SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Our biggest security risk isn’t our software - it’s our thinking

Tue, 14th Oct 2025

For too long, the cybersecurity industry has focused on defending the castle by building higher walls, when the real threat is a lack of diverse thinking inside them. We've strengthened our known defences while ignoring a critical weak spot: the similarity of our defenders.

In the world of cybersecurity, we face creative and unconventional threats every day. But our greatest vulnerability isn't a flaw in our software; it's a flaw in our collective thinking.

An echo chamber of ideas

The challenge comes from an industry-wide habit. In the search for expertise, we tend to hire people who look and think like those already in the field, and who share their backgrounds. This creates an echo chamber where the same ideas and assumptions are reinforced, leaving the same blind spots.

Adversaries don't follow our rules. They look for the unexpected, the illogical – the weak spot that a uniform team would never see.

This is reflected in the industry's demographics. The (ISC)² Cybersecurity Workforce Study shows that women make up only 24% of the global cybersecurity workforce. This isn't just an equity issue, it's a strategic one. Facing a major shortage of cybersecurity talent, we simply can't afford to ignore most of the population.

Why different thinking is our best defence

The solution is to build teams with 'cognitive diversity' – in other words, different approaches to problem-solving that come from different life experiences and perspectives. It's not just about who people are, but how they think.

An artist sees patterns others miss. A historian understands how tactics evolve over time. A psychologist can deconstruct the motives behind a clever social engineering attack. When you bring these varied mindsets together, you create a security function that's more innovative and resilient.

Putting our ideas into action

At Xero, we feel a deep responsibility to champion diversity in cybersecurity. That's why this Global Cybersecurity Awareness Month, we've partnered with Secure Code Warrior and SheSharp to do something about it.

Earlier this month, we hosted 'Code Secure. Lead the Future', a hands-on cybersecurity event for women developers and engineers, focusing on application security and secure coding practices in an engaging and supportive environment.

By creating real pathways for women to develop critical security skills, we hope to not only broaden the talent pool but also strengthen the entire industry.

As I said to the attendees, cybersecurity is an industry that can take you around the world – but what's key is to have a growth mindset and never stop learning. There's a quote I love, from Danish philosopher Søren Kierkegaard – "Life is understood backwards, but lived forwards". When applied to your career, I believe to level up, you first need to look back at what you've learned.

The future is in broader minds

The future of cybersecurity won't be won with higher walls, but with broader minds. The strength of our digital defences is directly linked to the diversity of the people who build and maintain them.

So here's a challenge to fellow leaders: look at your teams. Are they all looking in the same direction? If they are, your most critical vulnerability isn't in your code – it's in your culture.
