The topic of diversity is one that should be talked about amongst every organization, for us, the cybersecurity industry is one that needs work and specifically how to go about it in security awareness training. The discussion of diversity is not a comfortable one. However, in light of the many movements such as Black Lives Matter, #MeToo, Stop AAPI Hate, Equal Pay, and many more, the cyber industry can’t ignore the glaringly obvious need for more diversity, equity, and inclusion (DEI).
Since the founding of Curricula, diversity has been baked into our training content and people. We wanted to be transparent about our process of how we approach diversity, create our security awareness training content, and encourage inclusive learning for all employees. Hopefully, this will help pave the path for organizations looking for security awareness training content that supports their DEI efforts, not because they have to but because they want to. If this is the first time you’re hearing about diversity in security awareness content, read on to see what you’re missing and how you can improve.
Breaking Cyber Security Stereotypes
A 2021 report on diversity in cybersecurity shared that only 24% of the workforce identified as female, while less than 22% is made up by minorities (with 9% self-identifying as Black, 8% as Asian, and only 4% as Hispanic). This confirms the still overwhelming portion of the industry that is made up of white males. This problem isn’t about one individual, but rather not understanding the bigger picture. Diversity in cyber security is important because we want to encourage people of all genders, backgrounds, and races to look at problems through a different lens. Security is all about unique perspectives and trusting each other as a community.
We intentionally don't hire security experts, but rather people of different backgrounds, cultures, and industries to make our content resonate with everyone.
The white-male stereotypes of IT managers or CISO’s might still be predominantly true, but change is slowly happening. We just need to figure out how to facilitate a faster pace of change. On the opposite side of the spectrum, there’s also the idea of what a hacker looks like. Someone in a dark room, wearing a hoodie and lurking over a computer screen. But in reality, hackers come from all different backgrounds and can be of any race or gender. So depicting a CISO or a hacker in one specific way would be inaccurate to the goals of the industry and the truth about cybercriminals.
Personally, I’ve been in the cybersecurity/tech industry for a few years now and have always been outnumbered from males to females. Positively since the start of my career, I’ve noticed growth in the diversity of employees, both gender and race. However, it still has a long way to go not only in terms of numbers but also in how people are treated. This experience is similar to our fellow Curriculoo Jaymie who not only has experienced this herself but works with organization’s that also encounter these problems:
There seem to be more females in the IT Director role than I would’ve originally thought. However, they’re rarely ever the decision-maker and it seems their ideas get bulldozed, especially when trying to get buy-in from management.
Another circumstance I come across a lot is condescension from the men in IT roles. There have been numerous times where on a demo men will talk to me like I’m dumb or intentionally try to stump me with unanswerable questions and make it very difficult for me to communicate with them.
Breaking down what Jaymie said above, just because numbers for different genders and races are increasing it doesn’t mean treatment towards them is too. One roadblock we’ve seen with this is the compliance-focused diversity in organizations. While understanding businesses face mandatory compliance for diversity, that shouldn’t be the reason to change. This leads to the exact situation above. There might be more women and minorities in the industry but that doesn’t automatically make all the other diversity roadblocks go away.
Diversity is more than just 'checking the box'. Our vetting process for hiring is simple: we seek those looking to solve a mission from their own perspective, will treat others with respect regardless of position or background, is good at what they do, and for lack of better words isn't a jerk. We care about genuine diversity because it lives and breaths in our mission.
So the question to ask ourselves is how can we do better to continue to break these stereotypes and actually do something about the industry’s diversity without compliance forcing everyone to do so?
Diversity within Training Content
Since the start, diversity has fueled Curricula and its creative team to consciously make decisions on how to be inclusive to all employees and add new value to organizations’ security awareness training. A few years ago we began getting unsuspecting feedback from customers saying they loved how diverse our training is. This was something we never thought would go noticed by customers as we just wanted to actually represent what the workplace looked like (or should look like).
