The NCSC & KPMG UK’s 2020 Diversity and Inclusion report set the baseline for diversity and inclusion in the cyber security industry: one year on, the second annual survey – the results of which were launched on 23 November – provides the opportunity to benchmark against the 2020 findings to gauge what progress has been made in terms of individuals’ experiences in the sector.
Progress in diversity and inclusion is vitally important to the cyber industry, because, ultimately, ‘a more diverse and inclusive team is a more innovative team’. As the NCSC’s CEO, Lindy Cameron, highlighted during the launch event – not only is it right thing to do, it’s also the logical thing to do to ensure better business outcomes. The NCSC and KPMG UK are, therefore, committed to continuing this study over the long term in order to see greater change. Indeed, it is hoped that the findings of the report will help employers to review the progress they’re making; and to identify where they need to do more and take action.
What were the key findings?
Overall, the research conducted found some improvements, but the conclusion is that there’s more to be done to improve experiences and opportunities for all.
In some areas, diversity in the cyber security sector is higher than the average across the country; for example:
- 19% of those working in cyber are neurodivergent, compared with the 10% estimate for UK population as a whole.
- 26% of those working in cyber identify as disabled, compared with 20% of the UK population as a whole.
- 10% of those working in cyber identify as lesbian, gay or bisexual, compared with the 2.2% of the UK population, as per the Office for National Statistics’ (ONS’) 2018 data.
… And in others it’s around the same:
- When it comes to ethnic diversity, cyber is roughly aligned with national figures.
- 1% of the cyber workforce is made up of trans women and men, or people who are non-binary, which is in line with the wider population.
But there’s much work still to be done.
This year’s research reports that 36% of those working in cyber are women, which is up from 31% last year and better than much of the tech industry; but this increase is likely in part due to the wording of the question to align with the 2021 Census; and, of course, it still falls considerably short of the percentage of women in the population as a whole. Furthermore, there’s a higher weighting of female staff in younger groups, while senior roles – including the CISO – still tend to dominated by men.
In terms of inclusion, the report noted both positives and negatives, including:
- 71% of survey respondents felt able to be themselves in the workplace, but that leaves 1 in 5 cyber professionals who feel that they cannot be themselves.
- There has been a sharp rise in the number of LGBTQ+ people who felt uncomfortable disclosing their identity in the workplace
- 22% of respondents have experienced discrimination in the past year, but the number not reporting incidents has fallen since last year from 74% to 65%
So, the message is clear that the industry isn’t inclusive enough for certain groups – and this, in turn, will have a negative impact on their ability to do their best if they’re constantly trying to fit in. Indeed, an inclusive approach must permeate into recruitment and retention if industry is going to keep the talent it needs to thrive.
Discrimination is , unfortunately, a real problem in the sector with 1 in 5 respondents having experienced it in the last year, which is a slight increase from last year. This could be because people feel more comfortable reporting it, or it could be an increase in incidents – either way, this is not good. Furthermore, 4 out of 10 incidents reported were not resolved, so this is not just about the process for reporting: organisations need to create an inclusive and open culture where everyone’s contribution is recognised.
How was the research conducted?
This year, 945 people from across the UK cyber industry took part in an online survey. In order to preserve continuity, the underline methodology was the same as last year, however, new features were built in for 2021 to provide a richer, more complete view of diversity and inclusion in the sector. These included a wider range of characteristics such as age, disability, neurodiversity and location, as well as the size and type of organisation that individuals work for and insights into how they joined the industry.
Two areas that the report highlights as needing further study are (1) the impact of the Covid-19 pandemic on the findings; and (2) the need to expand the sample size in order to gain meaningful conclusions from the analysis of intersectionality in order to better understand the experiences of those in more than one minority group.
Key recommendations for driving positive change
The report sets out six recommendations for the cyber industry to adopt in order to drive significant change. These are not expected to change radically each year, but rather they’re designed to be long-term, enduring recommendations that will evolve as work progresses to improve the situation. Indeed, the idea is that they will support the industry to collectively move the dial in some of the key areas highlighted for improvement.
The recommendations are:
- Take an active role in leading on diversity and inclusion
- Create and benefit from hybrid working
- Use data to understand, monitor and improve the talent lifecycle
- Learn from D&I best practice
- Publicise the success stories
Map out the roles and skills
The newly created UK Cyber Security Council will take a leading role in pushing forward the diversity and inclusion agenda in the industry and addressing how changes can be made; and it has already put together a comprehensive set of steps that organisations can take.