SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Interview: Microsoft's Diana Kelley talks talent gaps and D&I
Wed, 27th Nov 2019
FYI, this story is more than a year old

Diana Kelley is Microsoft's cybersecurity field CTO with a mission. She guides enterprise security executives to make better security decisions. She recently spoke at Microsoft Asia's new Experience Center, where she talked through her experience as a security CTO, as well as IoT security, what's ahead in 2020, and diversity and inclusion both in the cybersecurity sector, and in technology.

I spoke to her about the cybersecurity skills gap, and how Microsoft incorporates diversity and inclusion into its core business.

Kelley's presentation on the cybersecurity talent gap underscored the message that reskilling will always be an important part of managing the workforce. As old jobs are lost, new ones will be created.

“Technical skills like cyber - IT are going to grow in importance. No matter what job you do, 80% of the population in 10 years will need some kind of technical skill set,” she says.

She notes that many of today's school and university students will graduate into roles that don't exist yet – which in some ways contradicts the ways of entrenched, traditional education.

What can educational institutions teach in terms of technology, particularly since the roles they're training for may not even exist yet?

“I think the basics are powerful and important. If you look at society, and especially science, we tend to stand on the shoulders of giants. We've learned from the past and we continue to build on that,” says Kelley.

“When I first started getting interested in technology, I taught myself how to programme with BASIC and nobody uses that anymore. But the fundamentals of how to use programming language are similar and they translate. I had to learn a new language, but I had also learned the fundamentals of coding.

So even though future jobs may not exist, some skills can be reapplied to new roles. Kelley started with skills in networks, before she became a security specialist – proof that skills can be transferred to entirely different areas.

“In engineering and computer science, for example, understanding how networks work is one of the most important steps for understanding how to be a cybersecurity expert. Because if you know how the network works, you know where the potential holes are and where the bad guys might get in.

Kelley says that the evolution of the data scientist role proves how older skills translate to new roles. They may not have been too many data scientist roles 10 years ago, but people have understood data and how to use it for much longer than that. Now, data science is a role unto itself.

She adds that technical people who understand business are in the ‘sweet spot' because they can work in both worlds.

“I think that it's not so much ‘don't go to school because everything you learn may become out of date', it's more about trying to get an education where you do get the basics that help you build onto whatever the next generation of job will be.

Education is far from limited to formal training institutions, and on-the-job training is a necessary way to bridge the skills gap.

But training comes with its own challenges, like how mentors and trainees find the time, particularly when they have their own roles and responsibilities. They're also working longer hours, facing burnout and bigger workloads. So how do organisations fit in the time to provide training?

“We are understaffed, especially in cybersecurity. This is where employers can make a difference,” says Kelley.

“By understanding and recognising that it's important to keep your employees fresh and skilled up, you're able to acknowledge continued learning and education. There can be space within those roles for training and mentorship or support programmes, regardless of whether an employee is mentor or mentee. That space can help with skilling up and keeping knowledge fresh.

Organisations will continue to be challenged by the skills gap in cybersecurity and the wider tech industry. How does Kelley see the skilling, upskilling, and reskilling process going in years to come?

“It will grow as jobs are changing, and as people want to find a new career. There are a vast range of ways to help people do that – on the job as an apprentice, or through a certificate programme. I have friends who have gone back to school and achieved PhDs in cybersecurity - they're already practising but they want to take their research to the next level.

Microsoft promotes education as a strong part of its employee programmes. Kelley says the company has educational goals, and jobs are designed with education as a core role.

“There's a really strong culture of respect and diversity and inclusion. We listen to other people's opinions and engage in conversations, and we're good at collaborating in a variety of different ways.

"We collaborate in person, we collaborate online, we collaborate internationally; and we leverage our own tools very strongly. Teams is a great collaboration platform, and it helps us stay connected with each other. It's important in a very large organisation like Microsoft, where there's so many of us who are able to have that that collaborative aspect and these spaces to collaborate in.

With a strong focus on collaboration, Microsoft also takes diversity seriously. One of the reasons for the talent gap is that some people are simply missing out, because organisations aren't hiring widely enough. Diversity isn't just limited to gender diversity, but also background, geography, language, and cognitive diversity all feed into the wider picture.

Kelley says it's important to understand how people perceive things differently in business. While Microsoft runs diversity and inclusion programmes, not all organisations go that far. Kelley believes there are several factors that could influence whether organisations will implement such programmes.

For example, some organisations may be small enough that such a programme isn't necessary, perhaps they haven't been educated about diversity, or perhaps they don't have the time or resources.

“There's a perception difference as to whether or not opportunities are equal, and so it really helps organisations understand diversity. I believe it's good for organisations to think about these programmes and even start up one of their own,” says Kelley.

Microsoft runs several diversity and inclusion initiatives. Outlined in the Microsoft 2019 Diversity and Inclusion report, one initiative is called Mancode. These workshops are hosted in Microsoft locations and schools in under-represented areas, where young racial and ethnic minority boys experience hands-on learning and career-readiness discussions in areas such as coding and cybersecurity. Microsoft says almost 15,000 boys have participated in Mancode since May 2017.

Kelley also explains Microsoft's programme called Diversity in Technology, which is an online community and mentorship programme. Community groups are a great way of inclusion and retention, she says.

“We also do a lot of outreach.  We speak at lot of events around diversity and inclusion, and we speak the importance of it. And then we as a company try to be as diverse and supportive in terms of hiring.

“Most important of all, we think very much about if we being as open and diverse as possible within our own hiring practices,” concludes Kelley.