Inside Deloitte’s push for cybersecurity diversity

Get insights into the firm’s campaign to correct tech’s ‘gender deficit,’ as well as crucial guidance on how communicators can help mitigate data-breach damage.

The insular world of cybersecurity has a reputation as a bit of a boys’ club.

That’s not the case at Deloitte, which is pushing to attract more diverse candidates to this vital line of work. It’s about more than diversity, fairness and representation, however. The world simply needs more women in cybersecurity. A cyber industry study found that the global digital security workforce will need to grow more than 145% to meet current demand. In other words: If we can’t attract enough qualified pros to this daunting but exciting arena, global security will be in dire straits.

To drive more gender equity in this emerging field, Deloitte Cyber has launched a global awareness and recruiting campaign to attract more women with diverse skill sets and backgrounds into the cyber profession. It also highlights those who are already working behind the scenes to thwart hackers and prevent damaging data theft.

Emily Mossburg, Deloitte’s global cybersecurity leader, is one of those behind-the-scenes heroes who’s orchestrating the great digital chess match of our era. It’s an in-demand industry with limitless opportunities, and she wants to make sure more women get into the game. That starts with communicating a clear vision of what cybersecurity is and is not. She says:

“We have to expand the vernacular used today around careers so that when asked, ‘What do you want to be when you grow up?’ the answers include roles like ethical hacker, data privacy professional and cyber strategist. We have to break down the common misconceptions about the type of work that exists for cyber professionals and the type of experience you have to have to do that work.”

Mossburg believes cybersecurity is about much more than just preventing data breaches. It’s about preserving trust.

“Cyber is connected; it is ultimately about people understanding and trusting those connections and empowering our society to innovate and move forward safely,” she says. “That seems to describe a career many people would want to have.”


Mossburg recently shared insights into Deloitte’s recruiting campaign, which features 14 professionals who hold different cybersecurity roles across the globe. From creative development to production to promotion, the campaign was produced by women.

We asked Mossburg to share a bit more about this campaign and how communicators can be better partners with those who are on the frontlines of the nonstop cybersecurity battle. Here’s what she had to say:

Ragan: How was this campaign promoted internally at Deloitte?

Mossburg: We heavily promoted this campaign with our global network of marketers and communications through calls, newsletters and a toolkit hosted on our internal brand site. The toolkit contained the background to the campaign, strategic positioning, advice on using any materials, and a comprehensive list of print, digital, video and social media assets. Our internal channels reached more than 31,000 of our marketing and communications colleagues. We also used internal channels such as Yammer to engage in conversations about the campaign.

We connected with DE&I leaders, talent teams, and Women in Cyber councils across our member firms, which leveraged their connections internally and externally to shed light on the campaign and promote it at all levels and within all practices at Deloitte and to senior leaders around the world. Our senior leaders have been very interested in promoting the campaign, including our Global CEO, who has mentioned it during his internal calls.

This is a continuous, multi-year campaign. The first phase is scheduled to wrap up around International Women’s Day in March 2022. We will release a new layout every few weeks during this current phase, highlighting a different video and story—and continuing to engage with our Deloitte professionals.

Ragan: What are your chief objectives for this campaign—both internally and externally?  

Mossburg: We created this global awareness campaign to highlight Deloitte’s women in cyber and all the powerful work they do to keep us safe while bringing greater attention to the need for more women in this industry.

While there are many opportunities for young women in this profession, there is a disconnect between people understanding what cyber professionals do and the skills needed to work in this industry. This campaign intends to spotlight and share insight into the women currently leading cyber in hopes that other professional women and younger generations will better understand what a cyber expert looks like and are inspired to explore the many facets of this crucial and exciting industry.

Deloitte is a people business, and this campaign speaks to that. Internally, the campaign will empower women within the organization to share their experiences in cyber and how they got to where they are today. The campaign highlights women with diverse backgrounds, including anthropology, chemistry and psychology. Celebrating the current diversity in cyber and the progress achieved brings to light what can be accomplished.

For example, Beth Dewitt, a partner at Deloitte Canada, did not start in cybersecurity. Beth has degrees in international development studies and anthropology and spent the early part of her career advocating for women refugees and better health policy. It was her work in policy that led her to where she is today.

Externally, the campaign dispels myths about cyber careers and highlights the opportunities available to women. It can inspire and encourage others to think, “Maybe I can have a career in the field and be an ethical hacker or cyber leader.” It’s about promoting diversity of thought and how it can change and enhance cyber as a whole.

For example, I turn client challenges into client opportunities and empower them to come out stronger in the end. What we do in cyber has a huge impact on our families, societies and enterprises, and really how the globe interacts. Our cyber team is focused on making the world a more secure place and instilling safety and trust. And my colleague, Sasha Cheah, an ethical hacker for Deloitte Singapore’s Detect & Respond Cyber team, found her way into cybersecurity while studying Information Technology in college. She was attracted to the field because of how broad it was and the opportunities to work with different industries and people. She loves working in cybersecurity because she can make a positive impact on society.

