Workplace diversity is often championed for ethical or moral reasons. However, these are far from the only factors behind the need for more diverse teams – particularly in cybersecurity. As I explored in my last column, as the threats we face become more diverse, so too must the teams we put in place to defend against them.
Greater diversity in our cybersecurity teams can also help us protect the increasingly broad range of employees that make up the workforce. If we want to protect our organizations, we must protect our people, and as the workplace grows ever-more diverse, that becomes more of a challenge.
How can we really expect a cybersecurity team that is homogenous in its make-up, its thinking and its decision-making to protect an employee-base comprising a wide variety of ages, genders, and social, cultural and ethnic backgrounds?
Understanding the diverse workforce
Today’s attackers primarily target your people – in varying ways, across a range of channels, with objectives that aren’t always obvious. They may trick workers into opening malicious attachments or clicking on unsafe links, con your customers into sharing their login credentials, or impersonate your CEO to convince your finance department to wire money to a fraudulent account.
To understand how to best protect against these attacks, we must first understand the people that are being attacked.
Research shows those in more senior positions are less likely to experience a phishing email or spoofing attack, which goes against the assumption that cyber-criminals target VIPs. In fact, quite the opposite. As job level decreases, the reverse is true of the threat profile – the likelihood of being on the receiving end of these threats increases. Research shows that a significant proportion of malware and credential phishing attacks were also found to be directed at generic email accounts.
This poses a particular challenge as generic addresses are easy for attackers to find online and harder to protect – 2FA, for example, doesn’t lend itself well to shared email addresses. Bogus emails sent to these addresses also often reach multiple recipients, of varying job levels, at one time.
In the UK, the employee-base on the front line of such attacks is far from one-dimensional. Just under half of the workforce are women while 85.6% of people of working age identify as White, 8.1% Asian, 3.4% Black, 1.8% are of mixed ethnicity and 1.1% from other ethnic groups.
Education levels are just as wide-ranging. University graduates account for 42% of the labor force, with 21% educated to A-Level standard, 20% holding GCSE A-Cs or equivalent and 17% with no formal qualifications.
What’s more, with rising numbers of 18- to 24-year-olds in employment and the number of over-70s in the workforce more than doubling in the last decade, the UK’s employees span an increasingly wide age range.
Reflect the workforce, Protect the workforce
To protect these end-users and the organizations they represent, cybersecurity teams must be reflective of the wider workforce. Failure to build diverse teams can lead to a narrow-minded approach to threat detection, cause dangerous assumptions in end-user knowledge and facilitate poor decision making.
A team made up of older, more experienced cybersecurity professionals, for example, could assume that the younger, digitally native generation has an innate understanding of common cyber threats. However, we know this is not always the case. Research shows baby boomers and Gen X workers (those aged between 38 and 53) have a much stronger understanding of common threats such as phishing and ransomware – likely due to longer-term exposure to, and training around, these topics.
Equally, a younger team could assume a general understanding of more modern threats such as smishing (SMS phishing) and vishing (voice phishing) – terms that the majority of baby boomers and Gen X’ers are unfamiliar with.
A lack of gender diversity – women account for just 24% of the total cybersecurity workforce – can also have far-reaching consequences. Not least because male-oriented teams are known to gauge risk differently to those with a greater female influence, potentially leading to gaps in cybersecurity training.
Process and decision making can also be severely hampered by homogenous teams – be it through a lack of gender, ethnic, age or education diversity. A recent study of over 200 teams across two years found the more inclusive to make better decisions up to 87% of the time.
Teams that practice an inclusive decision-making process, with input from a varied range of people, were also found to make decisions twice as fast and deliver better results by up to 60%.
Rising to the challenge
Stats and studies of this nature cannot be ignored – especially in an industry experiencing the kind of skill shortage currently being felt in cybersecurity. Our industry faces a shortfall of almost three million skilled workers – with 59% of organizations reporting to be at an extreme or moderate risk due to a lack of cybersecurity staff.
If we’re to have any chance of closing this gap and mitigating that risk, we need to cast our net far and wide. Not just to ‘make up the numbers’ but to build teams capable of protecting the increasingly diverse workforce from increasingly diverse threats.
This is not just a box-ticking exercise for the sake of equality. Lack of diversity in our industry has far-reaching consequences – that could put the organizations we strive to protect at risk.