By JFK

D&I is the Cyber Security Risk

OpEd published on 10/12/2021 at the Association of Independent Agents

Over the years, the language of “diversity” has evolved from its origins in the 1980s, which were rooted in Title VII of the 1964 Civil Rights Act. Diversity between individuals is simply a fact of reality. The conversation evolved to talk of equity and economic inclusion, then to attempts to define inclusion in the corporate spaces of the 2000s, and has now evolved into a conversation about creating a sense of individual belonging within increasingly complex organizations.

In 2021, in short, “D&I” stands for diversity, equity, inclusion & belonging. We should get used to thinking about all four of those concepts from here on. That is how the authors of the new International Organization for Standardization (ISO) standard understand the diversity industry of old, if we can call it an industry at all. This past May, the ISO published a new guidance standard for D&I across the 163 nations that participate at the ISO. If you are not familiar with it, this organization has been standardizing how we interact since the end of the Second World War. It has created consensus standards on everything from the tangible ways in which we move water and oil to the seemingly intangible ways we measure process quality control.

It might seem ironic that as we seek inclusion of the other than normal, we’ve created some normalcy in how we seek it. It’s a communications problem that will always exist, as long as we are evolving into the messy collective of professionals that we will be tomorrow.

That stated, I’ve spent nearly 20 years in engineering and technology management, looking at a lack of inclusivity from a personal data standpoint. One thing I’ve noticed is that our institutional products and services have become more synonymous with our consumer markets’ identities. Further, people’s data and people’s decisions are becoming synonymous with risk, including cyber security risk. Lastly, a lack of belonging or D&I at the organizational level leaves every kind of organization vulnerable to cyber security penetration. As every industry has to use technology to deliver goods at the speed of 2021, our people’s commitment to our mission becomes increasingly critical to managing our financial and legal risks.

We have been hearing a lot about humans being the weakest link in cyber security management for decades now. We have also seen a lot of surveys and research reports on this fact. The example in the graphic above (from IBM) says 95% of all successful cyber attacks are caused by human error.

While IBM identifies 95% of cyber problems as people problems, Willis Towers Watson identifies the people as 66% internal and the rest third parties. We call it Third Party Risk.

At the World Economic Forum (WEF) this past year, Willis Towers Watson executives identified the most significant cyber insurance category as “negligence or malfeasance of employees.” In the modern business climate, it is critical that firms assess their bureaucratic D&I capabilities, including those of their suppliers and partners, just as they would assess their cyber security capabilities. A firm lacking a sense of belonging is more vulnerable to leaking confidential information, either deliberately through a disgruntled person or involuntarily through a careless one.

As integrated industries, we must start looking at D&I as a series of risk categories that require internal policy. This is not new; we’ve spent the past 10 years doing this for cyber security, and the 10 years before that doing it for information technology.

While we all ride the wave of digital transformation to create new — or modify existing — business processes, culture, and customer experiences to meet changing business and market requirements, businesses that are slow to adopt cease to exist. Digital transformation has not only exposed but also amplified the inherent vulnerabilities of our businesses and primary among them is human resources.

When we ask 10 people what D&I means, they can’t give us 10 different answers. We have a global consensus based on the 10 risk domains identified above.
