Over the years there’s been much talk about women in cyber security. For example, are there enough; are they the future of infosec; are they paid more than men; are women under-represented, and so on.
As a woman in cyber security, with a voice, I feel a heavy weight on my shoulders and feel compelled to write about this.
Well it’s simple. Right now, in cyber security we’re failing. All of us. Men and women.
It’s bad enough that we can’t attract others into our industry fast enough and train them up, but the fact that the numbers of women in cyber security are deteriorating is quite frankly unacceptable.
Cyber security has never received so much attention. Cybercrime is growing, and with more people becoming increasingly aware of protection, resilience and training, you'd have thought that getting women into our profession would have been easy.
However, it hasn't been, and without a doubt we must reverse this trend and do a better job.
We need to gain more diversity in the workplace and close the gender gap. We need more women driving businesses and leading teams. We need more women to succeed here and I’m not just saying this for feminist motivations or to be politically correct.
The reason why is actually straightforward. It comes down to economics. When we close the gender gap there are huge implications for our global economy. In fact, according to a new report by McKinsey & Co. full gender equality would add 26%, or $28 trillion, to global gross domestic product in 2025.
Imagine the impact of this on global poverty.
So, let’s look at the gender problem with our eyes wide open, and specifically at cyber security, for we have work to do.
In September 2015 (ISC)² published the results of their global information security workforce study, entitled ‘Women in Security: Wisely Positioned for the Future of InfoSec.’ They surveyed nearly 14,000 professionals worldwide and alarmingly revealed that the workforce was predominantly male. In fact, only 10% of information security professionals were female. To make matters worse, the figure was the same as the year before, and had reduced from the year before that, despite the growing demand for more cyber security professionals.
So, why are we failing to attract more women into cyber security?
Well, I'm warning you now; I've got a lot to say about this, for I believe it boils down to 3 mistakes that we’re consistently making.
Let me share these with you now.
MISTAKE #1: We’re extremely poor at marketing cyber security especially in schools, colleges and universities.
Despite women outperforming men in higher education, attending university at a rate of twice that of their male peers, and the UK government’s prioritising and subsidising of STEM subjects (science, technology, engineering, mathematics), men still dominate. Although it’s getting better for science subjects such as biology, and more women are being attracted to medicine, the number of women taking up technology subjects, such as computer science, is at an all-time low; see the diagram below.
This is heartbreaking. In the 1980s women in computing were at an all-time high of 38%. We were on a roll and this should have continued. However, it didn't. Since then, there’s been a steady decline and I’m convinced it correlates to the 1980s mass marketing of PCs as “boy’s toys.”
For women to be attracted to cyber security, it’s vital we do several things at this stage:
1. We need to make cyber security more accessible, in schools and earlier on.
Ariane Hegewisch, a study director for the Institute for Women's Policy Research says, “Girls don't get as much opportunity to use computers. They get fewer chances, in part because of a lack of encouragement, curricula that appeal more to boys than girls and a negative stereotype about girls' technical abilities.”
Linda Ortenzo, director of STEM programs for the Carnegie Science Center in Pittsburgh echoes Ariane Hegewisch's view, “Girls get very subtle messages early on … that there are certain fields and certain endeavours that are ‘boy things'.”
Even in 2015 it astonishes me that en masse our views are still so backward. Girls are as interested and as capable, when they’re given opportunities and supported, as boys.
It surprises me too considering the fact that women dominate the teaching profession.
Here in the UK, out of 365,000 teachers, 74% are female. However, it may be explained by the fact that few women make it to senior leadership level. According to figures from the Department of Education, in 2012, 4% of women in schools were head teachers compared to 6% of men. Once again, the genders are split disproportionally and I'm left wondering if there were better representation here and in government there would be improvements.
I know from my own experience computers were introduced to me at school (Tormead) when I was in my early teens and that I showed an interest. As a mother of two boys and a girl, I've also witnessed the efforts each of their schools has made.
My daughter's school, St Teresa's, in particular has been extremely forward thinking under the leadership of a truly remarkable headmaster. They introduced computing in the junior school and girls were coding and building websites from an early age. As a result my daughter sees her abilities as being quite cool and is keen to progress.
