Skip to main content
Creating a new NHS England: Health Education England, NHS Digital and NHS England have merged. More about the merger.

Building diversity from the ground up

Cathy O’Keeffe, Associate Director of Cyber Delivery, says improving the diversity of our teams is crucial to the successful delivery of cyber security across the health and care system.

When our regional security lead for the Midlands, Vicky Axon, wrote a blog about the importance of diversity to our cyber team, it set me thinking. How can we improve diversity when, as Vicky pointed out, we’re often not seeing that diversity among the candidates applying for our roles? 

Associate Director of Cyber Delivery Cathy O'Keefe sits at a desk

Although cyber security is one of the most popular and fastest growing fields in technology, the number of women working in the industry still remains low. And this is just one area of under representation that needs to improve. Supporting more neurodiverse candidates and facilitating non-traditional routes into the profession are equally important, as highlighted by the UK Cyber Security Council.  

Some of this comes down to how we attract talent and thinking carefully about the skill sets that are required for different roles, making sure we consider the language in our job adverts, and that we offer flexibility and a variety of application methods.  But I believe we also need to commit to a long-term, active approach to developing our own people. We must bring in a wide variety of colleagues into more junior roles and grow our own diversity.  

What do we really need?

When we look at the current labour market and the dominance of particular characteristics, we’re actually looking at the past. In cyber security, for example, we’ve often benefitted from the related experience of people with military or law enforcement backgrounds.  

Recruitment practices may be changing in the sectors we draw from, but we will need to wait a long time for that to play through among more experienced applicants. Even then, we won’t necessarily be getting the variety of backgrounds and viewpoints that could particularly help us. 

By bringing that expertise into a more diverse and inclusive team we will improve our chances of making good decisions. 

Historically, cyber security has been a male dominated profession. Things are changing but as a female senior leader, I’m still in the minority. I also come from the frontline NHS and that, too, is a bit different. I worked for many years as a radiographer and then as a head of IT and a deputy CIO and that NHS background does give me something to give back to the team. As cyber security evolves, so do our roles and we are all constantly learning and improving.  

By reducing the dominance of a particular set of characteristics, we will likely broaden our perspectives in other ways. If we can get more women into our team, for example, we’ll probably bring in different career experiences and professional backgrounds, and vice versa. That doesn’t mean we won’t continue to value and draw on our traditional recruiting grounds and skill sets, but by bringing that expertise into a more diverse and inclusive team we will improve our chances of making good decisions. 

Reducing turnover

There’s a huge amount of opportunity in cyber. The skills required for some specialist cyber security roles are in great demand within the industry, which can mean colleagues in those positions don’t always remain in the same role for a long time before heading to another opportunity. This poses a problem for a team trying to grow our own diversity because as soon as we have trained people up, we risk losing them. 

The aim is to nurture diversity in its true sense. 

We can do something about this though, by redoubling our efforts to make individuals feel included and supported. We want people to feel we are the right place for them, whatever their background. We have huge advantages. In terms of motivation and feeling you are contributing, it’s hard to beat the NHS. It’s about societal good. What we do really does matter.  

But that is not enough. People also need to feel they belong in our team. They need to see people like themselves progressing. The aim is to nurture diversity in its true sense. That includes, but goes beyond, colour, gender identity, disability, or neurodiversity. It embraces everyone. As Vicky put it, it is about “people contributing from different backgrounds, different viewpoints, different abilities, different ethnicities, different cultural backgrounds, different gender identities, and different ways of thinking.” 

Becoming a better place work

There are particular areas where we know we need to improve. We are about to start up a women in cyber group between us and NHS England, and another one for the Cyber Associates Network (CAN). We’ve also got listening exercises going on in our Cyber Operations directorate at the minute, so people can have their voice heard and shape how we move forward. We can also understand if people feel they’ve been underrepresented and haven’t been listened to.  

We’re also looking at introducing mentoring and reverse mentoring, so we can get information flowing, and we’ve set up a series of workstreams about making cyber security a better place to work. They are run by our staff, who are going to come back in the next 4 to 6 weeks with their plans on how we can improve.  

Of course, we’re still going to have people who want to leave to explore other opportunities. We were really disappointed to lose a really valued junior employee to industry recently, for instance. That’s normal and might absolutely be the right thing for the individual, but we want those who do leave to be feeling that our team was a place where they were valued and supported on their career journey. We also want them to think about coming back to us in the future to help us protect the NHS. 

Related subjects

Vicky Axon, NHS Digital's Regional Security Lead, says monocultures breed security weaknesses and we are still struggling to get the variety of backgrounds we need in NHS cyber teams.
Cyber security is more than ‘just an IT issue’; it’s ultimately about keeping patients safe.  Chris Day, Cyber Clinical Informatics Manager, discusses his role in embedding clinical safety deeper into our cyber security strategies. 


Last edited: 28 February 2023 4:08 pm