When we started at Cloudflare in the summer of 2018, we joined a small security team intent on helping it grow quickly. Cloudflare was already a successful “unicorn” startup and its profile was changing fast, providing cyber security protection for millions of Internet-facing properties and moving towards becoming a public company. We were excited to help build the team that would ensure the security of Cloudflare’s systems and the sensitive customer data that flows through them.
Competing for security talent in the tech industry - where every company is investing heavily on security - isn't easy. But, in 18 months, we have grown our team 400% from under 10 people to almost 50 (and still hiring). We are proud that 40% of our team are women and 25% are from an under-represented minority. We believe from experience, and the research shows, that more diverse teams drive better business results and can be a better place to work.
In honor of International Women’s Day this Sunday, we wanted to share some of our lessons learned on how to build a diverse team and inclusive culture on a modern security team.
Lessons Learned Building a Diverse Team
- Our effort to build a diverse team starts from the moment we draft a job posting. We try to choose language that will resonate with a broad set of candidates, and question proposed “prerequisites” for a role such as college degrees or a minimum or maximum set of experience. For example, we choose language that invites people looking to grow, and avoid militaristic terms often seen in security job descriptions.
- We are open to considering multiple locations where a role can be based. Cloudflare has 13 offices around the world. We have been flexible in which office our team members can join.
- We don’t rely on one hiring source. We strive for multiple hiring sources. We appreciate employee referrals and do company-wide presentations frequently to keep our team’s open positions top of mind across our 1200-person company. We love candidates who apply through Cloudflare's online careers site because they read a Cloudflare blog post and find it interesting, or are a happy Cloudflare customer in some way. We help fuel this source of candidates by writing blog posts on a wide range of topics like here and here. We also believe in proactively reaching out to potential candidates (see more in the next point). Having three strong channels in which we are meeting candidates makes hiring a bit easier.
- Proactively reaching out to passive candidates can be hard for some hiring managers. We work hard to make everyone on our team better at this. We partnered with our recruiting team to train our security team on how to use LinkedIn and Eightfold to find potential people to reach out to, and we encourage our leaders to go to meetups and the networking components of conferences and to ask respected industry peers for referrals. Our hiring managers then reach out directly with a personalized message. Our response rate is over 10% when we take the time to personalize the messaging to fit the particular possible candidate.
- We think long-term about team-building and know that it might take six months to a year to close promising passive candidates. We build a relationship by sharing updates on the company as well as new problems we are trying to solve, and over time we have seen these candidates come to appreciate the company and work and then join our team.
- We do proactive engagement at a number of conferences and events such as the Grace Hopper conference, AfroTech, and the International Association of Minority Cybersecurity Professionals events. We also look to build relationships and hire through organizations dedicated to placing minority candidates such as Path Forward.
- We leverage our internship program to broaden our candidate pool and change perception about viable backgrounds for roles. It is easier to convince people to consider candidates from less “pedigreed” schools or with skills developed outside traditional educational paths through direct exposure to those who’ve taken different routes but share the same passion for security. We’ve found some amazing interns who’ve proven themselves on short intern stints with us, and already progressed into full-time roles.
- We make sure we put together the right interview panel for the candidate: that means not only evaluating the candidate thoroughly but also giving the candidate the opportunity to look across the table at someone they feel comfortable asking “can someone like us succeed here?” You are not just using the interview process to evaluate the candidate, you are showing the candidate who you are as a team.
- We hold ourselves accountable by reviewing metrics on hiring and retention. Our company leadership team gathers once a week to review data on how the entire company is doing, including looking at how we are doing at building a diverse workforce and what we can do to improve. And we don’t just look at diversity in general, we look at diversity across management, and for those in management, we also consider things like span of control.
- We also get great support from our co-founders and other executives directly in our hiring process. They are always willing to spend extra time introducing people to the company, our mission, and our values. One of them will always be the last person to meet the candidate on their final interview. You can’t beat a welcoming message from the top.
