Camille: [00:00:00] Hey, welcome to What that Means. Today we’re going to branch out just a little bit and talk about diversity and inclusion in cyber security, to find out what that means. So today we have with us Isaura Gaeta. She is Vice President of Security Research at Intel. Um, what this means is she leads a team of offensive security researchers. You might imagine another word for that–could be considered “hacker.” She’s focused on all product hardware, security research–work including penetration testing, red teamwork, physical attack mechanisms, and as well as academic funding insecurity.
Before that she was VP and GM of systems engineering, where she was responsible for optimizing overall workflow to improve platform engineering, efficiency, and effectiveness. She’s actually been at Intel quite a while, more than 25 years. And notably, I think she has won the company’s highest honor–The Intel Achievement Award–five times. This is very, very, very uncommon. Um, she’s also the first from her family to graduate from college. She earned her bachelor and graduate degrees from Stanford University in Electrical Engineering.
And today she speaks frequently internationally on diversity and inclusion in the tech workplace. And she also serves on the board of directors at the Hispanic Foundation of Silicon Valley. She’s also previously served on the boards of Women in Engineering, Proactive Network and Stanford University’s El Centro Chicano Latino Cultural Center.
Isaura, it is really a pleasure to have you, uh, in this conversation today. You’re such a leader in Diversity and Inclusion, and I really mean it in the ways that I’ve worked with you. You’re such an inclusive person. It’s, it’s really interesting to see how you operate. Um, and also you’re just such a bad-ass when it comes to hardcore engineering. Um, so welcome to the show.
Isaura: [00:02:06] Thank you so much for inviting me. I’m really looking forward to our conversation today.
Camille: [00:02:12] Um, the first thing I want to do is just ask you, can you define Diversity and Inclusion in under three minutes?
Isaura: [00:02:19] Sure. So diversity are the attributes that we all bring. It could be for myself, I’m a cisgender female. I am Latina. My background is technical. I was born in the United States, although I speak Spanish. I’m five feet tall. These are all unique attributes about me. And each of us in the workplace bring in our unique attributes–so the mix that we bring into the workplace.
Inclusion is about how do you get this mix to work together? How do you take all these wonderful attributes and make sure that people can bring those attributes and add unique perspectives and make it all work together? And that’s what diversity and inclusion my definition means.
Camille: [00:03:13] Okay. Well that was very brief. And thank you. I think we can dive a little deeper now.
I guess the first thing is maybe it’s always asked, but why does it matter? I mean, really, we’re trying to focus on very specific goals when it comes to cyber security. Um, why do we really care about the diversity of the people that we’re working with? Um, and then ultimately, why do we care if they’re included?
Isaura: [00:03:47] Yeah, so at the highest level, when we look at the world’s population, as I mentioned, we all have different attributes. And so when we’re looking at any problem in science or technology, you want to make sure that you bring all of those perspectives so that unique challenges can be solved in different ways. We don’t know sometimes all of the solutions. You won’t find in a textbook. But by bringing people in that see the problem in little bit different ways, you may come up with something you hadn’t thought of yourself or something that like-minded individuals may not come up with by themselves. But as you bring in these different perspectives, someone might say, what about this? Or what about that? And suddenly, a breakthrough and new innovation can really come.
So it has been shown that diverse teams lead to better innovation because of this. So, if you’re a technology company, if you’re doing anything in technology, you definitely want to make sure that you have a very diverse workforce because it will lead to better innovation. Then of course, better innovation leads to better products, better sales. It’s this nice virtuous cycle that you will get as you, um, include diversity.
Camille: [00:05:10] Is is part of diversity when you’re dealing with cyber security or technology, including people who essentially are Luddites or not familiar with technology?
