1 Introduction
1.1 Background on this survey, aims and objectives
The Cyber Expertise Diversity Survey was designed to investigate how new structures being introduced into the cyber security profession may be influencing its composition. The survey is small scale, opportunistic, and exploratory. These limitations mean it is oriented more towards formulating and testing the questions we should be asking than towards providing conclusive answers. It aims to provide recommendations for the design of future, larger studies.
The survey was conducted in association with RISCS (the Research Institute for Sociotechnical Cyber Security), and the approach was developed with help from a number of individuals in industry and government who supported the project by providing advice on the approach and objectives.
The Cyber Expertise Diversity Survey explores the intersection of diversity and professionalisation, and thus builds on a line of inquiry developed in recent years through the 2020-2021 NCSC/KPMG ‘Decrypting Diversity’ surveys of individual professionals, and other work such as the organisation-level ‘Cyber Security Skills in the UK Labour Market’ survey, which introduced additional diversity-focused analysis in 2021 [1].
[1] See https://www.ncsc.gov.uk/report/diversity-and-inclusion-in-cyber-security-report, https://www.ncsc.gov.uk/report/decrypting-diversity-2021-diversity-and-inclusion-in-cyber-security, https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2024/cyber-security-skills-in-the-uk-labour-market-2024-technical-report
1.2 Research Goals
We wanted to understand how well the categories of cyber specialism align with the EDI goals of the profession. We wanted to think through who will find it harder or easier to attain recognised status, and to examine how professionalisation is likely to change the distribution of cyber security expertise.
Motivating these questions is a set of concerns that we believe require further evidence and analysis.
Firstly, scholars have observed that there is a tension between two goals of professional bodies like the UK Cyber Security Council (UKCSC). On the one hand, such bodies seek to standardise professional categories, statuses and processes of recognition. On the other hand, they have a moral purpose to ensure that opportunities are not unequally distributed across society. Standardising professional categories, statuses and processes of recognition can serve to entrench existing inequalities and create new forms of inequality (Evetts 2012; Daniel 2007). The effectiveness of professional bodies’ efforts to support equality, diversity and inclusion (EDI) in their domain is crucial for their legitimacy and sustainability, and the success of these efforts will depend on having a good understanding of the actual and potential effects of standardisation.
Our second concern arose in conversations with experts in security awareness and human factors, and relates to the specific way in which expertise in people and culture is treated in the UKCSC’s Cyber Careers Framework. In this framework, expertise in people and culture is treated as a generic requirement (‘soft skills’). While this decision has the virtue of emphasising that all cyber security professionals need some competence in this area, it fails to recognise expertise in people and culture as an area of deep expertise in its own right [2]. Such expertise does not currently lead to accreditation. Anecdotally (and our survey was not of a scale that could substantiate this), there is a concern that women are over-represented in this area of the profession (for instance, working in security awareness and human factors) compared with other areas; if this is the case, the Cyber Careers Framework risks exacerbating issues of gender representation by making it harder for women to gain recognition.
[2] We point the reader to the breadth of research that has taken place at RISCS, for an appreciation of the deeply technical nature of research into people and culture and related sociotechnical aspects of cyber security. See https://riscs.org.uk/publications/
Finally, we note that many of the senior leaders in the profession came into cyber security before most of the categories of expertise and specialism now in common use were clearly defined, before degrees and other qualifications in cyber security existed, and indeed before the term ‘cyber security’ was widely used. Their career routes were often highly idiosyncratic. The UKCSC was founded to provide more structure, with the goal of better supporting the workforce. An early version of the UKCSC Cyber Careers Framework featured a ‘Cyber Security Generalist’ specialism, but this was removed in later iterations. Idiosyncratic career moves may be disincentivised by a structure that ties recognition to advancement in specific domains. A better understanding of diversity of expertise may help us to understand the value of atypical expertise profiles, and the risks of incentivising more homogeneous skillsets. This was a further motivation for examining the methodologies and data that may be needed to understand the implications of professionalisation.
1.2.1 Approach
Because the survey is exploratory, this report presents the data alongside methodological reflections and reflections drawing on the existing social scientific literature. We examine three questions:
What kind of analysis would illuminate the effects of professionalisation on social inequalities?
What kind of analysis would illuminate the value of diversity to the profession?
Are there indications in our dataset that would support specific concerns about the impact of professionalisation on diversity?