The diversity gap in cybersecurity and skills-based hiring

I spoke to Greg Craft, the Talent Director, and Jack Jordan-Connelly, the Relationships & Community Manager, from Immersive Labs, a Bristol-based cybersecurity start-up; they have created a browser-based platform that sets out to tackle both the skills shortage and diversity gap in cybersecurity through bias-free, skills-based job placements.

I had some hands-on time with the platform which uses a set of bite-size learning tools followed by challenges to take users from beginner through to expert whilst logging their progress and demonstrations of their new technical skills.

They have individual academies specifically for veterans and also the neurodivergent, as well as a student academy. I wanted to find out more about the background to the business, their thoughts on diversity in cyber, their hopes for the future and their ideas on solving the diversity gap in cybersecurity.

What’s the background to Immersive Labs?

Greg: We formed in January 2017 and we’re now 55 people, but our CEO (James Hadley) worked in cybersecurity for about 18 to 20 years. He’s very passionate, same as we all are, about widening access into cybersecurity. Cybersecurity has a double set of circumstances in the fact that it’s very un-diverse, particularly with women in tech, and there’s a huge skills gap, which is projected to be millions and millions, depending on which set of figures you look at.

He realised that essentially the ways of upskilling people in cybersecurity didn’t scale and weren’t particularly well suited to addressing the diversity gap in cybersecurity; and taking that forward is Immersive Labs, aiming to remove lots of these barriers and widening access. There’s a huge diversity gap in cybersecurity. If you have everybody who has the same background and works in the same way and probably has a lot of alignment in their ways of thinking, there’s not much challenge and there’s probably a lack of fresh input, which would be a problem in any industry. Unless more is done to remove some of those barriers that prevent people getting into cyber security, we’re just going to end up with the same status quo and it’s not going to solve the skills gap which means a massive shortfall of people.

Why is there a diversity gap in cybersecurity?

Greg: I think historically it’s been people relying on academic qualifications to get into cyber security. Although it’s still in relative infancy as a recognised profession. And over the years, I think employers have just taken people who have studied computer science. This exacerbates the problem because more males than females have studied computer science. The platform enables people to upskill and develop hands-on practical cybersecurity skills. And through the digital cyber academies, I guess we’re proving that you don’t have to have an academic background or qualification and in fact actually as a business, you should be resourcing based on evidence of skills. So i.e. skills-based resourcing, not have you got the right degree, or have you got the right level of industry experience. And through our academies, we’re saying you can upskill and then apply for jobs through the platform and the sole application metric being that employers are only looking for evidence that there’s pre-validated technical skills and nothing else.


What’s the reception been like?

Jack: It depends on the client. We’ve found some companies are extremely receptive and it’s worked quite well. Some are very receptive, but it hasn’t bled down to the resourcing teams – we’ll get a very enthusiastic individual at CXO-level, who has bought into the idea very much so, but the process is just too difficult to change throughout the business. And then we’ve found other examples where there’s been a lot of initial reluctance, but they’ve tried to give it a go and seen success. It’s been a blend really.

But it’s as much of a learning experience for Immersive Labs, working with a variety of companies because I suppose all modern history has been based on CV recruitment and we’re trying to change that to something completely different. Sending over a digital profile based on our platform, it has the huge benefit of removing all potential unconscious bias. So, there is no detail of ethnicity, there is no gender, but it’s difficult to be able to fit that into pre-established HR because you’ve got say, 21 applicants, 20 come from external sources with a CV and one comes from us with a digital profile. But we are finding success. There’s a lot of buy-in and it’s about utilising these areas of the workforce that have not been included so far.

So particularly with the neurodivergent academy, with some cases, there’s up to a 90% unemployment rate for those with autism, for example. But within cybersecurity, 75% of autistic traits fit really well in certain cybersecurity roles. So, when we’ve got this huge skills gap and this diversity issue in cybersecurity, more traditional means of recruitment aren’t solving either. These companies are having to pay higher salaries for the same pre-existing talent pool and that might solve the issue for the business, but it doesn’t solve the issue for the sector, for the economy, because it’s just people fighting over the same resource. So, we find that companies are willing to be more adaptable with their HR processes because they are accessing new areas of the talent pool that so far haven’t been available, or they have been available but generally ignored or underutilized.

