Diversity & inclusivity in the cyber security profession
The arguments for diversity and inclusivity in any industry or profession are many and irrefutable. They include essential fairness, reflecting and understanding customers and citizens, a broader range of ideas and perspectives, and a greater pool of potential workers for that industry or profession.
There are massive challenges in talent across every industry, cyber security being just one. It’s vital that the industry further diversifies and encourages a broad base of talent at all levels. It’s really easy to build a team of people that look and feel like you, but if you do, you won’t get a team that’s truly seen and heard. If everyone’s the same, chances are their opinions are the same, and you’ll lose out on the great ideas that diverse perspectives can bring.
Martha Lane Fox CBE, Entrepreneur and Crossbench Peer - from 'Decrypting Diversity', NCSC/KPMG UK, July 2020
The cyber security profession in the UK faces specific issues in respect of increasing the pool of cyber security talent:
- supporting more neurodiverse candidates into the profession
- increasing the number of women in the profession
- facilitating non-traditional routes into the profession
The UK Cyber Security Council has a specific objective to support and improve diversity in the UK cyber security sector. The Council is committed to overcoming actual or perceived barriers to entry into or progression within the industry.
Diversity and inclusivity in the UK cyber security profession, 2020
It's currently not possible to ascribe definitive values to several key metrics for diversity and inclusivity in the UK cyber security profession. These include:
- The proportion of the profession made up of:
  - people with disabilities
  - people with different sexual orientations
  - people of different religious beliefs, or no religion
  - people with different gender statuses
  - people from different socio-economic backgrounds or disadvantaged educational backgrounds
  - people from each ethnic group
- The age profile of the profession
- The proportion of people with multiple ‘minority’ characteristics (those which are not widely present in the profession)
However, some baseline estimates are available. These include:
- For the proportion of women in cyber security roles:
  - 15% - DCMS, 2019 (cyber security sector businesses only)
  - 31% - NCSC, 2020
  - 23% - (ISC)2, 2020
  - 13% - BCS CCP Scheme - Successful IA Professional Register
  - 9% - CFP, 2020
- For the proportion of people in cyber security roles who self-describe as neurodiverse:
  - 9% - DCMS, 2019
  - 13% - Bugcrowd, 2020 (global survey of cyber security researchers)
- There are several estimates of the proportion of people in cyber security roles who are from ethnic minority backgrounds:
  - 16% - DCMS, 2019 (cyber security businesses only)
  - 16-22% - (ISC)2, 2020
  - 13-15% - NCSC, 2020
  - 18% - CFP, 2020
This lack of baseline metrics is not a UK-specific problem: nearly every country is as unsighted on this as the UK, or worse.
The UK Cyber Security Council’s policy and target for diversity and inclusivity
In the absence of baseline metrics or the option of directing specific people into the profession, the Council’s policy is that there shall be no barriers either to entry to the profession, or to success within it, for any type of person.
The Council’s target for diversity is that the measured diversity characteristics in the profession should match those in the UK’s working-age population.
In practice, this should mean that:
- anyone shall be able to seek and find information, education, training and employment in cyber security; and
- each person’s chance of success shall be dependent only on their aptitude and skills
- everyone in the UK who can work is aware of the prospects for training, education and employment in cyber security
- the broad range of roles available and skills required in the profession is widely known
- no-one shall feel that they could not succeed in these prospects because of who they are
- there shall be no barrier to entering education, training or employment based on demographic characteristics
- selection for roles at every stage must be made without bias, conscious or unconscious, against any type of demographic characteristic.
Best practices, guidelines, initiatives and support: in development
The UK Cyber Security Council has examined approaches to improving diversity and inclusivity taken by other countries, professions and organisations. Its analysis will help inform much of the Council's work on diversity and inclusivity in the future.
Once the Council is fully operational, the kind of programmes it may support include:
- initiatives which target particular populations, such as neurodivergent young people or military veterans
- partnerships between thoughtful, committed third-sector organisations and commercial providers, bringing the two perspectives together
- the allocation of significant resources managed by skilled organisations, building up a programme over several years with a commitment to improving the offerings each year based on lessons from the previous one
- initiatives that combine a variety of hands-on (even if virtual) ‘learning by doing’, bite-sized instruction, competitions, teamwork opportunities and one-to-one mentoring
- imaginative methods to find and engage with underserved groups, recognising the barriers to their participation and being prepared to provide precursor support before the main programme.
The Council aims to publish specific objectives and plans in due course.
Find the Council's own diversity and inclusion policy here.
The organisations I’ve worked in, including MI5, have been at their best when they’ve shown creativity and the ability to tackle problems from innovative angles. You don’t get that without diversity – in all its forms.
Lord Jonathan Evans, former MI5 Director General - from 'Decrypting Diversity', NCSC/KPMG UK, July 2020