Lessons Learned Creating an Inclusive Culture
The work doesn’t stop with getting a great set of people with complementary skills to come work at Cloudflare. To us, diversity is a means to the end of developing a highly productive team, not an end in itself. And, it turns out that hiring a diverse team is not a moment to celebrate success, it is a moment where leadership responsibility increases. A diverse team - made up of people from various backgrounds who don’t automatically feel at ease with one another - is not a guarantee of success. To cultivate a truly productive team requires a culture of openness to differences and a willingness for people to share their unique perspectives with people who are different.
We obsess over making sure all these great people who decided to join will also decide to stay for the long-term. We identified a number of ways we could build a community that welcomes people from different backgrounds and celebrates open debate.
- We’ve moved on from the media-favored image of security professionals as “hackers” and instead focus on innovation and empathy as our core values. We believe our role is more akin to a scientist designing a cure for a disease, a teacher helping a student solve a hard problem, or a nurse responding to a person in need of treatment. While we still need the skill to be able to break things and consider the attacker mindset we are responsible for combating, we will not succeed if we cannot stand in the shoes of our customers and empathize with their plight when we roll out painful security requirements.
- We talk regularly about how team members must have a stronger than usual commitment to developing the “psychological safety” necessary for everyone to believe their opinions are welcome and valued and will contribute to the greater good.
- We counter the risk that security work can become very reactive by promoting a spirit of innovation. That has led to us already open sourcing multiple solutions, contributing to development of Cloudflare products, and presenting at security conferences. We are strategic about what solutions we should build ourselves and what we should buy from other vendors, always staying current on what’s new.
- Our team decided to pick a logo, and we ended up choosing an orange-to-pink hued phoenix because they represent resilience and optimism: A phoenix never dies; instead, she always rises from the ashes and becomes more majestic each time around. This embodies the security mindset -- we help Cloudflare bounce back from attacks and security incidents, reemerging stronger and more secure than ever. It's easy to feel like you never "win" against constantly evolving adversaries. Knowing that we are the phoenix, destined to bounce back from whatever setbacks we face, helps us stay optimistic no matter what we face. And of course, the image of a phoenix also fits well with the core Cloudflare name and brand. Not your typical security imagery, but something that we are proud to wear on our t-shirts because it represents our team.
- We encourage every member of our organization to work on something that is outside their sub-team’s subject area so they interact with the broader team and also have a sense of personal career development.
- We take our work very seriously and know when to say “Let’s get down to business” like Mulan in the Disney movie (which we’ve heard team members sing), but don’t take ourselves too seriously. We keep it light around the office.
- We change our seating arrangements regularly to encourage expanding relationship circles.
- We ask team members across the organization to lead meetings and give presentations to the whole group.
- We promote from within. Five team members have been promoted into first-time manager roles.
- We have open-ended manager round-tables to discuss vulnerable topics relating to growing a diverse team.
- We support our team members playing active roles in company Employee Resource Groups such as here and speaking up on topics outside our core areas of expertise.
- We take time for team-building activities. Some of our best practices are to keep the events during business hours and limit those that include alcohol.
- We celebrate success. In the security world, external recognition is more often given for failure than success. Most companies don’t celebrate the prevention of harm, they celebrate new products and new business. If you are not careful, a security team can feel isolated from the rest of the company because its work is not directly tied to generating revenue and even worse can be perceived as blocking progress.
One of our favorite meetings was an informal risk review session we had with our engineers during which we white-boarded what we all thought were our biggest risk areas. It was great in the moment because it was such a collaborative session where everyone felt comfortable speaking up about their fears. No two people saw things the same way, but all were open to hearing other perspectives and many of us in the moment changed how we thought about priorities. And what made it an all-time experience was how even though we may have left the meeting a bit discouraged about all we needed to do, within a week every team member had stepped forward and volunteered to work on one of the hardest challenges. Looking back a bit over a year later, we have made strong progress in reducing all the risks identified in that meeting, and we did it together as a team.
Security is hard work, and the work is never done. But bringing together a diverse team with a positive culture has helped our team get a lot of hard and stressful work done well. There is a lot more we can do to keep things moving in the right direction for our team members and company and we welcome additional suggestions for improvements in our approaches.