Sarah Clarke, of Infospectives, who is also a mother to two girls, says, “Working in technology has to be normalised for girls.” She makes many valid points in her article on ‘Women In InfoSec – GRCers more than hackers? If so, so what? Plus bigger cultural questions' and like me is actively promoting technology and cyber security to her daughters and other women, both young and old.
2. We need to advertise cyber security more and when we do make it appealing.
We need to showcase what an amazing profession cyber security is and how well it's set for being a future-proofed, highly paid career. This is important for when technology is disrupting many professions by replacing staff; cyber security is set to stay. This is vital for women to see as genetically we've a tendency to be risk averse and therefore seek security, as it's built into our DNA.
We also know from research drawn from computer science that women often choose to study because they want their work to affect the world. In cyber security it’s easy to play to this. Many go into cyber security because they’re driven by a desire to protect people, their information, their livelihoods, and in some cases their lives by keeping them safe online.
I’d love to say that when I first started out in cyber security these were my reasons. However, they weren’t.
As some of you know, when I started my consultancy in 1997, I did so with a partner. Some of you may not know that I came from a background of art and design. I knew nothing about technology or IT. In fact, I was actually a bit of a Luddite!
Now, this could have presented me with a problem, if I'd have let it, especially as I was the one selling. However, it didn't, and the reason why was because I chose to lead our company with security.
In my opinion, selling security was far more interesting than selling routers, servers or any other IT component. To me, it felt a little bit like James Bond. I'm cringing writing that line, but as a youngster who was full of imagination that's exactly what I thought at the time.
In all seriousness though, without realising it, I'd actually done something that we may need to do in cyber security in order to attract more women.
Sex it up.
Yes, I'd glamourised it, sexed it up and made it a fun profession for someone of intelligence.
I'd sold it to myself, as being cool too and then was able to sell it to others with ease. I also believed in it and over the years my passion for it has exuded more and more as it satisfies my three core beliefs – freedom, empowerment and entrepreneurship.
The other reason I liked it then (and still do now) was because security (when you're selling to C-Levels) is really quite simple. It requires good communication skills and boils down to risk and resilience. And, neither is difficult to understand.
3. We need to change the way we're recruiting and make cyber security more inclusive to women and not so stereotyped as being a male domain.
Cyber security covers many areas including design, GRC, penetration testing, intelligence, incident response, awareness and so on, and I was reading an interesting article by Josephine Wolff, ‘Hackathons have a Gender Problem' and her view on why we don't have more women in cyber security.
Her take on why we're not attracting more women into cyber security came down to the increasingly dominant way in which we’re using competitive hackathons in computer science education, training and recruiting.
She argues that hackathons — events that typically centre on coders competing against one another to build a new product or service — are positioning a young, energised and anti-establishment aura and that they’re inadvertently putting off a lot of women.
She describes hackathons as being typically crowded, cluttered, rooms, filled with tables, laptops, folding chairs, pizzas and soda. Participants stay up all night and curl up in hoodies on the floor to catch an hour’s sleep when they can’t keep their eyes open a second longer. The atmosphere’s competitive as prizes, internships and job offers are there for the winners.
She includes Marie desJardins' view (a Professor of Computer Science and Associate Dean at the University of Maryland, Baltimore County) and she sums up what the vast majority of women think about these events:
“These hackathons are not very pleasant places to hang out. You’re supposed to think, ‘I’m gonna wear the same clothes and stay up all night working on this thing because I’m so brilliant and so dedicated.’ I think even the word hackathon is just a really unappealing word — it just brings up a certain set of images which aren’t usually very appealing to women.”
Events like these are intimidating to women and unless we can change this recruitment process we're not going to get more buy-in.
Deloitte's female-only hackathon is a good start, but I'm still not convinced this is the right way to go about drawing in talent. We need to get better at our recruitment process in general and much training is needed for those recruiting. Recruiters need to stop recruiting on the basis of “I like the look of this one,” or “they're so like me” or even, “if we hire this one we'll hit our gender quota.”
4. We need to show cyber security as having flexible working conditions.
The way we work is changing. I wrote about it in my last article, ‘The Future of Work in Cyber Security. Is it Freelance?' We’re working longer hours, communicating with more people, in different countries via more “tools” and the workplace is rapidly seeping into our homes.
