Critical thinking and problem-solving are considered vital attributes for the cybersecurity professional — so it’s time our industry applied those capabilities to connect the dots between the skills shortage and lack of diversity.
There’s no question that recruiting talent in sufficient numbers right now is a growing challenge — but it’s one that I believe a more inclusive talent pipeline would help to alleviate.
In its Cybersecurity Workforce Study 2021, industry body (ISC)2 found that 2.7 million information security jobs remain unfilled worldwide. While this number is down from 3.1 million in 2020, we’re a long way from where we need to be. In the face of increased digitization and a rising tide of attacks, the current cybersecurity workforce of 4.2 million people globally needs to grow 65% to keep up with the demand for its skills.
In other words, we’re going to need to draw from a wider talent pool to plug the gaps. But as researchers from Washington, D.C.-based think tank the Aspen Institute point out in their Diversity, Equity and Inclusion in Cybersecurity report, diversity efforts to date “have not addressed the overwhelming white-ness and male-ness of the cybersecurity field.” Estimates suggest that only 4% of U.S. cybersecurity workers self-identify as Hispanic, 9% as Black and 24% as women, the report noted.
It’s clear that our industry faces serious future risks if it doesn’t find ways to recruit new talent to fill the growing number of vacancies. But more than that, its current lack of diversity poses more immediate risks because company systems aren’t homogeneous, and neither are potential assailants.
The authors of The Business Value of a Diverse Infosec Team from the cybersecurity think tank Institute for Critical Infrastructure Technology make this point forcefully: “Homogeneous experiences and perspectives yield less success compared to problem-solving done by teams with varied backgrounds.”
Proactive cybersecurity strategies, by contrast, aggregate a multitude of perspectives, which brings the benefit of innovation, problem-solving and consensus-building.
Shifting the narrative
As the chief information security officer (CISO) at search-powered solutions company Elastic, I believe that individual information security leaders can do a great deal to shift the narrative, at least within their organizations. What this takes is a hefty dose of fresh thinking when it comes to recruitment.
The cybersecurity team I lead as an LGBTQIA+ female CISO includes people who represent the array of human nature when it comes to neurodiversity, sexual orientation, gender identity, race and age. The picture is just as varied when it comes to background, educational pathway and industry experience.
But let me be clear: Diversifying the cybersecurity talent pipeline is not just a numbers game for me. I’m not just focused on onboarding in sufficient numbers to run a fully staffed team. It’s also about improving the quality of that team and the work we perform.
Put simply, a more diverse cybersecurity team is a better cybersecurity team. In a multidisciplinary field like this, different perspectives are critical. When threats and tactics change around us daily, the diverse viewpoints on my team help counter complacency by bringing new thinking to situations. Our adversaries, after all, are continuously trying new tactics, finding new ways to bypass controls and identify vulnerabilities. My team’s different perspectives bring a more disruptive “hacker mindset” to our work in countering attacks.
Our industry’s overreliance on specialists with the “right” qualifications and educational backgrounds might actually be a weakness — a point of view reinforced for me by David Epstein’s 2019 book, “Range: Why Generalists Triumph in a Specialized World.” Epstein argues that generalists with wide-ranging interests are more creative, more agile and able to make connections that their more specialized peers can’t see, especially in complex and unpredictable fields — a description that is a good fit for cybersecurity.
The value of diverse thinking within my current team is evident in the ongoing data protection certification process that we perform for customers. For this key compliance process, diversity is our strength, because our team can quickly get beyond “the way things have always been done” and find better, more efficient and — critically — safer ways to meet changing compliance objectives.
Another example where I’ve seen a clear-cut advantage of diverse thinking is from my team’s approach to supporting our fully distributed workforce. Being a distributed company by design, with almost 80% of our employees working remotely, demands that my team think differently when it comes to data privacy and protection. Our constant innovation in supporting secure remote working meant we were already prepared in this area when the pandemic hit, while cybersecurity teams at other companies were still struggling to make the leap.
What matters most, of course, is transforming words into action. For me, it helps that I work for an organization that prioritizes inclusivity and acceptance for all employees in its Source Code.
This gives managers and employees alike a clear set of cues as to who we are as an organization and who we aspire to be, telling employees: “Just come as you are.” By creating an environment that is inclusive for all employees, through a commitment to equal pay, emphasis on internal hiring and prioritizing skills over location, we can hire and retain the best talent wherever they reside.
This year, our company's aspirational DEI goals include a 40% hiring rate target for women or non-binary individuals, with a 30% hiring rate target for technical roles -- globally. And for underrepresented groups, our hiring rate target in the U.S. is 35%, with 27% for technical roles.
With that backing, I’ve personally taken positive steps to ensure that Elastic increases diversity in its cybersecurity talent pipeline. So here are my pointers for other information security leaders:
Broaden the scope of qualifications. Look beyond traditional schooling and minimum career experience to see skills, qualifications, experiences and capabilities gained from shorter programs, online certificates, other jobs and participation in cybersecurity communities that support core foundational understanding of systems and their vulnerabilities.
Some of the most successful teams that I’ve built over the years have not only come from a variety of IT backgrounds, such as systems architecture, business analysis and project management but from outside of the IT discipline entirely. For example, I hired a former emergency medical technician who moved into healthcare fraud analysis before joining my team. Former lawyers have brought attention to detail. People with a marketing background have proved adept at tackling customer data privacy challenges with empathy, while those from the financial sector bring new thinking to compliance issues.
But what they all have in common, and what has made them strong additions to my infosec teams, is their curiosity, a willingness to question, and excitement to learn and try new things. These transferable experiences are just as important, if not more important, than specific skills.
Encourage underrepresented groups. Add language that explicitly states your interest in groups often left out of hiring pools, such as women, people of color and members of the LGBTQIA+ community. Job descriptions should make explicit that the company fosters a welcoming environment for everyone and encourages personal and professional development of its cybersecurity talent.
For example, I have recruited for an intern program recently immigrated individuals who do not have the standard security qualifications. Most of these recruits quickly moved into full-time roles and outperformed cybersecurity veterans. I have also taken steps to work more closely with local community colleges on sourcing graduates and with recruitment specialists who focus on supplying more diverse candidates for cybersecurity roles, such as CyberSN.
Make your hiring process accessible. Many would-be applicants are discouraged if the hiring process isn’t adapted for those with accessibility needs. We’ve worked to ensure that everything from our recruiting site to our internal digital properties and tools follows international guidelines and translates to a positive environment for all candidates and employees.
Anonymized hiring is an important part of this process. I regularly review resumes with the identifying information stripped to ensure that unconscious bias plays no part when we’re making judgments on job candidates.
Cybersecurity teams need people with diverse life experiences, education and skills, so our recruitment efforts need to reach a far wider audience. If they don’t, we risk overlooking talent and excluding viewpoints that could be instrumental in delivering on our mission as an industry. If we allow that to happen and continue instead to compete for the increasingly sparse talent that fits nicely with age-old biases, we’ll only have ourselves to blame.