Diversifying cybersecurity: why inclusive hiring is the answer to the skills gap
Today, cybersecurity professionals are tasked with the challenge of responding to a wider range of threats than ever before. According to McAfee, 81% of global organisations experienced increased cyber threats during Covid-19. Now, two years on, cyber criminals have become increasingly sophisticated, combining various strategies to launch attacks that are harder for targets to identify and defend against.
In the background, there is one more issue that cannot be overlooked: security departments are understaffed. A recent DCMS cybersecurity labour market report found that the demand for cybersecurity jobs increased significantly in 2021, with 44% of posts deemed ‘hard to fill’. With this in mind, it is clear that organisations need to devise and embark on initiatives designed to attract new recruits and identify untapped potential. Driving diversity and inclusion is a key way of achieving this.
Bolstering your security strategy with diversity
Historically, the cyber security sector has not drawn from as diverse a range of backgrounds as it could and should. Traditionally, those in cyber security roles have either made the transition from IT or started in a technical discipline and fallen into cyber security.
It’s encouraging to see a growing number of initiatives designed to create entry routes into cyber for women and ethnic minorities, such as Code First Girls and CyberFirst. Such initiatives will lead to a considerable shift, but for now jobs in the sector are predominantly held by white (85%) men (64%), as found by the National Cyber Security Centre’s Decrypting Diversity report. Changing this will unlock a host of opportunities, allowing security departments to enhance their intelligence and respond more dynamically to the rapidly changing threatscape.
Fundamentally, diversity is the best defence against today’s range of cyber threats. In previous years, cyber-attacks were more commonly technically sophisticated, whereas today we’re seeing them emerge from a much broader range of capabilities, including social engineering, as in the recent Uber cyber security attack. At one end of the spectrum, we see highly sophisticated nation-state attacks, but this year’s ClubCISO Information Security Maturity Report found that for businesses, the most common outside threat is social engineering (15%), which can be executed by relatively unskilled individuals yet still cause considerable disruption.
Diversity of experience, breadth of response
While devising a security strategy, it’s important not to forget that cyber attacks are caused by people and solved by people. Often the focus is on the technology used, but people are always at the wheel, so organisations need to base their strategy on this. Thinking in this way makes the value of diversity even clearer: if cyber attacks can come from any background, anywhere in the world, then the security team responding to them should too.
When it comes to predicting attacks, your team is your greatest asset. The more social backgrounds it represents, the more valuable it becomes for predicting and responding to attacks. Security threats are ever-evolving, and predicting them calls for individuals who think differently. This comes down to recognising the vital importance of diversity of experience.
Considering the current lack of diversity in cybersecurity, it’s fair to say that as attacks become increasingly culturally nuanced, cyber teams which lack diversity will be several steps behind those which represent a variety of social, ethnic, age and educational backgrounds.
In many cases fixing this starts with reassessing the recruitment process. For example, if an organisation regularly hires based on referrals, this can lead to an echo chamber wherein all employees have very similar qualifications and experiences. Inflexible entry requirements can have the same effect – a security certification need not be the only essential requirement for cybersecurity professionals. Instead, organisations should look to foster diversity of thought by hiring through apprenticeships or searching for transferable skills from other sectors and roles, instead of an overly prescriptive focus on previous cybersecurity experience and formal qualifications. This year’s ClubCISO report also found that 26% of organisations are actively seeking recruits from other backgrounds, demonstrating that organisations are already looking further afield and trying to think outside of the traditional security box.
Unleashing talent and fostering inclusion
It’s critical that diversity initiatives don’t begin and end with the recruitment process, and this is particularly true in the case of hiring from outside of the cybersecurity sector. To unlock the full range of benefits associated with diversity of thought, it’s important that new and existing employees are supported in their transition into their new role. Education and ongoing training are the most important aspects of this support, and can come in the form of comprehensive onboarding and upskilling processes.
Cybersecurity roles can be highly stressful – while security departments work hard to pre-empt and prevent attacks, and while many positive strides have been made in providing security professionals with support, there are many factors beyond anyone’s control regardless of how well-prepared they are. Culture is key in making sure that the cyber skills gap can not only be filled but also stay filled. Professional networks and forums are a hugely valuable tool in welcoming new recruits into the fast-paced and sometimes overwhelming cybersecurity world. They provide opportunities not just for peer support, but to learn and develop skills such as public speaking and active listening. This kind of intra-organisational knowledge-sharing helps increase diversity of thought, and encourages a culture in which ideas are freely and confidently shared and debated – both of these aspects are instrumental to hypothesising future attacks.
Overall, there’s reason to feel very positive about the future of cybersecurity. Driven by internal business initiatives as well as intra-organisational and governmental initiatives, the sector is set to become more open and diverse, and to reap considerable benefits from this shift. Enhanced threat detection and response capabilities are the core benefit, but this is accompanied by a host of business advantages, such as increased employee retention and improved client relationships. As the cyber threatscape continues to rapidly evolve, there has never been a better time to enhance your organisation’s capabilities by narrowing the skills gap.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.