Isaura: [00:05:22] In some ways, yes. Because, you need to be able to talk about things in a way that people can understand. Then sometimes having someone say, “well, you’re using terms that I’m not familiar with. What does it really mean? What does it mean to me? Why should I update my computer? Why should I take this patch?” And explaining, you know, the bad things that can happen to your system, if you don’t do these patches is helpful. So having someone that may not be an expert in that field to ask questions, to make sure the understanding is clear is also helpful.
So, you know, in the space of cyber security, it’s a, it’s a very different field than where I grew up in. I grew up as a traditional engineer. And as an engineer, I was trained to solve problems, but also to build things. So I’m trying to ask for what are your requirements?, list them and then I can build something to solve that problem. In cyber security, we really need professionals that know how to break things. It’s actually a different way, cognitively, to approach the problem. So what are the weaknesses in this product that I just designed? What did I forget to think about? What did I forget to secure? What is it that is the weakness in this particular design?
Someone that can approach a problem in that regard is highly valuable, because as an engineer, I don’t see that perspective. I built it to the specifications and I’m done. And that different perspective–without that–I just don’t know what I don’t know.
Camille: [00:07:16] And you lead a team of these kinds of people. So our people with these, um, we’ll call them attributes in this case, how is working with them or managing them different than managing traditional engineers?
Isaura: [00:07:31] Yes. So I have to remember that my approach is not the same approach that’s going to solve a lot of these problems. And so I do have to provide an environment where there’s a lot of flexibility. Where I can maybe just state, generally, what we’re looking for. We’re trying to secure the products we make before they go out into the field before they get into the hands of the customers. And so giving that general problem statement, then letting my team go off and try to look at, you know, some of our technologies and the intellectual property that we’re developing.
Probably the most common theme amongst my team members is a sense of curiosity. Very strong sense of curiosity. How does this work? How can I break it? What did someone forget to think about and approaching it from that perspective, we do have to look at what are some of the highest priorities we have, you know, products that we have in very high volume–will have in high volume should be prioritized versus something that maybe hasn’t. Uh, hit the field or won’t hit the field until five years. So I give them the general guidance, but then let them go.
And, um, for me, the learning as a manager has been to not add too many rules. Just give guardrails. You know, “if you stay within these guardrails, we’re all going to be okay. You start bumping against these guardrails and I’ll come and talk and looking a little bigger out how to, how to work there.”
But, a lot of the, um, the approach is sometimes testing those boundaries on the product, which also leads to testing the boundaries on rules. So a big corporation, like the one that, uh, I work in, Intel Corporation, there’s a lot of rules, right? We’re a big company. We have to have some, some rules, but if you come with a mindset of how do I break something, you may also test some of the common rules. Why do we have to do this?
I’ll give you one example. So being in a tech environment, we use computers a lot. And so we’ve created a tool that helps monitor how much time you spend on the computer so that you don’t get any injuries. Right? You don’t want to get carpal tunnel and such. And so this tool was rolled out and we asked people to download it on their computers so that it reminds them after a couple hours, take a little break from your computer, do some exercises. When we pushed out that tool, my team immediately said, “Oh, what’s this? What is it recording about me?” And so they were very questioning of this tool and asking me, “like, do I really need to download this? What happens if I don’t? Are you sure that it’s not recording the, exactly what I’m typing?”
So it’s sort of like a paranoid mindset, which is very useful. In trying to find security flaws. If you think about what could go wrong, that mindset is very useful. But as a manager, when I’m trying to roll out a tool that’s going to help my employees getting to those kinds of questions back it’s, it’s very interesting. And so you have to be very open-minded about, they’re not questioning me. They’re just set-up to ask questions. And so what is the right response and what is the right uh, environment and the guardrails come in really handy for me.
Camille: [00:11:14] So I heard the other day a term and I’ve, I’ve done some work in diversity and inclusion, and I had not heard this term before. So I was just wondering if you could explain it. It was called neurodiversity. What is that?
