There’s a global skills shortage in cyber security and it’s getting worse. According to (ISC)2, the gap has now reached 3 million. But at the same time, in an age of increasing cyber-attacks, companies need a wide range of security skills on their teams.
It doesn’t have to be expensive: companies can make the simple change of diversifying their security team. If implemented optimally as part of a firm’s recruitment strategy, this brings more views to the table and increases the range of skills available.
But making this change can be a challenge, requiring IT leaders to overhaul their recruitment strategies to encourage diverse people to apply for jobs in the first place. So, how can this be done?
Diversity comes in many forms, including race, gender, sexual orientation, age, physical abilities and religious beliefs. Taking this into account, the first step is to recognise the benefits of each type of diversity.
For example, by embracing gender diversity, companies can benefit from the fact that women and men gauge risk differently, says Jane Frankland, author and managing director of Cyber Security Capital. “Typically, women are more risk averse and their natural, detailed exploration makes them more attuned to changing pattern behaviours – a skill that’s needed for correctly identifying threat actors and protecting environments.”
She points to a study performed by the US military, titled ‘Women in Battle: What Women Bring to the Fight’, which found that the collective intelligence of a group grows as the percentage of women increases.
Recruiting in the age of the cyber security skills gap: challenges to overcome
The cyber security skills gap is nothing new. So, what can be done to bridge it?
Joan Pepin, CISO at Auth0, is a transgender woman respected for her cyber security skills. She has worked for understanding companies but says there can be challenges. For example, she has experienced the same issues as women in technology, such as sexism in the workforce.
But in addition, she says: “It can be an issue for most trans people when they come out. I have learned to ignore, deflect and laugh at people who have a bad attitude.”
Once a trans employee has come out, a company’s support is key, says Pepin: ‘I do think it’s important that managers have a discussion about it, without the person there, so colleagues can ask questions. The manager should bring in an educator, rather than leaving the trans person to do that. Say, ‘this is the person’s new name; this is the person’s new pronoun – and we expect you to use these’.”
Neurodiversity in the workforce
Another, perhaps less obvious form of diversity that can benefit cyber security is neurodiversity – including those on the autistic spectrum and people with dyslexia and dyspraxia.
Among the benefits of employing neurodiverse people, says Michael O’Malley, VP of marketing at Radware: “Often those with atypical brains can quickly identify clues while sorting through large data sets. When you incorporate neurodiversity into the workforce, you begin to remove cognitive blind spots that have limited your team in the past.”
IASME CEO Dr Emma Philpott has experienced this first hand: IASME has recently hired 14 neurodiverse staff. “The ideas they are coming up with are amazing,” she says.
But there are also considerations when employing neurodiverse staff. “People like this find it hard to get settled into a new environment,” says Dr Philpott. However, she points out: “Once in, they tend to stay in the job and are very loyal to the company – they don’t like change. If you support them in their roles, you retain them.”
At the same time, neurodiverse people are often very good at one thing but might be weaker in other areas, says Dr Philpott. “One guy we employ is amazing at Linux, but he can’t write. Instead of being ok at lots of things, they are often amazing at some things and bad at others.”
Which UK cities are the most attractive to cyber specialists?
Crucial Academy’s Cyber Security City Ranking reveals the cities best placed to attract cyber talent
Nicola Whiting, who was diagnosed with autism aged 45, is COO at Titania, a company that employs multiple neurodiverse people. She says firms and technology leaders can encourage diverse candidates to apply for jobs by explicitly saying these applicants are welcome. She says: “Make it clear that the organisation will be supportive of any needs they might have and that you have a zero-tolerance attitude towards discrimination.”
In addition, Mike Spain, founder, Cyber Neurodiversity Group says firms should examine their company values. “Be an organisation that values different ways of thinking and provides the structure for all their employees to do what they do best. This will give you a huge competitive advantage.”
Meanwhile, says Dr Philpott. “Autistic people often don’t have the understanding of social assumptions. You have to be direct and plain. If you expect them to wear a suit, please tell them to wear one. When you say, ‘turn up at work at this time’, do you mean dead on time? Make the rules exact.”
It’s also important to educate the rest of your staff. “Awareness days for all can make a big difference in building knowledge and understanding that ultimately will impact culture,” says Spain. “But don’t single out individuals for unnecessary pressure – not everyone wants to be a role model or ‘openly’ neurodiverse.”
Diversity from the start
The benefits are clear, but to encourage a more diverse team, recruitment processes need to change. This includes the wording of job adverts, which can put some people off from applying.
Frankland advises hiring managers to ensure the language in job adverts isn’t biased. “There are some really good tools you can use to ensure it’s gender neutral, for example, Textio.”
Meanwhile, Frankland recommends reducing emphasis on qualifications, particularly degrees. In addition, she advises “improving recruitment practices by performing skills-based challenges, work sample tests, capability and aptitude assessments, and training people on the job like we did in the old days”.
Will blockchain solve the cyber security skills crisis?
There will be multiple long and short-term rewards for businesses that make the effort, but Stephen Jones, UK MD at SANS Institute warns it can be a long process: “When you need someone fast, such as a junior analyst, it’s hard because there is a skills shortage.”
Yet at the same time, some changes can be made straight away. Whiting says: “Good practice is often the same for all kinds of people – whatever their diversity type. It’s about listening to their feedback and looking honestly at your company culture and practices.”
She advises: “If you’re going to make an improvement – such as ‘quiet areas’ to benefit the noise sensitive – ask yourself, ‘are there others who would benefit too?’. Quite often, making accommodations for a diverse workforce make the environment better for everyone – yourself included.”
Written by Kate O’Flaherty
