The IT security industry is still failing to attract workers beyond a highly limited demographic, the Chartered Institute of Information Security (CIISec) has warned.
Unless it can embrace greater diversity – in gender, age, ethnicity, disabilities and experience – it will face a stagnating workforce and be unable to keep up with a rapidly expanding skills gap.
According to the Enterprise Strategy Group, the number of organisations reporting a problematic shortage of cybersecurity skills has increased every year since 2015.
At the same time, CIISec’s survey of information security professionals showed that 89% of respondents were male and 89% were over 35, meaning the profession is still very much in the hands of older men. If the diversity issue isn’t addressed, then not only security but also the future development of the cybersecurity industry itself will suffer.
Many organisations point to the need to develop specialist security skills as a reason for reduced diversity, as employees need the right technical background. Yet the majority of IT security professionals (65%) still believe that the best way to develop security skills is to learn on the job.
At the same time, many individuals will have already developed the skills needed in security in other careers, from attention to detail and identifying unusual patterns of behaviour, to the communication skills needed to drive security awareness and behavioural change in others.
We hear from a number of industry experts who offer their opinions on the importance of a diverse workforce in cybersecurity as the cyberskills shortage prevails.
Matthew Buskell, Area Vice President, Skillsoft: “Cybersecurity is consistently rated as one of the most problematic skills shortage areas in the enterprise. In 2018, over 50% of companies surveyed by the ESG (Enterprise Strategy Group) said this issue was impacting their business. A survey commissioned by (ISC)² identified a glaring skills gap on the horizon, projecting that the overall cybersecurity skills shortage is set to rise to 350,000 workers in Europe by 2022.
“One of the most urgent requirements is to address the lack of diversity in the industry. According to a Frost & Sullivan cybersecurity workforce study, just 11% of women work in the cybersecurity profession globally. In the UK, that figure falls to just 8%, despite the sector experiencing double-digit growth and a huge demand for new recruits. This represents a vast untapped resource and organisations need to address the discrimination barriers that are disincentivising women from working in this field.
“There are some notable examples of progress in the right direction. The UK’s National Cyber Security Centre has created courses to encourage girls to consider studying the subject at an advanced level and university. Similarly, since 2013 the Code First: Girls organisation has been supporting young adult and working age women in the UK to develop relevant professional skills, such as coding and programming, and working with companies to help them capture top female tech talent.
“It’s also time for organisations to demonstrate a greater willingness to recruit for the traits required for cybersecurity – lateral thinking, problem solving skills, an understanding of risk management – rather than narrowly focusing on technical certifications alone. This requires a depth and breadth of vision that goes beyond traditional thinking.
“Organisations that fail to invest in training and development for individuals from non-technical backgrounds are taking a short-sighted approach. Considering that a significant proportion of executives and C-suite professionals have arrived in the industry via non-technical careers, companies cannot ignore the fact that employees from any walk of life can rapidly acquire the technical know-how and experience required to do the job.
“Implementing a clear career progression path for those taking on cybersecurity duties will help incentivise existing IT personnel to join the cybersecurity ranks. Forward-thinking Chief Information Security Officers (CISOs) are investing in increasing staff competences and supporting career development through mentoring and training in a bid to increase levels of expertise needed to counter today’s threat climate.
“In the face of a persistent shortage of cybersecurity skills, organisations must broaden their view of the workforce to developing new, previously untapped, candidate pools. Diversifying the workforce is a win-win for employer and employee alike – a concerted effort and increased investment will help make it happen sooner rather than later.”
Adam Philpott, EMEA President at McAfee: “Diversity is critical in the cybersecurity industry for balancing the make-up of the future workforce to better reflect the communities they serve. By creating a mirror image, organisations can consult with empathy and genuinely understand the communities they work with. What’s more, diversity is also crucial for addressing the talent deficit in cybersecurity today.
“Building diverse teams should be a no-brainer for cybersecurity organisations, as doing so has clear benefits – from boosting creativity to achieving greater financial success. Companies in the top quartile for gender diversity are 15% more likely to have financial returns above their respective national industry medians, while having a wider bank of perspectives and expertise to draw on. Above all, diversity in the workforce is attractive to new talent and leads to stronger ability to both problem-solve and serve customers of all backgrounds and perspectives.
“Cybersecurity companies should aim to build diversity into every single process, programme and initiative to counteract unconscious bias – this is particularly important for businesses in the technology sector, given its diversity failings to date. Once aware of this, cybersecurity organisations can implement initiatives to promote greater diversity.
“This means thinking about different ways to access a more diverse talent pool, such as implementing flexible working practices. Alongside this, it’s important that companies are addressing the problem early – in the recruitment and interview processes. For instance, if an organisation is looking to recruit more women, it could change the wording in job adverts to make them more gender neutral or ensure that there is at least one woman on every interview panel making a recruitment decision on a candidate. In addition, at McAfee we are targeting talent from outside of IT and security for many roles – an approach that requires thoughtful support mechanisms for onboarding, but in return it sustains an ongoing success for all, from internal teams to customers.
“However, the way to really empower women within the business is gender pay parity. At McAfee, we implemented an annual study to ensure that male and female employees are recognised and rewarded equally. We have also developed a monthly review of gender statistics so that progress is constantly monitored and red flags are elevated, as well as mapping the available talent pool against available roles at McAfee to make sure that there are female candidates throughout the recruitment process.
“Any organisation looking to make this change and address the challenges surrounding diversity in the workplace will need to fully commit to the process and follow it through after introducing it.”
Thomas Parsons, Senior Director – Tenable Research, Tenable: “Diversity isn’t just a nice-to-have, it’s an essential key to innovation, particularly in cybersecurity. Put simply, a lack of diversity is a barrier to success.
“There are 2.93 million cybersecurity positions open and unfilled around the world, according to non-profit IT security organisation (ISC)². An influx of cybersecurity talent is important to tackling the ever-expanding attack surface and threat landscape. If the industry is going to be successful and close the cyber exposure gap, increasing diversity and inclusion must be a priority.
“Adversaries are diverse and as defenders, we need to have a similar breadth of experience and knowledge to draw upon in order to outpace the attacker and be prepared for anything that could come up.
“This can be as simple as the language we speak, right up to the way we think. The more real-life, diverse experiences people can bring to the table helps offer a unique perspective when assessing risk and getting into the mind of a threat actor.
“Another benefit of a diverse workforce is avoiding subconscious bias and group thinking, which is critically important in an innovative industry like cybersecurity that requires bold, new ideas.
“When thinking about ideal skills, often you will see cybersecurity jobs – especially in areas such as threat intelligence – that require the ability to understand and decipher the languages that threat actors frequently use. This could be computing programs such as Python, Java, etc., but also spoken languages.
“Only through increased inclusion and diversity in perspective can we tackle the cybersecurity challenges of today, tomorrow and well into the future.”