There just aren’t enough people choosing - or being chosen - to pursue cyber-security to keep pace with the rapid growth in demand for skilled staff. Yet the IT security industry still remains focussed on a highly limited demographic warns the Chartered Institute of Information Security (CIISec).
And it’s not just about getting more women. Without greater diversity in gender, age, ethnicity, disabilities and experience – the sector faces a stagnating workforce, and a rapidly expanding skills gap.
The Enterprise Strategy Group found that the number of organisations reporting a problematic shortage of cyber security skills has increased every year since 2015. At the same time, CIISec’s survey of information security professionals showed that 89 percent of respondents were male, and 89 percent were over 35; meaning the profession is still very much in the hands of older men. If the diversity issue isn’t addressed, then not only security, but future development of the cyber-security industry itself, will suffer.
Many organisations point to the need to develop specialist security skills as a reason for reduced diversity, as employees need the right technical background. Yet the majority of IT security professionals – 65 percent – still believe that the best way to develop security skills is to learn on the job. At the same time, many individuals will have already developed the skills needed in security in other careers, from attention to detail and identifying unusual patterns of behaviour, to the communication skills needed to drive security awareness and behavioural change in others.
"The expectation that security is purely a technical subject has led to a focus only on very specific individuals to fulfil roles," said Amanda Finch, CEO of the Chartered Institute of Information Security. "Even if we weren’t in the middle of a skills crisis, increased diversity should be a priority, but the present situation makes it critical. Expanding the industry’s horizons isn’t only essential to make sure the industry has the skills it needs. It will give a whole range of individuals the opportunity to thrive in a new career, and in the long term protect the industry from stagnation by introducing more varied backgrounds."
Finch notes how security is a broad industry with many opportunities to apply already-existing skills including:
Tracking and managing multiple actions at once – parent returning to work
Leading teams in stressful conditions – armed forces
Demonstrating and explaining best practice clearly – teacher
Teamwork and collaboration under pressure – hospitality staff
Following best practice consistently while still being able to adapt – driver
Recalling and connecting information to ensure everything is in its correct place – librarian
The industry also needs to make a more diverse audience aware of the benefits a career in security can provide and encourage them to switch careers or begin a new path. The opportunities are clear. 86 percent of information security professionals say the industry will grow over the next three years and 13 percent say it will "boom".
"If the industry starts to attract a more diverse range of people whilst spreading awareness of the opportunity available, we could be well on the way to truly modernising the industry," continued Finch. "Key to all this will be both organisations and individuals having a framework that can show exactly what skills are necessary to fulfil what roles. This will not only help hire the right people. It will also mean that it the routes to progress through an individual’s career are clearly marked, ensuring that individuals who enthusiastically join the industry don’t over time become jaded or burn out due to a lack of opportunity."
Nicola Whiting, chief strategy officer at Titania adds: "Our industry only has two key missions: creating new, innovative and beneficial solutions, and ensuring they are resilient to attack. Organisations that haven’t invested in diversity will have a tendency towards ‘group think’ – known to result in unchallenged and poor-quality decision making, with all its attendant risks. Most people would also agree that ‘to defeat an attacker, we must learn to think like an attacker’: and attackers are a diverse bunch. Therefore, for both innovation and defence, it’s essential that organisations look at diversity as a key metric for success."
John Amer, security architect, BT, agrees noting how: "As the security industry continues to evolve, it’s absolutely critical that we attract people from different areas. A diverse workforce helps to bring a wide range of skills and perspectives, which is essential to address the range of opportunities and threats that an increasingly digital world provides. By actively raising awareness of careers in cyber-security, and the types of roles and skills required, we can attract people from all backgrounds, age groups and experiences. This will be crucial to tackle the cyber-skills gap and to enable organisations to meet the challenges of today and tomorrow."
**Editor's note. Readers of this article can also look forward to SC Media UK announcing its 50 Most Influential Women in Cyber Security 2019 at a Gala networking event atop the BT Tower in London on the 5th of November (Sponsored by BT Security, CISCO and ISC(2)). The full list will also be published on SC Media UK for registered users.