In an increasingly digital world, cybersecurity has become a critical aspect of our daily lives, with our personal information, financial data, and even national security at stake. However, as the field of cybersecurity continues to evolve, a glaring lack of diversity persists. The underrepresentation of certain groups, including women, minority communities, and individuals with diverse backgrounds, not only deprives the industry of valuable perspectives, innovative ideas and thought leadership, but also poses a significant risk to our collective safety. Diversity matters in cybersecurity – the industry, and organisations within it must do more to drive diversity and inclusion in safeguarding our digital frontiers.
Diversity is a challenge but one we must embrace.
Diversity in a nutshell is the mix of people, which tied with representation, can be combined to describe a plethora of characteristics and behaviours including age, orientation, sex, gender, neurodiversity, ethnicity and lived experiences. Societal change, and a new empowerment in recent generations to better define their own authentic identities, has put a greater pressure on organisations to promote and discuss diversity and representation within their workforces, and to demonstrate inclusion as part of their decision-making processes. When we consider cybersecurity, this understanding and embracing of diversity can truly transform our ability to predict, understand and deter adversaries, and better enable us to defend our teams, communities and even our countries.
Cyber threats and malicious actors continue to advance, and so it has become critical to have a broad range of perspectives and experiences to best detect, protect and respond to cybersecurity threats. In years past, a more static and ‘traditional’ collective of university-created white cyber experts could have done the trick, but in an age of digital crime where the only barrier to entry is the access to technology, criminally minded individuals with an abundance of varied backgrounds, characteristics and skillsets, are fuelling a diverse and eclectic threat.
Sadly, the lack of diversity and representation in cybersecurity teams remain a glaring issue and one many cybersecurity firms talk to. BanklessTimes recently highlighted how 22% of workers across the broader technology sector identify as an ethnic minority, which appears mirrored across the cybersecurity sector. If we consider women in cyber, concerningly ISC2 reports that only 11% of the global cybersecurity workforce identifies as female, which is significantly less than the 50% benchmark many organisations strive for. To best get to grips with the cyber threats at hand, diversity and representation in cybersecurity must change.
Diverse cyber teams can approach problems from different angles, uncover unique solutions, and even identify specific risks, vulnerabilities and targets impacting key regions or communities that others simply overlook, this insight being driven by the variance in their experiences, background, and cultural awareness, but aligned in the ‘good’ in tackling cybersecurity threats. It is my belief diversity can also empower decision-making, innovation and foster diversity of thought through the inclusion of people from diverse cultures, genders, and backgrounds. By leveraging the thought leadership of under-represented groups, we encourage the sharing of varied ideas and approaches, and the challenging of assumptions and biases. The NCSC (National Cyber Security Centre) themselves state that ‘a more diverse and inclusive team is a more innovative team.’ But this powerful combination cannot be accomplished if the industry itself does not better elevate under-represented groups into cybersecurity careers and opportunities.
Hiring and empowering under-represented groups can plug the cybersecurity skills shortage.
It is well noted that the field of cybersecurity faces a significant skills shortage, with Microsoft sharing that 2.5 million cybersecurity positions remain unfilled across the cyber industry. Cybersecurity organisations can help bridge this skill gap by creating a wider range of opportunities and experiences within their teams for individuals from under-represented groups. Including:
- STEM and empowerment initiatives, such as that created by Empowering You, to appeal to under-represented communities,
- Mentorship and apprenticeship opportunities,
- Grants for access to equipment to better empower employees with additional requirements,
- Diversity, inclusion, and awareness training for management,
- Skills workshops such as that provided by CyberFirst to create a route for under-represented individuals into cyber roles,
- that give an individual the best chance for success,
- Tweaking the way job positions are written and advertised to better appeal to a wider candidate pool.
There are many accommodations, programmes and processes which can be leveraged to connect cybersecurity organisations with a diverse range of individuals from under-represented groups.
If the adversary has representation, then so should we.
When we think about threat groups and the adversary, we must remember there is representation there. The threat landscape is comprised of a variety of individuals and groups, all with their own interests and lived experiences, and with a societal and cultural mix of ethnicities, sexes, socio-economic statuses and languages (to name a few). With such diversity supplementing the various ‘adversaries’ in their successes, cyber defenders should look for ways to build diversity into their practices and techniques. By creating a wider and fairer set of opportunities for under-represented individuals to bring their own thoughts and experiences, by creating an equal and open cybersecurity ‘playing field,’ we can leverage an untapped diversity of thought and cyber expression to rise to the ever-evolving challenge of the global cyber threat.
The tides are changing but we must keep pushing.
More and more cybersecurity firms are pushing the diversity conversation and looking to create equal opportunities for all groups. Secureworks CEO Wendy Thomas had made a public commitment to have ‘women make up 50 percent of the company’s global workforce by 2030’, with this messaging mirrored by many other large cyber organisations.
There are more and more training courses becoming available to encourage access to STEM education and development for under-represented groups including courses run by Tech She Can , STEM Ambassadors and vendors such as SANS. This shows progress. But we must do more across all under-represented groups.
Diversity and inclusion are not just buzzwords but rather crucial components that strengthen the cybersecurity field. Embracing diversity leads to more effective problem-solving, innovation, and decision-making processes while bridging the skills gap and fostering cultural understanding. By prioritizing diversity and inclusion, we can build an aligned cybersecurity ecosystem that reflects the diverse nature of our society and better protects our digital world. It is imperative for organizations to actively promote and create an inclusive environment that welcomes individuals from all backgrounds. By doing so, we can create a more secure and resilient cybersecurity landscape that benefits us all.
Rebecca is shortlisted in the Security Serious Unsung Heroes Awards 2023 for the Diversity Champion category.