A visible lack of diversity in terms of gender, age, ethnicity, disabilities and experience in the IT security industry could further worsen the existing skills gap in the sector and could also result in a stagnating workforce, the Chartered Institute of Information Security (CIISec) has warned.
A survey commissioned by the institute found that an alarming 89 percent of workers in the IT security industry are male and that a similar number of them are over 35 years old, indicating that the industry has been unable to include younger and more diverse talent in its fold even though the cyber security skills gap has been worsening since 2015.
As per Enterprise Strategy Group's annual global surveys, the percentage of organisations reporting a problematic shortage of cyber security skills has gone up from 42 percent in 2015 to 53 percent this year.
According to Nicola Whiting, Chief Strategy Officer at Titania, a lack of diversity in an organisation will result in "group think", a situation where decision-making will be unchallenged and will impact the organisation's ability to create new, innovative and beneficial solutions to respond to cyber threats.
"Most people would also agree that ‘to defeat an attacker, we must learn to think like an attacker’: and attackers are a diverse bunch. Therefore, for both innovation and defence, it’s essential that organisations look at diversity as a key metric for success," she adds.
Organisations are looking to hire workers with specific tech backgrounds
Many organisations that took part in the Chartered Institute of Information Security's survey said that they look for employees with the right technical background so that they can develop specialist security skills. This mindset is common even though a majority of professionals in the IT security industry believe that the best way to develop security skills is to learn on the job.
The tendency to hire 'ready-made' talent with the required skills also flies in the face of the fact that many individuals have developed the skills necessary for security in other careers, from identifying unusual patterns of behaviour to the communication skills needed to drive security awareness and behavioural change in others.
"The expectation that security is purely a technical subject has led to a focus only on very specific individuals to fulfil roles. Even if we weren’t in the middle of a skills crisis increased diversity should be a priority, but the present situation makes it critical," says Amanda Finch, CEO of the Institute.
"Expanding the industry’s horizons isn’t only essential to make sure the industry has the skills it needs. It will give a whole range of individuals the opportunity to thrive in a new career, and in the long term protect the industry from stagnation by introducing more varied backgrounds," she said, adding that hiring a more diverse range of people will help in truly modernising the industry.
"A diverse workforce helps to bring a wide range of skills & perspectives, which is essential to address the range of opportunities and threats that an increasingly digital world provides. By actively raising awareness of careers in cyber security, and the types of roles & skills required, we can attract people from all backgrounds, age groups and experiences. This will be crucial to tackle the cyber skills gap and to enable organisations to meet the challenges of today and tomorrow," says John Amer, Security Architect at BT.
Lack of role models could stop diverse people from joining the IT security industry
A lack of diversity in the IT security industry could also result in fewer people from more diverse backgrounds joining the industry in the future. As per a report from Kaspersky Lab, a lack of understanding about cyber security as well as a lack of female role models and influencers in the field are impacting women's participation in cyber security.
"We believe it all comes down to a certain chain of events and influences that must occur as soon as girls start thinking about their future careers. From advice and information given in school, to the guidance of friends and family members and interactions with businesses and the media – somewhere along the line, a link is being missed," the firm noted.
A study conducted by the security firm revealed that compared to 20% of men, only 16% of women had a clear idea of what cyber security experts did, and that only 36% and 7% of girls were inclined to choose mathematics and IT, respectively, as their preferred subjects at school.
The study also revealed that 57% of women did not have any experience of computer coding. On the other hand, 49% and 21% of men were inclined to choose mathematics and IT respectively as their preferred subjects at school, thereby explaining their dominance in the cyber security field.
"This suggests a need for young girls to have access to advice and information about the industry at a younger age, so that they don’t rule it out in favour of more traditional professions such as lawyers, medics or teachers that have long-established career paths," Kaspersky Lab said.