Security through Diversity

By Jenny Seaborne

Current diversity landscape

In the past year, several studies have been published focusing on diversity within the cyber sector. In these there have been many different values presented showing the percentage of women in cyber due to a wide range of methodologies used to define a cyber role, as well as little further investigation into representation at different levels of seniority.

The Department of Digital, Culture Media and Sport (DCMS) Cyber Skills in the UK Labour Market 20201 study estimated that just 15% of the cyber workforce are female, compared to 28% of the wider digital sector and 47% of the UK workforce. Clearly the digital sector is behind in gender diversity with the cyber sector being even further behind. Looking at other forms of diversity within cyber security, the same DCMS study found that Black and Minority Ethnic (BME) representation was potentially in line with the digital and wider UK workforce at 16%, but again there’s little further investigation into seniority and ethnicity breakdown.

It’s also important to consider not just representation, but the experiences of those in minority groups already working in cyber security. In the NCSC Decrypting Diversity report, 14% of cyber security professionals said they experienced barriers to career progression2. Of those individuals, 32% cited gender discrimination and 22% cited race, ethnic, social background, or regional discrimination. Evidently internal progress is needed within companies, as well as external progress from recruitment practices.

Nevertheless, some employers have said that they recruit based on merit and a non-diverse applicant pool, which leads to having a non-diverse workforce. However, these employers are often organisations that are taking few or no concrete steps to improve their own cyber workforce diversity3. Merit is undoubtably important in hiring, but a passive approach to increasing diversity doesn’t do anything to help this widely recognised problem in the cyber and wider IT sector.

Benefits of diversity

Companies need a wide range of skills across their cyber security teams, which is best achieved by increased diversity. Diversity comes in many forms, including race, gender, sexual orientation, gender reassignment, age, disability, and religious beliefs. Here are some important ways diversity benefits a team:

More representative

Representation is essential in cyber security, both for teams to match the diversity of those carrying out cyber-attacks, but also to represent the groups they are protecting. A lack of diversity can lead to gaps in cyber security training due to assumptions in end-user knowledge. Having a range of ages in a team additionally results in a valuable variety of skill sets. For example, cyber professionals with long-term exposure may have greater experience with malware, whereas younger team members may be more educated about modern threats.

Different perspectives

Having people on your team from different backgrounds will bring a variety of viewpoints, meaning teams are more likely to overcome obstacles and resolve issues more efficiently,4 by approaching them from different angles and asking different questions. This diversity also means teams are likely to consider more options and find the best solution.

Faster problem solving

A diverse team adds more than just a range of perspectives. When surrounded by diverse peers, the members of the majority group start to question their own assumptions, helping them improve their problem-solving abilities5. Visual diversity in a team causes those involved to handle conflict more constructively and, in anticipation of a potential conflict, individuals are more likely to do more due diligence and research before presenting an idea, leading them to find more problems on their own.6

Expectations of clients

A team with a range of demographics and backgrounds would better reflect their clients and improve their client relationships. Clients of cyber sector businesses are placing increased importance on diversity within suppliers as their own organisations become more focused on the topic, in part due to the gender pay gap regulations introduced in 2017.

Better results and increased profits

There are also quantifiable business benefits to increasing diversity. Companies in the top quartile for gender diversity on executive teams are 21% more likely to outperform on profitability and those in the top quartile for ethnic diversity are 33% more likely to have industry leading profitability7. The internal team benefits from representation, plus differing perspectives, result in better performance and increased profits.

How to increase diversity

Recruitment

Recruitment is often the easiest place to increase diversity in a company and change the make-up of teams. When looking to recruit talent, think outside the box. If you are seeking university graduates for junior roles, consider looking at those who have completed an apprenticeship scheme and already have professional work experience, or look to hire those who have had career break or change, as they can offer a fresh perspective. Additionally, if a lot of recruitment is done through referral hiring it can result in employees with similar backgrounds and, ultimately, a team that offers less diversity.

Research done on 76,000 job adverts8 found that, on average, an advert included six gender-coded words; the most common male-gendered words were “Lead”, “Analyse” and “Competitive”, and the most common female-gendered words were “Support”, “Responsible” and “Understanding”. There are tools online, such as the gender decoder9, that can review your job advert and highlight any gender-coded words used to help remove potential unconscious bias.

When writing job adverts it can also be beneficial to remove any minimum job requirements that are merely a formality, such as specific qualifications or experience with tools which could be learnt on the job. By not accurately representing a job role, potential applicants may be put off from applying. These candidates are more likely to be from a less traditional background and so companies may miss out on diverse talent.

Company culture

Company culture is paramount to retaining the diversity in your team. It’s important to strive for an inclusive workplace and make people want to work for your company. This starts from the top – management must be open to change, transparent about current processes and procedures, and able to listen to the suggestions of employees and colleagues.

Organisations should also encourage mentorship and offer flexible working to support individuals who may need non-standard working arrangements. The current pandemic has shown many employers that flexible working for all is not only achievable and productive but also benefits individuals where the traditional 9-5 office structure isn’t suitable.

Long term commitment

Companies that make a commitment to diversity are much more likely to achieve a more diverse team.10 Diversity doesn’t happen overnight; it needs to be addressed at all levels of a company with conscious steps made to implement it. This could be through a comprehensive diversity strategy, including evaluation of recruitment, interviews, management, and promotion.

For employees, it is often difficult to raise concerns about how management is tackling diversity, so transparency is essential to enable open conversations about how to champion diversity within the company. If it is going to succeed, diversity needs to remain important to a company long-term.

The NCSC Decrypting Diversity report recommended to publish success stories to show the breadth of routes into cyber and the diversity of professionals in the industry today11. Cyber security, by nature, is not the most open industry. A key part of opening up the industry to a wider range of backgrounds is to open up about the breadth of cyber roles out there, routes into them, and why those working in cyber enjoy what they do.

Increasing diversity can be difficult to do on your own, but there are organisations that aim to support underrepresented groups in cyber security and using them can be a great way to increase engagement. These groups can help companies in making a more inclusive company culture, supporting and mentoring employees, as well as circulating job adverts so they reach a more diverse audience.

The Ladies of Cheltenham Hacking Society is one such organisation. It was formed after the founding members noticed that despite Cheltenham and the South West being a major cyber hub within the UK, there was a lack of women. They provide opportunities and a welcoming space for women of all skill levels to develop and hone the technical skills critical for success in cyber. It is a regional chapter of the nationwide Ladies Hacking Society which was founded in London 2 years ago and now has multiple chapters across the country.

Get In Touch

Are you looking for more information about Riskaware, our products or services?

Get in contact with us by filling out the form or call the office on +44 (0) 117 929 1058 and a member of our team would be happy to help.