The second joint report from the NCSC and KPMG UK benchmarks against the 2020 findings to gauge what progress has been made.
# Industry News: Decrypting Diversity 2021 — Benchmarking Progress in Cyber Inclusion
## Summary
The National Cyber Security Centre (NCSC) and KPMG UK have released their second joint report investigating diversity and inclusion within the UK cybersecurity industry. Building on 2020 data, the report highlights critical gaps in representation and identifies a significant "say-do" gap regarding inclusive workplace cultures.
## Key Details
- **Date:** 23 November 2021
- **Companies Involved:** National Cyber Security Centre (NCSC) and KPMG UK
- **Category:** Market Analysis / Industry Report
## The Story
The 2021 "Decrypting Diversity" report serves as a benchmark for the UK cybersecurity sector's efforts to foster an inclusive workforce. Following the inaugural 2020 study, this installment surveys thousands of professionals to track changes in demographics and sentiment.
The findings indicate that while the industry is increasingly aware of the need for diversity, progress remains slow. Key issues identified include a lack of senior representation from minority groups, persistent challenges for neurodivergent individuals, and a culture where many employees still feel unable to be their authentic selves at work. The report emphasizes that diversity is not merely a social goal but a fundamental requirement for building the cognitive diversity needed to counter complex cyber threats.
## Business Impact
### For the Companies Involved
- **NCSC & KPMG:** These organizations solidify their positions as thought leaders in the "People" pillar of cybersecurity, moving beyond purely technical analysis to human capital strategy.
### For Competitors
- **Talent Acquisition:** Firms that fail to adopt the report’s recommendations risk losing top-tier talent to more inclusive competitors, particularly as the global talent shortage in cyber persists.
- **Innovation Lag:** Competitors with "monocultural" teams may face blind spots in threat modeling and problem-solving compared to diverse teams.
### For Customers
- **Improved Service Delivery:** Customers benefit from more robust security solutions developed by teams that approach problems from diverse perspectives.
- **Vendor Risk Management:** Modern enterprises are increasingly including D&I metrics in their procurement processes, meaning non-compliant vendors may lose contracts.
### For the Market
- **Standardization of Metrics:** The report establishes a standardized way to measure progress, moving the market away from anecdotal evidence toward data-driven D&I strategies.
## Technical Implications
The report argues that "cognitive diversity" is a technical necessity. Diverse teams are more likely to identify unconventional attack vectors and avoid "groupthink," which is a primary cause of systemic failure in incident response and threat intelligence.
## Strategic Analysis
- **Market Positioning:** Organizations that lead in diversity are positioning themselves as "employers of choice" in a market with roughly 3.5 million unfilled roles globally.
- **Competitive Advantage:** High inclusivity correlates with higher retention rates, reducing the massive costs associated with churn and recruitment in the cyber sector.
- **Challenges:** Deep-seated cultural biases and a lack of standardized reporting in smaller firms continue to hinder industry-wide progress.
## Industry Reactions
- **Analyst Opinions:** Analysts suggest that this report is a "wake-up call" that the industry's talent problem is as much about culture as it is about skills.
- **Expert Commentary:** Many experts have noted that the "neurodiversity" aspect of the report is particularly vital, given the high concentration of neurodivergent talent in technical security roles.
## Future Outlook
- **Predictions:** Expect more organizations to link executive compensation to D&I metrics over the next 2-3 years.
- **What to watch for:** Watch for the emergence of "Inclusive Security" frameworks that integrate accessibility and diversity directly into technical workflows and product design.
## For Security Professionals
Practitioners should view this report as evidence that "soft skills" and cultural competence are becoming core competencies. For hiring managers, the report provides a roadmap for diversifying recruitment pipelines—such as looking beyond traditional computer science degrees to neurodiverse talent and career changers—to build more resilient security operations.