Information security industry has to become more diverse, warns Chartered Institute of Information Security

The IT security industry is still failing to attract workers beyond a highly limited demographic, the Chartered Institute of Information Security (CIISec) has warned.

Unless it can embrace greater diversity – in gender, age, ethnicity, disabilities and experience – it will face a stagnating workforce, and be unable to keep up with a rapidly expanding skills gap.

According to the Enterprise Strategy Group, the number of organisations reporting a problematic shortage of cybersecurity skills has increased every year since 2015. At the same time, CIISec’s survey of information security professionals showed that 89 percent of respondents were male, and 89 percent were over 35; meaning the profession is still very much in the hands of older men. If the diversity issue isn’t addressed, then not only security, but future development of the cyber security industry itself, will suffer.

Many organisations point to the need to develop specialist security skills as a reason for reduced diversity, as employees need the right technical background. Yet the majority of IT security professionals – 65 percent – still believe that the best way to develop security skills is to learn on the job. At the same time, many individuals will have already developed the skills needed in security in other careers, from attention to detail and identifying unusual patterns of behaviour, to the communication skills needed to drive security awareness and behavioural change in others.

“The expectation that security is purely a technical subject has led to a focus only on very specific individuals to fulfil roles,” said Amanda Finch, CEO of the Chartered Institute of Information Security.

“Even if we weren’t in the middle of a skills crisis increased diversity should be a priority, but the present situation makes it critical. Expanding the industry’s horizons isn’t only essential to make sure the industry has the skills it needs. It will give a whole range of individuals the opportunity to thrive in a new career, and in the long term protect the industry from stagnation by introducing more varied backgrounds.”

As a broad industry, security has a position for every background, and multiple opportunities to apply already-existing skills. For instance, a librarian may be particularly adept at, and find satisfaction in, recalling and connecting information to ensure everything is in its correct place – essential in spotting evidence of a security breach. Other examples of transferable skills include:

• Tracking and managing multiple actions at once – parent returning to work
• Leading teams in stressful conditions – armed forces
• Demonstrating and explaining best practice clearly – teacher
• Teamwork and collaboration under pressure – hospitality staff
• Following best practice consistently while still being able to adapt – driver

As well as expanding its own horizons, the industry also needs to make a more diverse audience aware of the benefits a career in security can provide and encourage them to switch careers or begin a new path. The opportunities are clear. 86 percent of information security professionals say the industry will grow over the next three years and 13 percent say it will “boom”.

“If the industry starts to attract a more diverse range of people whilst spreading awareness of the opportunity available, we could be well on the way to truly modernising the industry,” continued Amanda Finch.

“Key to all this will be both organisations and individuals having a framework that can show exactly what skills are necessary to fulfil what roles. This will not only help hire the right people. It will also mean that it the routes to progress through an individual’s career are clearly marked, ensuring that individuals who enthusiastically join the industry don’t over time become jaded or burn out due to a lack of opportunity.”

Nicola Whiting – Chief Strategy Officer, Titania added:

“Our industry only has two key missions: creating new, innovative and beneficial solutions, and ensuring they are resilient to attack. Organisations that haven’t invested in diversity will have a tendency towards ‘group think’ – known to result in unchallenged and poor-quality decision making, with all its attendant risks. Most people would also agree that ‘to defeat an attacker, we must learn to think like an attacker’: and attackers are a diverse bunch. Therefore, for both innovation and defence, it’s essential that organisations look at diversity as a key metric for success.”

John Amer – Security Architect – BT, said:

“As the security industry continue to evolve, it’s absolutely critical that we attract people from different areas. A diverse workforce helps to bring a wide range of skills & perspectives, which is essential to address the range of opportunities and threats that an increasingly digital world provides. By actively raising awareness of careers in cyber security, and the types of roles & skills required, we can attract people from all backgrounds, age groups and experiences. This will be crucial to tackle the cyber skills gap and to enable organizations to meet the challenges of today and tomorrow.”