Dione Le Tissier, Director

Inclusion and diversity are fundamental to the success of any organization — and particularly important for those working in the cyber security industry. This industry — like many others — is realizing the error it made in not being inclusive and is now recognizing and prioritizing inclusivity and diversity in its workplaces. Although improvement can be seen, there’s a lot more work to be done, with organizations and individuals continuing to face challenges in this space. To mark International Women’s Day, I’m going to spotlight the importance of inclusion and diversity in cyber security and identify the key steps the industry can take to enhance and embrace the benefits of a diverse and inclusive workforce.

International Women’s Day is an opportunity to commemorate the cultural, political, and socioeconomic achievements of women. While there’s a day to celebrate the success of women in the workforce, gender diversity is an area many organizations still struggle to get ‘right’. There are still significant gaps when you look at the ratios in the industry; women still make up a lower percentage of the workforce, and this is no different in cyber security. But why? What are the biases when it comes to women in cyber security, and why do they exist? Is enough being done to challenge those biases? Organizations are increasingly moving in the right direction, with more initiatives to promote bringing more women into the profession and helping them challenge and overcome those often-unconscious biases.

KPMG’s Women in Cyber network has been set up to connect teams globally, creating collective action to promote inclusion and diversity, and tackle discrimination. This began as a regional initiative, with KPMG in the UK’s Women in Security internal network, but has quickly expanded. Discussing topics like ‘Imposter Syndrome’, ‘Politics, Promotion and Performance’ and ‘Empowering women of black heritage’ helps those in the network to understand and navigate inclusion and diversity. Such programs continue to expand internationally across the KPMG global organization. Although just one part of the toolkit of methods available to organizations, these networks and programs are key to starting and maintaining the conversation about the benefits of inclusion and diversity across all those who work in cyber.

Inclusion and diversity are important — but not all organizations recognize it

So, why has there recently been such a big focus on having inclusive and diverse teams in the cyber profession? Organizations are increasingly dependent on technology, which the global pandemic has accelerated, and the nature, complexity and number of threats to this technology are increasing. Cyber security has never been more important in keeping us all safe. And yet, the cyber security industry faces a well-documented skills shortage, along with clear evidence of burnout and stress among over-worked professionals. As such, organizations should ensure they can continue to attract and retain the top talent — and be increasingly reliant on the diversity of ideas and approaches to tackle the evolving threat landscape. Everyone should feel included and be able to reach their potential no matter what their gender, ethnicity, sexual orientation or background. Everyone has a part to play in making this a reality.

According to my colleague, Maliha Rashid, Cyber Security Services Director, KPMG in the UAE, if the human case for inclusion and diversity wasn’t already compelling enough, the business benefits are also clear. In the cyber security industry, we need novel solutions to tackle novel threats. This means thinking outside the box and challenging traditions and norms. The best way to get that is through new ways of thinking, which is diversity — and to ensure everyone on the team feels willing and able to share new ideas, which is inclusion.

While the moral and business cases for having inclusive and diverse teams are clear and communicated widely across societies, not all organizations are making sufficient efforts to prioritize it. There are numerous barriers that many organizations face, ranging from the tactical to the strategic. For example, some organizations lack the required expertise to recognize or understand the diversity of their workforce and issues of inclusion. Others might face more fundamental or systemic barriers. Some organizations might have poor company cultures and working practices that create and enable discrimination. In either circumstance, the first step organizations need to take is to recognize overtly the importance of inclusion and diversity.

Decrypting diversity

KPMG in the UK — in conjunction with the National Cyber Security Centre (NCSC) — has published two landmark reports, Decrypting diversity, that have examined the state of inclusion and diversity within the UK’s cyber security industry in 2020 and 2021. The annual survey data collected as part of these reports has shed light on the level of diversity within cyber security, as well as the extent to which individuals feel included and the proportion who have been discriminated against. As co-sponsor of the most recent report, Jonathon Gill, Head of Aerospace and Defense, KPMG in the UK, has said, “gathering and analyzing data is the important first step to improving inclusion and diversity” and this helps to highlight “how individuals feel about working in cyber”.  

The findings from the most recent report show that discrimination is very real within the UK’s cyber security industry. For example, over one in five (22 percent) survey respondents said they had experienced negative comments or conduct from a colleague relating to protected characteristics in the last year.  Worse still, 65 percent of those respondents didn’t report those comments or conduct to their employer.

The experience of inclusion and discrimination for those from minority groups is often worse. For example, 70 percent of survey respondents said they felt able to be themselves at work, which indicates some reason for comfort. However, this statistic quickly drops to 60 percent for black respondents and, even more worryingly, falls to 56 percent for respondents who identify as neurodivergent. This highlights that, often, top level statistics like this can hide the relative experience for minority groups, which is often worse than the general survey population. Focusing on the experience of the individual is key.

In the Decrypting diversity reports, KPMG in the UK and the NCSC propose a set of recommendations that are intended to guide organizations and individuals working in cyber security to improve inclusion and diversity:

  1. Take an active role in leading on inclusion and diversity. Senior leaders need to set a vision for success with clear expectations for employees.
  2. Create and benefit from hybrid working. The global pandemic has highlighted the many benefits to hybrid working, which can act as a multiplier for inclusion and diversity, by breaking down traditional barriers to entry that some people might have faced previously.
  3. Use data to understand, monitor and improve the talent lifecycle. Taking a data driven approach to the talent lifecycle can help organizations to recognize where and how they need to improve.
  4. Learn from inclusion and diversity best practice. Collaboration across the global cyber security industry to share and learn from best practice methods is key to success.
  5. Publicize the success stories. Recognizing and publicizing the career successes of those from minority groups helps to attract talent that might not otherwise have considered a career in cyber security.
  6. Map out the roles and skills. Developing a framework for the cyber security roles and skills required creates transparency, which enables a greater diversity of people to join the cyber industry and navigate their career pathways.

Samar Iqbal, Assistant Manager, KPMG in the UK, says “As a woman from an ethnic minority working in technology, guidance and advice from those with extensive experience in this space have helped me unlock my true potential and opened my mind to the possibilities I would not have initially thought were possible or available to me.”

It’s important to remember that those from minority groups are unlikely to have had access to the same opportunities as those from more privileged backgrounds. These recommendations are important steps to lower the barriers to entry into what is often perceived to be a closed sector. Ultimately, attracting a more diverse talent base and ensuring individuals feel included is essential to the health of the wider profession.

Breaking the bias in cyber security

Creating inclusion and achieving diversity in an organization is fundamental to its overall effectiveness. A diverse workforce enables diversity of ideas and, for those in cyber security, this is directly linked to successful outcomes. Ensuring employees feel included and that they don’t face discrimination will bring the best out of them as individuals, which ultimately leads to organizational success.

 

Contributors

Samar Iqbal, Assistant Manager, KPMG in the UK
George Shaw, Manager, KPMG in the UK