It's currently not possible to ascribe definitive values to several key metrics for diversity and inclusivity in the UK cyber security profession. These include:

• The proportion of people in the profession of:
  - people with disabilities
  - people with different sexual orientations
  - people of different religious beliefs, or no religion
  - people with different gender statuses
  - people from different socio-economic backgrounds or disadvantaged educational backgrounds
  - people from each ethnic group
• The age profile of the profession
• The proportion of which people with multiple ‘minority’ characteristics (those which are not widely present in the profession)

However, some baseline estimates are available. These include:

• For the proportion of women in cyber security roles:
  - 15% - DCMS, 2019 (cyber security sector businesses only)
  - 31% - NCSC, 2020
  - 23% - (ISC)², 2020
  - 13% - BCS CCP Scheme - Successful IA Professional Register
  - 9% - CFP, 2020
• For the proportion of people in cyber security roles who self-describe as neurodiverse:
  - 9% - DCMS, 2019
  - 13% - Bugcrowd, 2020 (global survey of cyber security researchers)
• There are several estimates of the proportion of people in cyber security roles who are from ethnic minority backgrounds:
  - 16% - DCMS, 2019 (cyber security businesses only)
  - 16-22% - (ISC)², 2020
  - 13-15% - NCSC, 2020
  - 18% - CFP, 2020

This lack of baseline metrics is not a UK-specific problem: nearly every country is as unsighted on this, or worse, than the UK.

In the absence of baseline metrics or the option of directing specific people into the profession, the Council’s policy is that there shall be no barriers either to entry to the profession, or to success within it, for any type of person.

The Council’s target for diversity is that the measured diversity characteristics in the profession should match those in the UK’s working-age population.

In practice, this should mean that:

• anyone shall be able to seek and find information, education, training and employment in cyber security; and
• each person’s chance of success shall be dependent only on their aptitude and skills
• everyone in the UK who can work is aware of the prospects for training, education and employment in cyber security
• the broad range of roles available and skills required in the profession is widely known
• no-one shall feel that they could not succeed in these prospects because of who they are
• there shall be no barrier to entering education, training or employment based on demographic characteristics
• selection for roles at every stage must be made without bias, conscious or unconscious, against any type of demographic characteristic.

The UK Cyber Security Council has examined approaches to improving diversity and inclusivity taken by other countries, professions and organisations. Its analysis will help inform much of the Council's work on diversity and inclusivity in the future.

Once the Council is fully operational, the kind of programmes it may support include:

• initiatives which target particular populations, such as neurodivergent young people or military veterans
• partnerships between thoughtful, committed third-sector organisations and commercial providers, bringing the two perspectives together
• the allocation of significant resources managed by skilled organisations, building up a programme over several years with a commitment to improving the offerings each year based on lessons from the previous one
• initiatives that combine a variety of hands-on (even if virtual) ‘learning by doing’, bite-sized instruction, competitions, teamwork opportunities and one-to-one mentoring
• imaginative methods to find and engage with underserved groups, recognising the barriers to their participation and being prepared to provide precursor support before the main programme.

The Council aims to publish specific objectives and plans in due course.

Find the Council's own diversity and inclusion policy here.