Like many sectors, the cybersecurity industry is still not an inclusive workplace and is not meeting the needs of LGBTQ+ talent. According to a KPMG survey on diversity and inclusion in the cybersecurity sector, 88% of LGBTQ+ cyber workers do not feel comfortable in their environment and have reported inappropriate behaviour.
Here, DiversityQ speaks with Cloudflare’s Jen Taylor, who is an advocate for LGBTQ+ inclusion in the cybersecurity industry, and explains why firms should make diversity, equity and inclusion (DE&I), a top priority, and where to start.
You have over two decades of experience in the cyber security sector; how would you describe it?
As a gay woman, I feel lucky to be able to develop in this environment. There is so much thinking to do, but I am an optimist, and I think the cybersecurity and security best practice culture is not to keep secrets. Because secrets create risk.
In a way, the fact that security companies are focused on protecting customers really encourages them to build cultures where people can be open, honest and truthful. So that there is no risk, no liability, no cover-up.
I also think that, in general, cybersecurity is a community that draws on many different schools of thought. The attackers are probably some of the most innovative people within the technology community. So, in the cybersecurity industry, we really need diverse and curious people to bring different perspectives on how to stay ahead of them.
What advice can you give to LGBTQ+ talent looking to join the cybersecurity sector?
I want to give them the advice I wish I’d had at the beginning of my career, which is to be yourself. Early on, I spent a lot of time hiding who I was. I spent a lot of time separating who I was as a person and individual, from my professional identity. And, frankly, it was exhausting, because of how much inventory management I had to do, like what pronoun I was using. But it wasn’t just the exhaustion for me; all that filtering, I think, impacted my ability to be in the flow of the conversation and openly collaborate with other people. The advice I finally got from one of my mentors was to be all yourself, to bring your whole self to your work and to your organisation. What you are is powerful. That’s enough. And I also think that if an organisation doesn’t want to accept and celebrate who you are, it’s not an organisation that wants you to be part of it.
At the beginning of my career, in the late 1990s, I was working in banking and there was a kind of invisible community that existed; we all knew who each other were, but we didn’t know it. We supported each other, and we looked after each other, but in a very indirect way. It was a kind of mutual trust, but it wasn’t something you did. I always remember that moment as a critique of how I started to think about the importance of community.
And then, when I started at Cloudflare, I was in one-on-one meetings with different members of the organisation, and one of the engineers and I were finishing our one-on-one. He turned to me and said that ‘in fact, I am a gay man at Cloudflare. And I think it would have a real impact here at Cloudflare if we had a community that allowed us to have a greater sense of identity. Is that something you would be willing to help with?’ I was blown away because it was such a direct but sincere opening. And at that point, I realised how important it was for me, as a leader of the organisation, to be involved in creating this foundation.
Since I started it in 2017, with the help of a few other people, it has really flourished. It’s now an organisation with groups that meet around the world and our different offices in different places. We try to find ways to celebrate Pride. Every year during Pride Month, we stand up at the company’s general meeting and share with people a little bit of the history of Pride and the importance of community. And we really work to support our community and each other. I’m proud of a lot of things we’ve done at Cloudflare. The company’s and team’s growth especially, but one of my proudest moments at Cloudflare is Proudflare.
As an LGBTQ+ leader and advocate, what is needed to build a truly inclusive workplace?
In many organisations, they feel comfortable doing what they did yesterday, and they think that’s somehow sufficient. Sometimes companies don’t necessarily keep up with the times or the expectations of their employees. Sometimes it’s a lack of awareness on the part of organisations of how they show up with their employees, how the language they use sets frustrations, how important it is to create an inclusive environment, to move to gender-neutral language and to help employees express themselves.
I feel like it’s important for all of us in the community, especially those in leadership positions, to focus on advocacy, raise awareness of these issues and challenge the status quo to help create cultures and expectations where people feel fully welcomed and supported.
If it is a lack of understanding on the part of companies, what is the first thing they need to focus on if they want to change?
I think there may be two sides to the same coin. The first step is for organisations to demonstrate and be open about the fact that there may be an issue and that they want to create a safe space for people to share their voices and to share their thoughts. It’s hard to do that kind of thing out of the gate. It requires building trust with the employees to feel comfortable that they can come forward without penalising themselves. I have found that the sort of trend within organisations of creating an employee resource group and enabling communities of like-minded individuals and their advocates to create those safe spaces, for there to be a sense of community, is often a critical first step.
And one of the hardest things I found in my career, especially early in my career, was as a queer woman, feeling like I might be the only one like this in the organisation. And it’s not safe for me. And I think it was when I started finding a community and finding other individuals and being able to have a sense of community in conversation, that I started to feel a greater sense of safety. Feeling part of a community gave us a bit more weight in the organisation.
On a more technical level, can you explain clearly the specific cybersecurity threats faced by businesses?
They may be a non-profit, an organisation for queer youth, an after-school programme for kids, or any business that has an online presence via a website. Fundamentally, they all face threats and malicious actors that could launch attacks impacting their services.
For example, there are DDoS attacks, which are large volumes of traffic that they will use to flood the resources of an application and take the website offline. Firms don’t necessarily need to know what a DDoS attack is or what a web application firewall is; what they need to know is that they need to protect themselves.
The heart and soul of cybersecurity are providing tools and capabilities, whether it’s sites, applications, or networks, to keep them online, secure them, detect, and block those attacks, and keep those resources and voices online.
Services like Cloudflare are services that you can very easily put up that enable you to seamlessly protect your site or your application from these types of attacks to ensure that you can continue to offer these resources to your community.
Do you think that companies are aware of their responsibilities regarding users’ cybersecurity?
It’s important that organisations protect their users by providing their website and application through encrypted standards so that no one can snoop and see which individuals are coming to which website. This will establish a private connection between the user and the website, that’s the first task, and they can do that with Cloudflare.
Organisations need to be thoughtful and clear if they ask users to share their information. They need to be clear about why the information needs to be shared with the organisation, and the data needs to be stored securely in an encrypted way. And they should not ask for more information than they legitimately need. They must act and work with local regulations and comply with them.
In Europe, for example, we have a privacy regulation called GDPR, which allows an individual to ask an organisation to delete their information at any time, and the organisation must have methods and technologies in place to do this. Finally, I think organisations simply need to be clear and straightforward about their intentions and objectives to gain the end-user’s trust.
Do all companies have the financial and human resources to deal with such complex issues?
Cybersecurity can be confusing! Many of the organisations that most need these resources may not have the staff to be able to implement or manage them. They may not have access to the money to be able to buy them. One of the things that we’ve done at Cloudflare is create something we call Project Galileo, which is a project by which we provide our security solutions for free. As a leader within the organisation, I think it’s just another great example of the commitment that we have to diversity and inclusion, not just to our organisation, but to creating a more diverse and inclusive community around the globe and enabling these resources to stay online to foster dialogue.