Talent growth and retention will be one of the key topics at Noord Infosec Dialogue Nordics and Noord Infosec Dialogue Belux. According to Kay Formanek, CEO and Founder of Kay Diversity & Performance, diversity in the workforce has a direct and measurable impact on the efficiency of decision-making. Read part one of her research below.
“I was speaking last week to the CIO of an international company that had been the target of an intense cyberattack and was still trying to recover 3-weeks after the event.
The company had spent significant capital on protecting itself against such an attack, and yet when the attack came, it was crippled. A due diligence of the event highlighted that the cyberattack protection strategy was doomed by “group think”. Yes, the largest issue at stake was a lack of diversity of talent to richly evaluate cyber risks, to prioritise these risks, to develop a model to minimise the risk and when attacked, to respond rapidly with agility and effectiveness to the security breach. At the heart of the conclusion was that the organisation had fielded a team of security specialists who were so extremely homogeneous that they all looked and quantified risk through the same lens. Voices on the outer side of the group were minimised and sometimes even ostracised for raising alternative approaches.
I have held through my research and writings that the digital revolution provides THE platform for deliberately seeking out diversity of talent, in every single aspect of the digital revolution, and in this case, in response to needing to tackle cybersecurity.
All the key CIO surveys for 2017 (ref.1) confirmed that cybersecurity was now staunchly on the list of Top 10 priorities of CIO’s and in many lists, topping the list of priorities. CIO’s feel overwhelmed by the proliferation of attacks and attack vectors. They feel confused by the array of vendor security solutions and they face a crippling shortage of security experts. Really? Or is this about a crippling unconscious bias in the sourcing and retaining of talent in the cybersecurity market that closes the door on talent that could make the difference? And this results in a lack of women in security roles, lack of generational diversity (specifically young talent) and talent specialisation that ignores potential roles outside of the normal security specialists.
My research confirms that both factors are at play. Yes, there is a critical shortage of security specialists AND a deep unconscious bias results in diversity of talent not being considered for security jobs or actively pushed out by a hostile environment.
Let me share the facts about the growing cybersecurity threats and the lack of diversity in cybersecurity talent. Finally let’s look at what can be done now and mid-term to address this imbalance.
Growing Cybersecurity Threats
Experts predict that cybercrime will result in a global cost of $6 trillion by 2021 (Ref 2). Fifteen years ago, the models for securing IT systems were simple and classic: secure your IT systems at the perimeter. The exponential growth of cloud technologies and data volumes makes it increasingly difficult to protect against the onslaught of hackers, state-sponsored attacks and inside jobs. By way of the growth in Internet of Things (IOT) there are also a growing number of entry points from which hackers can attack.
As it has now become clear, the classical approach no longer works. Cybersecurity can also not be an afterthought. And every company needs to muster up the diversity of talent to build and integrate security tactics and defences and recovery at the heart of the organisation in a creative and responsive manner.
The Shortage of Cybersecurity Professionals
Increased cyber threats lead to increased demand for security professionals. But supply simply can’t keep up, not if decision makers doggedly fish from the same talent pond, unwitting and unknowing about the risks that will arise by having homogeneous talent pool. Global spend on cybersecurity is expected to reach $1 trillion over the next four years, yet by just 2019, experts foresee a cybersecurity skills shortage to the tune of 1.5 million unfilled jobs. (Ref 3)
Diversity in Cybersecurity
My research, complimented by a plethora of other commissioned research, reveals that a root cause of the cybersecurity talent shortage is a lack of diversity. Discrimination – even if it’s unconscious and implicit bias – ignores relevant talent or pushes out the talent or poorly uses the talent.
A recent study found that only 11% of security professionals are women, a figure that has remained stagnant over the last 3-5 years. Ethnic minorities are also severely underrepresented, at just 12% of the workforce. (Ref 4)
In the UK, only 12% of the cybersecurity workforce is under the age of 35 years and when one compares this to the percentage involvement in other roles, this is difficult to comprehend. Even more concerning are the research conclusions from the Center for Cyber Safety and Education. Only 6% of UK Companies were willing to hire talent for cybersecurity jobs from university and/or school and train the talent for security roles. The report claimed that employers are “closing the door on millennials”, refusing to hire and train inexperienced recruits. (Ref 5)
Focus on Women in Cybersecurity: Challenges
Gender diversity in cybersecurity is also severely lacking. The Global Information Security Workforce Study (GISWS), conducted every two years by the Center for Cyber Safety and Education and (ISC)2, concludes that the lack of gender diversity in cybersecurity is at critical levels. The latest worldwide study was conducted from June 22 through September 11, 2016. This online survey gauged the opinions of 19,641 information security professionals from 170 countries regarding trends and issues affecting their profession and careers. The key findings included:
- Women are globally underrepresented in the cybersecurity profession at 11%, much lower than the representation of women in the overall global workforce.
- 51% of women report various forms of discrimination in the cybersecurity workforce
- In 2016 women in cybersecurity earned less than men at every level.
A Burning Platform for the Industry: Actively, Consciously Hire Diversity of Talent to Minimize Cybersecurity Threats!
The threat of cyberattacks is no longer a distant possibility. It is a daily reality and the targets of cyberattacks are nations, global corporations, small-medium enterprises (SME’s) and every individual. To deal with this reality we need to change our lens on our talent pool. We need to view this pool as being larger than we had originally defined the pool and more diverse (and certainly not a homogeneous pool of talent). This newly framed pool of talent will comprise talent with rich nuances in approach, different insights, new specialisations, different perspectives and different generational frameworks. This is not only about creating a larger pool of talent but the ability to muster the right talent to develop rich responses to the increasing threat of cybersecurity attacks.
In Part 2 of this publication, under the title “Realising Diversity in Your Cybersecurity Talent”, I will explore the practical steps that companies can take to develop a diversity talent strategy for cybersecurity and the steps they need to take to not only attract the right talent but to foster that talent within their organisations through the right leadership, the right processes and protocols and the right metrics.”
Ref 1: Gartner 2017 CIO Survey; NASCIO 2017 CIO Priorities; OracleVoice 2017;
Ref 2: 2016 Cybercrime Report, Steven Morgen (Editor)
Ref 3: Frost & Sullivan and (ISC)2
Ref 4: Frost & Sullivan and (ISC)2
Ref 5: Economia; Millennials needed to full cyber security workforce gap; Jessica Fino; Feb 2017
Written by: Kay Formanek – CEO and Founder KAY Diversity and Performance | Visiting Lecturer to Business Schools: Digital Leadership, Engagement and Diversity; Speaker, Author and Coach / Aberkyn Lead: Inclusive Diversity Transforming Organisations | Vice Chair: HealthNet NGO
NOORD INFOSEC DIALOGUE NORDICS: Following on from the success of providing a unique platform for CISO’s in the in the UK and BENELUX region to share practical take-aways, benchmark and network with likeminded peers and meet with selected solution partners, the Noord Group brings to you a strategic information security event catering specifically to the needs of the Nordic market. Find out more at www.noordgroup.co.uk/infosecnordics.
NOORD INFOSEC DIALOGUE BELUX: For the first time the Noord InfoSec Dialogue has been researched and developed for information security leaders in Belgium and Luxembourg. By invitation-only, this premium two-day intensive event hosts modern experts and thought leaders all coming to together with the sole purpose of understanding and being prepared for a common adversary. Find out more at www.noordgroup.co.uk/infosecbelux.