We need to expand the cyber talent pool to engage with threats - Freha Arshad

One significant underlying issue highlighted by the research is the difficulty translating cyber-risk information into tangible actions within a business. Commonplace terms such as “ransomware” are understood, but mapping cybercrime campaigns or threat actors and aligning these to particular parts of the operation or company assets, along with the resources needed to mitigate them is not easy to do. The search for and development of talent, therefore, becomes more than a matter of technical expertise.

Underpinning the issue, the research revealed that 59 per cent of business leaders and 64 per cent of cyber leaders ranked talent recruitment and retention as a key challenge to managing cyber resilience. One of the report’s conclusions, meanwhile, was that solutions are to be found in partnerships, where a shared understanding can shape the talent pipeline.

Dundee’s new cyberQuarter is an example of where this is happening and where there is a drive to increase the supply of cyber professionals by expanding and promoting inclusion and diversity within cyber recruitment. Underrepresented groups in cybersecurity such as women, people of colour and those with informal educations have been continually discouraged from technical careers through societal expectations and perceptions of cybersecurity work culture and that has to change.

This requires broadening the narrative about who can work in cybersecurity so that people with nontechnical backgrounds, as well as those outside of the traditional education system, understand that there are currently roles for them as well. Many cybersecurity roles can be learned on the job or through apprenticeships. Retraining for technical roles is another possibility.

Embracing diversity also means having a better understanding of those currently working in the profession and knowing how best to nurture the skills of a diverse workforce – because businesses thrive when their people feel the diversity of their experiences and ways of thinking are valued. For cyber security teams, neurodiversity is critical. The National Cyber Security Centre found that 19 per cent of respondents to its latest industry survey identify as neurodivergent, which is significantly higher than the 15 per cent that has been estimated for the UK population. This can encompass a range of conditions such as autism, dyspraxia, dyslexia and attention deficit hyperactivity disorder (ADHD).

Neurodivergent people typically have a range of abilities that can make them ideally suited for the rigours of cybersecurity. These can include having the analytical skills to find the needle in the haystack, being able to visualise solutions, or possessing exceptional focus and problem-solving abilities. Employers should actively look for these skills and harness the innovative capabilities that come from a neurodiverse workforce. In fact, studies show that neurodiverse teams are 30 per cent more productive than neurotypical ones and made fewer errors.

As cyberthreats evolve and expand, so must the talent pool that engages with them. Designing and implementing appropriate cybersecurity solutions demands non-technical competencies such as business, management, legal, policy, problem solving, critical thinking and diplomacy, as well as the technical.

It is well documented that employing a range of people with diverse opinions, backgrounds, experiences and identities leads to greater innovation in any setting and that includes cybersecurity. Diversity is not a “nice-to-have” but something that is likely to influence a cyber programme’s success and strengthen the cyber resilience of an organisation to the highest degree.

Understanding this will help solve the challenge of expanding the talent pool.

Freha Arshad leads the Accenture Cyber team in Scotland in addition to leading the Security team for its Health & Public sector clients.