Why diversity matters when recruiting cybersecurity staff
(Tia Hopkins is a contributing SME)
Putting diversity at the heart of your cybersecurity team helps you spot issues and problems that might not have occurred to you
As the threats facing governments and businesses from online channels grow, so too does the demand for talented individuals to work in and around the cybersecurity space. It’s one of the main areas in which there is a skills shortage; the International Information System Security Certification Consortium estimates that there are 3.4 million open roles for cybersecurity professionals, while the World Economic Forum’s Global Cybersecurity Outlook 2022 found 59 per cent of organisations would find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team.
The situation isn’t helped, though, by a distinct lack of diversity in the cybersecurity sector. Just 12 per cent of people who responded to The Chartered Institute of Information Security’s (CIISec) annual survey of the profession were women, while a quarter (26 per cent) of cybersecurity professionals could not say that their organisation offers equal opportunities.
This is not the only area where diversity is lacking. The Decrypting Diversity report by the UK’s National Cyber Security Centre and KPMG saw responses that included just 10 per cent from individuals with LGBTQ backgrounds, and only 5 per cent of those surveyed were aged between 18 and 24. The sector also remains overwhelmingly white in terms of ethnic make-up.
Why is diversity important in cybersecurity?
Aside from helping to alleviate the skills shortage, there are other compelling reasons why this is a problem for organizations.
“In general, diversity matters because it ultimately creates stronger, more persistent and sophisticated final products and solutions,” says Lucie Kadlecova, a senior associate at CybExer Technologies. “A team composed of a diverse group of employees brings different experiences, ways of thinking and backgrounds together.
“We are not just talking about gender diversity, but also about different age groups and backgrounds,” she adds. “For example, a person who has a degree in social sciences but then underwent a requalification course will think about a cybersecurity task in a slightly different way than a person with a pure technical background. This variability brings in different ways of thinking and perspectives, which ultimately help to develop a more resilient solution.”
Diversity x cybersecurity
Paul Baird, chief technical security officer UK at Qualys, agrees, pointing out that greater diversity can help ensure products do not have unintended effects. “Getting more diversity in our teams – from gender and ethnicity through to neurodiversity – means we are more likely to spot problems, come up with approaches to solve them, and deliver what our organizations want,” he says.
“Take the ‘find my phone’ service. This is a godsend to some, but it can be a tool for stalking in the wrong hands. While many of us would never have to think about this as an issue, our job as security professionals is to ask around how things might be broken or misused, then apply controls to prevent this as much as possible. This kind of insight is needed more than ever to keep security in place and effective.”
There are a number of steps organizations can take to help improve the diversity of their cybersecurity teams. Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec), believes emphasizing the softer elements of jobs can help overcome misconceptions.
“Too often, there’s still a view that security is a purely technical discipline, meaning only people with an aptitude for tech, or the right technical qualifications, should apply,” she says. “But security is much broader – it demands social, managerial, investigative and even financial capabilities. By advertising the opportunities to use different skills, the industry can start broadening cybersecurity’s appeal.”
Part of this means making job advertisements easy to understand for everyone. “The jargon often used in cyber can become a barrier to those whose skills in the field may, for example, sit more in communication and developing training rather than in the technicalities,” points out Professor Simon Hepburn, CEO of the UK Cyber Security Council. “These soft skills are just as vital as coding to protect a company from all angles.”
Tia Hopkins, field CTO and chief cyber risk strategist at eSentire, believes organizations need to broaden their minds when it comes to the entry criteria for roles.
“Achieving diversity starts with encouraging diverse talent to pursue cybersecurity as a real career option,” she says. “They have to believe the pursuit of a career in this field can yield success, whatever the age, gender, ethnicity, neurodiversity or disability. To do this, recruiters must look beyond the CV. Do we need to specify years of experience for entry-level roles? We need to search beyond the IT security talent pool to find those willing to get trained, and partner with universities by offering industry placements.”
The post-pandemic trend towards remote working can also help organizations, believes Jim Tiller, chief information security officer at Nash Squared, by enabling them to access talent that would previously have been discounted. “Don’t fear hiring people from around the world,” he says. “Drawing from different regions, cultures and social frameworks deeply enriches your security team and can have measurable impacts to your security posture.”
Unconscious bias in cybersecurity
Better recruitment techniques can also help avoid unconscious bias or inadvertently discriminating against individuals. The UK Cyber Security Council, for instance, encourages blind recruitment, where the background of individuals is removed. “Removing any identifiers from applications means recruitment can happen without bias, allowing for more diverse teams and candidates who are assessed solely on their abilities,” says Hepburn.
Rob Demain, CEO at e2e-assure, advocates moving away from traditional, formal interviews, which he believes can lead some strong candidates to not give the best account of themselves. “We have had the best results from getting out there in person and attending events, where we can meet people in a setting which is more comfortable to them,” he says.
Getting people into the business, though, is only half the battle, and needs to be accompanied by an inclusive culture which will keep them there, and in the sector as a whole.
“This should involve showing the opportunities, excitement and career routes available to anyone from any background at any level – from school to university, to different stages of a career,” believes Finch.
Being able to showcase examples of people from different backgrounds building successful careers in the sector should, in time, help to break down the traditional image of cybersecurity. “Building a diverse team will help considerably in attracting more people from different walks of life and strengthen the foundation to ensure sustainability of a diverse team,” says Tiller. “We need to ensure we’re providing role models. Not simply examples of diversity, but highly successful people that have overcome barriers and have blazed new trails.”
Original Publication: Information Age