All the figures indicate there is a stark gender divide across the global cybersecurity profession. In fact, women comprise just ten percent of the global information security workforce.
The industry’s failure to recruit from over half the available talent pool is not just a diversity issue, but a security issue. 75 percent of UK IT chiefs recently claimed there is a cybersecurity talent shortage, and almost a quarter of them believe this makes them an easier target for hackers. Attracting more women into the workforce would clearly lessen this shortfall. So why does the industry continue to recruit overwhelmingly from just half the population, and what can be done to widen the recruitment net?
Part of the reason is that the type of experience and education that cybersecurity recruiters seek forms an unintentional barrier to entry for women. Cybersecurity employers tend to build their job specs and recruitment criteria around seeking people who have experience or qualifications in Science, Technology, Engineering and Math (STEM), a field men are more likely to study and work in than women. Yet cybersecurity is increasingly diversifying beyond purely technical roles. As we enter a digital economy where every aspect of a business, from its staff to its customer data, is now ‘connected’, cybersecurity is becoming a multi-faceted profession that is required to drive change across every part of a company from the legal department to the boardroom.
At KPMG, we have altered our cybersecurity recruitment practices to reflect this and managed to radically diversify our workforce as a result. We have managed to achieve a near 50/50 gender split amongst new graduate hires to our cybersecurity division by recruiting just as many people with non-technical degrees. We look for three types of employees – the hard-core techies, the business management types and those who can translate between them. We found that the ideal ‘business manager’ and ‘translator’ candidates are often humanities or arts graduates, and a huge proportion of them are women.
Cyber is now more than hacking; which is why we can recruit from more diverse backgrounds. Managing business risk, known as Governance, Risk and Compliance, is becoming more central to cybersecurity. And the skills required for this area, such as building bridges between different departments and diffusing emotions, are soft skills that people from non-technical backgrounds often have in abundance. Indeed, a recent (ISC)2 study found that Governance, Risk and Compliance is one of the fastest-growing areas of cyber, with a higher proportion of women than men are in these roles.
These individuals may lack tech experience, but they can be quickly trained to grasp the basics; whereas it can be much harder to do it the other way around by quickly honing an individual’s ‘soft skills’. An effective cybersecurity division needs a balance of both.
Crucially, if you invest in training non-technical people, they are more likely to stay with your company for the long-haul; whereas ‘off-the-shelf’ technical whizzes can make a lot more money as freelance security consultants rather than dedicating their careers to one company. This is even clearer in a large consultancy, where you can see a clear path to career progression and opportunities to develop other skills such as project management, sales and business development.
Cybersecurity employers could easily diversify their workforce if they recruit for key attributes instead of specific degrees, understand that training ultimately pays off in better staff retention rates and that business skills are as important as technical expertise for the modern cybersecurity professional.
Lucy Chaplin is a manager at KPMG Financial Services Technology Risk Consulting and an (ISC)² member
Find your next job with computerworld UK jobs