
Straight Talk IT

Omdia view

The “Rule of Steve,” originally introduced by Dawn-Marie Hutchinson, suggests that in a room (virtual or physical) full of cybersecurity professionals there are usually more people called Steve than there are women. This should give everyone some idea about how far this industry has to go in order to encourage diversity into the workforce.

The security industry needs more people, period. Prior to the COVID-19 pandemic, (ISC)² estimated the workforce shortage to be over 4 million. That’s a lot of people, with the biggest shortage of around 2.6 million reported in Asia Pacific. The shortfall in North America stands at around 560,000, in Latin America around 600,000, and in Europe just shy of 300,000. Even with expected reductions in workforces in general as a result of financial pressures from COVID-19, cybersecurity will remain an area of importance, and we will need more people than we have today.

To build the workforce, we need to encourage diversity. We need more women, more ethnic diversity, more neurodiversity. We need more men. We need more people from a whole range of “groups” who have the right aptitude and attitude to work in information and cybersecurity.

Does everyone who works in the industry need to be in an office? Most definitely, “no.” Remote working significantly expands the pool of candidates, which in turn brings access to a better and more diverse range of individuals. A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups. For those naysayers who didn’t believe it was possible to work remotely in cybersecurity, the COVID-19 crisis has proved otherwise and presents a new opportunity to break the Rule of Steve.

Does everyone who works in the industry need to be technical? No—here’s an example. Business information security officers (BISOs) need to be able to speak to the business and to the IT and information security functions. These people should not be expected to have formal information security qualifications; instead, look within the organization for individuals who are perhaps security ambassadors or champions, or others who have expressed an interest.

Some people in the industry do need to be technical, and finding people with the right technical skills and expertise can also be a challenge. However, at events such as Black Hat, there is frequently a cohort of technical people—DBAs, for example—who are desperate to make their way in the world of cybersecurity but can’t find an opening because they don’t have the Certified Information Systems Security Professional (CISSP) qualification. At the time of writing, according to (ISC)², there are around 150,000 CISSP-qualified individuals globally—asking for this qualification seriously limits the pool of candidates. Why can’t organizations instead look for individuals with an aptitude for technology and an enthusiasm for security, and train them into the roles that so desperately need to be filled?

It is time to think beyond the usual confines of building a specialized workforce and fishing in the same small talent pools as everyone else. Forward-thinking organizations focus on recruiting and training people with the right aptitude and attitude for information security—this will increase diversity and ultimately improve the security posture of organizations.

Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.
