THE EQUALITY ROADMAP ELEVATING WOMEN IN CYBER JUNE 2023
To celebrate International Women's Day in 2023, we held our Elevating Women in Cyber Symposium.
This paper is a culmination of the talks, workshops, and discussions that took place around the topic of encouraging more women to join and remain in the cyber security sector.
Contents
Introduction
Our Diversity Problem
So what?
Elevating Women in Cyber
Progress?
Barriers to recruitment
A lack of female candidates?
Lack of visible routes
Lingering stereotypes
The importance of role models
Recommendations
Recommendation 1: Expand the recruitment pool
Recommendation 2: Use formal job postings for recruitment
Recommendation 3: Involve HR when recruiting
Recommendation 4: Put more focus on non-technical skills
Recommendation 5: Collaboration between big and small businesses
Recommendation 6: Focus marketing on a diverse workforce
Recommendation 7: Promote role models and case studies
Our Diversity Problem
The DCMS/Ipsos MORI 2021 report into Cyber Security Skills in the UK Labour Market found that the ‘cyber sector workforce continues to lack diversity relative to the rest of the digital sectors’, and that ‘relatively few cyber firms have adapted their recruitment processes or carried out any specific activities to encourage applications from diverse groups’.
Included in this, of course, is gender diversity. The cyber sector remains relatively non-diverse in terms of gender; just 22% of the workforce across cyber firms is female, compared to 28% in other UK digital sectors and 48% of the total UK workforce.
Just 13% of those occupying senior cyber roles are female.
When looking at the experiences of people in the sector, 37% of women report experiencing barriers in their careers related to diversity and inclusion (compared to 18% of men). 19% of women working in cyber experienced a ‘gender-based incident’, as opposed to just 1% of males.
NCSC/KPMG found that a significantly higher proportion of women (7%) than men (2%) were considering leaving the sector altogether. The same report found that among cyber firms there was a low awareness of gender diversity as an issue which should be tackled. Indeed, some employers admitted to never having considered the issue.
So what?
But why does this matter? Why should it matter that there are more men than others working in cyber? Is it simply about positive optics for our companies and our sector, or is it about something else?
In 2023 we sit on a wealth of evidence that shows the impact that diversified workforces have. Research has shown that the most gender-diverse businesses are likely to have higher financial returns than those who scored more poorly on diversity metrics.
A more diverse workforce fosters increases in productivity, creativity and innovation – all vital in our fast-paced and ever-changing sector, especially at a time when those threatening our cyber security are themselves becoming more diverse.
It matters because, on top of the kind of sector we want to be and our place in creating a fairer society, diversity brings with it different experiences, perspectives, ideas, attitudes and innovation. A study conducted in 2015 found that groups made up of a diverse range of individuals tend to outperform expert groups that consist of individuals from a single cultural, ethnic or gender group.
As Dr. Claudia Natanson, the chair of the UK Cyber Security Council has said, “a less diverse workforce can stifle innovation and can lead to intrinsic biases within organisations, which cyber criminals can – and will – take full advantage of.”
Improving diversity in cyber security is not something that needs to be done for its own sake. Diversity is not something that should be achieved because it looks good for our companies and our industry. Rather, it should be desired because it is a critical business need, especially for our profession.
In short, a more diverse cyber security workforce means better cyber security.
Elevating Women in Cyber
benefit from role models and case studies of those who have succeeded before them in pushing the boundaries of what can and should be achieved.
At present, cyber security remains – in the words of Lindy Cameron, CEO of NCSC – ‘a very male profession’. But with the right actions, policies and attitudes, alongside an accompanying sense of community and solidarity that events like the symposium can engender, we can, together, change things for the better.
Progress?
This paper seeks to build on the progress that is already being made, not to deny its existence. Progress is already being made, both in attitudes to diversity and to cyber security in general.
Post-COVID, many in the private sector have changed their attitudes towards cyber security and its importance to businesses. According to a report by PWC, nearly all businesses surveyed (96%) have shifted their cyber strategy due to the pandemic, with 50% of UK organisations agreeing that ‘cyber security will now be baked into every business decision’.
