Cybersecurity has a diversity problem.
Research shows women only represent around 10% of the cybersecurity workforce in the Asia-Pacific region. Around the world, only 1% of female cyber workers are in senior management positions. In the US, meanwhile, women make up just 14% of the cyber workforce, and African-Americans a mere 3%.
Why a lack of diversity is a problem
This is not just a social justice issue. By dismissing diverse talent, we’re shooting ourselves in the foot and handicapping our cyber capabilities. With a workforce that’s already overstretched, we’re restricting the size of our talent pool even further. And in a world in which different perspectives can cover blind spots and open up new approaches, we’re leaving ourselves vulnerable to cyberattack.
Without a diverse range of voices in your team, you’re missing out on a rich mix of experience, talent and ideas. Diverse teams stay together longer and make better decisions quicker. Here’s how a lack of diversity is hampering cyber – and what your organisation can do about it.
How diverse teams perform better
There’s plentiful evidence pointing to the advantages of diversity. Companies ranked in the top quartile for gender and ethnic diversity have been found to be respectively 15% and 35% more likely to outperform their rivals, while the companies rated highest for LGBTQ+ inclusion consistently perform better than the rest of the stock market.
That difference is partly because people from different backgrounds do things differently. Research shows, for example, that women in cyber are more likely to be across risk and compliance than their male colleagues. Non-diverse teams, meanwhile, are likely to have unchallenged biases, and unintentionally set up processes that follow those biases. One of the biggest examples of the pitfalls of groupthink has been in facial recognition technology. Many facial recognition algorithms primarily used data sets of white, male faces, with one study finding that black and Asian people are up to 100 times more likely to be mistakenly identified by them.
By 2028, meanwhile, it’s estimated that women will control around 75% of discretionary spending around the world – which means they’ll also encounter the majority of ecommerce-linked cybercrime. For cybersecurity teams to offer all-round security, they need to be as diverse as the world in which they operate. Lacking those diverse voices and perspectives at the decision-making table means you’re likely to have more blind spots in your cybersecurity, increasing your cyber risk and vulnerability.
Diversity is not just about filling seats and quotas
But increasing diversity in your team is not as simple as flicking a switch. Issues start with recruitment, and many existing hiring practices make it harder for candidates from different backgrounds to get through the system. Typical issues include:
Lack of knowledge about opportunities – one survey suggested that 69% of women who might have considered a career in cyber were put off because they did not know where to start.
Companies restricting their search to candidates with set educational levels, and thus discounting talented candidates, particularly from underprivileged backgrounds.
Adverts that fail to use gender-neutral language, or persistently feature white male models as representatives of your organisation.
Unconscious bias, which means some hirers are less likely to pick candidates who don’t have traditionally white or Anglo names.
Businesses that have restricted talent pools or don’t think about the needs of candidates with mobility issues.
Older or younger candidates being rejected for roles because of their age – 90% of Australians believe ageism is a growing problem.
These all point to systemic issues that are reflected in recruitment practices across all kinds of organisations. But what’s the solution?
Building the right organisational culture
Diversity isn’t just about making the right hires – it’s about building an inclusive and supportive culture. If your team drips with the tech-work clichés of male-dominated “bro culture”, it’s unlikely to feel like a welcoming place for women. If company presentations always feature the same old well-tenured faces, more recent hires may not feel they have a voice at the company.
The day-to-day lived experience of working at your organisation is a huge indicator of your organisation’s culture and values. Are white men consistently paid more? Are different religious practices treated with equal respect? All these factors can quickly make individuals feel excluded. That means people from different backgrounds may feel less comfortable speaking up, and it makes staff retention harder. An inclusive team culture is vital if you’re building a diverse cybersecurity team.
Inclusive marketing and outreach efforts can be a huge help in broadening your applicant pool. Anonymous resumes and relying on scorecards rather than hunches will help combat hiring biases. Unconscious bias training, already taken seriously at many organisations, is a great start, but should form part of a wider strategy of inclusion – along with metrics to measure the results.
And you won’t be alone: the push towards greater diversity increasingly has impetus from the top. Australia has set out diversity goals, and the Australian Cyber Security Growth Network (AustCyber) is keen to stress recent improvements in gender balance. The Australian Strategic Policy Institute (ASPI) is championing Indigenous Australian interests in cyber, while Women Speak Cyber offers podcasts and strives to get female voices heard at conferences. In New Zealand, increasing the numbers of Maori people and Pacific Islanders working in cyber has long been an aim, while Kordia has put diversity at the heart of its “cyber academy”.
Solving the diversity and inclusion challenge in cyber
Diversity is a highly complex problem. There’s no one-stop solution, but progress is being made across the sector. Shifts in hiring, training and workplace culture will all help your organisation, but you must have buy-in from the top to ensure changes can be carried through.
Diversity should be an ongoing aim in cybersecurity – it’s not something that can be ticked off as “done” and then forgotten about. But if you keep improving your processes and culture, you will be able to build a more diverse and more effective team. The payoff includes fewer blind spots, a broader perspective, a compelling employer brand and the ability to deal with whatever threats tomorrow holds.