The boundaries are blurring.
This is good, for what it means is that there will be more flexibility. And, flexibility is attractive for both men and women, as increasingly we have to work around our children, ageing parents or have plans to.
Long gone are the days when we have to report into the office. For cyber security professionals many of us work from home and commute in for the odd client or internal meeting, or work from global locations that we choose to live in.
5. We need to improve the barriers to enter cyber security.
These days we're changing careers more often, and career reinvention is going to increase over the next decade too. Although we're going to become more specialised in what we do, we'll be moving into other careers as technology rapidly develops. We'll need to acquire knowledge fast, as high-value work will require the mastery of deep skills, and being able to morph and slide into other areas of mastery will be vital.
As a result, we'll need to make this achievable in cyber security. I'll give you an example of what I mean.
The other day I was speaking to a young woman who was working for a cyber security company. She'd graduated a few years before, was bright and stuck in a non-deliverable job that was not fulfilling her potential. Whilst she loved the industry and rated her employer, she expressed huge interest in becoming a consultant. Unfortunately though, her employer was not willing to develop her. Like most, they wanted / needed ready-made “deliverables” that they could bill-out from day one.
If she was going to skill-up she knew it was going to be hard. Ignoring the fact that she worked full-time and would need to spend hours studying in her free-time; she was on a meagre salary and had a student loan to pay off. The problem she faced was how she could afford to skill-up, as cyber security courses are expensive.
Now it would have been easy to say, you've just got to get resourceful because it's worth it, but I believe there needs to be a way to change this if we're going to attract more women (and men) into our industry. Solutions like Cybrary.IT and the UK's Open University's Introduction to Cyber Security help, but so would more government support.
6. We need to encourage more women to step outside their comfort zones.
Julia Langkraehr knows a thing or two about business, having founded and grown an international multimillion-pound business in three countries. Last year, she mentored me and gave some wise advice.
She said, “I’m going to challenge you to do something that scares you every day. I want you to get used to expanding your comfort zones so this becomes a habit.”
Stepping outside your comfort zone isn’t easy. It requires immense courage, as it feels horrible and unnatural especially as you’re exposed to failure and potentially ridicule. I should know, as I’ve done it plenty of times. I’ve done it with public speaking, video blogs, live webinars and training – high risk “things” that exposed me to more people.
Many people find it hard to believe but I’m actually quite a shy person and I’ve had to work on these things by practising over and over again in order to overcome my fear and improve. I remember the first time I trained a group of students. I was TERRIBLE and I’m 100% sure it cost me more work with the company. However, despite it being such a painful experience for all parties, I learnt a lot and that enabled me to get better.
So my advice to other women is to do as I did and still do – get comfortable expanding your comfort zones. Don't be afraid of failure. We usually learn the most when we cock up.
Show courage like the ancient Greeks did. To Athenians courage was natural and voluntary in contrast with their enemies, the Spartans, who according to Pericles, were forced to be courageous through extensive training and painful discipline.
7. We need to lean in and mentor and support more women.
A couple of years ago I was asked to speak in Australia to an audience of about 800. I’d not been speaking in front of audiences for that long and the thought of it absolutely terrified me. One of the main reasons why was because I would have been in front of an audience of cyber security professionals.
For me, that’s an entirely different kettle of fish than being in front of entrepreneurs or women in business, which is my comfort zone.
I remember reaching out to Neira Jones, who I didn’t know at the time. I politely asked if we could connect and then for advice on whether someone like me – a non-techie – a mere mortal – should do it.
Neira was kind and full of encouragement. She told me to do it and that the industry needed more non-techies who could communicate the issues in non-technical terms.
So the point I want to make is this.
Seek out mentors or those who'll support you. Sometimes it may require you to pay for this and at other times it may not.
Over the years I’ve invested a great deal of my time to networking and also in paid programmes where I’ve got access to leading figures, such as Dale Murray, who’ve helped me perfect things, like pitching, and to develop.
