In cybersecurity, we talk a lot about risk, assessing it, prioritising it, and mitigating it. We measure maturity in frameworks, implement controls with precision, and expect every stakeholder to understand their responsibilities. But there’s one risk most organisations still treat as optional. It’s not in their registers, not in their roadmaps, and certainly not in their budgets. That risk? Exclusion.
The underrepresentation of women and other marginalised groups in cybersecurity has been well documented. Yet, the needle hasn’t moved in any meaningful way. In fact, some indicators suggest it’s moving backwards. In the UK, the percentage of women in cybersecurity dropped from 22% to just 17% in the past year, a staggering decline in one of the world’s most essential and fast-growing sectors.
So why hasn’t representation fixed the problem? Because representation alone is not the solution. Inclusion that is structural, measurable, and embedded is what drives business resilience. And in an industry underpinned by constant change and complexity, inclusion isn’t a “nice to have.” It’s a business-critical control.
The Cybersecurity Workforce Shortage Isn’t Just a Pipeline Problem
Globally, the cybersecurity workforce faces a shortfall of nearly 4 million professionals, according to the World Economic Forum’s Global Cybersecurity Outlook 2025 report. In the UK, roles in cyber have increased by 128% over the past three years. Demand is skyrocketing, yet talent acquisition remains a major blocker for security leaders.
Traditionally, this shortfall has been framed as a “pipeline problem.” If only more young women pursued STEM degrees. If only more girls were interested in coding. If only we had more role models.
These narratives ignore the real issue: women and diverse professionals are entering the field, but they’re not staying. According to Microsoft, women are 45% more likely to leave tech roles than their male counterparts. Retention and progression are where the industry is bleeding talent.
That’s not a pipeline issue; that’s a workplace issue. And in cybersecurity, that workplace issue becomes a resilience risk.
Inclusion Isn’t a Distraction from Risk; It Strengthens Risk Management
Security is, by nature, multidisciplinary. It requires legal, technical, behavioural, strategic, and operational inputs. That means the best outcomes come from diverse thinking and a collaborative culture. Homogeneous teams, whether in identity or discipline, are more prone to blind spots, confirmation bias, and groupthink.
Consider this:
- A McKinsey report found that gender-diverse executive teams were 25% more likely to achieve above-average profitability.
- Research from Bayes Business School revealed that increasing female representation on financial institution boards correlated with a significant reduction in regulatory fines, in some cases equating to an annual saving of £6 billion.
- In cybersecurity, diverse teams outperform in scenario planning and threat modelling. They’re more likely to anticipate unconventional attack vectors and challenge assumptions that undermine security posture.
The logic is simple: diverse teams see different risks, and therefore design better defences.
Where the Industry Has Gone Wrong
Despite countless awareness campaigns, International Women’s Day events, and school STEM initiatives, the representation problem remains. Why?
Because most approaches to diversity in cyber have been performative, piecemeal, and underfunded. They rely on passion, not policy. And they often place the burden of change on the very people who are most excluded.
Let’s break down the systemic flaws:
- Superficial DEI Programmes
Diversity, Equity, and Inclusion (DEI) efforts are often vague and unmeasurable. “Raising awareness” is not a strategy. If you can measure your patching cadence, you can measure your promotion equity.
- The Leadership Blind Spot
Too many CISOs and board-level executives view inclusion as separate from “real” risk, something HR can handle. But inclusion is directly tied to:
  - Workforce stability
  - Cultural adoption of security practices
  - Ethical decision-making in crises
If it’s not in your governance strategy, you’re missing a key piece of your security framework.
- Hidden Hostility
Bias hasn’t disappeared; it’s just become harder to see. Women in cyber still report exclusion from leadership pathways, disproportionate scrutiny, and workplace cultures where success is met with resistance instead of support. Without structural change, these conditions silently erode diversity.
- Disengaged Allies
Men still hold the vast majority of leadership positions in the cyber industry. Yet many feel unsure how to help or fear saying the wrong thing. Others wrongly perceive inclusion as a zero-sum game. This stasis results in too few taking meaningful action.
Inclusion as a Business Control
So, what does effective, resilient inclusion actually look like in cybersecurity? It looks a lot like other mature controls: strategic, auditable, and tied to business outcomes.
Data-Driven Decision-Making
Track the metrics that matter:
- Who’s applying?
- Who’s being promoted?
- Who’s leaving, and why?
Use this data like you use breach detection: to surface patterns that require investigation and response.
Accountable Leadership
Inclusion should be part of leadership KPIs, just like operational risk or regulatory compliance. It’s not an optional initiative; it’s a governance responsibility.
Structural Change Over Symbolism
Panels and mentoring are useful, but they don’t fix broken systems. Inclusion means rewriting recruitment processes, offering flexible career paths, and ensuring psychological safety across all roles.
Intersectionality in Practice
Gender is just one lens. True inclusion means examining how identity, background, ability, neurodivergence, caregiving status, and more intersect to affect opportunity. The goal isn’t representation for optics; it’s equity in outcomes.
Why This Matters Now More Than Ever
Cybersecurity has never been more mission-critical. As we face escalating ransomware attacks, AI-generated threats, and increasingly complex regulations, like NIS 2 and DORA, we need people who can think differently, act quickly, and collaborate across disciplines.
Inclusion isn’t a social campaign. It’s a resilience strategy.
If we want to build security cultures that work, cultures where employees report incidents, follow policies, and care about protection, we need inclusive environments that people want to be part of. Environments where voices are heard, contributions are recognised, and leadership is diverse in thought and experience.
Because here’s the truth: inclusion is infrastructure. Without it, everything we build sits on shaky ground.
Fix the System, Not the People
We’ve asked women and other marginalised professionals to adapt to cybersecurity, to fit into systems never designed with them in mind. It hasn’t worked. The numbers prove it. The stories reinforce it. And the talent gap widens because of it.
It’s time to reverse the lens. Organisations must adapt to the talent they want to retain. That means:
- Embedding inclusion into every stage of the employee lifecycle
- Holding leaders accountable for equitable outcomes
- Investing in real structural change, not just awareness campaigns
If inclusion isn’t part of your risk strategy, your risk strategy is incomplete. And in an industry where threats evolve by the minute, that’s not just bad optics: it’s bad security.