Do we need to improve diversity within cyber security?

A diverse young workforce

The cyber security industry is still failing to attract a diverse workforce. Figures from non-profit organisation techUK show that globally women make up just 11% of the cyber workforce, while in the UK specifically only 15% of the digital tech workforce comes from a Black, Asian, Minority Ethnic (BAME) background. A recent study by the Chartered Institute of Information Security (CIISec) – formerly known as the Institute of Information Security Professionals – meanwhile, noted that 89% of respondents were male and the same proportion were over the age of 35.

According to the Enterprise Strategy Group, the number of organisations reporting a problematic shortage of cyber security skills has increased every year since 2015, with the International Information System Security Certification Consortium, or (ISC)2, estimating that businesses are currently suffering a cyber security workforce gap of over 4 million employees.

Unless the security sector can embrace greater diversity – in gender, age, ethnicity, disability and experience – “it will face a stagnating workforce and be unable to keep up with the rapidly expanding skills gap,” says Amanda Finch, CIISec CEO. “Without fresh blood, the industry will have to accept reduced protection and overworked security staff.”

Demystifying cyber security

There are a number of reasons people from a wider range of backgrounds are reluctant to become cyber security professionals, including a lack of knowledge of where to start.

“As a relatively new field, the pathways into the profession tend to be poorly defined,” says Joanna Cox, head of policy at the Institution of Engineering and Technology (IET).

Not only does it need to be easier to understand the routes into cyber security, the role also needs to be demystified, according to Talal Rajab, head of Cyber and National Security Programme at techUK.

“When one thinks of a person who works in cyber, your instant idea is that of a ‘hooded hacker’ creeping over a computer. There are more roles in the sector than that of an ethical hacker and there exist multiple pathways for someone to enter cyber security,” he explains. “More needs to be done to amplify this.”

Challenges for specific groups

There can also be challenges specific to some minority groups. For example, Cox has heard anecdotal evidence about the difficulties for those with neurodiversity entering the profession. The types of analytical skills required in many cyber security jobs are of a higher prevalence in people with neurodiversity but Cox says since UK schools are “generally failing this group”, frequently excluding them from mainstream education, many may not get the base level of qualifications needed to enter the job market.

“While this is partly a funding issue in schools, it also represents a failing in the school system to adapt teaching practices for this group and to understand their value – particularly in sectors such as cyber security,” she says.

More generally, however, there’s a feeling that the biggest way to improve diversity within cyber security is by educating students and changing the perception of parents. This way people will start to see that the profession is a career option for everyone. Knowledge and understanding are key, and there are a number of initiatives and groups that have been created to help with this.




Promoting women in cyber security

A stark sign of the lack of gender diversity in the cyber security industry is shown at technology conferences where women are in such a minority that they rarely have to queue for the toilet – unlike every other public event they attend.

In 2018, techUK helped launch one of the most quirkily titled diversity initiatives: ‘Queue for the Loo’, which was made up of a series of events and online resources aimed at women in the cyber security sector.

“The initiative, spearheaded by Sian John of Microsoft, includes quarterly networking events for female cyber professionals to network, exchange ideas and find mentors,” says Rajab. “It looks to not only create a stronger network between women in cyber but also to encourage them to do more to get others to consider their options in this space. The aim is to increase the breadth of talent in our industry by encouraging more women to join, so that we are more included, and a sign of success will be when women have to start queuing to use the facilities at cyber security conferences.”

As well as supporting those already in the sector, it’s also key to engage with girls of school age, in order to inspire the next generation. One interesting project designed to do this came from a partnership between GCHQ and the National Cyber Security Centre (NCSC). Working with Girlguiding South West England, they introduced a new ‘cyber’ badge that showcases how technology can work to keep us safe, aiming to inspire and ignite the girls’ interest in developing cyber skills.

Support from government

The UK government is also playing its part to improve diversity within the cyber security sector. This summer it launched the third round of funding through the Cyber Skills Immediate Impact Fund (CSIIF), which allows training providers to bid for up to £100,000 to work with employers to design programmes to retrain a diverse range of individuals for a career in the sector.

It has also announced a new Cyber Security Council, with the IET being put in charge of designing and delivering it alongside an alliance of cyber security organisations. The council will be charged with, amongst other things, creating clear pathways for people wishing to join the industry.

The business benefits of diversity

Work is needed to break down the barriers to entry in the cyber security sector and the business case is compelling. “A more diverse workforce can mean a wider talent pool, improved creativity and better customer insight,” says Jo Foster, IET equality, diversity and inclusion manager.

A Boston Consulting Group study found that companies with more diverse management teams have 19% higher revenues due to innovation, and according to Rajab, gender-diverse companies are 45% more likely to improve market share and 70% more likely to successfully capture new markets.

While the government and non-profits are playing their role, it’s also important for businesses to commit to diversity efforts in-house. As Foster points out, “Developing an equality, diversity and inclusivity strategy, and gaining top-level support in embedding it throughout an organisation, is key to addressing the skills shortage and promoting equality for all.”

Keri Allan

Keri Allan is a freelancer with 20 years of experience writing about technology and has written for publications including the Guardian, the Sunday Times, CIO, E&T and Arabian Computer News. She specialises in areas including the cloud, IoT, AI, machine learning and digital transformation.