This presents an opportunity for a change in the way things have been done and in the attitudes that have previously predominated in the sector. As more focus is put on cyber security and more acknowledgement of the fact that it needs to be taken seriously, we can build in the fact that more diversity is needed in order to succeed.
while building on extracurricular activities such as the CyberFirst Girls Competition.
Organisations like Women in Cybersecurity run alongside schemes like Black Codher in helping to empower and enable more women to enter our industry, giving the skills, knowledge and confidence to do so. While some businesses admitted to never having considered gender diversity, some are making big changes. 39% of cyber firms who tried to recruit in the year after January 2020 say they made changes to recruit more women.
Big business is leading on this: KPMG run a Women in Cyber community, enabling women to feel part of something collective, where they can seek support and advice; Deloitte run their Global Women in Cyber network, which aims to ‘promote gender diversity in the cyber security industry by inspiring others, developing our people and building a community’; BAE Systems have developed the Women in Cyber group, committed to ‘improving the proportion of females within the wider industry’ by working with schools and universities; while the Tech Talent Charter commits organisations to improving diversity and inclusion measures at a corporate level.
However, improving our cultures and practices will not be enough if limited to big businesses. DCMS/KPMG found in 2022 that if the two largest cyber businesses were removed from their sample the proportion of females in the workforce falls from 22% to 17%.
Statistics show that 82% of UK firms offering cyber security services are classed as ‘micro’ businesses – that is, firms with between 1-9 employees. This highlights the need for change across all segments of our sector, from the smallest businesses to the largest.
Barriers to recruitment
A lack of female candidates?
It was reported that where recruitment was put out into a formal application process it was done as a fall-back option, used only when networks and personal recommendations failed to find someone suitable.
Where job postings were made public it was found that job descriptions were ‘widely regarded to be unrealistic in terms of their requirements’. Recruitment agents outside of the sector reported feeling hiring managers did not understand the labour market and the recruitment pool available.
This would lead to unrealistic and impossible sets of criteria, with candidates unable to meet the demands for jobs which, in reality, encompassed ‘2 or 3’ different jobs. It was felt that this would negatively affect workplace diversity, and lead to potential candidates becoming disillusioned, put off from applying and deflated about their chances of finding work in cyber roles. It is common knowledge that men are more likely than women to apply for jobs even where they do not meet all the criteria listed.
In cases where job adverts were made more accessible to diverse candidates the request often came from HR rather than the hiring managers. This was when HR was consulted, which is not always the case.
Moreover, as listed above, given the size of most cyber firms, it is likely that many will not even have a HR department capable of introducing measures to increase diversity and inclusion.
Given this, despite employers claiming a lack of applications from women, it is likely their recruitment practices possess an element of unconscious bias that is putting women off from applying and harming diversity.
Lack of visible routes
While employers might be unaware about the backgrounds of potential cyber applicants there is an accompanying lack of awareness about the opportunities and routes that one can take into the cyber profession, especially for those who come from a non-cyber/non-STEM background.
At a time when more males than females still study STEM subjects (with some suggesting barriers for females begin as early as primary school) it is imperative that the cyber industry highlights the different ways to break into a career in cyber security.
The UK Cyber Security Council is working to rectify this and has recently relaunched our Cyber Career Framework, which, alongside our Certification Framework and Career Mapping Tool, will help both individuals and employers learn more about pathways into cyber.
The Council’s programmes of chartership will also enable those seeking a career in the sector to identify a method by which they can qualify and practice, simplifying the journey into the industry.
The Council will continue to build on this work, and by doing so can change the view of what a typical cyber professional looks like and where they have come from.
Lingering stereotypes
being made in terms of gender equality. What does cyber look like to you? For many, the word conjures up images of male hackers in hoodies, typing away furiously while sat in a basement. On the opposite side, a group of men in suits, looking at screens in the ‘war room’. While these may be crude and comic characterisations, stereotypes do matter, because they affect how we feel instinctively about, in this instance, what a cyber person looks like.
