The Missing Link: Women in Security
The lack of women in technology is a long-standing problem, and the number of women working in IT continues to tumble. Over the twenty-year period from 1990 to 2010, the number of women working in computer sciences dropped from 30% to 18%. While there have been some great efforts at promoting diversity within IT, there is one area of technology where gender diversity is a very real issue: cyber security.
Women represent just 10% of the IT Security workforce. This is despite double-digit annual increases in the profession.
Many have responded to this fact by asking, "Why does it matter? If the job is being done well it shouldn't matter what gender the person is."
On the surface this might appear to be true. But if we begin to dig a little deeper we will see the importance of a diverse security workforce.
First things first, we are not keeping up with hackers and something needs to change. Despite the overall growth in the number of IT security professionals and the corresponding expenditure on security technologies, we are frequently seeing severe data breaches and network compromises. Security is a huge business concern and the cracks in current security capabilities are showing.
2015 alone has seen multiple high-profile data breaches. David Jones, Kmart and Aussie Farmers Direct are just a sample of the many security breaches within Australia. Perhaps most troubling of all is the hack of the educational toy maker VTech, which resulted in the names, birthdays and genders of hundreds of thousands of children being exposed.
Threats are evolving rapidly as we integrate more sophisticated and cloud-based technology into our lives. The widespread adoption of technologies such as bring your own device (BYOD), cloud-based services, bring your own application and Internet of Things (IoT) opens up wider security implications that are not being effectively tackled.
So why do we need Women?
Security is a broad and ever-expanding field that goes far beyond coding. In 2013 CISSP released a report revealing that in order to get information security back on track we need skills and expertise that are not considered crucial by existing standards. While technical skills are integral, it's important to supplement them with the skills and perspectives necessary to make impactful business decisions.
The report went on to reveal that the women who were surveyed believed that a successful IT Security professional should maintain a variety of skills. The surveyed men believed that technical skills were the priority.
If cyber crime is to be tackled effectively then a holistic, multidisciplinary approach to security is required. Any business will do far better when there is a diverse pool of human resources working together. Security is no different.
Diversity, therefore, is fundamental to the future of cyber security. It just makes good business sense.
How can women break in to the industry?
I met with Daniela Traino who is Director of Cyber Security Business Team at Data61 to discuss her experiences in the security industry.
Daniela started her career with a background in accountancy and computer science in management consulting, eventually focusing on security because she found it the most fun and interesting side of her work. On reflection, Daniela says that the security environment is definitely a boys' club, but her passion for her work meant that she didn't even notice it in the earlier days of her career.
"There are barriers you need to plough through but you have to see it as a challenge. You need a level of fortitude and a passion for your work."
As Daniela's career perfectly demonstrates, there is no single route into the security field. Though Daniela has worked in very technical disciplines such as penetration testing, she advises women not to be put off by the techy image security has: "Cyber security is changing all the time and it's multidisciplinary. Women should assess their skillset and see where it best fits in the security spectrum. Technical skills are great, but you also need to understand how to apply those skills to business."
The multidisciplinary nature of modern security means that women from many different industries are well placed to make the move into security. Despite security's techy "hacker" image, disciplines such as law, consulting, compliance, risk management, analytics and privacy are all non-technical roles which are directly linked to security and offer a great stepping stone for women keen to transition.
Daniela pointed out a few really key pieces of advice for women who want to work in security:
- Seek out mentorship and advice from people you trust
- Put yourself out there and network
- Be yourself! Use your personality and don't mimic male colleagues
- Keep your skills current and be passionate about learning
- Don't give up! If you're really passionate you will find your way
Mentorship and networking are perhaps among the most powerful tools that women can harness to further their careers in security. They can, however, be a fairly daunting concept to some. "Networking" can bring to mind images of power suits and business cards and can be somewhat intimidating. In reality, however, networking is often a far more casual affair and a chance to meet people in the industry who can provide invaluable insights and advice.
