Cyber talent diversity: It's time to redefine the face of security

March 14, 2022 by Susan Morrow

A global phenomenon is happening, driven by the changes brought about by the Covid-19 pandemic. This phenomenon is 'The Great Resignation,' evidenced by data from the Bureau of Labor Statistics, which shows 4.5 million Americans voluntarily quit their jobs in 2021. 

But what does this mean for cybersecurity? Many of those individuals quitting their jobs were from the tech sector, including security. An already widening skills gap in tech is now a massive canyon. Before the pandemic, diversity was already on the agenda to help fill the security skills gap. Diversity is now imperative in the security industry to ensure that a company has enough resources to build a pool of talent and that this pool reflects the variety of needs of the business of security.

According to new data from Infosec Institute, over 90% of hiring managers struggle to fill open cyber roles. So, how does an organization go about creating an effective and achievable diversity policy to attract skilled security professionals?

Katie Boswell, Director of Cybersecurity at KPMG, told Infosec about the importance and experience of hiring a diverse team.

The importance of recruiting diverse teams in cybersecurity

Diversity is a word that is bandied about a lot, and rightly so, as human society comprises a diverse group of individuals. Diverse security teams need to reflect the true demographic of human society, not just to check the ESG (Environmental, Social, Governance) policy box, but because it works out well for the business.

This was evidenced in a recent Infosec Institute survey, which found that 80% of survey participants reported hiring success linked to the active recruitment of diverse candidates. This compares to just 55% of their less successful counterparts. The survey also found that the same hiring managers placed diverse candidates into cyber roles at a higher rate. This was seen as a trend across the board for women, BIPOC, neurodiverse, and LGBTQ+ candidates. In other words, companies that reach out to a wider pool of diverse candidates were more likely to attract cyber talent.

Five key goals of diversity-focused hiring

If you fish in the same pool, you'll eat the same fish; diverse recruitment requires a diverse pool. A recruiter needs to reach out to find talent across the human spectrum. How you do this will undoubtedly change as you become more experienced in hiring diverse cyber teams. However, insight from those already doing diversity recruitment helps. Here are some key goals to recruiting and retaining diverse talent in your cybersecurity teams.

1. Be diverse in how you find diverse candidates

One of the issues in building a diverse team is knowing where to look. A plan of action for meeting your diversity policy must include reaching out to the right places to find that diverse team. Shake up where you look for candidates; don't go to the same places repeatedly.

Boswell told Infosec, "I like that you have to hire a diverse team, and you have to do it often. To do this successfully, you must be deliberate about it. And if you are going to be deliberate about it, you should focus on places where diverse people are. If you're hiring from the same schools over and over again, then you're not going to be diverse."

2. Change your view of what makes a good candidate

Diverse people might not fit the traditional view of a good candidate. As a neurodiverse person, I tend to work better alone. The common idea that teamwork is best may be true in some circumstances, but not all. In cybersecurity, for example, working alone fits the remit of many roles. Checkboxes are easy to create but can 'box your candidates in' (or out). Interviewing is another area that can be difficult for neurodiverse people and other diverse candidates, in general.

The interview process may be off-putting for some candidates who would otherwise be perfect for the role. Remain open to options when creating the job ad, deciding who to interview, and running the subsequent interview process. Boswell reiterated this fact: "job descriptions definitely need to be something that shows inclusivity." Recognize that not everyone fits the 'ideal interviewee/employee' tick box, and make this flexible thinking part of your recruitment policy.

3. Be flexible in the job

Building a diverse team means being flexible across a range of topics. Take childcare, for example. Boswell summed up a flexible attitude by telling Infosec that "if you can offer something that's flexible, you're going to attract people and be able to retain more people. The more rigid you are, the harder it's going to be for people to stay in a role, especially in these times; employees may need to take care of their families when they need to." This flexibility in working environments is a common theme in our post-pandemic world. Flexibility in work location was increasingly important in a Hackajob survey of tech employees, "The Great Disconnect." The survey found that 72% of technology workers see remote working as "an important perk."

4. Fit to the interests and knowledge of the diverse candidate

There is little point in recruiting a diverse candidate if you then try to fit a square peg into a round hole. Retention of talent is as important as recruitment. Make sure that you match the interests of the people you are targeting with the right role. Boswell told Infosec that KPMG recognizes that talent must be supported to stay. "Make sure that recruited individuals land in the right place in your organization. This does mean that you must spend more time ensuring that the new recruit is placed in the right area. This should not be a tick-box hiring approach. It is in the company's interests to place the new employee in an area that will continue to help them build their career."

5. Keep the dialogue going

Once onboard, it is important to maintain a dialogue with all employees. Individuals in the diversity community can be a great source of advice on how to recruit diverse teams: KPMG's talent management lifecycle builds this into their recruitment ethos. The team is asked questions such as "what was important to them when they joined the company." You can then use this information to better support that person on a day-to-day basis. 

In an Infosec article on diversity in cybersecurity, writer Rodika Tollefson wrote, "Diversity is especially important because cybersecurity in general, and risk management in particular, is a complex problem." Complex problems are well-suited to being viewed from different positions. A diverse cybersecurity team will have lasting benefits for the businesses that put the effort in to recruit these individuals.

 

Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.