The continuation of these stereotypes betrays the narrative that cyber can be something different. Cyber is a fast-paced, exciting and vital industry where real differences can be made. There aren’t many sectors that can match it in terms of what it can offer.
One method by which gender stereotypes reproduce themselves is through non-inclusive language and terminology, as well as marketing imagery and materials. By changing the way cyber security is promoted, to be more inclusive and diverse, we can break down the stereotypes around our industry and what a cyber security professional looks like.
The importance of role models
Measures to increase the accessibility of job postings, improve recruitment practices, and even breaking stereotypes around cyber are all possible, and they all interlink and overlap, having an effect on each other. And yet there are other things that can be done to encourage and inspire more women to seek a career in cyber.
Attendees at the symposium were asked for their opinions on what they would like to have seen, and what would be beneficial for those seeking to enter the industry. One theme that came up time and time again was the importance of role models and mentors.
Recommendations
This paper has looked at some issues regarding the attraction, recruitment and retainment of women in cyber security roles, and from it we recommend a number of measures that can be put in place in order to ensure that progress is being made.
To see these recommendations succeed will require both collaboration and individual work from a number of parties: government, the Council, employers, recruitment bodies, industry representatives, academia, outreach programmes, and individuals.
Recommendation 1: Expand the recruitment pool
Employers need to look beyond those with cyber and STEM backgrounds to include those from ‘non-cyber’ backgrounds in their recruitment process. Over 80% of those in cyber roles outside of the cyber sector have transitioned from roles in other parts of the business. It is imperative that these should not be excluded from job applications simply because they might not have a cyber-related degree.
Recommendation 2: Use formal job postings for recruitment
It has been noted elsewhere in this paper that formal and open public recruitment drives are often used as a fall-back option for cyber roles, to be used when networks and word-of-mouth recommendations do not provide suitable candidates. This has a negative effect on diversity as, in a male-heavy industry, word-of-mouth recommendations and networks are likely to be predominantly male, especially when it comes to recruiting for senior roles.
Recommendation 3: Involve HR when recruiting
Where public job postings were used DCMS/KPMG found that there were aspects of job descriptions that had negative implications for diversity, from unrealistic person specification criteria to unreasonable demands of the job. Recruitment agencies and HR departments should work with hiring managers to ensure their job postings are gender-neutral and accessible to all.
Recommendation 4: Put more focus on non-technical skills
Organisations are starting to realise that non-technical skills are fundamental.
PWC found that new hires are expected to possess more than just technical knowledge. While security intelligence (46%) and the ability to work with cloud solutions (40%) are cited as the most important skills for new employees, this was closely followed by communication (38%), project management (38%) and analytical skills (37%).
If so-called softer skills are given a more prominent position in job vacancy adverts, and given equal weighting with more technical skills, there is every chance this will persuade a more diverse cohort of applicants.
Recommendation 5: Collaboration between big and small businesses
Big business is leading in terms of promoting and empowering women in cyber security. However, the fact remains that the majority of cyber companies in the UK are small or micro businesses, without the resources, time or money to put into a drive to recruit more women into the sector. Big businesses should work with smaller businesses to share resources and best practice when it comes to attracting and retaining women in cyber roles.
Recommendation 6: Focus marketing on a diverse workforce
Stereotypes persist around what cyber is and who works in it. To counter the image of the boys club that still haunts perceptions of cyber security, marketing and imagery should be focussed on inclusive images, where people from different backgrounds can see themselves as being part of our sector and can feel empowered to pursue a career in cyber security.
The Lifelong Learning Entitlement, scheduled to come in 2025, will allow many more people to train in cyber-focused courses. Changing the image of who cyber security is for before then is vital for us to seize the opportunity that the LLE can provide to attract more women into the profession.
Recommendation 7: Promote role models and case studies
Research has shown time and again that people are attracted to roles in which they can see themselves. A study from 2019 found that early exposure to cyber security professionals that females can relate to could increase female interest in the industry. Indeed, some have even asserted that the lack of female role models is the primary reason for the gender gap in our profession.
Important work is being done and progress is being made, but more can be done, more can be written, more people can be showcased, more stories can be told.