THEDIVERSITYPROCESSFLOW
ETHNICMINORITIESINCYBER
APRIL2023
Incybersecurity,asinmostcomputerscience disciplines,weoftenstartwithaprocessflowdiagram,
ifthisthenthat,elsethisetc,sowecanestablishaprocess,predictoutcomes,and prepareforundesirableincidents.Inyourorganisationandmorespecifically,inyour cyberworkforce,whatisyourdiversityprocessflow?
Let’sstartatthebeginning.Aretherepeopleinyourteamfromanethnicminority background?Ifno,whyisthat?Ifyes,aretheyaminoritywithinyourteam?Ifyes,follow thepreviousanswertoournextquestion.Isitduetoyourrecruitmentprocesses,the languageyouuseexternallyandinternally,perceivedorliteralbarriersinyour organisation,education,alackofrolemodels,orsomethingelse?
Ifthisisthepointwhereyourprocessflowstruggles,becauseyouhaven’thonestly consideredthequestion,weimploreyoutoreadon
Whydoweneeddiversity?
Cyberthreatsknownoborders,attackscancomefromanywhereintheworld,andwith threatsontheriseandsophisticatedactorsdevelopingnewwaystocontrol,infiltrate, andexposeoursystems,coupledwithaskillsgapofover14,000peopleperyearand growing;ensuringwearesafetoliveandworkonlineisnosmallfeat.
Alackofethnicminoritiesincyberonlycompoundstheseissuesasprofessionalsand businessesalikemissoutonkeyinsights,experience,views,andcontributionsfrom peopleofcolourandthosefromethnicminoritybackgrounds Infact,companieswitha diverseworkforceare35%*morelikelytoexperiencegreaterfinancialreturnsthantheir respectivenon-diversecounterparts,and70%*morelikelytocapturemoremarkets.
*Forbes
Outsideofjobdescriptionsandjargon,someoftheterminologyweusewithincyberis problematic,black-listingvswhite-listing,black-hatsvswhite-hats,adividehasbeen establishedwherewhiteisgoodandblackisother.
Thiscreatesanimmediatebarrierforthosefromethnicminoritybackgrounds,inasector whereterminologyisn’tconsistentandcommunicationskillsareessential,weneedtotake stockofourownuseoflanguagearoundcyber.Blackvswhiteterminologyhasexistedfor centuriesandcontinuestofortifybarriers,usingthislanguageimmediatelynegatesa senseofbelongingforpeopleofcolour
Withoutaclearandconsistentapproachtoroles,titles,jargonandrequirementswecreate abarrier.If,forexample,Englishissomeone’ssecondlanguagehowdoweexpect someonetobeabletodecipherthese?
Ifwearetoreachunder-representedcommunities,weneedtobespeakinginlanguage thatappealstothem.Weneedtoexplainwhycyberisaflourishingsectortoworkin,and challengetheestablishedroutesoflawyer,doctor,etcinordertosucceed.Oneparticipant fromourSymposium,IrfanHemani,gaveakeynotetalktitled‘Whydon’tyoubeadoctor?’.
Herehespokeaboutthechallengeshefacedwhenpursuingacareerincyber,because hiscommunitydidn’tunderstandthebenefitsofthiscareerpath.Thisissomethingweare allresponsibleforchanging.Ifwecanconsistentlyandeloquentlycommunicate,with languagethatisinclusivetocommunitiesweneedtoreach,wecanbegintowelcome morediversityintocyber.
TheCouncilarecommittedtoinclusion,andthismeanseveryone Weensureweare inclusiveinourapproachtoourinternalcommunications,externalmarketing,online presence,virtualeventsandfacetofaceinteractions.Weuseaccessiblelanguage,to includeeveryoneintheconversation.Wecreateusefuldocumentssuchasthecyber securityglossaryavailableonourwebsite,tohelppeopleunderstandthelanguageofthe profession.
Education:LabyrinthsandLifelongLearning
createaverystressfulsituation.IfwearetoshoreuptheUKsdefences,weneeddiverse voicesandtalenttodoso,butanuncertainfuture,alabyrinthofqualifications,andavisa costinthethousands,candetergreattalentfromstudyingintheUK.
Therearealsoseveralbarriersaroundpassingsecurityclearancewithoutajoboffer,or withoutapplyingfromwithintheUK.Aswellastheprocessforapplyingforsome governmentrolestakingmonths,andrequiringUKresidency.
Whenwe’rerecruitingforcyberroles,weneedtobeconsciousofthesebarriers,weneedto lookathowwe’reencouragingoverseasapplicantsifwearetofillthe14,000-jobgapper yearinthesector.Alongsidethisweneedtolookathowwe’repromotingcybersecurity withinschools,beforereachinguniversitywhatistheperceptionofourindustry?
