Editor’s note: The following is a guest article from Akif Khan, a VP analyst at Gartner specializing in identity and access management.
It’s no secret that cybersecurity teams are struggling to fill roles and retain staff. A recent Gartner survey found that, for 57% of organizations, the greatest concern was finding and hiring emerging security leaders.
Simultaneously, many cybersecurity teams are also experiencing increasingly complex threats from a wide range of attackers. Attackers are creative and come from a diverse array of backgrounds.
Many global security teams struggle to cope with this, partly due to a lack of diversity within their own ranks.
Security leaders can address skills shortages and combat increasingly complex threats by attracting diverse candidates, building recruitment strategies and benchmarking diversity levels. Organizations that do not address talent shortages and diversity gaps could harm their current and future security programs, leading to suboptimal security and risk outcomes.
Cybersecurity leaders must attract and retain diverse individuals to maintain momentum and the long-term effectiveness of their organization’s security program.
How to attract diverse candidates
Cybersecurity leaders can work in conjunction with their HR department to craft a strategy for recruiting a more diverse workforce. This strategy can go beyond addressing skills shortages and focus on improving retention, too.
A key factor contributing to the ongoing cybersecurity talent shortage is the overriding focus on predominantly technical cybersecurity skills. Working with HR, cybersecurity leaders should look beyond purely technical skills to ensure that they are evaluating critical “soft skills” like leadership, communication and collaboration.
Cybersecurity leaders can broaden their recruiting scope to attract diverse candidates by following three key best practices:
Design job criteria for flexibility:
Rigid hiring criteria hinder a diverse workforce, as candidates will often not apply for roles unless they have the exact background, experience and skills listed as requirements for the role.
To rectify this issue, adjust criteria such as the required credentials and experience to be more focused on potential and transferable skills.
This will not sacrifice the quality of hire, but instead bring in more candidates who consider themselves self-taught individuals when it comes to particular skills.
Customize the hiring process to the candidate:
Security leaders need to create segment-specific hiring processes to include underrepresented candidates. For example, candidates with disabilities may not choose to pursue certain opportunities if they are not accessible to their needs.
These candidates may be put off by a traditional interview format. Avoid this by mentioning accommodations in job descriptions to appeal to underrepresented candidates.
Consider alternative talent models:
Alternative talent models can help organizations meet new skills needs at a lower cost than full-time employees and attract more diverse talent. Examples of alternative talent models include part-time, freelance, project-based or contract-based employment.
Build recruitment and inclusion strategies specifically for neurodiverse employees
Neurodiverse workers are often overlooked by organizations. Those with neurodiverse traits bring specific skills and characteristics that are beneficial to cybersecurity teams.
Hiring neurodiverse candidates will create a new level of thought diversity that can help combat advanced threats.
Cybersecurity leaders must create a dynamic support ecosystem for neurodiverse individuals, as it can be overwhelming transitioning to a workplace environment.
Define communication best practices. The way in which managers and team members communicate with neurodiverse colleagues is important when it comes to demonstrating how expectations, feedback and general discussions happen.
Cybersecurity leaders must also design an inclusive workplace environment to ensure neurodiverse individuals are given the best chance of success. This does not entail lowering performance standards, but rather modifying the work environment to help employees perform their job successfully.
Within the neurodiverse talent pool, recognize that it is not a one-size-fits-all approach. Not all cybersecurity team members will have the skills to manage people or be excellent communicators, but be sure not to filter out neurodiverse individuals by requiring generic skills that are not actually necessary for the fulfillment of roles.
Benchmark diversity levels and assess team culture
Improving diversity betters overall business outcomes and work environments. A lack of diversity in cybersecurity teams will reduce efficacy, which perpetuates an unsupportive, toxic work culture and environment. Those across the cybersecurity industry frequently experience burnout from stress, which can lead to turnover.
Cybersecurity leaders must work closely with HR partners to measure diversity and establish a baseline view of the current position. To identify barriers to recruiting and retaining diverse teams, cybersecurity leaders can use Gartner’s Culture PRISM, which examines the culture within teams:
- Purpose: Why we do the things we do
- Rules: What is expected or permissible
- Identity: Who we think we are in relation to others
- Safety: How we help each other succeed
- Measures: What we value and pay attention to
While all five components are important, it is critical to focus on the concept of safety. Safety plays a crucial role when it comes to diversity and issues related to toxic cultures. Individuals will not be able to reach their full potential if they don’t feel safe and comfortable. Leaders who promote diversity and inclusion practices will be able to improve their employees’ feelings of safety.
The cybersecurity industry will continue to face a global skills shortage unless actions are taken to improve the diversity of cybersecurity teams. Cybersecurity leaders need to partner with those in HR to craft a plan of action to broaden their team's diversity.
The global talent pool consists of many diverse candidates, so it is important to make sure the criteria of job roles are flexible and customizable in order to appeal to those who find it hard to navigate the mainstream recruitment processes.