As a woman in cyber security I’ve also been there for other women too. I’ve followed Sheryl Sandberg's advice in her brilliant book Lean In, and thrown down the ladder and helped other women up, or connected them to others, or advised whenever I could.
MISTAKE #2: Women need to see other women succeeding in order to believe that they can succeed too.
In my last company I pushed my business partner forward and ensured he received all the publicity. As far as I was concerned I was just getting on with the job of building our company. In hindsight this was a mistake, for there are so few women who've built seven figure cyber security businesses. I now know that women need to see other women succeeding if they’re going to believe that they can succeed too.
Women in cyber security need to see women achieving in other computer related careers too, for under-representation here is where it all stems from.
Earlier this year I read a CNET special report exploring what people and companies are doing to make the tech industry more diverse, more equitable and more welcoming to women. It revealed that the percentage of women working in major tech companies was consistent at 30%.
Not bad, I thought, as 30% would mean that in most cases you'd have one woman in every meeting.
Then, I looked a little more closely and realised that the breakdown of women in leadership and tech roles, as is illustrated below, showed significantly fewer in positions to influence their companies’ strategic direction or product development.
When women make up about 50% of the population, they need to be able to shape the products they buy and use so more will be sold. Not having representation here is costing the business as money is being left on the table.
Perhaps that’s why there’s a drive to increase the number of women directors and Board Directors. For example, Intel has pledged $300 million toward building a more diverse workforce, including tying managers' compensation to their progress in that area. Apple is donating $50 million to the Thurgood Marshall College Fund and the National Center for Women and Information Technology to help swell the pipeline of qualified women and minorities.
The UK government has a goal too – to make a third of directors women by 2020 and David Cameron has pledged to end the gender pay gap within a generation by making employers report on the pay differences.
I'm not sure how he plans to do this but commitments like these are without a doubt encouraging, as are the many groups that have sprung up to support women in security over the years.
In the UK, I know of many that are active, for example, Womens Security Society, Women in Security Council – ASIS International, Women In International Security, (ISC)² London Chapter – Women in Security and Fraud Women's Network.
These groups work independently of one another and organise regular networking events and presentations, which is fantastic. They’re staffed by volunteers and have no hidden agenda other than to support and encourage.
Others, however, have, and I’ve seen them be used as lead generators for business, by currying favour with the buyers and influencers who attend, or as recruitment vessels so gender targets can be met. Without getting into the rights or wrongs of this, what I’ve seen at all of these events is that they’re missing a trick.
I’ll give you an example.
A few months ago, in August, I attended an event by Deloitte’s Women in Technology Network, entitled ‘Women in Cyber: The Power of Security.’ I was attracted as they had a fantastic line up of speakers and panellists who were talking about topics I was interested in, namely:
- The security challenges and opportunities in the rapidly changing world of technology.
- Is it possible to be secure in an interconnected world?
- Do we need to challenge the approach to information security?
- Is it possible for organisations to ever be ‘secure’?
- What skillsets are required to work in security?
I'd also brought along a young woman I was mentoring. I was encouraging her to network with more women in the industry and raise her profile.
The evening started with a keynote speech from Yolande Young, Chief Information Security Officer SABMiller, followed by an insightful panel discussion with some leading professional women working in the industry, and a special guest speaker, Andrew France, OBE, former Deputy Director of Cyber Defence Operations at GCHQ.
It was slick, many attended and I found it insightful. The speakers were human, witty and unpretentious. I liked them a lot. However, what I noticed was that none were visible online. And, what this signalled was that they weren’t accessible.
As I sat in the audience wanting to spread the word, I looked for them on Twitter and couldn't find them. I remember shaking my head at the time and feeling so disappointed. Even large organisations like Deloitte weren't set up to maximise the opportunity.
But, this is normal; I see it all the time.
In my experience there are few women in cyber security who actually build a strong personal brand, promote themselves and the work that they do. For whatever reasons, so few have a voice and in my opinion this isn’t helping to attract more women into cyber security, especially the younger generations – our future.
I don’t want to appear as if I’m demanding this, as this is a personal choice, and requires a time investment, but I know that unless we act as ambassadors for our industry and other women see us doing this we’re not going to attract more women into cyber security.
I feel we have a responsibility.