As Daniela said, "Many women are poor at finding mentors and don't want to put themselves out there. I didn't do it very well myself in the beginning but eventually I built networks of people I respect. I didn't have any guidance or formal mentorship."
Seeking out informal mentorship and guidance from a trusted and respected colleague, boss or peer is an excellent step in the right direction. For many it will be a step out of their comfort zone, but it's crucial to find mentors and tap into their experience, insight and advice.
Utilising social media, especially LinkedIn, can be a great way of networking, so it's important to have a detailed and relevant profile before you start using it for networking. Meetups and security events are another effective way to build your knowledge base, meet other professionals in the business, and build your profile.
What can business do to attract and retain more women?
Yes, women can take a number of steps to build their security career. But what can businesses do to attract more women and begin to build a diverse, and therefore more effective, security team?
The effort to build a diverse security workforce will take time, and there are of course issues that need to be tackled at school and university in order to encourage more females in to STEM courses. However there are certainly measures that companies can take immediately to start encouraging diversity.
Let's start with the image problem.
Security has a very masculine image, with a large number of its male workforce being comprised of ex-military, ex-police and ex-physical security. This often results in a very macho environment that, either consciously or unconsciously, is not inclusive to the majority of women. Such a homogenized environment is unlikely to offer the diversity of thought and skillset we know is required to tackle modern cyber threats.
Daniela advises, "Companies need to take a good look at the culture within their cyber security functions. Some of the rhetoric and behaviour can be extremely blokey and is not inclusive."
The difficulty in trying to change an ingrained male culture is that a number of men are likely to feel threatened. Legendary investor Warren Buffett himself once said that one of the reasons for his great success is that he was only competing with half the population.
This is where true inclusivity is important. If diversity becomes a case of Women versus Men then it's doomed to fail. The fight for diversity needs to permeate an entire organisation and has to include men. Culture starts from the top, and men in senior management are in an ideal position to bring about authentic change.
There is no value in disenfranchising men and it's worth noting that there are many industries that suffer due to a lack of male representation. This is not about taking men's jobs. It's about taking a savvy and diverse approach to a cyber security industry that is crying out for a fresh approach.
The recruitment process is another key area that companies should look at. Unconscious bias is a very real issue and, as Daniela notes, "many hiring managers recruit in their own image. There are small steps we can take to overcome this such as stripping the name and gender from all resumes, but companies should think more broadly about how they hire".
Though the overall move towards diversity and inclusivity in security will be gradual, we can see that there is action that organisations can take immediately:
- Celebrate women's achievements in cyber security
- Review the recruitment process and take steps to remove unconscious bias
- Promote role models in the industry, both male and female
- Be proactive in managing culture and environment
- Identify high-performing women and give them a chance to expand themselves (Women are much less likely than men to ask for new challenges or opportunities)
- Offer flexibility to both women and men. We need a flexible workforce, not just a flexible female workforce
- Be inclusive. There is no value in a Men versus Women situation
The future of women in cyber security
As we've seen, diversity has many challenges that require a multi-pronged approach rather than a quick-fix band-aid on the surface.
If we're to change the current status quo and grow the number of women in security from the dire figure of 10% we must act now. It's not enough to blame the low numbers of women graduating with STEM degrees. Research tells us clearly that cyber security is multi-disciplinary and requires skills from a whole host of different backgrounds, not purely technology.
As ever, culture is key and macho culture needs to be addressed. There is too often a perception that women simply don't belong in cyber security.
It's very telling that even highly experienced women such as Daniela, who is a Director of Cyber Security, still face unconscious bias on a regular basis. "When I attend conferences or events, I've had some think I'm in marketing!"
There is a skill shortage within cyber security that can be addressed by a fresh recruitment process. Companies can gain a great deal by considering highly skilled candidates who do not come from traditional security backgrounds.
By continuing to hire the same type of candidate we are falling behind in the fight against cyber crime.