It’s no secret that cyber security has a diversity and inclusion problem. The industry’s female workforce comprises a meagre 11% globally (8% in the UK) and ethnic minorities are slightly less than 12%.
There’s also the challenge of solving the cyber skills shortage, estimated to be 1.8 million by 2022 according to ISC. And yet, a report by McKinsey found that companies with better minority employment records had a 35% greater financial return than the industry average.
We know the facts, we are having the conversations, but are we seeing any improvement?
I sat down with Jenny Chuck, Information Security and Compliance Manager at Fieldfisher, and Mark Walmsley, Chief Information Security Officer (CISO) at Freshfields Bruckhaus Deringer LLP, to talk about why the “man vs woman” debate is an outdated concept, the way the security industry is changing and how we can improve our recruitment methods.
The diversity problem
The “man vs woman” debate irritates both my interviewees.
“The fact that part of my USP is that I’m a woman shows that there’s still a problem in the industry,” Jenny states.
Mark agrees, saying that too many organisations try to “retrofit the problem” by finding more women to fill the roles, which can be detrimental to the business. “We should be thinking about what are the skills and personalities that we need and start investing in them now.”
They both feel that businesses should be asking: Who likes this kind of work? How are we going to find them? How are we going to get into schools and say there’s no need to do A-levels and you don’t need a degree?
“We need to be going to schools and saying that we have an opportunity for you and it's open to everyone, of every background,” Mark adds.
I wonder whether we should re-frame the whole “diversity and inclusion” conversation. Should we be using different language? How should we alter the way we approach the topic?
For Mark, that’s not where the focus should be. “This isn't something that you can theorize and come up with a perfect plan for. It's about saying we can make a difference right now - if it doesn't work out for me then fine - I know that was less than perfect but I can get it right with the next person I look at,” he says. Some employers, in his opinion, like to be seen having the “right” conversations about diversity and inclusion for personal credibility. However, very few people actually want to make a difference through action. Ultimately, he says, when you start to do things - you figure out what does and doesn't work very quickly.
How to hire better
“When I hire people - I don’t hire other Mark Walmsleys,” Mark points out, adding that many people hire candidates similar to themselves out of ease. “It’s a way to avoid conflict and having to micromanage that person, they just know that’s another person like them,” he explains. Mark hires people from a variety of age groups and backgrounds and less than half of his team comes from an IT background. “We've got police officers, people from HR, project managers and others who sought a career change,” he says. At the moment he is interviewing an ex-gym instructor who has self-invested in learning cyber essentials. “Why not? What have I got to lose on a short-term contract with someone who’s got the right level of ambition?” Mark asks.
Jenny says that diversity is only part of the problem. If you narrow your search down to candidates who must have a masters, some form of degree or at least 10 years of experience on their CV, it’ll ultimately lead to a very small pool of people. “Sometimes it's really hard to find all of those things in one individual,” she adds. So employers must be more open-minded and inclusive in the way they recruit.
Positivity, energy, enthusiasm and the desire to learn are among the top attributes that both Jenny and Mark look for when recruiting candidates. “We need to know that they are ambitious and that they want to work as part of a team, as well as independently. Other than that, bring me your best,” Mark states.
“We have two opportunities: a resourcing opportunity and an opportunity to make sure the world is a safer place by having different personalities in our team,” he adds.
Don't pick the job, pick the boss
As with many things, change starts from the top down.
“I think it’s quite easy to feel threatened in this industry the more senior you become. Then you turn the Old Boys’ Club back on again and you become inefficient,” Mark points out. If, however, you are open, you attract better people who stay for longer and deliver a much better service. “Then you start to look like you’re very progressive which is what good thought leadership is about,” he stresses.
Jenny says “transparency” is key in an organisation. “Until the leadership at the very top believes it and pushes it down, I don't think it can change,” she says.
She feels that a good leader is somebody who recognises the value of what you're doing and allows you to speak freely, have a seat at the table and pass comment on issues and events happening in the organisation. “I think you need to have a boss who brings you into the conversation as opposed to consult with you afterwards when a decision has already been made,” she emphasises.
The changing industry: getting the balance right
Part of the problem lies not just in recruiting talent, but in keeping it. Jenny highlights that employers cannot be too complacent because there's much more choice now on the job market; regardless of whether the money is good, if people are not happy and satisfied, they’ll leave. “You have to allow employees to be creative and the ability to have open and transparent dialogue,” she says.
“I think firms need to recognise that if they are to retain talent they need to offer balance to their team and allow them to do things outside of their core business hours,” Jenny suggests.
She says an atmosphere of mutual respect needs to be nurtured where “everybody is comfortable saying what they think without feeling restricted, within reason.” “Once people can feel that they can be themselves then they can be open,” she explains.
Where, when and how you work has also changed. Mark points out that “the traditional ‘9-5pm in the office in London’ is a disastrous idea in our industry.” Offering flexibility to staff about how they work will create a more loyal team, he thinks. “I make everyone in the office work from home at least one day a week. Furthermore, they need to be able to turn off their laptop and have dinner with their family,” he advises.
Jenny agrees. “Productivity does not increase with the number of hours that you work. Firms really need to abandon the idea that the person who comes in the earliest and is the last to leave is the most productive because it's just flagrantly untrue,” she states.
Investing in the future: an inclusive revolution
So how do we bring about change?
Jenny feels that children should be introduced to cyber skills and cyber security as young as 4 or 5 years of age. “4 year olds start learning foreign languages at school, why not do the same with cyber and coding?”
Parents also have a role to play: Mark reveals that when he goes to schools and talks to parents, he is often confronted with blank looks when he tells them he works in cyber security. “Your children are the next generation of people who will hold the baton,” he tells them. Data hacks and breaches are splashed all over the news yet they’ve got no idea, he adds.
“I think any revolution has got to be embedded within the culture that these kids are living. It’s about communicating through symbols, cultural references and words they can understand - like how a CISO communicates with the board,” Jenny states.
“Inclusive revolution, you heard it here first,” Mark affirms.