TheCouncilhavedevelopedacareerroutemaplookingatthe16specialismswithincyber whichcanbeusedbyschoolteachersandlecturerstoeducatetheirpupilsoncyber securitypathways.ThroughtheCouncil’soutreachanddiversitywork,wewillbecreating educationresourcesforallagesandbackgrounds,toensureyoungpeoplewithaninterest inproblemsolving,communicating,andcomputing,areencouragedtopursueacyber career;andthoseworkingwithinothersectorscanchangecareeranddevelopapassion forcybersecurity.
Perception:RecruitingandRolemodels
perceptionofcybersecurity?
Youdon’thavetolookmuchfurtherthanyourTVsubscriptionservicestobegintoseethe problems ShowslikeMrRobotdoafantasticjobofshowingwhatacyberskillsetcan achieve,buthowrepresentativeisthis?Withsomanyspecialismsoutsideofpenetration testingorethicalhacking,theperceptionisreinforcedagainandagainthatcyber= hacking,andit’sourjobtobustthismyth.Withanincreaseinsocialengineeringattacks, interpersonalskillslikecommunicationanddevelopingtrainingarejustasvitalascoding toprotectacompanyfromallangles,buttheseskillsarenotattheforefrontofour recruitmentdrive.
Instead,weseeafocusonpurelytechnicalskillsand‘redteam’mentality,andmuchless visibilityofthosecreatingsecuresystems,managingvulnerabilities,andleadingaudit andassurancepractices.ThismakesitincrediblydifficultforHRprofessionalstorecruitfor cyberroleswithoutspecialistknowledge,creatingunclearjobdescriptionsandmissing potentialtalentdueonlytotheirownlackofeducation Ifeverycompany,ineverysector, needsaninformationorcybersecurityprofessional,whichwe’dstronglyarguetheydo, whereareHRprofessionalsmeanttogotoacquiretheknowledgetheyneedfor recruitment?
Allowancesmustbemadeforthosethatrequirelongerblocks ofannualleavetovisittheirhomecountry,thosethatrequire thesameamountoftimetocelebrateEidasothersdoto celebrateChristmas,thosethataretechnicallybrilliant withouthavingEnglishastheirfirstlanguage,therearemany waystocreateaninclusiveculture
Considerationmustbetakenwhenwerecruit,whenwetrain, andwhenweretain,soacultureofdiversityisdeveloped withinacompany,notjustatthefrontdoor.Diversityatevery levelmeansempoweringstafftoapplyforpromotions,totake onlargertasks,totrainothersanddevelopthemselves,so theycansecuretheirseatintheboardroom.
Thereisnodoorthatsays‘welcometothecybersector’for newcomers.Peoplefindtheirwayinthroughbackdoorsand sidedoors,andweneedtodobetter.
AsaCouncilwearemappingnotonlythespecialismsthat exist,buttheentryroutesintothosespecialisms,the certifications,qualifications,andaccreditationsthatunderpin them,andprovidingaframeworkforcyberprofessionals, hiringmanagers,andthosewithnobackgroundincyberto getintoathriving,rewarding,andgrowingsector.Butwecan’t dothisalone.
Weneedyourhelp
Tobreakdownbarriersweareworkingwithindustry,academia,careerchangers,cyber veterans,andpeoplefromallages,backgrounds,andspecialismstomakesureweget thisright Wearesupportingcandidatestounderstandthelandscape Wewillprovide recruitmentsupportfromcreatingtherightCV,tointerviewingsuccessfully
Weaimtohighlightcandidate’sexperiencewhetherpaidorunpaid,andeducation whetherformalorinformal,tomakesurepeoplefromallbackgroundsgetintotheroom Andforthosealreadythere,we’reworkingwithindustrytomakesurehiringpanelsare representative,thattheirlanguageisinclusive,thatbarriersareremoved,andthathiring managersunderstandwhattheyarerecruitingfor.Meaningtheycansecureandretain professionalswhoexcelintheirrole.
Weneedeverypersonreadingthispapertotakeupthechallengeofincreasingdiversity withincyber,tolookattheirownrecruitmentprocesses,tospeaktotheirteams,toshift theperceptionofcyber,championtheircolleaguesandrolemodels,toworkwiththe Counciltodemystifythesector.
Weneedeveryreadertoeducatethemselvesontheframeworksalreadyinplace,and tolookaroundtheroom,everyroom,andaskthemselves'Isthisgoodenough?','Have weachievedthediversitywesetouttoachieve?'Andiftheanswerisyes,let’swork togetherandbuildonthatbestpractice,tosupportotherorganisationstodothesame. Iftheanswerisno,wehopewehaveprovidedsomeinitialguidanceonstepsyoucan take,nowandinthefuture.
Wehopeyouwillbeapartoftheconversation andwillsupportourmissiontoincreasediverse voiceswithincyberandcomeonthejourneytoa placewherewecanallseethosefromethnic minoritybackgroundsflourishwithinoursector. We’llseeyouthere.
