NCSC and KPMG release Decrypting Diversity report

KPMG and the NCSC released their first report looking at diversity and inclusion in the UK cyber security industry

Today, KPMG and the NCSC released their first report looking at diversity and inclusion in the UK cyber security industry. A lack of diversity within the cyber security sector has long been seen as a challenge for the industry, inhibiting the exchange of ideas and Acting as a barrier to efforts trying to bridge the cyber skills gap.

This timely report will help industry understand where it is failing on diversity issues and what steps the sector must take together. Significantly, the report aims to create a benchmark for diversity and inclusion in the UK cyber security industry which will help the industry understand the areas in which it is making significant progress, and where additional attention is required.

Following the release of the report, the NCSC and KPMG will convene a series of industry-led working groups to take forward recommendations from the report and help to bring them to fruition. Going forward, these working groups will guide future variations of this report and will help to create a more diverse and inclusive cyber security sector.

The report finds that though the cyber sector has higher levels of LGBT and female representation than the wider technology industry, a number of communities reported higher levels of discrimination and lower confidence than the survey as a whole. These experiences suggest that the industry is suffering from a lack of diversity and this could lead to the loss of talent.

Some of the key statistics from the report include:


  • 11% of respondents identified as LGB
  • 31% of respondents identifying as female which is low relative to the population but higher than other technology industry surveys
  • 13% of respondents identify as a minority ethnic group
  • 1.3% of respondents identified as trans
  • 17% of respondents were eligible for free school meals


  • 72% of respondents feel confident being themselves in the workplace
  • 16% of respondents experienced at least one negative incident in the last year
  • 74% of those who experienced negative comments did not report anything
  • 14% of respondents experienced barriers to career progression due to D&I issues
  • 9% of all respondents considering leaving their employer or the industry.

These statistics show that there is still a long way to go to make the cyber industry the champion of diversity and inclusion that it should be. To rectify this, the Report sets out five recommendations:

  1. The industry must take an active role in leading on diversity and inclusion. The industry must work collaboratively to develop a clear vision for what diversity and inclusion practices cyber professionals should expect.
  2. Create from a more distributed workforce: Identify a set of principles for organisations to bake inclusivity into future ways of working with employees in more disparate physical locations.
  3. Use data to understand and track representation: The industry should leverage its expertise in data to establish best practice for measuring diversity and inclusion in organisations
  4. Create a Cyber D&I talent toolkit: The industry should build upon existing good practice both inside and outside the sector to produce a toolkit to help organisations map the talent lifecycle for their cyber employees and show how diversity and inclusion can be embedded at each stage
  5. Learn from D&I best practice: The industry must work will all stakeholders to share diversity and inclusion best practice across the industry to learn from each other as they each take their own steps to improve the experiences of cyber professionals
  6. Publicise the success stories: DCMS should use the UK Cyber Security Council once established to produce a set of case studies and career journeys that show the breadth of routes into cyber and the diversity of professionals in the industry today.
  7. Map out the roles and skills: DCMS should use the UK Cyber Security Council once established to produce cyber roles and the skills required in order to develop a framework to describe cyber roles and skills consistently.

techUK believes that this report and the subsequent recommendations are a welcome step, in a space where progress has simply been too slow in recent years. By setting a benchmark, the cyber sector will be more able to effectively assess its progress on diversity and inclusion issues and to figure out which policies are the most effective. techUK looks forward to supporting this progress, both through the proposed working groups and in the existing ongoing industry efforts .

Ciaran Martin, Chief Executive of the NCSC, said:

“It cannot be right that in the year 2020 there are still people within our industry who feel they can’t be themselves or who face discrimination because of who they are and this report should drive our determination to act.

“There is far more to do on diversity and inclusion and the NCSC is determined to be a leader in this field, but a cross sector effort is required to get this right.

“I urge all cyber security leaders to read the report and act on it.”

Bernard Brown, Partner and Vice Chair, KPMG UK, said:

“If the UK is to continue to play a leadership role in cyber security, we need to create an innovative and inclusive workplace that attracts the finest minds from our communities. Highly skilled cyber security specialists are an imperative in a rapidly expanding digital economy, supercharged by COVID-19.

“Our findings show that the cyber industry has a lot to do if it is to build truly inclusive workplaces. The report provides a route map for change and a call to action for a collective response to the issues raised.”

Jacqueline de Rojas, President, techUK, said: 

“This report on diversity and inclusion in the UK’s Cyber Security industry couldn’t be more timely. Diversity in the sector is growing but this report sheds light on the discrimination still faced by marginalised groups in the workplace. For diversity efforts to be truly impactful, you must first build an inclusive culture for all. The creation of a benchmark will do more to highlight how we can ensure that everyone feels confident and safe at work, and is a fantastic step forward.

“The inclusion of diverse voices at every stage widens our perspective when operating under pressure. In difficult times, we see the heavy reliance on our scientists, technologists and engineers to come up with solutions, fast, to support the Cyber sector. We cannot do this successfully without diversity across the board.

“As we build towards the digital economy of the future, it is crucial that we foster diverse skills and talent to progress with adaptability rather than simply course-correcting from outdated recruitment and hiring practices.”

You can read the full report here