Cyber talent diversity: It's time to redefine the face of security
A global phenomenon is happening, driven by the changes brought about by the Covid-19 pandemic. This phenomenon is 'The Great Resignation,' evidenced by data from the Bureau of Labor Statistics, which shows 4.5 million Americans voluntarily quit their jobs in 2021.
But, what does this mean for cybersecurity? Many of those individuals quitting their jobs were from the tech sector, including security. An already widening skills gap in tech is now a massive canyon. Before the pandemic, diversity was already on the agenda to help fill the security skills gap. Diversity is now imperative in the security industry to ensure that a company has enough resources to build a pool of talent and that this pool reflects the variety of needs of the business of security.
According to new data from Infosec Institute, over 90% of hiring managers struggle to fill open cyber roles. So, how does an organization go about creating an effective and achievable diversity policy to attract skilled security professionals?
Katie Boswell, Director of Cybersecurity at KPMG told Infosec about the importance and experience of hiring a diverse team.
ChatGPT training built for everyone
The importance of recruiting diverse teams in cybersecurity
Diversity is a word that is bandied about a lot, and rightly so, as human society comprises a diverse group of individuals. Diverse security teams need to reflect the true demographic of human society, not just to check the ESG (Environmental, Social, Governance) policy box, but because it works out well for the business.
This was evidenced in a recent Infosec Institute survey, which found that 80% of survey participants reported hiring success linked to the active recruitment of diverse candidates. This compares to just 55% of their less successful counterparts. The survey also found that the same hiring managers placed diverse candidates into cyber roles at a higher rate. This was seen as a trend across the board for women, BIPOC, neuro-diverse, and LGBTQ plus candidates. In other words, companies that reach out to a wider pool of diverse candidates were more likely to attract cyber talent.
Five key goals of diversity-focused hiring
If you fish in the same pool, you'll eat the same fish; diverse recruitment requires a diverse pool. A recruiter needs to reach out to find talent across the human spectrum. How you do this will undoubtedly change as you become more experienced in hiring diverse cyber teams. However, insight from those already doing diversity recruitment helps. Here are some key goals to recruiting and retaining diverse talent in your cybersecurity teams.
1. Be diverse in how you find diverse candidates
One of the issues in building a diverse team is knowing where to look. Developing a plan of action in meeting your diversity policy must include reaching out to the right place to find that diverse team. Shake up where you look for candidates, don't go to the same places repeatedly.
Boswell told Infosec, "I like that you have to hire a diverse team, and you have to do it often. To do this successfully, you must be deliberate about it. And if you are going to be deliberate about it, you should focus on places where diverse people are. If you're hiring from the same schools over and over again, then you're not going to be diverse."
2. Change your view of what makes a good candidate
Diverse people might not fit the traditional view of a good candidate. As a neurodiverse person, I tend to work better alone. The common idea that teamwork is best may be true in some circumstances, but not all. In cybersecurity, for example, working alone fits the remit of many roles. Checkboxes are easy to create but can 'box your candidates in' (or out). Interviewing is another area that can be difficult for neurodiverse people and other diverse candidates, in general.
The interview process may be off-putting for some candidates that would otherwise be perfect for the role. Remain open to options during the job ad creation, deciding who to interview, and the subsequent interview process. Boswell reiterated this fact: "job descriptions definitely need to be something that shows inclusivity." Recognize that not everyone fits the 'ideal interviewee/employee' tick box, and this flexible thinking should be part of a recruitment policy.
3. Be flexible in the job
Building a diverse team means being flexible across a range of topics. Take childcare, for example, Boswell summed up a flexible attitude by telling Infosec that "if you can offer something that's flexible, you're going to attract people and be able to retain more people. The more rigid you are, the harder it's going to be for people to stay in a role, especially in these times; employees may need to take care of their families when they need to." This flexibility in working environments is a common theme in our post-pandemic world. Flexibility in work location was increasingly important in a Hackajob survey of tech employees, "The Great Disconnect." The survey found that 72% of the technology workers see remote working as "an important perk."
4. Fit to the interests and knowledge of the diverse candidate
There is little point in recruiting a diverse candidate if you will fit a square into a round hole. Retention of talent is as important as recruitment. Make sure that you fit the interests of the people you are targeting with the right role. Boswell told Infosec that KPMG recognizes that talent must be supported to stay. "Make sure that recruited individuals land in the right place in your organization. This does mean that you must spend more time ensuring that the new recruit is placed in the right area. This should not be a tick-box hiring approach. It is in the companies interests to place the new employee in an area that will continue to help them build their career."
5. Keep the dialogue going
Once onboard, it is important to maintain a dialogue with all employees. Individuals in the diversity community can be a great source of advice on how to recruit diverse teams: KPMG's talent management lifecycle builds this into their recruitment ethos. The team is asked questions such as "what was important to them when they joined the company." You can then use this information to better support that person on a day-to-day basis.
Phishing simulations & training
Infosec article by writer Rodika Tollefson on diversity in cybersecurity wrote, "Diversity is especially important because cybersecurity in general, and risk management in particular, is a complex problem." Complex problems are well-suited to being viewed from different positions. A diverse cybersecurity team will have lasting benefits for the businesses that put the effort in to recruit these individuals.
Sources:
- Bureau of Labor Statistics, Bis.gov
- Neurodiversity as a Competitive Advantage, Harvard Business Review
- Why diversity of thought matters in cybersecurity, Infosec
- The Great Disconnect, Hackajob
- The Great Disconnect, Hackajob
- Women in cybersecurity: Building diversity, accessibility and stronger teams, Infosec
- How to create a more diverse cybersecurity workforce, Infosec