Written by Joanne Hall, School of Science, RMIT University and Maria Beamond, School of Management, RMIT University.
Cyber threats and attacks are increasing: Australian organisations face unprecedented risks.
Although an increasing number of tech companies are active cyber defenders, many report difficulties in recruiting, retaining, and developing cybersecurity talent. Inclusive talent management could be the answer.
Diverse cyber adversaries require diverse cyber defenders. In the workplace, teams with talent from diverse backgrounds enable cyber threats to be examined from multiple perspectives.
However, an organisation only gets value from the diversity of their workforce if the underrepresented groups are empowered to contribute. Inclusive talent management assumes that everyone has ‘a talent’; empowering everybody to boost the success of their organisation.
The OECD[1] defines diversity along six dimensions: migration; ethnic groups, national minorities and indigenous peoples; gender, gender identity and sexual orientation; special needs including learning disabilities and physical impairments; and giftedness including neurodiversity.
We suggest that diverse academic background, professional experience and age are also important dimensions of diversity.
Each of these dimensions may need specific talent management strategies to recruit, retain and train (or retrain) potential cybersecurity talent. However, an inclusive organisational culture is an imperative. Organisations with a culture that makes them more welcoming and inclusive increase their competitive advantage.
Inclusive talent management practices are not yet widespread in the cybersecurity industry. Let’s look at some of the ways that inclusive talent management could be applied to the cybersecurity workforce.
Recruitment
Job advertisements frequently request a number of years of work experience. However, a curious, creative professional actively involved in their community could rapidly acquire deep technical skills and organisational knowledge. Limiting recruitment to talent with a specified duration of experience could exclude the most enthusiastic, curious, creative, and community-engaged cybersecurity talent from your shortlist.
Technical and non-technical skills are required in all cybersecurity roles. Technical skills can often be learned in-house, whereas the non-technical skills (or soft skills) can be more difficult to gain. For example: a former emergency nurse with some technical training might be good in an incident response role because they can keep calm in a crisis. A former librarian might be good in a governance role as they have the patience to read extensive documents. A person who is blind may note vulnerabilities because they interact with technology in different ways to a seeing person. A neurodiverse talent may have traits such as hyperfocus, precision, persistence and the ability to identify patterns. Recruitment which focuses on technical skills and experience may fail to attract those with highly developed non-technical skills, and nonstandard perspectives.
Recruitment processes need to be flexible enough to engage with the diverse dimensions of talent. For instance, neurodiverse talent often presents poorly in an interview, yet is very capable in a technical role. For a client-facing role, an interview may be appropriate; however, interview panels need to be diverse to attract diverse talent. For example, if all members of an interview panel are of the same gender or cultural background, this may turn off candidates of a different gender or cultural background.
Recent graduates are ambitious and enthusiastic, but have little experience of where best to build and direct their innovative ideas and energies. Broad-ranging and structured support can rapidly turn an inexperienced graduate into a valuable team member. Recent graduates expect lower salaries than experienced professionals, making recent graduates an attractive addition to an established team. Graduates being placed in unpaid internships, and international graduates being vulnerable to exploitation by unethical migration agents or by intensive workloads, are a few examples of what is happening.
Curiosity and creative problem solving are some of the most sought-after attributes in cybersecurity staff. Yet very few job advertisements, key selection criteria or promotion rubrics mention curiosity or creativity. Well-resourced curiosity turns a little bit of knowledge into subject matter expertise. Well-supported creativity turns tricky problems into achievable solutions. Hiring for curiosity and creativity and providing resources and support can create teams with deep knowledge that can creatively solve tricky problems.
Retention
Valuing staff contribution can be done in many ways. Salary is important, but not everything. Some people enter cybersecurity for the technical challenge, some for the humanitarian ideal of keeping the community safe, some because they think hacking is ‘cool’, some because they would like to go back to the workforce, and some just because they have the skills. Those motivated by technical challenges may not be interested in managerial career pathways; those who are retired may like to work a few days per week; those motivated by humanitarian notions may like to choose their projects based on end user groups; those who want to be a hacker may not like client engagements that require a business suit; and those motivated by their own skills (such as neurodiverse talent) may not be interested in any of the former. Providing opportunities for work that matches an employee’s motivation leads to staff feeling valued.
Equitable opportunities include large things like promotion pathways; project allocation; travel opportunities; special training and mentoring opportunities fitting the different diverse dimensions of talent; and creating a safe workspace in relation to, e.g., team meetings, task allocation and the way that someone is introduced. Studies indicate that white men often speak most in team meetings and interrupt their female or non-white colleagues. Neurodiverse talent feels valued and supported at work when employers provide a place where they can be safe and relaxed, without distractions and pressures. Indigenous talent value organisations that support connectivity with their community, and provide cultural awareness training within organisations, development and training opportunities, and ongoing support and mentoring. While mature-age talent make fewer mistakes, are more reliable, and have a higher productivity rate than their younger colleagues, they look for flexibility in the workplace, and still want the social engagement and intrinsic rewards but with less career focus. Creating organisational strategies to support diverse dimensions of talent enhances not only retention and productivity but also a sustainable workforce, reputation, and competitive advantage.
Training
Employers can offer study leave or payment of course fees to support their staff to upskill into a cybersecurity domain, or create their own strategic training support. Many universities and TAFEs offer cybersecurity courses of various lengths and foci, from the highly technical to a business focus, from highly theoretical to practical implementations. Various courses of study are eligible for Commonwealth funding support. However, training may need to fit the needs of diverse dimensions of talent. Training and retraining are valued by most diverse dimensions of talent.
Private training organisations, industry bodies and vendors offer short courses that can train people in a specific area of knowledge. Organisations can consider arranging for a team of employees to do a specific short course of most relevance. This can be useful for those in a cybersecurity role who need to learn a new technology, or those in an adjacent role looking to enter into a cybersecurity role. Vendor training (or retraining) packages may offer good value if your organisation is already using the vendor’s products, but can be used to advertise new products, which may not be the best use of your staff time. Be aware that the private training space is diverse, with many quality operators vying for space alongside shams. We teach our staff to spot a scam email; we can also try to spot a sham training offering.
Sharing knowledge and skills within an organisation builds capacity. Rotating staff into a cybersecurity team for a few months, and rotating cybersecurity staff into another team for a few months, can build cross-disciplinary skills and productive working relationships across business units. Training and development are two of the aspects most valued by the diverse dimensions of talent, both in attracting this talent and in retaining it.
Inclusive Talent Management for Cybersecurity
Inclusive talent management means ensuring that all staff, including diverse dimensions of talent, have equitable opportunities for career development, and are supported to engage in formal training and development, and knowledge sharing experiences if they are interested.
- Attract, recruit, and retain diverse dimensions of talent through an inclusive company culture.
- Ensure that job advertisements and instructions to recruiters will not exclude cross trained or informally trained staff.
- Take a chance on a recent graduate, especially if you are adding strength to an existing team.
- Get value from the diverse perspectives in your organisation by ensuring that everybody is empowered to contribute all their best ideas.
- Build technical and managerial career paths within your organisation.
- Investigate upskilling options (training, retraining). Universities, TAFEs, private training organisations and vendors can provide useful training options that can be fitted to diverse talent, but don’t get scammed!
- Design ways to share cybersecurity skills within your organisation.
[1] Strength through Diversity: Education for Inclusive Societies (https://www.oecd.org/education/strength-through-diversity/Design-and-Implementation-Plan.pdf)