions outside of your bubble we need to grow up as an industry and as people and realize that it's not healthy to surround ourselves only with folks who share the same views opinions and lifestyles we have so many amazing opportunities in this industry but confining those opportunities to people like the ones who are already here is

stopping it from being the best that it can be your team should even integrate diversity of all kinds to ensure that they get fresh perspectives and those diverse perspectives will prompt innovation creativity which can only benefit the industry in the long term so what can you do as people sat here in this room from today onwards simple things anything would help number one be a STEM ambassador expand your bubble about your industry to include young people because we need to market this industry as a viable career choice in schools colleges universities and to everyone if you're not already and you have the opportunity to sign up to be a STEM ambassador then do it I haven't got my badge on today but I do

have one at home somewhere tell everyone how awesome it is to work in this industry if you're a coder start a Code Club they are crying out for people to volunteer be a mentor help somebody who is just starting out in the industry second thing you could try is that we need to highlight the successes and benefits of diverse teams studies show time after time that companies perform best financially when they have the greatest numbers of women in leadership roles and we're only talking like 30 percent those companies with 30 percent of women in leadership roles not just the CEO but all the way through are the ones that perform towards the top end of

all of the markets so we need to shout about that and tell everybody that those teams those diverse teams are the ones that are being successful shareholders and leaders love better results so if expanding the bubble and widening the diverse nature of our teams has this positive effect then we should highlight that at every opportunity that we have because you don't want to be a Blockbuster whose decision makers stayed in their echo chamber focused on VHS and DVDs and miss the opportunity to be a Netflix and that is really easy to do when you are just listening to the same people third try is that you need to support those who lack confidence so that they're able to feel that they are

able to share their insights so I'm really glad that you supported me here today thank you because absolutely no use having a diverse team and then not listening to them this requires emboldening women and underrepresented groups to back themselves more and doubt themselves less empathy allows us to create bonds of trust and it gives us insights into what others may be feeling and thinking it helps us to understand how and why others are reacting to the situations and it informs our decisions because we're not living within our very small confined bubble conversations where the mentor will help you to expand that bubble and figure out what works for you and be able to be a role model for

others I said I've got a superheroine so here here here they are my final thought is that superheroes of every description fight crime protect the public and battle villains and that sounds to me like a lot of people who are sat here in this room they're a diverse bunch and they each have their own ways of battling the bad guys and I think that InfoSec can only benefit from expanding our bubble and using a more diverse but first workforce - but do battle with our bad guys and so that's it thank you very much and I hope you found something of value don't if anybody has any questions it does make a big difference and it does it just bring in a whole

group of different ideas and and and you know I was talking to a guy at work and I said to him oh well yeah boss doesn't listen to what I said but he listens to what you say just listen to our conversations when we're in a meeting and he sat back and he said no no no that's not right it's not right absolute doesn't happen and then we were in a meeting and he was thinking about this and he came out after the meeting and he said yeah you were right he doesn't listen to what you say so he actually started to make a conscious effort to say ah Colette said this y-you know that's what she said I'm backing me up

which it's a bit difficult really because you don't feel like you want to be back to it you want to be recognized for the fact that you're being able to put in your contribution right from the beginning but it's a start and we've got to start somewhere so I don't want special treatment I just want to be the same as everybody else I just want to be one of the guys and have all the same kind of opportunities and that's it I don't want to be better or anything different just the same sir and that's all I'd like last year zoology degrees well with your degrees and you think.what know nothing about the different sets of skills and I

think at the end of the day businesses succeed when we use skills of all different kinds of people to come together and focus on the job in hand which is providing value to our customers and giving them the products that they want and the features that they want or perhaps the features that they've not thought of and we can only do that if we have a group that has lots of diversity within it and brings in lots of information from lots of different people and lots of different things

yeah I mean it's difficult I personally I I like to try and believe that you know everybody is a good guy and I start off with the fact that everybody doesn't do what they're doing purposefully they might do it through ignorance but I don't think that a lot of people go out of their way to be purposefully nasty or to be purposefully discriminatory I think quite often they've just are so enclosed within their bubble that it's just never crossed their minds so I think basically you kind of got to be softly softly I'm just gently gently say actually you know how he's just you know and say it with a smile and try and be nice

about and and and for me that's you know being satire that way forward I feel you know it kind of puts your point out that actually you're being a dick you know you are not actually being very inclusive in whatever you're saying or however you're running your meeting and you could do it better and you will get results if you do it a slightly different way but if you get really angry about it and start bashing people over the head I think you know you kind of just get people's backs up so I kind of try and do the softly-softly and trying to you know make people smile and then just it clicks and the thing okay

yeah she might have a point so yeah anything else hi guys okay don't worry I was a bit against some very stiff competition

[Music]

yeah that'll be great I'd love to have attacked it's difficult I mean my eldest daughter I definitely think is on on the spectrum she's very high-functioning very academic and has difficulty with kind of emotions and that kind of thing finds it much easier to be in the company of boys and males than girls and has done for quite a long long period of time because less kind of emotional baggage with the guys than it is with the other girls but the one thing that kind of sticks out with me and for me personally I have to think about the language that I use and and kind of the instructions that I give with her and she's very different to my

youngest daughter who's 11 who's very much more social and very sort of well she wants to break things and hack things completely different kettle of fish between the two of them but we were making pancakes for pancake day and my eldest daughter was following the instructions and the instructions said put the egg in the flour so that's what she did put the egg in the flour and my eleven-year-old was cracking her sides because she was like why did you just put the egg in the flour she was supposed to crack it yeah but the instructions doesn't say that and and I think you know your language that you use when you're talking to people especially it was

autism spectrum you know you have to be very mindful of the language that you use and to help them fully understand all of the clues and everything like that because it's very difficult sometimes for them to get everything and you know sometimes they're concerned and say things that perhaps you wouldn't necessarily think well you probably shouldn't say that but it's not done out of spite or malice it's just a slightly different perspective and I think sometimes we just have to kind of make that distinction and then just try and explain it my eldest daughter now knows she has to crack the eggs first

I want your spectrum and deadly size about five minutes is that going to let it sink in go it's all Mike for the other ones better so much and it you should see the ripple of that go to the room a bad break on inspection some absolutely it decides to choose you actually easier yeah and incorporates it and bring it together so that you need people kind of you know quite often I will describe myself as a translator and and you kind of need people to work in the middle between the people who find it very difficult to talk to the clients and the people who find it very easy to talk to the clients because they almost

speak two different languages and you kind of need somebody in the middle to help that along so if you only got people over here working for your company how are you going to be able to talk to your clients effectively how are you going to be able to take their requirements and produce what they need and what they want

yes get some kind of integration really to adults and I would suggest that probably every single person in this room at some point has been called out because of the geeky nerdy tendencies and how does that make you feel it makes you feel like a bit of an outsider yeah I think that's what we do and we insulate ourselves in our bubbles and sometimes we just kind of have to think a little bit wider and and just expand out a little bit and yeah so if anybody wants to contact me I'm on Twitter a lot I tweet every morning and and then during the day and depending on how my life is going crazy but I usually get

back to you at some point so thank you very much for coming along today thank you [Music]