Critical thinking and problem-solving are important attributes for a cybersecurity professional, so it is time to apply those skills to connect the dots between the skills shortage and lack of diversity.
There is no question that recruiting talent in sufficient numbers is a challenge, but it is one that I believe a more inclusive talent pipeline would help to alleviate.
According to the Cybersecurity Workforce Study, there are over two million unfilled information security jobs. We are still far from where we need to be, despite the fact that this number is down from 2020. In the face of increased digitization and a rising tide of attacks, the current cybersecurity workforce of 4.2 million people globally needs to grow by 65% to keep up with the demand for its skills.
We need to draw from a wider talent pool to plug the gaps. The researchers from Washington, D.C.-based think tank the Aspen Institute said that diversity efforts to date have not addressed the overwhelming white-ness and male-ness of the cybersecurity field. Estimates show that only 4% of U.S. cybersecurity workers self-identify as Hispanic, 9% as Black and 24% as women.
Our industry faces serious future risks if it doesn't find ways to recruit new talent to fill vacancies. The current lack of diversity poses more immediate risks, because company systems aren't homogeneous and neither are potential attackers.
The authors of The Business Value of a Diverse Infosec Team from the Institute for Critical Infrastructure Technology made a point about how different experiences and perspectives can make a difference in problem-solving.
Proactive cybersecurity strategies aggregate a lot of perspectives, which brings benefit to innovation, problem-solving and consensus-building.
The narrative is being shifted.
As the chief information security officer at Elastic, I believe that information security leaders can do a lot to shift the narrative within their organizations. This requires a lot of fresh thinking when it comes to recruitment.
The team I lead as a female CISO includes people who represent a wide range of human diversity, including sexual orientation, gender identity, race and age. Background, educational pathway and industry experience are just as varied.
Diversifying the cybersecurity talent pool is more than just a numbers game for me. I run a fully staffed team and I am not just focused on the number of people. It is also about improving the work we do.
A more diverse cybersecurity team is a better team. Different perspectives are important in a multidisciplinary field. When threats and tactics change daily, the diverse viewpoints on my team help counter complacency by bringing new thinking to situations. Our adversaries are constantly trying new ways to get around controls and identify vulnerabilities. Our work countering attacks is more disruptive to those adversaries because of the different perspectives on my team.
The point of view reinforced by David Epstein in his book, "Range: Why Generalists Triumph in a Specialized World," is that our industry's overreliance on specialists with the "right" qualifications and educational background might actually be a weakness. Generalists with wide-ranging interests are more creative, more flexible and able to make connections that their more specialized peers can't see, which makes them a good fit for cybersecurity.
The value of diverse thinking within my current team is evident in the ongoing data protection certification process that we perform for customers. Our team can quickly get beyond the way things have always been done and find better, more efficient and safer ways to meet changing compliance objectives.
I have seen a clear-cut advantage of diverse thinking in my team's approach to supporting our fully distributed workforce. Being a distributed company by design, with almost 80% of our employees working remotely, demands that my team think differently when it comes to data privacy and protection. Our constant innovation in supporting secure remote working meant we were already prepared in this area when the pandemic hit, while other companies were still struggling to make the leap.
Taking action.
Transforming words into action is what matters most. I work for an organization that values inclusivity and acceptance for all of its employees.
This gives managers and employees a clear set of cues as to who we are as an organization and who we aspire to be, telling employees: "Just come as you are." We can hire and retain the best talent wherever they reside by creating an environment that is inclusive for all employees, through a commitment to equal pay, emphasis on internal hiring and priority skills over location.
Our company has a 40% hiring rate target for women or non-binary individuals, with a 30% hiring rate target for technical roles globally. The hiring rate target for underrepresented groups in the U.S. is 34%.
I have personally taken steps to ensure that Elastic increases diversity in its talent pool. Here are some pointers for other information security leaders.
The scope of qualifications should be expanded. Skills, qualifications, experiences and capabilities gained from shorter programs, online certificates, other jobs and participation in cybersecurity communities, all of which support a core foundational understanding of systems and their vulnerabilities, should be recognized beyond traditional schooling and minimum career experience. Some of the most successful teams that I have built over the years have drawn from a variety of IT disciplines, such as systems architecture, business analysis and project management. I hired a former emergency medical technician to join my team. Former lawyers have brought attention to detail. People with a marketing background are good at tackling customer data privacy challenges with compassion, while those from the financial sector are good at compliance issues.
What makes them strong additions to my infosec teams is their curiosity, willingness to question, and excitement to learn and try new things. These experiences are just as important as skills.
Encourage applications from underrepresented groups. Women, people of color, and members of the LGBTQIA+ community are often left out of hiring pools. Job descriptions should state that the company fosters a welcoming environment for everyone and encourages the personal and professional development of its cybersecurity talent.
I have recently recruited people who do not have the standard security qualifications into an internship. Most of the recruits moved into full-time roles quickly. I have taken steps to work more closely with local community colleges and with recruitment specialists who focus on supplying more diverse candidates for cybersecurity roles.
Make your hiring process accessible and easy to understand. If the hiring process isn't adapted for those with accessibility needs, many would-be applicants are discouraged. We have worked to make sure that everything from our recruiting site to our internal digital properties and tools follows international accessibility guidelines and translates into a positive environment for all candidates and employees.
Anonymized hiring is a part of the process. I make sure that unconscious bias doesn't play a part when we're making decisions about job candidates.
Our recruitment efforts need to reach a wider audience because we need people with diverse life experiences, education and skills. If they don't, we risk overlooking talent and viewpoints that could be helpful in delivering on our mission as an industry. We will only have ourselves to blame if we allow that to happen and continue to compete for talent that fits nicely with age-old biases.