Accidental exclusion exacerbating cyber's staffing problem
Many people who would excel in cybersecurity roles see no obvious way in, and those who do make it get stuck in entry-level positions
Cyber skills are at a premium. At the same time, more and more organisations are understanding the wisdom of building a diverse security workforce to better reflect the world outside.
In theory, this could be a virtuous circle: recruiting from non-traditional cohorts should help bridge the yawning skills gap while diversifying the workforce and strengthening defences, but as we have reported several times recently, this is not as easy as it should be.
First, people who have not come up through the traditional computer science and security certifications route are frequently unaware of the opportunities. This is at last being addressed in schools by initiatives such as Cyber Explorers, but there is still a way to go before cybersecurity becomes a career destination rather than a sideline.
There's also the lingering perception, among management as well as potential recruits, that cybersecurity is a hardcore computing and technical discipline, whereas nowadays it's a much broader field than that.
Then there's a matter of company culture, and indeed the culture of cybersecurity. Bristling with militaristic imagery, the language of security can be off-putting to many of those who might actually excel in the field.
The answer is often to insist that recruiters cast their net wider, said Clare Patterson, CyberCompare advisory board member. On a panel session at Computing's Cybersecurity Festival this week, she spoke about her experience as CIO of Shell. On one occasion, all new security hires were men, drawing criticism from the board and necessitating another hiring round.
"We did get the candidates. They existed - I don't know where they were hidden before. But I do think it is about pushing people under pressure to do it."
It's not all about reaching out. It can be about reaching sideways. The skills desperately sought by organisations could already be within their walls.
"People who have worked in compliance and fraud or things like that could easily migrate into cybersecurity," advised Andrew Vautier, CISO at Accenture.
Accidental exclusion
The lack of diversity in cyber teams is "partially our own fault," said John Stenton, head of IT at Thrive Homes. The trickle of applicants who do not fit the standard profile is down to the lack of an obvious way in, and more attention needs to be paid to signposting.
"Diversity makes us stronger," he said. "We should say welcome, come and join us at the grass-roots level. But there's a pipeline problem."
Retention and burnout can be another challenge, particularly at the start of people's cyber careers, where disillusion can quickly set in.
"You get people that joined cyber because it kind of sounded cool, and they get stuck in a SOC doing 24/7 support. They don't enjoy that and they leave," said Vautier.
This exacerbates the challenge of building a more diverse team, because a career ladder out of such entry-level roles is usually less clear for those who did not arrive via the traditional routes.
The remedy is concerted action by management, said Patterson. But since everyone is desperate to hire, "it's hard to remember to think about support for diversity and inclusion. It falls down the to-do list."
A wider range of paths both to and through cyber careers is required. Greater diversity in cyber roles and the employees that fill them will help in time, no doubt. But in an area as crucial as cybersecurity, many organisations still cling to the comfort blanket of traditional frameworks.
Diversity should not be a box-ticking exercise in cyber or anywhere else - it's vital to get the right people into the right positions - but a lack of formal criteria covering entry sideways moves from for example tends to favour the status quo.
Organisations need to be bold and look at the person not the qualification, said Joseph Da Silva, CISO at RS Group.
"We accidentally exclude a lot of people because you don't need a degree in computer science to be in cyber. You don't need a degree at all. But we're closing our doors to those who have not been to university and who are not interested in computer science.
"I'd love to have more psychology students, sociology students, political science students, because all that is embedded in what we do."