Diversity in cyber improving but inclusion needs work, says NCSC

The cyber security sector may be off to a good start when it comes to diversity, but is falling behind on inclusion, according to the National Cyber Security Centre (NCSC).

In research conducted in partnership with KPMG, the NCSC found that representation of certain minority groups in the sector were in line with the national average, but a lack of inclusive culture means many people feel they can’t be themselves at work.

“It cannot be right that in the year 2020 there are still people within our industry who feel they can’t be themselves or who face discrimination because of who they are, and this report should drive our determination to act,” said Ciaran Martin, chief executive of the NCSC.

“There is far more to do on diversity and inclusion and the NCSC is determined to be a leader in this field, but a cross-sector effort is required to get this right. I urge all cyber security leaders to read the report and act on it.”

The need for increased diversity in the cyber security sector has been a longstanding topic of discussion, and the NCSC report highlights the importance of ensuring diversity and inclusion in the cyber security sector both because it’s the right thing to do, and because a diverse workforce can bring benefits for businesses.

When it comes to diversity in the UK’s cyber security sector, the NCSC survey found an above-average number of women, who make up 31% of the sector, compared with about 19% of tech overall.

Around 10% of the cyber security sector is made up of people who identify as lesbian, gay or bisexual, 1.3% who are trans, and 1% who identify as non-binary, although the report admitted these figures are harder to determine.

Ethnic representation across the cyber security sector is on a par with the UK population as a whole, with 6% made up of Asian or Asian British, 3% from mixed or multiple ethnic groups, and 4% from Black, African, Caribbean or Black British backgrounds.

But although some of these figures, when compared with the overall population, show greater representation of minority groups and a “good starting point” when it comes to diversity in the sector, inclusion is a different matter.

Diversity is focused on ensuring the mixture of people working in a sector are representative of the people using the technology that the sector produces, whereas inclusion is focused more on the culture of the sector and whether it is a place where people feel they can be themselves.

These two factors go hand in hand because, as the report puts it: “Without inclusivity, the cyber security industry will not benefit from improving levels of diversity.”

In other words, if an industry or a workplace does not make people feel good, they will avoid it.

Just over 20% of survey respondents said they didn’t feel they could be themselves in the cyber security industry.

Whether people feel they can bring their whole selves to work can vary depending on their ethnicity, with 75% of white employees in the sector saying they feel confident about their identity in the workplace, compared with only 41% of Black, African, Caribbean or Black British employees.

Almost 15% of those surveyed said they had experienced some kind of barrier to career progression because of a diversity-related issue, with 16% having experienced at least one incident of workplace discrimination in the past year.

Just over 40% of black cyber security specialists said they had experienced discrimination in the past year because of their ethnicity, and 27% of Asian or British Asian employees said the same.

Almost a quarter of women in the tech sector said they hads experienced some kind of gender-based discrimination in the workplace over the past year, as did 31% of non-binary employees and 29% of trans employees.

However, 74% of these issues were not reported or resolved, and 9% of those who took part the survey said they were thinking of leaving either their employer or the industry altogether because of incidents related to diversity and inclusion.

Many also said they had been held back from career progression because of discrimination or other diversity and inclusion-related issues.

Of the 14% who said they had experienced barriers to progression, 32% said these barriers were related to gender discrimination, and 22% said it was racial discrimination.

But there were also some who worried that diversity and inclusion approaches might affect them negatively – 7% said they were worried that diversity and inclusion could be a threat to their career progression because of positive discrimination.

As pointed out by the 2019 winner of the Computer Weekly Most Influential Woman in UK Tech award, increasing diversity and inclusion in the sector does not only benefit those who are under-represented, but everyone else as well.

The NCSC made a number of recommendations aimed at increasing diversity and inclusion in the tech sector, including encouraging leaders in the cyber security space to actively improve the situation, ensuring that inclusivity is part of organisations’ core values.

It also suggested using data to track and monitor change, sharing best practice and using this to build a “toolkit” to help the sector attract and retain diverse talent.

The NCSC called on the Department for Digital, Culture, Media and Sport to use its future UK Cyber Security Council to publicise sector role models and their stories and develop a framework to establish the industry’s roles and the skills needed for them.

The hope is that this first report will act as a baseline for data-driven improvement, allowing the NCSC to monitor the progress of diversity and inclusion in the sector going forward.