Why diverse recruitment is the key to closing the cyber-security skills gap

Against today’s socio-political landscape, the cyber threat faced by businesses is evolving every day. However, positive strides are being made to mitigate this. ClubCISO’s ninth annual Information Security Maturity Report found that 46 per cent of chief information security officers have extended their influence in their respective organisations since the pandemic, and 75 per cent report either positive or no material change in the attitudes to security from increased remote working.

To be able to compound this, it is important that businesses have the resources they need. A recent report by McKinsey found that there were an estimated 3.12 million unfilled cyber-security jobs in 2021. In order to maintain and further the positive progress made so far, businesses must look at sourcing talent from more diverse pools.

With the UK National Cyber Security Centre’s 2021 ‘Decrypting Diversity’ [PDF] report indicating that 64 per cent of cyber-security practitioners are male and 85 per cent white, it is clear that the industry has a lot of work to do to increase its demographic range. By considering how to attract and retain a more diverse workforce, businesses can open up a wider pool of talent to recruit from and reap significant benefits.

Research from McKinsey found that gender diversity and ethnic diversity directly translates to improved performance in comparison to less diverse competitors. Companies where more than 30 per cent of executives are women were more likely to outperform those where the proportion is lower. The findings for ethnic and cultural diversity were similar, but with an even wider gap in profitability between more diverse and less diverse companies.

When it comes to mitigating the ever-evolving cyber threat, diversity is a crucial, but often overlooked, factor. As cyber attacks are becoming increasingly culturally nuanced, it is important that we meet the challenge by drawing from a wide range of backgrounds and life experiences. Cyber attacks come from everywhere - from a wide range of ages, locations, and educational backgrounds - so our responders should too.

Perceptions of cyber security often see it as revolving around highly complex technology and driven mainly by this. While tech clearly plays a crucial role in mitigating cyber attacks, successfully countering them would not be possible without the role performed by people. This is enriched hugely by having a workforce which covers as many educational and socio-economic backgrounds as possible. In making a concerted effort towards a more diverse workforce, the cyber-security industry will be able to gain a deeper awareness of the cultural nuances that underlie cyber attacks.

It’s important to fully understand what we mean by diverse hiring. Considering entry routes into the industry is a big part of attracting a broader range of demographics. Again, perceptions of the cyber-security industry impact this. Cyber security is seen as highly specialised and complex, and while this is true, it doesn’t mean that it is inaccessible or abstruse.

In reality, cyber security is multidisciplinary, including a wide range of mathematical and scientific skill sets, but also requiring knowledge of psychology, policy and social sciences. If more people are aware of this, then more people can feel confident that there is a place for them in the industry. It also allows us to respond more intelligently to the labour shortage.

There are many initiatives in place to encourage young people to join the industry, such as CyberFirst, but this can only help fill entry-level roles. With millions of cyber-security jobs currently open, we also need to find ways to fill more senior roles. To do this, we need to tap into other industries in which mid-level employees are likely to have already developed transferable skills that will allow them to fill the range of gaps in the workforce.

ClubCISO’s 2022 Information Security Maturity Report indicates that following a conscious drive towards diverse hiring, there has been a considerable increase in recruits from non-infosec backgrounds. This has seen an uplift in candidates from risk-management backgrounds, for example, as well as graduates and apprentices.

It's clear that in order to mitigate the cyber-security skills gap, businesses need to implement a well thought out diverse hiring initiative. This has the twofold advantage of not only filling jobs but also introducing new abilities, skills and perspectives for teams to leverage. However, getting new employees through the door is only the first stage. Especially when it comes to onboarding employees who are new to the industry, businesses need to make sure that they develop the optimum culture for success.

It can take time to grow into a role in cyber security, so businesses need to be attentive to how they can unlock their new employees’ potential by making sure they feel supported. For employees to be able to hypothesise attacks they need to be able to collaborate and share unusual ideas with confidence. This is made possible by a culture attuned to these issues, which adapts to recognise the needs of security teams as people rather than purely users of technology. This involves clearly implementing a number of initiatives or policies designed to encourage diverse talent to thrive, such as public speaking training. For this to be possible, business leaders need to work on identifying the needs and priorities of the entire range of their employees, so that they can ensure these are met. Especially when recruiting from non-traditional backgrounds, it’s crucial to provide the training and support needed to make a successful transition.

As the cyber threatscape is constantly evolving and changing, it’s time for security teams to do the same. By considering how to attract, train, and retain a wider spectrum of talent, the cyber security industry can make serious strides in mitigating threats from as wide a range of sources as possible.

Manoj Bhatt is head of security and advisory at Telstra.