There is a well-publicized shortage of women in the IT industry but, in cybersecurity, it is even more pronounced. (ISC)2’s Global Information Security Workforce Study, the biggest of its kind, found that the world’s information security workforce is 90% male.
The gender imbalance is a security problem too as 75% of UK IT decision-makers say they suffer from a cybersecurity talent shortage, which is putting them in the hacker’s crosshairs. Attracting more women into the workforce would help defend against threats. So why does the industry seem to attract just one half of the population, and what can be done to broaden the appeal of a career in IT?
At KPMG, we have achieved a near 50/50 gender split among new graduate hires to our cybersecurity and broader technology departments. We have achieved this by widening our graduate recruitment criteria beyond purely ‘techie’ degrees because, in a connected economy, cybersecurity is required to reach across and bring together all aspects of a business.
With data breaches, cybersecurity is a customer service issue, and with heavy fines and business reputations on the line, it is also now a legal issue and a boardroom issue. That means cybersecurity is increasingly required to straddle multiple departments and work with multiple stakeholders. In addition to recruiting ‘techies’, we tend to hire people with business management skills, who have the ability and desire to translate technical information for a non-specialist audience, communicate to the boardroom, manage projects, look at regulation, governance and compliance or design policies and processes. Rather than recruiting from specific degree courses, we look for particular attributes (such as an analytical mind) which are often found in graduates from humanities and arts degrees, where women predominate.
Crucially, we offer training to help up-skill new recruits who may not come from a technical background. In a large consultancy like KPMG, you can also offer training in other areas, from project management to business development, creating a dynamic, well-rounded team of cybersecurity professionals with ambition, and a clearly-mapped path to career progression.
This makes cybersecurity more attractive to female recruits, as the business management area of cyber, known as “Governance, Risk & Compliance” (GRC), has been shown to be much more appealing to women. GRC roles require business acumen and soft skills, as well as technical knowhow, and there are more than twice as many females in these roles than in cybersecurity as a whole. It is also one of the fastest-growing sectors of cyber. An added bonus for our recruits is the opportunity to develop skills in strategy, project management and other skills that are valuable to business consultants beyond the world of cyber.
Cybersecurity is now more diverse than it was before which is why companies should find it easier to diversify their recruitment pool. Many prefer off-the-shelf cybersecurity talent and balk at the cost of training talent in-house.
Yet with a cybersecurity talent shortfall driving up contractors’ fees, training your own talent in-house can be a cheaper long-term alternative to splashing out on contractors.
Recruiting from a wider range of degree backgrounds and then offering a wider range of potential career development options, also ensures that recruits are more likely to stay with a company for the long haul and reach managerial-level positions. Cybersecurity specialists can command huge sums of money by working as security contractors, and therefore rarely become managers.
Diversifying the profession and thus creating more women ambassadors for the industry will help challenge the tech-centric image that deters many potential female recruits and show that cyber is increasingly a broad profession open to people from a variety of backgrounds.