sb-au logo
Story image

Interview: Microsoft's Diana Kelley talks talent gaps and D&I

27 Nov 2019

Diana Kelley is Microsoft's cybersecurity field CTO with a mission. She guides enterprise security executives to make better security decisions. She recently spoke at Microsoft Asia’s new Experience Center, where she talked through her experience as a security CTO, as well as IoT security, what’s ahead in 2020, and diversity and inclusion both in the cybersecurity sector, and in technology.

I spoke to her about the cybersecurity skills gap, and how Microsoft incorporates diversity and inclusion into its core business.

Kelley’s presentation on the cybersecurity talent gap underscored the message that reskilling will always be an important part of managing the workforce. As old jobs are lost, new ones will be created.

“Technical skills like cyber & IT are going to grow in importance. No matter what job you do, 80% of the population in 10 years will need some kind of technical skill set,” she says.

She notes that many of today’s school and university students will graduate into roles that don’t exist yet – which in some ways contradicts the ways of entrenched, traditional education.

What can educational institutions teach in terms of technology, particularly since the roles they’re training for may not even exist yet?

“I think the basics are powerful and important. If you look at society, and especially science, we tend to stand on the shoulders of giants. We’ve learned from the past and we continue to build on that,” says Kelley.

“When I first started getting interested in technology, I taught myself how to programme with BASIC and nobody uses that anymore. But the fundamentals of how to use programming language are similar and they translate. I had to learn a new language, but I had also learned the fundamentals of coding.”

So even though future jobs may not exist, some skills can be reapplied to new roles. Kelley started with skills in networks, before she became a security specialist – proof that skills can be transferred to entirely different areas.

“In engineering and computer science, for example, understanding how networks work is one of the most important steps for understanding how to be a cybersecurity expert. Because if you know how the network works, you know where the potential holes are and where the bad guys might get in.”

Kelley says that the evolution of the data scientist role proves how older skills translate to new roles. They may not have been too many data scientist roles 10 years ago, but people have understood data and how to use it for much longer than that. Now, data science is a role unto itself.

She adds that technical people who understand business are in the ‘sweet spot’ because they can work in both worlds.

“I think that it's not so much ‘don't go to school because everything you learn may become out of date’, it’s more about trying to get an education where you do get the basics that help you build onto whatever the next generation of job will be.”

Education is far from limited to formal training institutions, and on-the-job training is a necessary way to bridge the skills gap.

But training comes with its own challenges, like how mentors and trainees find the time, particularly when they have their own roles and responsibilities. They’re also working longer hours, facing burnout and bigger workloads. So how do organisations fit in the time to provide training?

“We are understaffed, especially in cybersecurity. This is where employers can make a difference,” says Kelley.

“By understanding and recognising that it's important to keep your employees fresh and skilled up, you’re able to acknowledge continued learning and education. There can be space within those roles for training and mentorship or support programmes, regardless of whether an employee is mentor or mentee. That space can help with skilling up and keeping knowledge fresh.”

Organisations will continue to be challenged by the skills gap in cybersecurity and the wider tech industry. How does Kelley see the skilling, upskilling, and reskilling process going in years to come?

“It will grow as jobs are changing, and as people want to find a new career. There are a vast range of ways to help people do that – on the job as an apprentice, or through a certificate programme. I have friends who have gone back to school and achieved PhDs in cybersecurity - they're already practising but they want to take their research to the next level.”

Microsoft promotes education as a strong part of its employee programmes. Kelley says the company has educational goals, and jobs are designed with education as a core role.

“There's a really strong culture of respect and diversity and inclusion. We listen to other people’s opinions and engage in conversations, and we’re good at collaborating in a variety of different ways.”

"We collaborate in person, we collaborate online, we collaborate internationally; and we leverage our own tools very strongly. Teams is a great collaboration platform, and it helps us stay connected with each other. It’s important in a very large organisation like Microsoft, where there's so many of us who are able to have that that collaborative aspect and these spaces to collaborate in.”

With a strong focus on collaboration, Microsoft also takes diversity seriously. One of the reasons for the talent gap is that some people are simply missing out, because organisations aren't hiring widely enough. Diversity isn’t just limited to gender diversity, but also background, geography, language, and cognitive diversity all feed into the wider picture.

Kelley says it’s important to understand how people perceive things differently in business. While Microsoft runs diversity and inclusion programmes, not all organisations go that far. Kelley believes there are several factors that could influence whether organisations will implement such programmes.

For example, some organisations may be small enough that such a programme isn’t necessary, perhaps they haven’t been educated about diversity, or perhaps they don’t have the time or resources.

“There's a perception difference as to whether or not opportunities are equal, and so it really helps organisations understand diversity. I believe it’s good for organisations to think about these programmes and even start up one of their own,” says Kelley.

Microsoft runs several diversity and inclusion initiatives. Outlined in the Microsoft 2019 Diversity and Inclusion report, one initiative is called Mancode. These workshops are hosted in Microsoft locations and schools in under-represented areas, where young racial and ethnic minority boys experience hands-on learning and career-readiness discussions in areas such as coding and cybersecurity. Microsoft says almost 15,000 boys have participated in Mancode since May 2017.

Kelley also explains Microsoft’s programme called Diversity in Technology, which is an online community and mentorship programme. Community groups are a great way of inclusion and retention, she says.

“We also do a lot of outreach.  We speak at lot of events around diversity and inclusion, and we speak the importance of it. And then we as a company try to be as diverse and supportive in terms of hiring.”

“Most important of all, we think very much about if we being as open and diverse as possible within our own hiring practices,” concludes Kelley.

Story image
Infrastructure-as-code, and how it can secure the cloud
Bridgecrew recognised IaC early on as one of the best ways for modern teams to delegate security ownership to individual contributors while distributing it across existing frameworks within CI/CD pipelines. This attribute meant that IaC was invaluable in securing cloud-native environments.More
Story image
Cloud services top threat vector for healthcare industry
"The coronavirus pandemic continues to highlight the unique cybersecurity needs of the healthcare industry, even as it has increased the number of threats these organisations face."More
Story image
Bank Australia rolls out voice biometrics designed by Nuance
After a successful test rollout at the end of 2020, the bank is now offering voice-based biometric protection to all customers. More
Story image
Cybersecurity budgets still not keeping up with threats — report
Executive teams are failing to recognise the level of damage cyber-threats pose to organisations, according to Sophos — many of them taking a ‘conservative approach’ to cybersecurity expenditure.More
Story image
Ransomware and Microsoft Exchange attacks surging 
There are global surges in ransomware attacks alongside increases in cyber attacks targeting Microsoft Exchange Server vulnerabilities, according to Check Point Research.More
Story image
Addressing the challenges of least privilege access
Enforcing the right privilege policies across the environment with the right visibility and observability will ensure that the policy mandates hold tight against any behaviour changes.More