I recently did a fireside chat at The Future of Cyber Security Virtual Conference with Geoff White, investigative journalist, author, and broadcaster, and among the UK’s leading technology specialists, who works for BBC News, Channel 4 News, The Sunday Times, and many more. I was asked numerous questions on diversity in cybersecurity, mostly related to gender, my focus. I thought some of the recent findings may be useful to you, so just before I share the answers I gave to Geoff’s questions, I want to ask you…
Have you checked out The Source? It’s my brand new project for women in cybersecurity and you can support it as a Founding Member, Ally, or Corporate Sponsor. All you have to do is visit the following link and choose your reward: https://bit.ly/THESOURCEKICKSTARTER
Q. Where is the biggest cyber security skills gap currently?
There are a variety of reports circulating that detail the skills gap. If you look to (ISC)2 and their Workforce Study, they’ll tell you that for the first time since they started tracking the cybersecurity workforce numbers in 2004, they’ve seen a decrease in the skills gap – from 4.07 million in 2019 to 3.12 million in 2020. According to their latest Cybersecurity Workforce Study, the workforce increased 25% from 2019 to a total of 3.5 million professionals worldwide. The numbers reflect an increase in new entrants to the field – 700,000 of them – but (ISC)2 notes that this doesn’t tell the whole story. Only when you factor in the pandemic can you understand the reduction in demand.
Other organisations will tell you that the number one sought-after cybersecurity skill right now is in cloud and gaining certified cloud security professionals is a challenge due to the rapid digital transformation and adoption of cloud infrastructures, especially since the global pandemic. The shift toward the cloud is unstoppable, and inevitably, it’s driving a soaring demand for specific cloud security skills from Amazon, Microsoft, and Google in particular.
Companies like Burning Glass say cloud security skills are far outpacing the broader demand for cybersecurity skills, and over the next five years you should expect demand for these specific skill sets to grow faster than any others. Note that this is despite automation, which can often help with cybersecurity talent shortages. Organisations still need to build new talent and ensure the right skills are in place. They need to develop the right mindset, behaviours, and culture when operating a secure cloud environment.
If you look at research carried out on behalf of the UK government’s Department for Digital, Culture, Media, and Sport (DCMS), released in 2021, which explored the nature and extent of the cybersecurity skills gap (people lacking appropriate skills) and the skills shortage (a lack of people available to work in cybersecurity job roles), you’ll find some interesting data.
DCMS commissioned Ipsos MORI and Perspective Economics to research the current UK cybersecurity skills labour market. The researchers looked at about 1.6 million UK businesses, including cyber firms, and found that a high proportion of them continue to lack staff with the technical, incident response, and governance skills needed to manage their cybersecurity. They estimated that:
- About half of all UK businesses have a basic security skills gap (i.e., they can’t complete the recommendations laid out in the Cyber Essentials Scheme and are not getting support from external cybersecurity providers – so that’s things like storing and transferring data, firewall configuration, and detecting and removing malware).
- About a third of UK businesses have a more advanced security skills gap, so that’s things like penetration testing, forensic analysis and security architecture.
- About a third of UK businesses lacked incident response skills. In these businesses, cybersecurity skills were poorly understood and undervalued, both among management boards and within IT teams.
When they looked at cyber firms, they saw that…
- Almost half (47%) have struggled to find technical cybersecurity skills, either among existing staff or among job applicants. Interestingly, the most common skills gap was in incident management, investigation and digital forensics, followed by assurance, audits, compliance and testing, and cybersecurity research. A total of 13% of those surveyed said that job applicants missing these skills had prevented them from achieving their business goals.
- Around 1 in 5 cyber firms (18%) also said that job applicants lacking non-technical skills, such as communication, leadership or management skills, had prevented them from meeting their business goals. Around a quarter (23%) said this about their existing employees.
Q. How does employing a more diverse workforce help to fill the skills gap?
In security, we’ve always had a huge tendency to rely on technology. Often, we’ve used it as a silver bullet to try to eliminate cyberattacks and compliance failures. Whilst we’ve used people to implement the tech and develop processes to support it, we’ve made a fundamental error. Typically, we’ve used the same types of people – those who are male and have come from a military, intelligence, or STEM background. Unknowingly, we’ve recruited in our shadow. These are people like us. They fit in; it feels good working with them, and whilst they do worthy work, at speed, the problem of having the same types of people in our industry has limited our thinking. When we all think the same, is anyone really thinking? As such, it’s created a unique culture in cyber, which has made us more siloed and susceptible to groupthink.