What kind of organisations are you working with?

Jack: If you think, when we’re talking about one of our main sponsors on the Digital Cyber Academy, BAE, that sponsorship allows them the ability to post however many jobs they’d like on the platform and allows them access to a much wider talent pool than traditional methods of recruitment. Hargreaves Lansdown is a financial services company and because of the sensitivity of the data they hold, cybersecurity will always be a priority for them; they’re also now hiring through the DCA to attract top talent to their business. When talking about businesses and organisations that use the platform commercially for upskilling their staff, we’re at a place now where, and the economy is in a place where, nearly every business at a certain size needs to prioritise cybersecurity, in some way or form. So ultimately the breadth of companies we work with now, and the industries we can work with in the future is almost unlimited.

How are you attracting users?

Jack: It depends very much on the academy. So, for the student academy, it will generally be working with student unions or working with faculty directly, working with academic staff who then pass it on to their students. For the veterans’ academy, we’re partnered directly with TechVets, so they’re our primary partnership although we do have connections to other organisations. It’s very word of mouth, understandably anybody who has left the forces or is still serving will know people who have left and are seeking new employment. And it’s the same with students. You get one student on the platform and we see that grow by 5 or 10 people within an instant. There’s the word of mouth, network effect.

The neurodivergent academy is slightly different in the way that we’ve discovered – we’ve had a lot of success building relationships with, I suppose, you would say industry contacts, but how to actually translate that into active users has been the issue we’re finding so far. So an example I can give, we’ve just partnered with the Salford Cyber Centre, so there’ll be about 40, 50 neurodivergent individuals who will be joining the platform within the next couple of weeks. So, it’s relationships like that that we’re starting to build. The best way to summarise all that is, how each academy grows is tailored to the target audience.

What’s the size of the potential market?

Greg: It depends on the size of the academy you’re looking at. For the student academy, it’s currently available to students in the UK, the US, Singapore, Australia, Canada, Saudi Arabia, UAE and now Switzerland too, with Poland and Jordan opening in the coming weeks thanks to new sponsorship in those countries. I don’t actually know the total number of students who could get access to it, but it’s not restricted to those studying computer science or cybersecurity, any student at a university or college, studying any subject. It’s open to a huge potential market.

And the way that the content is structured within the platform, it goes from absolute pretty much how do you spell cyber through to very complicated, for example, advanced malware analysis. So students, no matter what they’re studying, or no matter what their previous experience, can connect with the material at their current level of ability. Therefore, it’s not restricted to those who have some previous experience.


Where do you see yourselves in 18 months?

Greg: Expanding our commercial client base. So, we have clients on five continents so far. We’re getting a lot of traction particularly in financial services, who obviously have a lot of important data to protect and they’re finding that because their people can connect in with and upskill on the platform 24/7, that’s actually a very efficient way for them to develop their internal teams. So, we’re expanding our external client base probably here, in the US particularly, and potentially also releasing our Digital Cyber Academy across Western Europe.

What kind of traits are employers looking for?

Greg: Ones which fit in very well with how the platform operates, which is quite nice. Which is probably what’s getting us some traction. But in essence, it’s people who can show analytical thinking, perseverance, horrible phrase but thinking outside the box, troubleshooting, just think of new ways of looking at things, the ability to find patterns. The way the platform is structured in the fact that we don’t have to provide learning material, we provide challenges in a way in which we can assess whether they’ve actually got the competence or not. It draws out those traits of being able to go away, research, find information and then practice combining those.

11% of cybersecurity workers are female. Why is that?

Greg: That’s a good one. I don’t know but I guess – whatever the initiatives are, they’re still not cutting through in quite the way that most people would envisage.