Isaura: [00:11:30] You know, we all have different, um, abilities and how we approach things. Some of it may be how we are raised to address things and some, maybe just part of our nature. So for example, there is what we call the Autism Spectrum, right? And we have individuals that are very high functioning across that spectrum. A couple of people on my team are probably on the spectrum. And they, um, gives them a unique ability to be very creative and solve problems, but then also I need to ensure that they’re in an environment where they can thrive.
If I put them in an environment for, you know, there’s a few people that’s too much activity happening, it can really exhaust them, you know, it can really be overwhelming. And so, uh, working from home is actually a great environment for individuals that don’t like that constant stimulus of being interrupted at work or having too much going on. Um, and so just being aware that people work differently and people, their approach to how they do their work, you have to understand and create that environment so that they can be successful.
How do you set up a team when you might have someone that is, you know, potentially, uh, on the autism spectrum, you know, how, how can they interact with others? How do you create those communication mechanisms where they feel comfortable in the rest of the team understands how to interact with them. So just being aware of that and trying things. Sometimes we try things and it doesn’t quite work and we’d try something else, but just being very open to the fact that people approach problems very differently.
The, the paranoia that I mentioned before, um, that ability to look at a problem, to look at something and what could go wrong is very helpful. But it could also, you know, make someone wonder, you know, if I ask how’s the project going and someone responds “why you’re asking me?” (both laugh) It’s like, you have to be, you know, where that– You know, maybe I’m over tuned up to pick up those kinds of signals from you and to say, Oh, I may check in and say, you know, “just a normal check in, just see how you’re doing. How’s the project going?” would, you know, take that edge off for someone who might be tuned to be a little bit more paranoid about those kinds of things.
So just being aware of, you know, people operate differently and in cyber security you might find a few more people that are neurodiverse than you might in the general population.
Coming from a diverse background helps to put you- it’s a little bit easier to be in the shoes of someone who may think differently. You may approach things differently. And so for me, I think that’s, what’s helped me with my group, having been “the other,” having been the Latina, technical female, kind of the one out of a hundred when I’m in a group. And now Iwhen see my group being treated as different or individuals within my group, it’s, it’s easier for me to sort of be in their shoes and say, “well, how do I create an environment where I take all the goodness that they’re bringing and help them thrive?”
Camille: Do you get tired of it? I mean, you know, kind of always being the one that’s gotta be different and gotta stick up and being interviewed because you have that background?
Isaura: No, no, I think, um, I really that’s one of my superpowers. So I love being at the intersection of people and technology. So technology is, you know, growing is important, but how do you make technology work for people? How do you have people work in technology? How do you bring people who traditionally were not in technology to the table? That combination is exciting to me.
And I think it’s not tiring because I’m passionate about it. Then, you know, when you’re passionate about something, you could do it, even if you weren’t even being paid for it. It’s like, this is something I care about.
Camille: [00:14:30] This is a lot of work. Um, I’m just gonna put it out. Uh, is there backlash among managers and executives and other parts of the community to taking the time to embrace different working styles and different approaches?
Isaura: [00:14:51] I think it takes a lot of explaining to other managers that we work with. So for example, In a big company like ours, we have reward systems where we may give people a recognition. A recognition may be tied to, you know, $25, $50 and say, “Good job. Thank you for delivering that project.”
In general, my team is motivated by very different things. Those kinds of recognition systems are not top of their desire to receive. What they are really motivated about is the ability to gain recognition for the findings, for what security issues they found. So being able to, when this finding gets published, to have their name attached to it. And so then their sense of “I found this. I’m a security researcher and here’s something that I feel proud of that I was attached to.”
Now in a big company, sometimes as we do press releases and announced these things we need, we may not normally have listed each employee’s name on something like that, but it’s so important for my team members. So going to fight for, you know, we want to include the name of the researchers who discovered these issues. And that means more to them than if we give them a recognition and include their name at a department activity, right?
Talking to my peers and help them understand why this means so much to my teammates. Yeah, it takes a little more energy, but. You know, that’s, my job, as the leader of my team to make sure that I’m advocating for, and I understand what motivates my team.