Ragan: What role can communicators/corporate messaging play in correcting the “gender deficit” in the world of cybersecurity?

Mossburg: Communicators are invaluable in correcting the gender deficit in cyber. It begins with being more deliberate and aware of unconscious biases around how to represent cyber.

Communicators should help evolve the narrative around cybersecurity and not allow entertainment to paint the picture of what cyber professionals do and who they are or what they represent. Common portrayals are women on the fringe of society. That is so far from the truth. Cyber should be seen as an enabler to a company’s success. When proactively integrated across the organization, cyber can help ensure understanding, connection and trust with employees and customers.

There are simple things communicators can do to help:

  • Expand their pool of cyber spokespeople.
  • Seek diversity of talent and thought to contribute to messaging.
  • Pay attention to the photos and graphics used to represent cyber in eminence pieces.
  • Work with talent teams to craft job descriptions that relate and attract more women.

Ragan: What are some cybersecurity basics every communicator should be familiar with—and thus be able to explain clearly?

Mossburg: Every communicator should know that humans remain the weakest link in the cybersecurity chain. Deliberate or inadvertent risky behavior by employees, third-party partners, and other stakeholders opens opportunities for system compromises. Therefore, a major part of reducing cyber risk is to look broadly at human behavior and apply the findings to new models for solving cybersecurity issues.

Ragan: What are some hallmarks of good responses to cyberattacks?

Mossburg: Many organizations respond well to cyberattacks.

The size and frequency of cyber threats have been intensifying rapidly, especially during the pandemic. Some industries have done an excellent job of detecting, responding to, and recovering from cyberattacks, mainly the financial services and life sciences/health care industries, which are among the most heavily targeted. Those that do it best are the ones who are diligent about understanding their cyber risk posture, know what they need to protect most, and proactively invest in the team and processes to ensure the protection of those assets.

Cyber should be an enabler to an organization’s business priorities. When done well, organizations embed cybersecurity into their application and innovation development, and physical and digital transformation efforts. As we connect more of our lives, work and society digitally, cyber risk only increases.

Not only are companies recovering from attacks, but they are creating a state of perpetual preparedness to respond, recover and repeat as threats become more frequent and continue to evolve. Strong cyber hygiene practices should be prioritized by organizations, regardless of industry, to reduce the threat of ransomware attacks, including workforce training on sound cyber practices. Chief Information Security Officers (CISOs), the executives primarily responsible for cyber, can no longer be simply compliance monitors and security enforcers. Today’s CISOs should be connected to and collaborate more effectively with the business to manage cyber risks, and work toward that culture of shared cyber risk ownership across the organization. The organizations that do this well are likely best prepared to protect their organizations, customers and employees from cyberattacks.

Ragan: What steps do you recommend companies take when they suffer a hack? What are some mistakes they should avoid in terms of responding to a cyberattack?

Mossburg: Every cyberattack is unique. Thus, each response plan must be different.

When an organization is hacked, it is essential to approach the attack through various lenses—underscoring the need for cyber teams to comprise individuals with diverse skillsets and backgrounds.

The first step is to quickly understand the nature of the attack to help answer and address the questions of what, where, how and how much. The type of attack will determine how teams respond. Communication is vital when handling a cyberattack to determine where the system’s fault occurred and understand how and why the situation took place. It is crucial to minimize the costs associated with data loss in terms of the cost of time, resources and diminished customer confidence. Once the attack’s origin is understood, teams need to educate those involved to explain how to prevent them in the future and introduce a heightened level of management and controls that can strengthen their IT and business processes.

Common perceptions about the impact of a cyberattack are typically shaped by what companies are required to report publicly—primarily theft of personally identifiable information (PII), payment data, and personal health information (PHI). Potential impacts that are less understood and rarely revealed to the public eye—many of which are intangible costs that are difficult to quantify—are damage to trade name, loss of intellectual property, or costs associated with operational disruption. Consider the cost of paying ransoms after cyber adversaries have locked networks. In many cases, like with recent major incidents, the operational disruption experienced by the victimized organizations can be devastating. It can take months to recover, as it often results in the need for organizations to rebuild systems, networks and more.

Executives should invest in risk-focused programs to gain greater confidence in their organization’s ability to thrive in the face of a cyber incident. It involves the ability to respond effectively and repeatedly, to plan proactively, to defend your critical systems and data assets vigorously, to get ahead of evolving threats, and to recover thoroughly when attacks do occur.

Common mistakes include:

  • Limited coordination between operational technology (OT) and IT, leading to siloed views of cyber threats and segregated incident response and resiliency plans
  • Lack of segmentation of OT and IT networks to confine an attack from expanding into critical networks and control systems
  • Limited awareness of attack surface vulnerabilities and paths to critical systems and assets
  • Lack of ransomware incident response plans to bring critical systems back online and enable business continuity
