21 February 2023
CREST, the global not-for-profit community of cyber security businesses and professionals working to keep our information safe in a digital world, today launches its latest best practice guide, describing how to foster greater equity, inclusion and diversity (EID) as part of national cyber security strategy.
CREST’s latest good practice guide delivers practical information for government departments charged with developing not only a National Cyber Security Strategy (NCSS), but a more diverse, inclusive NCSS.
An NCSS is a framework describing a nation’s strategy to ensure a more resilient, trusted and robust cyberspace. Part of that is a clear plan to grow and nurture the talent pipeline, ensuring people have the right skills to fight ever-evolving cyber threats to national security.
And yet, as CREST CEO Nick Benson says: “It is surprising how few NCSS documents mention harnessing the benefits of a more inclusive and diverse cyber security workforce. As the gap between supply and demand in the cyber security workforce grows, a clear course of action exists to attract a more diverse talent pool to the sector.
“As an industry, we must encourage more people into the sector who have different backgrounds, influences and experiences. A more diverse workforce will deliver myriad benefits, including fresh, creative perspectives – on how we can solve complex security problems.”
The 2021 Cyber Security Workforce Study from (ISC)² suggests the number of additional professionals organisations need to defend their critical assets adequately stands at 2.72 million people.
The 33-page free guide is now available to download via CREST’s website.
This latest guide includes up-to-date descriptions of what equity, inclusion and diversity mean in the context of the cyber security sector, including age, disability, neurodiversity, gender, sexual orientation, race, religion and socio-economic background.
“Improving equity, inclusion and diversity at a national level is essential for any nation that wants to improve its cyber resilience,” said Allie Andrews, CEO of PRPR and author of the report. “Tapping into a diverse talent pool is not just key to alleviating the skills shortage and the right thing to do, but it is clear it also improves security teams. There are a lot of great initiatives out there, but what is needed is greater guidance in NCSS about what works and what doesn’t.”
The guide describes how to include these crucial considerations in an NCSS, with examples of international strategies which have taken EID into account. In addition, the report delivers examples of good global practice and how to measure the success of a strategy.
However, EID is about more than simply including policies in an NCSS.
Nick Benson adds: “Recruiting and retaining more diverse cyber security professionals requires more than policy. It needs genuine collaboration with all stakeholders in the cyber security ecosystem. It may also need significant societal or cultural change at a national or workplace level, which takes time, but the rewards will be worth it.”
The report is one of several produced by the not-for-profit organisation to help build capacity and consistency in the cyber security industry, aimed at companies and individuals who need to understand the importance of EID in cyber security strategy.
In 2020 CREST received a grant of US$1.4 million from the Bill & Melinda Gates Foundation to help increase cyber security capacity and cyber resilience in Bangladesh, Ethiopia, Indonesia, Kenya, Nigeria, Pakistan, Tanzania and Uganda. This latest EID Guide is created by CREST to assist in this enabling process.
CREST is a not-for-profit accreditation and certification body representing the technical information security industry. CREST provides internationally recognised accreditations for organisations providing technical security services and professional-level certifications for individuals providing vulnerability assessment, penetration testing, cyber incident response, threat intelligence and security operations centre (SOC) services. CREST Member companies undergo regular and stringent assessment, whilst CREST certified individuals undertake rigorous examinations to demonstrate the highest levels of knowledge, skill and competence. To ensure currency of knowledge in fast-changing technical security environments, the certification process is repeated every three years.
For more information on CREST: www.crest-approved.org
For media enquiries contact: Allie Andrews, [email protected]