Zoe Edmeades, Managing Director of The Security Company, makes a strong case for diversity in the cyber security industry.
Some say that the case for diversity in security no longer needs to be made.
Becoming more inclusive has long since gone from being a ‘nice-to-see’ to a ‘must-have’. However, the discussion around the benefits of diversity in cybersecurity has been drowned out by a single clarion call - we need more people.
Some two-thirds of industry professionals say there are not enough cybersecurity workers in their organisations to meet challenges, according to the most recent Global Information Security Workforce Study (GISWS), with a predicted global workforce gap of 1.8 million by 2022.
A digital society is a diverse society
This, perhaps, shouldn’t come as a surprise.
The world has gone digital at a dizzying pace over the last two decades. Cybersecurity is no longer a concern just for the big players – corporates or national government. And it’s obvious that lack of diversity and the potential for groupthink present real risks, especially as the threat landscape becomes itself ever more diverse.
Improving the diversity of cybersecurity teams improves their ability to meet and address new challenges. It brings the opportunity to expand experience, points of view and understanding through collaboration.
It’s been proven that diverse organisations are more productive, but the solution is something that needs weaving into the fabric of our society.
Myth-busters and honeypots
So, what’s the solution? Well, we can start by breaking down barriers and rolling out red carpets.
For too long, the industry has played along with the Hollywood clichés of hooded hackers and nerdy IT staff, delighting in techno-babble and big-iron solutions. It’s time to start busting those myths, writing new scripts and painting a more reflective picture.
That means making our industry welcoming and accessible to more than just the current dominant demographic of white, middle-aged males. For years, women have made up just 11% of cybersecurity employees.
But remember that diversity is not binary, a point made by Meghan Stabler (who recently retired from The Human Rights Campaign's board of directors, and has been awarded the Bettie Naylor Award and the 2018 HRC Austin Gala):
“Diversity is not just limited to male vs. female, but includes adding people from the LGBTQ community, persons of colour, and even age or socio-economic differences.”
To truly address this issue, we need to deepen and broaden our conversations to include all those who make up our community, and be open to ever wider definitions of diversity, from neurodiversity to gender-fluidity.
Diversity as a people problem
Of course, as a professional who looks at changing attitudes and behaviours as my day job, I see everything as a people problem, with a people solution waiting to be found. But in this case, it’s undeniable that we need to start thinking in terms of cultural change if we’re to effectively move beyond hand-wringing to a broad embrace of diversity:
Start at the top: Change can be emergent, but when we’re looking for significant shifts in cultures, especially where attitudes have become narrowed and entrenched, we need leadership. It’s essential for senior management to pick up on this issue and very visibly make it their own.
Be positive about placement: we need to make sure those from diverse backgrounds aren’t disadvantaged at recruitment. Make job adverts and application processes accessible to all. Giving more people the opportunity to apply will encourage a more diverse pool of applicants. And take active steps to make CVs blind to gender, religion, race or background. It is astonishing how unconscious bias can impact recruitment decisions.
Become value driven: all too often the ‘why?’ is lost in the ‘how?’ with cybersecurity. Fundamentally, we’re in this industry to protect the things we value, the good things our people and ideas can achieve. Cybersecurity should be seen as a calling, as much as wanting to be in healthcare or law enforcement.
Diversity breeds diversity: where you can, bring people of diverse backgrounds to the fore: create representative panels at conferences, nurture the diversity balance up the promotional ladder and look to break down stereotypes at every opportunity.
Get them young: preconceptions and stereotypes are formed early. It’s paramount to reach into communities often left on the outside when it comes to the cyber industry. Schemes like the CyberFirst Girls competition in Manchester, NCSC Cyber Schools Hubs, or Cyber Security Challenge UK, are vital in drawing in those who may believe they are excluded.
Fundamentally, diversity in cybersecurity isn’t an issue that’s going to be solved by a few well-meaning initiatives. The skills shortfall is a powerful motivator right now, but to sustain change and build diversity into our culture will be an exercise in multi-generational commitment and energy.
A tall order, but a one to embrace if we’re to help create and secure the diverse digital society unfolding around us.
Zoe Edmeades is Managing Director of The Security Company (TSC). She leads a dynamic team of experts with innovative cyber security services that really make a difference to the organisations TSC works with. When she is not living and breathing TSC, she can be found curled up with her dogs by the fire, being tortured by her personal trainer, or gossiping with her teenage girls.
This article was originally published in The Security Company's infosec news pages.