Attackers are varied. They don’t all have the same profiles. They come from many different backgrounds, parts of the world and have varied experiences and perspectives. And in order to defend we need to mirror them. We need our people to look just like those who are attacking us. That way we’re not blindsided. That way we stand a chance at being able to spot threats and develop solutions to counter our attackers faster and more adequately.
Right now, we are lagging, and even though our jobs are very different from our attackers’, as we’re more restricted by legalities, company processes, etc., being able to draw from a diverse pool of candidates means we can tap into a greater pool of talent. It means we’re opening ourselves up to the possibility of better defence rather than restricting ourselves. If we look at women alone, in the UK, 51% of the UK population is female and almost 72% of the workforce is women.
Q. What does diversity look like to you and why is it important?
I like this explanation from Queensborough Community College who say that diversity is about what makes each of us unique. It encompasses acceptance and respect for our individual differences. These can be along the dimensions of race, ethnicity, gender, sexual orientation, socio-economic status, age, physical abilities, religious beliefs, political beliefs, or other ideologies. It’s the exploration of these differences in a safe, positive, and nurturing environment. It’s about understanding each other and moving beyond simple tolerance to embracing and celebrating the rich dimensions of diversity contained within each individual.
The reason why diversity is extremely important is because we get better results. By valuing individuals and groups free from prejudice and by fostering a climate where equity and mutual respect are intrinsic, we’re able to create a success-oriented, cooperative and caring community that draws intellectual strength and produces innovative solutions from the synergy of its people.
However, when you look at the cybersecurity workforce, you can see it continues to lack diversity relative to the rest of the digital sectors, particularly when it comes to senior positions. Drawing from (ISC)2’s research again, cybersecurity professionals are more than twice as likely to be male, meaning there’s an under-tapped demographic available for recruiting if companies can position the role in a way that overcomes common misconceptions.
Figures from the UK’s DCMS report also show that, disappointingly, relatively few cybersecurity firms have adapted their recruitment processes or carried out any specific activities to encourage applications from diverse groups. The data highlights the following:
- 17% of the workforce come from ethnic minority backgrounds, falling to just 3% of those in senior cyber roles (i.e., those typically requiring 6 or more years of experience).
- 16% are female (vs. 28% across all digital sectors), falling to 3% in senior roles.
- 10% are neurodivergent, falling to 2% in senior roles.
- 9% are physically disabled, falling to 1% in senior roles.
Q. Why is diversity important?
By increasing diversity within our talent pool, we can be more innovative, better problem solvers, and more thorough in our approach to risk. Cybersecurity is, after all, a people problem, and only when people are regarded as being the strongest shield throughout our whole ecosystem and given the opportunity to fulfill their potential will we become more resilient in our defence.
If we look at gender and cybersecurity, an area I’m focused on, it gets interesting as women are natural guardians, have always been called on during times of war, and do offer a strategic and competitive advantage to business. In fact, gender and cultural diversity can offer a 35% performance improvement, which is significant to any business.
The good news is, more organisations are understanding that women are good for cybersecurity and are investing in ways to recruit, train and retain more. They’re understanding that gaining an advantage over our adversaries depends upon us doing this.
They’re becoming more aware of the countless studies that have shown that women and men do gauge risk differently. These studies have found that women are far better at assessing odds than men, and this often manifests itself as an increased avoidance of risk. Women are typically more risk-averse, and their natural detailed exploration makes them more highly attuned to changing pattern behaviours – a skill that’s needed for correctly identifying threat actors and protecting environments.
Research also tells us that women score highly when it comes to intuition and emotional and social intelligence, and that the collective intelligence of a group increases by 73% as the percentage of women increases. Studies tell us that women are able to remain calm during times of turbulence – a quality that’s required when breaches and major incidents occur – and that they’re better able to use their intuitive thinking to make good decisions quickly and without having all of the information, which is a requirement in a world that values speed and agility.