The younger generations are on social media networks – and I'm not talking Facebook. Unless we're proactive and find out where they hangout, and learn to engage with them in a language and style that connects we’ll all miss out.
This brings me to my next point, which is about visibility, and one of the reasons why companies like Contact Book, a broadcast agency, launched Expert Women.
Expert Women is an initiative that was founded by Professor Lis Howell, the director of broadcasting at City University who held editorships at GMTV and Sky News, and Lisa Campbell, the (now former) editor of Broadcast magazine.
Seeing that 80% of the experts on the news were men and that it wasn’t mirroring working society they knew more had to be done. So, as part of the Expert Women initiative they perform monthly monitoring of the BBC, ITV News, Channel 4 News, Sky News and 5 News.
They’ve also presented a pledge to British broadcasters that 30% of the experts on their programmes should be female experts. The good news is that Channel 4 News and Sky News were the first to sign it and that ITN ITV News and BBC News have their own internal Expert Women initiatives that Expert Women support.
Whilst this is all very positive, the challenge that they have is in getting expert women to step forward. Having spoken to the founder of Contact Book, Kerry Hopkins, I now understand why it’s so hard. Women, unlike men, lack confidence. If they don't believe they can do it or know enough they won't step forward.
I've heard countless stories about men who've jumped into a cab (taxi) knowing little about the subject matter and “winged it” on TV. I've also sat amongst many capable, expert women (pictured above) discussing this and heard how they would not put themselves forward. That is, aside from Darshana Ubl, pictured on the right. Some of you may have seen her on the UK news representing small businesses on behalf of Entrevo, earlier this year.
This brings me nicely on to mistake number 3.
MISTAKE #3: Women lack confidence and we're doing nothing to improve this.
Evidence shows that women are less self-assured than men and that, to succeed, confidence matters as much as competence.
To illustrate this, you’ve probably heard that men apply for a job when they meet only 60% of the qualifications and that women only apply if they meet 100% of them. This finding comes from a Hewlett Packard internal report and has been quoted in many articles and books including Lean In and The Confidence Code.
Many women can relate to this, including me, and it’s important we examine why.
Firstly, qualifications, certifications and degrees have historically played a different role for both genders. For example, women haven’t had the luxury of having an old boy's network to help them secure jobs. As a result, from the time when we first entered the workforce in greater numbers in the 20th century, we’ve done so only when we’ve gained the right training or accreditations.
Qualifications were our way in and a way of demonstrating that we were worthy and could do the job.
However, as a result women have been taught, unintentionally, to see the workplace as orderly and meritocratic – something that it's not. And, this may explain why women have underutilised advocacy and networking to date.
Secondly, for years, women have been taught to comply. We’ve followed the rules at home and school and learnt that when we do we’ll be rewarded. And, when we’ve entered the workplace we’ve once again played by these rules: “work hard and your natural talents will be recognised and rewarded.”
However, it’s not worked out for us in the way it’s supposed to.
Although we’ve made huge progress in the workplace, men have continued to get promoted faster and be paid more. And, this is even after dozens of global studies have found that companies employing women as leaders and in large numbers outperform their competitors on every measure of profitability.
A McKinsey report makes for some interesting reading for they found that men are often hired or promoted based on their potential, whereas women are for their experience and track record. If women know this and have watched it occur in their workplaces, it further promotes the issue of confidence over competence and keeps women stuck in a self-doubt mode and from applying for jobs for which they don’t meet the qualifications. It also frees up places for men.
In order to change this and become more confident, women need to stop thinking so much and just act. Action brings clarity and it also brings progress.
Now I want to hear from you…
Tell me in the comments below or in a private email:
- If you're a woman in cyber security or tech what experiences have you had?
- What do we need to do in order to attract more women into cyber security or tech?
Please share your stories and experiences here, and if you’ve got a question, just pop it down here.
PS. The challenge
I'm in a challenging mood, as things have to be done. If you want me to speak about this or be available to comment on women in security I'd be delighted. I'm particularly interested to hear from (or be connected to) anyone in government, education or the media. If you want to join me on a mission to improve this get in touch too, via LinkedIn or email.
If my article resonated, please share it. If we work together we can achieve more!