It’s widely agreed that a lack of diversity is a key reason for the four million global cybersecurity skills shortage. What needs to be done to change this?
The cybersecurity industry is still struggling with a lack of diversity, despite the benefits it brings. According to the latest ISC2 figures, women make up just 24% of the global workforce, while ethnic minorities and neurodiverse individuals are also underrepresented in the sector.
According to the UK government, only 17% of the UK’s cybersecurity workforce are women – a drop on previous reports and lower than the 24% global average. Meanwhile, 22% come from ethnic minority backgrounds and LGBTQ+ staff account for just two percent of the UK workforce.
It’s widely agreed that this lack of diversity is a key reason for the four million global cybersecurity skills shortage. There has been a push towards improving this, yet three out of 10 cyber professionals believe their organisation does not support diversity, equity and inclusion. So what needs to be done to change this?
Benefits of diversity
Boosting diversity is not just about looking good to investors. A diverse team offers a wide range of skills including different ways of thinking and approaching problems. Diverse teams are more adept at problem-solving and therefore make better decisions, says Hannah Roome, talent acquisition manager at Bridewell. “A more diverse workforce brings a wider range of ideas, solutions, opinions and ways of working, ultimately contributing to better outcomes.”
It is with this in mind that multiple types of diversity are being considered in cyber security, with initiatives in place to support growth in the area. Take, for example, the National Cyber Security Centre’s (NCSC) CyberFirst, which encourages young women and individuals from underrepresented backgrounds to explore cyber security careers.
Women in Tech, Women in Cybersecurity, She Can Code and The Code Pub in Germany are larger communities for women and non-binary people, working on areas such as education and mentorship.
In July 2023, the Cisco Networking Academy launched Cisco Cyber Camps in partnership with the Open University, designed for students in the UK aged 13 to 19 who identify as female or non-binary.
Ethnic diversity is another key area of focus. For example, CyBlack, a not-for-profit organisation, is committed to developing the next generation of black cyber security talent.
Meanwhile, ISC2’s One Million Certified in Cybersecurity initiative offers free training and exams to one million individuals, with half of opportunities reserved for minority groups, including tribal and women’s organisations.
ISC2’s charitable foundation, The Center for Cyber Safety and Education, promotes diversity by offering scholarships and educational programs specifically designed to support underrepresented groups, including women, minorities and veterans.
Neurodiversity: “A powerful asset”
Beyond gender and ethnic diversity, neurodiversity, including those on the autism spectrum, is regarded as an area crucial to strengthening the cybersecurity sector. Richard Bate, CTO at Goldilock, highlights neurodiversity as “a powerful asset” in cybersecurity.
He cites the example of “the unique perspectives and rapid idea generation” that come with attention deficit hyperactivity disorder (ADHD) and autism spectrum disorder, which he says “can lead to creative solutions that neurotypical thinkers might not have considered”.
In addition to this, when deeply interested in a project, the ability of some neurodiverse people to hyperfocus can contribute to “high productivity and exceptional work quality”, he says.
Taking this into account, the organisation NeuroCyber focuses on neurodiverse individuals “whose skills are well-suited to cybersecurity”, says Jude McCorry, CEO at Cyber and Fraud Centre Scotland.
Issues to overcome
But despite multiple initiatives and drives to boost diversity in cybersecurity, there are still issues to overcome. Gender diversity has been an area of focus for years, but despite some progress, women and people of colour remain “significantly underrepresented” – particularly in leadership roles, says Dwan Jones, director of diversity, equity and inclusion at ISC2. “The lack of role models and persistent gender and racial biases in hiring and promotion continue to hinder the attraction and retention of these groups.”
There is still significant under-representation of ethnic and racial minorities and people with neurodiverse conditions, says Aarthi Krishna, global security lead at Avanade. “The lack of diversity within such communities means these individuals don’t have the necessary role models and mentors, which can further hinder their career progression and ability to succeed.”
Companies often fail to make changes necessary to accommodate a more diverse team. For example, communication can be a significant barrier for neurodiverse individuals, says Bate.
Bate, who has ADHD, says he sometimes finds it difficult to properly communicate thoughts and ideas in a way neurotypical colleagues can fully understand. “I have the solution in my head, and it's very obvious, but how I came to that conclusion may not be easily understood. Quite often, neurodiverse individuals struggle to express themselves because of this, or because of comorbid conditions such as rejection sensitive dysphoria.”
Mentors and role models
It is possible to boost diversity and cyber security capabilities as a whole, if organisations are open to adjusting their processes. Part of this is about making the business attractive to diverse candidates in the first place.
Those already working in cybersecurity say mentors and role models are key. “As a woman in cybersecurity, I can say first-hand how important it is to have good mentors and allies – both male and female – that take the time to teach and provide a supportive place to grow,” says Laurie Iacono, North American threat intelligence lead, cyber risk at Kroll.
At the same time, firms need to ensure inclusive recruitment practices. To do so, organisations should implement and consistently review processes that ensure diversity, says Elizabeth Barr, head of the Cisco Networking Academy UKI.
This includes bias-free job descriptions, diverse interview panels, application process adjustments, and early-career development programs such as internships and apprenticeships “tailored to attract and support diverse candidates,” says Barr.
Jones advises goal setting, to ensure diversity targets are hit as quickly as possible. “The organisations most successful at recruiting diverse individuals have set goals for themselves, for example, striving to have their teams reflect the demographics of the workforce by a defined time.”
Written by
Kate O'Flaherty
Cybersecurity and privacy journalist