The IT security industry is still failing to attract workers beyond a highly limited demographic, the Chartered Institute of Information Security (CIISec) warns.
Unless it can embrace greater diversity – in gender, age, ethnicity, disabilities and experience – it will face a stagnating workforce, and be unable to keep up with a rapidly expanding skills gap, according to the CIISec, which gained chartered status for the cyber sector earlier this year, and was formerly the IISP.
According to the Enterprise Strategy Group, the number of organisations reporting a problematic shortage of cybersecurity skills has increased every year since 2015. At the same time, CIISec’s survey of information security professionals showed that 89 percent of respondents were male, and 89 percent were over 35; meaning the profession is still very much in the hands of older men. If the diversity issue isn’t addressed, then not only security, but future development of the cyber security industry itself, will suffer.
Many organisations point to the need to develop specialist security skills as a reason for reduced diversity, as employees need the right technical background. Yet the majority of IT security professionals – 65 percent – still believe that the best way to develop security skills is to learn on the job. At the same time, many individuals will have already developed the skills needed in security in other careers, from attention to detail and identifying unusual patterns of behaviour, to the communication skills needed to drive security awareness and behavioural change in others.
Amanda Finch, CEO of the Chartered Institute of Information Security said: “The expectation that security is purely a technical subject has led to a focus only on very specific individuals to fulfil roles. Even if we weren’t in the middle of a skills crisis increased diversity should be a priority, but the present situation makes it critical. Expanding the industry’s horizons isn’t only essential to make sure the industry has the skills it needs. It will give a whole range of individuals the opportunity to thrive in a new career, and in the long term protect the industry from stagnation by introducing more varied backgrounds.”
As a broad industry, security has a position for every background, and multiple opportunities to apply already-existing skills. For instance, a librarian may be particularly adept at, and find satisfaction in, recalling and connecting information to ensure everything is in its correct place – essential in spotting evidence of a security breach. Other examples of transferable skills include:
Tracking and managing multiple actions at once – parent returning to work;
Leading teams in stressful conditions – armed forces;
Demonstrating and explaining best practice clearly – teacher;
Teamwork and collaboration under pressure – hospitality staff; and
Following best practice consistently while still being able to adapt – driver.
The industry also needs to make a more diverse audience aware of the benefits a career in cyber security can provide and encourage them to switch careers or begin a new path, CIISec suggests. As for the opportunities, most, 86 percent of information security professionals say the industry will grow over the next three years and 13 percent say it will “boom”.
Amanda Finch added: “If the industry starts to attract a more diverse range of people whilst spreading awareness of the opportunity available, we could be well on the way to truly modernising the industry. Key to all this will be both organisations and individuals having a framework that can show exactly what skills are necessary to fulfil what roles. This will not only help hire the right people. It will also mean that it the routes to progress through an individual’s career are clearly marked, ensuring that individuals who enthusiastically join the industry don’t over time become jaded or burn out due to a lack of opportunity.”
