Are you thinking as diversely as your attackers?
Breaking down barriers, improving diversity, and being inclusive bring all kinds of benefits to the business. Research shows that there are commercial benefits too, with more diverse companies being more innovative and driving higher revenues [1]. Diversity can play a major role in transforming cybersecurity.
Cyber attackers don’t care how or by what mechanism they gain illicit access to your organisation and its systems and data – only that they do. It’s a pragmatic approach which isn’t constrained by corporate politics, HR regulations, hiring practices, certifications or even factors as simple as race, gender and appearance.
Your cybersecurity teams are tasked with defending your company against attackers who are simply the best in their field at their “job”. They weren’t “hired” based on their education, the university they went to or the company logos they might have on their CV or the number of certificates they have. Only that they are capable, innovative, and good at the “role”. Doesn’t it make sense that your cybersecurity teams reflect that approach too?
Diversity strengthens defense
There is a perception in cybersecurity that the industry remains overly male-dominated. According to the recent National Cyber Security Centre Decrypting Diversity report [2], in the UK, women comprise 36% of cybersecurity professionals, which is higher than the US for example, but it still leaves work to do.
There is also a general lack of diversity in UK cybersecurity, with groups such as Black (3%) and Asian (8%) cybersecurity professionals comprising low percentages of the industry [3].
Why does it matter? Because your attackers are constantly innovating, collaborating across different cultures and countries and always looking for new ways to infiltrate your security. They use diversity as a source of ideas and different approaches. Diversity in recruiting and seeking to find new talent with different ways of thinking can give you the problem-solving skills your current IT roster might lack.
Using diversity as a strategic defensive technique means you can bring together a broad range of different perspectives and experience which drive new ideas and solutions. Building your cybersecurity team based on a deep pool of skills and knowledge could prove to be a far more effective approach than building one only on certificates, schooling and rigid training. Do they even need to be from a cybersecurity background?
Prioritize across-the-board diversity
Diversity in cybersecurity doesn’t only mean focusing on different ethnic groups or genders. It also means recruiting from different social backgrounds in general, to draw on people’s different life experiences that they can apply to problem-solving. In the 2022 ClubCISO Information Security Maturity Report, 31% of CISO respondents stated that their best recruits were coming from apprentices (up from 18% in 2021). This is a clear demonstration of the widening of the applicant pool.
Neurodiversity is another key area that CISOs should be mindful of. Addressing skills gaps and strengthening your security team means bringing in different minds and perspectives, and that starts with embracing neurodiversity. Neurodiverse individuals often think outside the box and see things from different angles, which can be invaluable in spotting potential security vulnerabilities or malicious activities.
How do you go about it?
To start with, a change of mindset. Embrace the notion that diversity can and will give your IT teams a stronger approach to cybersecurity and a wider breadth of skills and thinking on which to draw. Next, your recruitment policies and practices. Advertise your cybersecurity jobs with inclusive wording.
But alongside that, your recruitment thinking needs to change too. You need to get rid of the traditional idea that cybersecurity talent must have prerequisite qualifications, certifications and experience to be considered for a role in your organisation. Notwithstanding that many industry certifications become outdated quite quickly simply because of the pace of change in the sector, they’re also often beyond the social or financial reach of potentially talented recruits. So, think about things like apprenticeship programs that could bring in talent who might not otherwise have access to these roles.
And ultimately, perhaps think a little more like your potential attackers do. Recruit your cybersecurity professionals based on their ability to do the job and what they bring to the team. Test your candidates at interview stage to try to identify unique problem-solving qualities and capabilities, rather than sticking to traditional competency-based testing, which can put talented individuals off.
Research by Harvard Business Review around cybersecurity in the US has found that in many enterprise organisations, unconscious biases are still present in hiring processes and often pull the wrong candidates into company recruiting funnels [4]. Things need to change. In the UK, it does seem that positive change is being achieved: the recent ClubCISO Security Maturity Report 2022 [5] found that 65% of CISOs are now recruiting from diverse backgrounds and investing in more homegrown talent and apprentices. This is progressive stuff.
A focus on diversity and hiring a wider breadth of experience and skills can change the make-up of your cybersecurity teams, make your defenses more robust, and make you more attractive as an employer. It could be a smart investment in today and tomorrow.
Author: Kevin Fielder, Chief Information Security Officer at FNZ and Advisory Board Member at ClubCISO
References:
[1] https://www.bcg.com/publications/2018/how-diverse-leadership-teams-boost-innovation
[2] https://www.ncsc.gov.uk/files/KPMG-and-the-NCSC-Decrypting-Diversity-2021-report.pdf
[3] https://www.ncsc.gov.uk/files/KPMG-and-the-NCSC-Decrypting-Diversity-2021-report.pdf
[4] https://hbr.org/2021/02/research-how-companies-committed-to-diverse-hiring-still-fail
[5] https://www.clubciso.org/clubciso-security-maturity-report-2022-full-results/