The cyber security industry needs to embark on a charm offensive and address its image problem if it is to successfully recruit more diverse teams in terms of gender, race, sexuality and neurodiversity, according to a panel of sector experts convened at Trend Micro’s CloudSec event in London.
One of the easiest ways to make cyber security more attractive could be to eliminate the traditional stock photo image of a cyber criminal that is so beloved of the media, said Theresa Payton, president and CEO of consultancy Fortalice and formerly White House CIO during the George W Bush presidency.
“We have a branding problem, and it’s systemic,” said Payton. “You hear hacker, and what’s the image? Somebody in a hoodie, most likely a white male, they’re alone, and are hunched over a keyboard, in blue or green light. Not many people look at that image and see themselves in that image.
“Then there’s the branding issue around you’re actually doing noble work, some of the most noble work I can think of. At the end of the day, whether you’re protecting a nation, an international organisation or a company, you’re protecting people, people’s data, and the economy.”
Payton also said more attention needs to be paid to how cyber security jobs are marketed during the recruitment process. Most security job descriptions were “absolutely soul-crushing”, she said.
“You read it and it is the same alphabet soup of certifications and requirements and colleges, almost always, at least in the US, you see ‘degree required’. I think that’s absolute nonsense. If you want diversity in this field, you don’t need to require a college degree.
“If you want diversity in this field, rewrite the job description so that they actually sound like a job you’d want. We’re getting the same results over and over again because we’re going out with the same job descriptions.”
Charlie McMurdie, a 32-year Metropolitan Police veteran and former head of the police’s National Cyber Crime Unit, said security practitioners needed to be more vocal. “I don’t think we do enough show and tell,” she said. “I shout about the cyber unit we put together in the Met, which is probably one of the most diverse teams across the board within the Metropolitan Police.
“We have a mixture of all sorts of different types of people, but also different ways of working – job sharing, term-time working, cyber specials – bringing in industry to work as a special within our cyber capability, internships, maternity leave, all sorts. But that was only enabled because we proactively went out and shouted at people that you can do this.”
Alongside diversity issues that exist across the board in the IT industry, diversity in cyber security is becoming a particular focus for many organisations as evidence mounts that diverse teams are much more effective in every context, not just when it comes to battling cyber threats.
The UK’s National Cyber Security Centre (NCSC), for example, is looking at diversity as an issue in a very wide sense, although, as its policy and communications director Nicola Hudson told a conference last year, this is not necessarily an easy thing to do.
Even so, it was a vital effort, she said. “Without true diversity, we are in danger of group-think, behaviour challenges and, quite frankly, we will not tap into the skills we need.”
The organisers of the NCSC’s CyberThreat2019 conference, which is being run alongside the SANS Institute, are making a purposeful effort to solicit more input, such as papers and speakers, from women.
In August, the Department for Digital, Culture, Media and Sport (DCMS) made more funding available from the Cyber Skills Immediate Impact Fund (CSIIF) to help educators develop security training programmes.
Applicants can bid for up to £100,000 at a time to work alongside security firms and other employers to design training schemes that increase diversity in security.
“The UK is a world leader in tackling cyber attacks, but we must make sure we continue to develop the talent we need to protect the public and businesses online,” said cyber security minister Nigel Adams.
“This latest round of funding demonstrates our commitment to make sure the UK’s cyber security industry has a skilled and diverse workforce and, through our new Cyber Security Council, there are clear paths for those wishing to join the profession.”