Jack: I’m hoping, it will be a slight spring effect when talking about the number of women in cybersecurity, and tech overall, being so low and continuing to drop in some areas. A lot of the initiatives that seek to address the diversity gap in cybersecurity have the message that tech is a boys’ club at the moment and we need to work together to change that. So, the spring effect that I would hope is happening is that the message being picked up at the moment may be that because it’s seen as a boys’ club, there’s diminished interest from women to move into the sector but once you get 5 years down the line, 10 years down the line, or even much sooner, you start to see the next generation come through who have taken the other side of that message, saying you’re the next generation, you need to be part of this, we need more women and they have a real desire to be part of the solution.

It’s difficult to comment on because it’s an issue that won’t be solved overnight but at the same time it is an immediate issue. And it’s balancing what short-term gains you need to show to merit these programmes but also ultimately the long-term, it is a long-term goal. There’s no overnight where suddenly it’s going to become 50:50 from 11%.

Greg: I think role models play a big part in the diversity gap in cybersecurity. There are lots of female role models in cybersecurity. I know there’s criticism of conferences in perhaps not giving them front of a stage and the same level of visibility. But I think once you get to a level of critical mass, I don’t know what that point is, but then it starts to become self-fulfilling because you’ve got enough people in the pool to become role models for the next generation. There’s definitely a visibility issue.


Making the case for a career in cyber

Greg: First and foremost, it’s pretty much a zero-unemployment market. There is an incredible diversity of jobs within cybersecurity. I know lots of different organisations that are looking to actually address this but I think cybersecurity has often been viewed as noughts and zeros and very male orientated and primarily a role in cybersecurity as being a penetration tester. Actually, the number of roles and the number of areas of cybersecurity is very diverse. It’s not just a technical issue, it’s a human problem. And there’s a very diverse range of skill sets that are required to fill the skills gap and not just being a penetration tester. So, I think it’s getting across that diversity of roles and that actually there’s a role for everybody. I think that that will grab more people.

Solving the diversity gap in cybersecurity

Jack: I think a way to solve the diversity gap in cybersecurity would be to look at the level of inclusion at a younger age. It is something that we’re seeing already. There are a lot of programmes aimed at schools so for instance, we’ve recently agreed to be part of the Bristol and Bath Cyber Skills Initiative which works very closely with the younger ages. I genuinely think that’s where the core difference is going to be made and that’s where I would see that inclusion at a younger age for any group that you’ve mentioned so far; okay you can be male, white, straight, middle-class and that’s fine, you can still be involved. But getting neurodivergent groups in, getting more women involved, more BAME diversity, I think that inclusion at a young age so everyone is growing up with those ideals – the next generation moving into the workforce are already in a place where everyone is used to being part of the same group, and it’s not seen as being part of a boys club, it’s not seen as old white males sitting in a room. They’ve already learned that there is a different path.

Greg: I think the key to the diversity gap in cybersecurity, is getting even more employers openly receptive to skills-based resourcing, so resourcing based purely on the evidence of potential and pre-validated skills and technical skills if it’s a technical role. And it’s just opening their minds to it being based on the skills they need, rather than where they’re from, the university they went to, which will help them fill their internal positions and just widen the market.

I guess we definitely want to encourage people who fall into the categories of people that we have our platform available to, to know that it’s a resource that they can use. And there are already lots of employers who are willing to recruit based on pre-validated technical skills, not just our sponsors but other organisations across the country as well. So, if it’s in their interest to do, then they can access the platform and upskill. And you will very quickly realise if it’s not for you, it’s not going to be for everybody. But I think lots of people are surprised actually how interesting and varied and rewarding it can be. So, it’s just a case of opening people’s eyes and them giving it a go.

Jack: The only other thing I’d add is there’s no ego in Immersive Labs. We’re not trying to take on and change the world all by ourselves. So, kind of tied to that point, if there are any initiatives, if there are any groups, if there are any organisations, whatever it may be, we’re happy to have a conversation around supporting them as well. We want to be part of the ecosystem, both locally within Bristol and Bath but also nationally and then internationally. We want to be a part of a much wider network solving these issues and not just trying to be the sole saviour of the world and the diversity gap in cybersecurity.