Camille: [00:16:48] So I want to shift just a little bit. I have this question. I don’t know if these two things sort of dovetailed, um, sort of the, uh, some of the trends of the day and some of the trends in cyber security around shifts in language and, uh, just old terms that have been embedded for a long time. Um, what I can think of specifically is some agreement among the tech community, and I hope you can go into a little more detail on this, on removing language or replacing language used to describe coding hierarchies, like “master,” “slave,” and also, um, “white” and “black”– as sort of like a “whitelist” or a “blacklist” and on and on. I’m wondering if you can talk just a little bit about that.
Isaura: [00:17:37] Yeah. So definitely there’s a lot more sensitivity now to the language that is used. A lot of those terms were probably 20, 30, even 40 years ago developed. And at that time, when you think about the engineering community, it was predominantly male; it was predominantly white. And so a lot of that terminology was common terminology that was used.
But as you expand and broaden the workforce, some of those terms feel different. So if I hear “master slave,” and I came from an environment, for example, where those terms are very traumatic or, you know, they may make me feel that, you know, it’s tied to my heritage, to my family, when I see them show up in engineering terminology, it’s hard for me to overlook it. It has that extra, uh, impact on me.
So that awareness, that terms, that when they originally created didn’t have that intent, but yes, they don’t need to be listed that way. So, you know, instead of using a term like “master slave,” you have the “dominant factor” and then you have like a “secondary factor.” So can you use terms that describe without being loaded like that? Or you say “this is on the white list and this is on the blacklist.” And supposedly the white list is good and the blacklist is bad. No let’s use other—“this is the good list in the bad list.” You know, why, why do you need to, to use those terms?
Generally, you know, I I’ve been aware of these kind of, uh, differences because as a female growing up in an engineering culture now for more than 30 years, there’s a lot of terminology that is really based on males, sports, military, uh, kind of terms. And you know, the first time I heard a lot of those terms, it’s like, “well, that’s kind of a, you know, why do we use that term?” But I put myself in the shoes of the workforce of 30 years ago and being mostly male just seemed like they pick up on a term, they start using it and it’s very natural.
But, you know, you really start thinking about all the terms that we use today, “going into a one-on-one,” “let’s have a huddle,” lots of supports for criminology that, you know, if I’m not a sports person, that terminology would feel uncomfortable.
But going back to original question. The terms that we’re really trying to avoid are terms that hurt people; terms that have a meaning that bring back feelings that we just don’t need to, to, to use those kinds of terms in our work environment. And so those are the ones we’re trying to eliminate from our language going forward.
Camille: [00:20:46] I imagine things like this might take a while to become widely adopted and used. How would you recommend somebody at the lower level, say, in an organization or a company, bring it up if it’s not been changed yet in their area?
Isaura: [00:21:02] Yeah. So I think we’re getting to a place where people are feeling more comfortable to bring it up. So if I were to see a term like that, and I’m a new engineer in a on a team, maybe I bring it up to my manager and say, “you know, we’ve been talking about this term. Um, it doesn’t feel comfortable to me. Is there something else we could use? Is it possible for us to change this document and not include that because it just, I’d prefer to see a different term.” And having people just listen and be open to change it.
I think we are now at a point and I think 2020 really opened eyes for a lot of people of inequities that we have. We have inequities in the corporate system inequities in society. And if we can feel comfortable to bring up things that we see that are not equitable and when we bring them up that management, that leadership is receptive to make those changes, then we’re going in the right direction.
Camille: [00:22:30] Isaura, this has really been an interesting conversation and I really appreciate your time and thoughtfulness, um, during the conversation. So thank you very much for joining.
Isaura: [00:22:41] It’s been my pleasure.
Camille: [00:22:43] And if you’re interested in this topic, Tom Garrison, my co-host and I interviewed Simeon, the founder and CEO of ViVidia about diversity and inclusion and storytelling in that environment.