Diversity, Equity and Inclusion (DEI) initiatives are now well established in cybersecurity with only 8% of businesses saying they did not have any, according to the ISC2 Cybersecurity Workforce Study 2023. But while these are well-established internally, businesses are still failing to communicate their commitment when recruiting, stacking the odds against applicants from diverse or minority backgrounds. The report warns that in times of economic uncertainty and given the huge skills gap, which is rising 30% year-on-year in the UK, organisations can ill afford to exclude large swathes of the available talent pool. So why are recruitment efforts still so narrow in focus?
DEI efforts are undoubtedly insular, with the same survey revealing that only 26% of job posts refer to DEI programs or goals in the job description and only 40% conduct blind tests that assess candidates on skills or potential in order to eliminate bias. Both these steps can make a subtle but important difference. If we look at recruitment based on gender, for example, those whose job adverts referred to DEI had a workforce comprising 26.6% women, compared to 22.3% among those that did not. It was a similar story for skills-based hiring, where the workforce was made up of 25.5% women among those that adopted this approach versus 22.2% among those that did not.
No entry level openings
Demonstrating a commitment to DEI and the elimination of bias is key in an industry that is still predominantly made up of white males (54% according to the survey) and where gatekeeping has been an issue (i.e. controlling who is allowed to enter or progress within the profession). In fact, some have famously stated that there isn’t a skills gap at all, with plenty of talent available, just very little opportunity to gain a foothold on the ladder. And it’s a claim that appears to be substantiated by the State of Cybersecurity 2023 report by ISACA, which found that experienced positions outnumber entry-level positions by a factor of two to one. The report warns “that no number of reskilling programs will help to overcome” the lack of opportunity caused by such narrow recruitment practices, and this is clearly skewing intake, with new entrants considerably older on average than they have been in the past (48% of new entrants are aged 39 years or older, according to ISC2).
Encouragingly, the elitism associated with entering the profession, which once saw cybersecurity degrees prized above all else, is on the wane. Only 31% of cybersecurity professionals have entered the profession with an industry degree, and among hirers only 30% said a degree was desirable for entry-level positions, found ISC2. This is good news, as industry groups have long championed the removal of degree mandates, especially for entry-level positions, but it is in part due to the fact that degree syllabuses are failing to align with industry needs. The minimum standard for a bachelor’s degree to be approved by ENISA, for example, is that just 25% of modules need to be on cybersecurity topics.
Insufficient support
The primary factor now when deciding if a candidate is suitably qualified is hands-on cybersecurity experience, according to 72% of those questioned by ISACA. But this often requires candidates to invest their own time and resources in gaining the necessary experience, which can take between one and three years. Moreover, there has been a decline in the reimbursement of fees, meaning that, once in a role, support for continued learning is being withdrawn, with only 55% of organisations picking up certification renewal fees on behalf of their employees.
Without encouragement and support, potential applicants are deselecting themselves because they don’t believe they have what it takes to succeed. These are the numbers we can’t quantify, but what we can look at is the number of organisations that are willing to recruit from non-cybersecurity backgrounds. The ISC2 survey found only 51% are changing their hiring requirements in this way. Worryingly, the vast majority seem to be looking to cross-train non-security staff in-house to fill security roles, with ISACA saying this was the top strategy, used by 45% of organisations. Only 19% were offering apprenticeships or internships.
Where we are today and where we need to be
Insufficient entry-level openings, an over-emphasis on technical experience, and a lack of educational support, coupled with inward-looking recruitment practices that seek to cross-train existing employees rather than cast the net anew, are all making it extremely difficult for all new entrants, but particularly for those who have historically been discriminated against.
Globally, only 18% of the cybersecurity workforce is female and 38% are non-white, which means we still have a long way to go. The scales are tipping, with 26% female and 57% non-white among those aged under 30. But the needle is nowhere near where it needs to be in order to help redress the balance and fill the workforce gap, which currently stands at 4m globally, almost equivalent to the number employed, which stands at 5.5m, as estimated by ISC2.
Yet there’s one particularly telling statistic from the ISC2 survey that speaks volumes – a fifth of respondents said they felt discriminated against in their place of work. This suggests that DEI initiatives, while being widespread, are not nearly as successful as employers might think they are and that significant change is needed to make the industry one that welcomes and supports talent.