If organizations are to mount a better defense against cyberattacks, new thinking is required. That means building more diverse and inclusive security teams with less reliance on certification requirements and formal academic backgrounds. When a cyberattack comes, cyber capabilities matter more than degrees or accolades.
The need for greater diversity and skill among security teams has been captured in almost every study CyberRisk Alliance Business Intelligence conducted in 2022. Asked about their challenges on topics ranging from ransomware to cloud security and third-party risk, most respondents cited a lack of adequate skills among their security staff as a barrier to a sound security posture. On those topics and more, respondents were planning increased investment in both security technology and employees with a fuller array of skills.
A more diverse security team is more likely to approach threats with broader and more creative perspectives. For example, some security professionals may be more familiar with modern threats such as smishing (SMS phishing) and vishing (voice phishing) than others. Some studies also note that men gauge risk differently than women, so having different perspectives represented on the team helps it become more adaptive.
Research from decision-services company Cloverpop indicates that an inclusive decision-making process with input from a varied range of people enables faster decisions and better results by up to 60%.
Here are three focus areas that can help organizations navigate the path to greater diversity and effectiveness:
Don’t obsess over skills, experience and certifications
HP CISO Joanna Burkey recently wrote in a guest column on SC Media that hiring managers haven’t been very flexible about the certifications, accreditations, college degrees and work experience that they believe certain roles demand.
“It has not served the industry well,” she wrote. “There’s a growing realization today that we need to widen the pool of potential applicants by relaxing these requirements.”
She noted that certifications can serve a real purpose, which was especially true when cyber was a “new” domain. Back then, certifications were often used to reflect a degree of knowledge in this emerging space. But over the years, infosec certs have been somewhat diluted and are used too often as a checkbox to pre-qualify candidates. This “expected by default” mentality can exclude people without certs who may actually have stronger overall credentials, Burkey wrote.
The need to rethink the reliance on certifications was further explored in a recent paper from Forrester Senior Analyst Jess Burn.
“Hiring organizations place outsized emphasis on certifications as a requirement, and prohibitive preparation and maintenance costs act as a barrier to entry for early-career and diverse security talent,” Burn wrote. “Maintaining certifications over time is also a source of dissatisfaction among experienced security pros.”
Identify talent within your existing workforce
Immersive Labs, a company whose platform measures security awareness among its clients’ employees, noted in a blog post that companies need all manner of people and expertise to function properly. For this reason, the company said, it’s worth opening up cyber skills training content to all staff – not just the IT folks. Existing employees may already bring a wealth of transferable skills to the team, whether that’s communication, resourcefulness, a competitive edge, or quick thinking.
“As well as keeping your entire network more secure, everyone is capable of absentmindedly clicking a malicious link,” the Immersive post said. “Training everyone up in some security basics will help you identify staff who excel or show potential in some areas, including any relevant to particular security risks.”
Establish a diversity/inclusion working group
Immersive also recommended that organizations establish working groups focused on ensuring diversity and inclusion when recruiting for security team roles.
The company noted that it set up such a working group for its workforce.
“With volunteers from every corner of our organization – including sales, engineers, marketing, finance, developers, HR, director and C-suites – coming together, we are improving the way we recruit, fixing outdated language, investigating more outreach opportunities to inspire candidates from different backgrounds, undertaking surveys of our staff, and generally trying to become more accessible and a safe space for everyone,” the company said.
To help other organizations build more diverse security teams, Immersive created what it calls the “Ultimate Cyber Skills Strategy Cheat Sheet.”