In this week’s guest column, Kingsley Gate Partners’ Vice President Vanya Ivbule shares how diversity, equity and inclusion (DE&I) efforts can help to solve the cybersecurity industry’s talent shortage.
Whether it is ransomware and extortion, phishing and malicious emails, denial of service attacks, or malware, cybercrime is on the increase, with the pandemic-related trend for remote working only exacerbating the cybersecurity risk for organisations.
One significant challenge in protecting against cybercrime is the severe shortage of cybersecurity professionals. A recent global workforce study, carried out by the cybersecurity professional organisation ISC, identified a global cybersecurity workforce gap of some 2.7 million employees in 2020. Additionally, two-thirds (60%) of participants worked for organisations experiencing staffing shortages that placed their organisation at risk.
While there is no simple solution to this shortage of specialist skills, a focus on DE&I is essential for both providing effective cybersecurity and addressing the workforce gap.
LACK OF DIVERSITY IN CYBERSECURITY
As cyber attacks become more complex and personalised, ethnic, gender and cultural diversity are key to allowing the cybersecurity workforce and their organisations to think creatively around threats and probabilities. A diverse cybersecurity workforce is better able to anticipate the variety and nature of personalised attacks, for example.
At present, though, there is a concerning lack of diversity in the cybersecurity workforce. In October 2021, Microsoft announced a national campaign to help equip US college students with the skills needed to work in the industry. As Brad Smith, Microsoft’s President and Vice Chair, noted in a company blog post, “82.4% of the country’s cybersecurity jobs are held by men, and 80% are held by people who are white”.
BEST PRACTICE DE&I MEASURES
The Cybersecurity Workforce Study identified a range of DE&I related measures – standard best practices – that cybersecurity professionals expected from their employers. These included providing mentoring and support at all job levels; providing more flexible working conditions; diversifying management and hiring team practices; eliminating pay and promotion gaps; establishing diversity goals, missions and value; and promoting women, minorities and under-represented groups to leadership roles.
Of course organisations should already be engaging in these initiatives, and more, to improve DE&I performance generally. However, worryingly, fewer than a third of participants indicated that their organisations were planning to invest in diversity, equity, and inclusion initiatives within the next year, or establish organisational diversity goals. Nevertheless, there are some cybersecurity specific actions that can help.
One hiring practice, for example, is to look beyond the obvious talent sources. While most people still tend to come from the IT industry, the path into cybersecurity is changing dramatically. Many individuals have a non-traditional education in cyber, and are entering the industry via a certification route, such as CISSP (Certified Information Systems Security Professional) and ISACA certifications that are holistic and helpful for senior leadership and management positions.
ADDRESSING BARRIERS TO ENTRY
Equally, it is possible to hire on attitude, aptitude and culture from non-technical functions, such as marketing and finance, and then train the necessary skills. As the workforce study notes, a key takeaway for job seekers and managers is that “people interested in cybersecurity roles should not need to rely on a lengthy checklist of technical skills”. The report highlights several traits which are highly valued. These include ‘strong problem-solving abilities’, ‘curiosity and eagerness to learn’ and ‘strong communication skills’.
And cybersecurity isn’t just DevSecOps and Chief Privacy Officers; the service sector also needs people across a variety of functions with lower barriers to entry, such as sales and marketing. Here, one sourcing strategy is to hire from traditional cybersecurity customers such as financial services firms, then provide the necessary sales and marketing learning and development.
CYBERSECURITY LEADERSHIP CENTRES
Another good example of a DE&I-related initiative is the move by both IBM and Microsoft to engage with the student community in the US. In IBM’s case, the firm is partnering with over 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centres. Microsoft’s national campaign, meanwhile, is aimed at the community college network, where 57% of students are women and 40% identify as Black, African American or Hispanic.
It is important to stress here that progress on DE&I must be meaningful, not merely a superficial exercise for the purpose of improving external optics, as may have been the case with some organisations in the past. Cybersecurity is a market where negotiating power resides with the cyber talent. Creating and retaining a truly diverse cohort of cybersecurity talent is not only about providing the appropriate financial compensation and rewards, but also demonstrating real commitment to DE&I practices.
ABOUT VANYA IVBULE
Vanya Ivbule is Vice President of Kingsley Gate Partners, a global retained executive search firm, and heads up the EMEA Cyber Security Practice based out of London. Ivbule specialises in supporting PE backed portfolio companies on go to market strategy, scaling and transformation as they prepare for acquisition or IPO.