NCSC commits to new diversity measures

The National Cyber Security Centre’s second annual report on diversity in cyber security finds room for improvement

The National Cyber Security Centre (NCSC) has committed to a package of measures designed to improve diversity both in its own ranks and in the wider security community, acting on the findings of its second annual report on diverse security cultures.

The Decrypting diversity report, produced in partnership with KPMG, set out to analyse the progression of diversity and inclusivity in security over the past 12 years. Overall, it found some improvements, but concluded there was more to be done in improving experiences and opportunities for all.

As a result, the NCSC is today making five commitments to improve the sector’s diversity:

  • To engage more closely with educational institutions with high proportions of students from under-represented groups;
  • To achieve year-on-year increases in the numbers of women offered places on its CyberFirst Bursary scheme;
  • To make changes to its external recruitment practices to better attract diverse talent, reflective of the community the NCSC serves;
  • To introduce measures to eliminate gender and ethnic minority pay gaps in the NCSC;
  • And to provide information and support to NCSC staffers to help promote a fully inclusive environment.

“The UK is rich with diverse communities and, as the Decrypting diversity report makes clear, we need to ensure the cyber security profession reflects that diversity,” said NCSC CEO Lindy Cameron. “As cyber security leaders, it is our job to drive positive change, and I urge decision makers across the industry to take immediate action to improve opportunities and experiences for all.”

The 2021 report reveals a picture of diversity and inclusion in the security sector that could best be described as mixed.

In some areas, it found diversity to be high when compared with the average across the country: more people working in cyber are neurodiverse (19% compared with 10% more widely) or disabled (26% compared with 20% of the population as a whole). Reported incidence of both neurodiversity and disability was notably higher in younger age groups.

LGBTQ+

The picture was similarly positive with regard to the number of people who identify as lesbian, gay or bisexual, which stands at 10%, significantly higher than the 2.2% of the UK population who declared themselves as such in the Office for National Statistics’ (ONS’) 2018 data.

The NCSC separates out trans and non-binary people in its reporting, and stated that about 1% of the cyber workforce is made up of trans women and men, or people who are non-binary, in line with the wider population. The NCSC said it had, however, noted a sharp rise in the number of LGBTQ+ people who felt uncomfortable disclosing their identity in the workplace. This may reflect to some extent a climate of increased mainstream hostility towards LGBTQ+ people, especially trans women and men.

In terms of ethnic diversity, the cyber workforce is roughly in line with national figures, with people from BAME backgrounds marginally increasing to 15% from 13% this time last year. The NCSC found a significant jump in the number of black people in security who felt able to be themselves in the workplace, which may reflect wider trends arising from the Black Lives Matter movement.

However, in terms of representation of women, there is clearly still much work to be done. Although 36% of security pros are women, up from 31% last year, this change reflects in part a change to the wording of the question to align with the 2021 Census, and still falls far short of parity. Notably, it found there were more women at relatively early stages of their security careers, with senior security leaders and CISOs much more likely to be men. Nevertheless, said the NCSC, representation of women is significantly higher than that recorded in other similar studies.

Dione Le Tissier, defence director in KPMG UK’s People and Change practice, said: “It’s so important that people working across the sector can thrive and reach their full potential, regardless of their gender identity, ethnicity, disability, sexual orientation or socio-economic background.

“And while we’re seeing improvements in representation, the research shows that there is plenty of work to be done to deliver progressive change and create diverse and inclusive working environments.

“This research delivers vital insight, lifting the lid on the sector so we can better understand how individuals feel about working in cyber security and key areas for improvement.”

Lowering barriers to entry

Simon Hepburn, CEO of the UK Cyber Security Council, which has adopted diversity and inclusion (D&I) as one of its four pillars, said the report’s recommendations, if solidly researched and implemented correctly, could play a huge part in lowering barriers to entry into the world of security.

“The sector must succeed at this,” he said. “It’s vital not just to help the sector fill the tens of thousands of vacancies that exist, but for the sector and the UK to benefit from the wider range of abilities, improved creativity, different thinking and alternative contributions of a truly diverse, inclusive cyber security workforce.

“The Council and the NCSC are in lockstep over the D&I objectives for the sector and, to that end, we also welcome and agree with the conclusions of the report,” said Hepburn.

“Second, we’re very aware that the recommendations in the report are – as they must be in such a report – largely about what needs to be done, and we’re conscious that little may change unless the sector proceeds to address how to do what needs to be done; programmes will need to be devised and executed,” he said.

“The Council will therefore play its full role in devising, driving and supporting D&I programmes, through the Council membership we are at the start of building. I encourage cyber-related organisations that want to lead the way in D&I, and which want to show the sector that they’re leading the way, to join us without delay. There is much to do.”
