Diversity in Cybersecurity Recruitment: Connecting the Dots

January 3, 2022

The Interplay of Cybersecurity Skills Shortage and Diversity

Critical thinking and effective problem-solving are essential qualities for any cybersecurity professional. It is therefore imperative that the industry itself utilizes these skills to understand the connection between the current skills gap and the existing lack of diversity.

Recruiting an adequate number of skilled professionals is becoming increasingly difficult. However, a more inclusive approach to talent acquisition could significantly mitigate this challenge.

The Scale of the Cybersecurity Workforce Gap

The Cybersecurity Workforce Study 2021, conducted by (ISC)2, revealed that 2.7 million information security positions globally remain vacant. Although this figure represents a decrease from the 3.1 million reported in 2020, substantial progress is still needed.

With increasing digitization and a growing number of cyberattacks, the existing global cybersecurity workforce of 4.2 million individuals must expand by 65% to meet current demands.

Consequently, expanding the scope of talent acquisition is crucial to address these shortages.

Diversity as a Current Challenge

Researchers at the Aspen Institute, in their report on Diversity, Equity and Inclusion in Cybersecurity, highlight that previous diversity initiatives have not adequately addressed the predominant lack of representation from minority groups within the field.

Current estimates indicate that only 4% of U.S. cybersecurity workers identify as Hispanic, 9% as Black, and 24% as women, as noted in the Aspen Institute’s report.

The Risks of a Homogeneous Workforce

The cybersecurity industry faces significant future risks if it fails to attract and retain a more diverse talent pool. However, the lack of diversity presents immediate risks as well.

Company systems are not uniform, and neither are the individuals who may attempt to compromise them.

The Value of Diverse Perspectives

The Institute for Critical Infrastructure Technology, in their report "The Business Value of a Diverse Infosec Team," emphasizes that teams with varied backgrounds consistently outperform those with homogeneous experiences when it comes to problem-solving.

Homogeneous perspectives can limit success, while diverse teams foster innovation and effective critical thinking.

Proactive Cybersecurity Through Inclusion

Effective cybersecurity strategies benefit from the aggregation of multiple viewpoints. This approach promotes innovation, facilitates robust problem-solving, and encourages consensus-building.

Ultimately, a diverse workforce is not just a matter of equity; it is a fundamental requirement for a resilient and effective cybersecurity posture.

Reframing the Cybersecurity Approach

As the CISO at Elastic, a company specializing in search-powered solutions, I firmly believe that information security leaders possess the capacity to significantly alter the prevailing narrative, particularly within their respective organizations. This transformation necessitates a substantial injection of innovative thought, especially concerning recruitment strategies.

The cybersecurity team under my leadership, as an LGBTQIA+ female CISO, embodies the full spectrum of human diversity. This includes representation across neurodiversity, sexual orientation, gender identity, race, and age.

However, let me emphasize that diversifying the cybersecurity talent pool isn't merely about achieving numerical targets. My focus extends beyond simply filling positions to maintain a fully staffed team.

A more diverse cybersecurity team demonstrably performs at a higher level. In a field as multifaceted as cybersecurity, varied perspectives are essential. The ever-changing landscape of threats and tactics requires fresh insights, and my team’s diversity actively combats complacency.

Our adversaries are in constant pursuit of novel methods to circumvent security measures and exploit vulnerabilities. The differing viewpoints within my team foster a more disruptive and proactive “hacker mindset” in our defense efforts.

The industry’s tendency to prioritize specialists with conventional qualifications and educational backgrounds may, in fact, be a vulnerability. This perspective aligns with the arguments presented in David Epstein’s 2019 book, “Range: Why Generalists Triumph in a Specialized World.”

Epstein posits that generalists, possessing broad interests, exhibit greater creativity, adaptability, and an enhanced ability to forge connections that elude their more specialized counterparts – particularly in complex and unpredictable domains like cybersecurity.

The benefits of diverse thinking are readily apparent in our ongoing data protection certification process for clients. For this crucial compliance undertaking, our team’s diversity is a key asset, enabling us to move beyond established practices.

