How to improve diversity and workplace culture in the cyber security sector

You can listen to AustCyber’s podcast ‘OzCyber Unlocked’ here:

Today, the term ‘diversity’ has almost become a buzzword. Every company is trying to demonstrate how diverse they are as an organisation, and how loudly they can shout about what they’re doing. But what does diversity actually mean? And diving in deeper, what does diversity mean in the cyber security sector, an industry built on the premise of innovation and progressive, forward-thinking solutions?

For Laura Lees, Vice President, ISACA Sydney Chapter and Sydney Co-chapter Lead at the Australian Women in Security Network (AWSN), diversity refers to diversity of thought. “Diversity in gender and diversity in people’s backgrounds from a cultural perspective is really important for organisations, because you get a completely different perspective on things,” she said.

For Jacqueline Kernot, Cyber Security Partner at EY, diversity is actually the symptom. “We tend to talk about diversity as an output in itself, but the population around us has encompassed a huge range of cultures, neurodiversity, racial and sexual orientations; and if we are making sure everyone has an equal chance, we need to create environments where people can be free to be themselves. Diversity should be normal, but we’ve created a situation where it’s not, and that’s the problem.”

Cyber security has a larger proportion of women than STEM does — yet both industries are miles away from where they need to be. Tony Vizza, Director of Cyber Security Advocacy for the Asia-Pacific Region at (ISC)² said, “The biggest challenge in terms of diversity is the long standing perception that cyber security is something that boys do; something that men do. It isn’t something that girls do”.

A big part of the diversity problem in cyber security is shifting this perception that permeates the industry. Targeting this at a young age, and ingraining into young girls that STEM and cyber security are in fact open to them, is a key part of the solution.

Although the skills shortage and closed international borders have heightened the lack of talent available, if the sector is honest with itself, the problem was a pertinent issue before the COVID-19 pandemic. The sector struggles to welcome people with diverse backgrounds into its workforce, putting barriers up before someone even has the opportunity to try their hand at a role in cyber security.

Jacqui Loustau, founder of AWSN said, “I’ve seen lots of women come with many years of experience of transferable skills and they’re not even getting a first interview. I’m sure that’s untapped talent we have and skills we could transfer. As long as people have the right attitude and aptitude, we can retrain them and give them a chance.”

This extends beyond just work-related skills too. Screening people to the degree the sector does works against every grain of what diversity really means, by excluding those who can’t afford a high-level tertiary education but might have the skills and attitude to learn the craft on the job.

Kernot said, “If we’re going to have diversity of thought, we need to think more broadly beyond the necessity of university. Acquiring a university degree is quite a socio-economically privileged process — and barring people based on this, points to the industry needing to have a broader mindset. It’s a profession where you learn to add value as you go.”

Perhaps the best way forward is to look at other sectors doing a better job with diversity than the cyber security sector is. Some organisations are removing self-assessments in performance reviews, because they’ve learned that women assess themselves 30 per cent lower than their male counterparts. Other companies that have multi-national meetings have started putting captions on Zoom so their foreign colleagues can follow the conversation properly.

Kernot revealed EY has created a diversity and inclusion index, measuring how people feel about belonging, how they feel about being in a team and how they feel about how they’re treated relative to everyone else in their team.

“Globally, we’ve created a DNI tracker to measure leaders and leadership teams. All partners will be measured on their ability to move their DNI tracker five basis points up the scale each time, and if they don’t — their performance metrics won’t be hit, meaning they won’t get paid unless they can demonstrate their teams are inclusive,” Kernot said.

In 2009, women made up 11 per cent of the STEM workforce in Australia. Last year, women made up 13 per cent of the STEM workforce. Over that decade, the government has spent more than $268 million on initiatives to get women into STEM programs and encourage women’s economic security, yet the needle has only moved a mere 2 per cent. The issue is not access to the sector, it’s the perception of the sector.

The perception gap, the idea that it’s harder for women to succeed in the STEM sector, is holding women back and pushing the diversity agenda further down the list of achievable priorities. Having more women in leadership roles at organisations that have the potential to empower and inspire young girls into pursuing a career in cyber security is what’s going to shift the dial.

If the industry wants to talk about its willingness and desire to be diverse, it can’t just talk about it, it needs to act. When the borders do eventually open and we can accept more talent, the eminent skills shortage in Australia will still prevail, not for a lack of opportunity, but from failing to address the perception gap.


Photos by:

The Australian Cyber Security Growth Network