Our training content includes men, women, and children of all races and is set in unique work environments everyone can relate to — we even have a few whimsical characters including a talking sheep and an alien family. The theory behind our training is to go beyond the industry norm and create powerful content that makes every employee watching feel seen and benefit from their cyber security education in a new, entertaining way.
One thing I love about Curricula’s training is all of the creative work is done in-house. All of the characters and stories are thoughtfully developed with cultural emotional intelligence in mind. I spoke to a few members of our highly skilled creative team to get some insight into what it’s like creating our episodes with diversity in mind.
Don, who started early on with Curricula, helped shape Curricula into the company it is today. He began with the mindset of making our training something that everyone can relate to and identify with and set the precedent going forward.
I feel that diversity is a major component in our content. With the many forms of cyber attacks around the world, there's a vast, diverse population of people vulnerable to them that should be represented. That representation is what helps connect the viewer to the training and our characters while giving them a more personal experience in the process.
Ray, a production artist on the team, has been focusing on creating a diverse cast of characters in every episode. His background as a children’s book illustrator has given him a fascinating take on diversity and how we should continue to embrace this strategy through our training.
Children are like sponges and what imagery is fed to them is taken and solidified as the norm. It's the most natural way of reinforcing diversity without a sense of faux representation. You can tell when diversity is being forced versus naturally incorporated.
The entire creative team went on to validate their efforts to go above and beyond when building out episodes, including the importance of not only having diversity but accurate and genuine diversity. For instance taking the extra time to build out a backstory, strategize individual quirks and show the culture of each character. We’ve seen other organizations take the easy route of leaning on stereotypes in their training. Simply changing the color of a character’s skin, is clearly a compliance-focused effort. We know that isn’t the answer.
Years ago we were at a trade show and a security awareness competitor of ours came up to me and said how much they loved how diverse our content and characters are. I'll never forget that because not only was that message coming from an industry peer, but it was showcasing how powerful our training program is.
We’re aware that we may not be able to please everyone, but we hope viewers take comfort in knowing how much thought, research, and attention goes into developing each character and storyline we tell, no matter how minor.
While something like security awareness training seems like such a small piece to the very big puzzle of diversity in the workplace, it matters. Training is for employees and therefore should be relatable and representative of those employees.
Diversifying the Way We Teach
Typically security awareness training can be categorized as dry, long, and boring. Still, today organizations use infrequent, hours-long training of being talked at (usually with the dreaded PowerPoint). We thought it’s time to change the way security awareness is taught.
When creating Curricula this was all at the top of our minds. We use interactive phishing simulations and story-based learning through animation to help people of all skill sets become more cyber aware. Allowing them to learn in a fun and engaging way was just icing on the cake. With the help of a passionate team and insightful customer feedback, we continue to improve and stay true to this.
Organizations who’ve switched to the Curricula platform have talked about how transformative it was for their employee’s cyber IQ and security culture. Once their security culture began to develop, it helped everyone learn, connect and communicate better to protect against one common goal, cyber threats.
What Can You Do Going Forward?
Diversity should be integrated across all aspects of the workplace, including something as seemingly small as a training program. Management should not undervalue this because it will create a healthier work environment, help bring your employees together as a community and find a common goal between everyone.
Going forward if there’s one thing to remember when it comes to DEI it’s this: C-A-R-E. Care about your employees. Care about increasing the number of different races and genders within your company. Care that people are treated the same regardless of race, ethnicity, gender identity, or sexual orientation. Care about those who struggle with training. Care without compliance telling you to.
What can we do to encourage this positive change? Some action items that we do that can help get your organization started are regularly examining your current diversity procedures, evaluating your employee hiring process, using vendors who support diversity, and asking for employee feedback. Curricula is in no way perfect at this, but we are constantly trying and re-accessing our DEI efforts to ensure we are going the extra mile for both our animated cast and our real-life Curriculoos.