This allows us to identify superior, more efficient, and – most importantly – more secure methods for meeting evolving compliance goals.

Another clear advantage of diverse thinking is evident in how my team supports our fully distributed workforce. As a company intentionally structured for remote work, with approximately 80% of employees working remotely, my team is compelled to adopt innovative approaches to data privacy and protection.

Our proactive innovation in secure remote working positioned us well when the pandemic arose, while other organizations’ cybersecurity teams were still adapting to the shift.

The Importance of a Varied Team

  • Different perspectives counter complacency.
  • A “hacker mindset” is fostered through diverse viewpoints.
  • Generalists can offer unique insights in complex fields.

Cybersecurity requires a broad range of skills and perspectives to effectively address evolving threats.

The Importance of Action in Diversity, Equity, and Inclusion

Truly impactful change stems from translating ideals into concrete actions. Working within an organization that embeds inclusivity and acceptance within its core values – its very Source Code – provides a strong foundation for this.

This foundational commitment offers both leaders and team members a clear understanding of the organization’s identity and aspirations, effectively communicating: “Bring your authentic self to work.” By fostering an inclusive atmosphere through equitable compensation, prioritizing internal advancement, and valuing skills over geographical constraints, the ability to attract and retain top talent, regardless of location, is significantly enhanced.

Our company has established ambitious DEI objectives for this year, aiming for a 40% hiring rate for women and non-binary individuals, with a specific target of 30% for technical positions, on a global scale. Furthermore, we are striving for a 35% hiring rate for underrepresented groups within the U.S., and 27% for technical roles.

Supported by these organizational goals, I have been actively working to expand diversity within Elastic’s cybersecurity talent pipeline. Here are some recommendations for fellow information security leaders:

  • Expand Qualification Criteria. Move beyond solely focusing on traditional academic backgrounds and minimum years of experience. Instead, recognize skills and qualifications acquired through shorter programs, online certifications, alternative employment, and active participation in cybersecurity communities that demonstrate a fundamental understanding of systems and vulnerabilities.
    Throughout my career, some of the most effective teams I’ve assembled have comprised individuals from diverse IT backgrounds – including systems architecture, business analysis, and project management – and even from outside the IT field entirely. For instance, a former emergency medical technician transitioned into healthcare fraud analysis before joining my team. Prior legal experience has contributed a keen eye for detail. Professionals with marketing backgrounds have demonstrated empathy in addressing customer data privacy concerns, while those from the financial sector have offered innovative perspectives on compliance.
    The common thread among these individuals, and the key to their success, is their intellectual curiosity, a willingness to challenge assumptions, and an eagerness to learn and experiment. These transferable skills are often as valuable as, or even more valuable than, specialized technical expertise.
  • Actively Encourage Underrepresented Groups. Incorporate language into job postings that explicitly welcomes applications from groups historically excluded from the hiring process, such as women, people of color, and members of the LGBTQIA+ community. Job descriptions should clearly state the company’s commitment to a welcoming environment and the professional development of its cybersecurity personnel.
    Recently, I successfully recruited recent immigrants for an internship program, despite their lacking conventional security credentials. Many of these interns quickly transitioned into full-time positions and consistently exceeded the performance of experienced cybersecurity professionals. I have also proactively collaborated with local community colleges to source graduates and partnered with specialized recruitment firms, like CyberSN, focused on identifying diverse cybersecurity candidates.
  • Ensure an Accessible Hiring Process. A complex or inaccessible hiring process can deter many qualified applicants. We have prioritized making our entire process – from the recruitment website to internal digital tools – compliant with international accessibility guidelines, creating a positive experience for all candidates and employees.
    Anonymizing applications is a crucial component of this effort. I routinely review resumes with identifying information removed to mitigate unconscious bias during the candidate evaluation process.

The strength of cybersecurity teams relies on the diversity of life experiences, educational backgrounds, and skill sets represented within them. Consequently, our recruitment strategies must reach a significantly broader audience. Failing to do so risks overlooking valuable talent and excluding perspectives that are vital to achieving our industry’s objectives. Continuing to compete for a limited pool of candidates who conform to outdated biases will ultimately be detrimental to our collective success.