Women are also less likely to fall for attacks that hackers are now writing for men. Having more women enables organisations to lower the risks from attackers, who’ll continue to exploit any weaknesses – things like unconscious biases, which are prolific – and who’ll use these any way they can, whilst they have a chance.
The Financial Conduct Authority (FCA) is now talking about this too and has spoken about research from Cass Business School which suggests that greater gender diversity, rather than diversity of thinking or experience, actually improves risk management culture and decreases the frequency of European banks’ misconduct fines, equivalent to savings of $7.48M per year.
When Tessian performed research, they said encouraging greater gender diversity in cybersecurity would have a huge impact on our global economies. They believe if the number of women working in cybersecurity rose to equal that of men, we’d see a $30.4 billion boost to the industry’s economic contribution in the US and a £12.6 billion boost in the UK. And, if women earned as much as their male counterparts, we’d see billions more pour in, with a further $12.7 billion added in the US and £4.4 billion would be added to the UK economy.
Q. There are a lot of programmes in place to help bridge the skills gap: Are these working? If so, which are the most effective?
It’s really hard to tell, as many aren’t tracked and the results aren’t always well communicated. I know that LLHS is doing a good job, as are Immersive Labs and Capslock. However, from what I’ve seen in terms of women’s groups, there’s some great work being done, but there’s room for improvement. That’s why I’ve created a unifying women’s platform, The Source. It brings together the best partners and solutions in a community.
The Source is where women go to learn, connect and exceed. It’s where they get access to resources including mentors. But it’s far more than a mentoring platform. It’s about clarity, resilience, empowerment, leveling-up, innovation, collaboration, and truth-seeking. Importantly, it’s about unifying women’s groups, and it’s available for entry, mid and leader-level women including entrepreneurs. It’s incredibly unique and innovative.
Q. Gender diversity is improving in cybersecurity – the latest (ISC)2 figures show around 24% of the workforce is women. But what else needs to be done?
There’s a lot of work and only so much I can go through with you here but when I work with organisations, I always start with a discovery phase so I can assess what’s working and what’s not. Being able to assess any bias in the data ecosystem is useful as then we can have data-driven conversations, which are far more meaningful.
Then, it’s about getting crystal clear on what the organisation wants, i.e., skills, competencies, and values, and what good looks like. Often companies miss this part and just jump straight to solving the problem – or what they think is the problem. Unfortunately, because they don’t understand the root problem well enough, they typically end up working on a symptom, and nothing really ever improves. It’s like trying to put a band-aid over a deep wound that needs stitching and hoping it will heal.
After getting clear on what good looks like, it’s time to build the strategy. If you’re using a headhunting or recruitment agency you need to let them know that you want equal numbers of male and female candidates. If you’re not using an agency, then you need to get the relevant stakeholders together for a workshop and devise a communication plan that will attract the women with the skills you’re looking for.
In parallel, it’s good to deliver training on unconscious bias and how to write inclusive job specs. This is important because subtle word choices can have a strong impact and negative effects. For example, when Danielle Gaucher and Justin Friesen of the University of Waterloo and Aaron C. Kay of Duke University investigated whether institutional-level mechanisms existed that reinforced and perpetuated existing group-based inequalities, they found conclusive evidence to suggest that they did. Employing both archival and experimental analysis, their research demonstrated that when gendered wording was used in job recruitment materials, it maintained gender inequality in traditionally male-dominated occupations. Results indicated that job advertisements for male-dominated areas that employed greater masculine wording – for example, adjectives like superior, competitive, ambitious, driven, determined, leader, dominant – resulted in women perceiving that they would not belong in this work environment.
Female-coded language contains words like collaborative, committed, connected, cooperative, dependable, interpersonal, loyal, responsible, supportive, trust, and considerate. Companies like Textio, an advanced machine learning platform for writing better job postings, can make this much easier. Textio instantly predicts the hiring performance of your post by comparing it to more than 50 million others, along with providing clear guidance on how to improve it. Furthermore, it boasts that on average, hiring teams with a 90+ Textio score recruit a talent pool that is 24% more qualified with 12% more diversity, and they do it 17% faster than those with a lower score. So, make sure both your ads and job specs use gender-neutral language rather than masculine-coded language. Consider where to promote the ads so you reach diverse talent.
In the application process, ideally, you’d strip out anything that could identify the candidate’s gender. Without a name, gender, or age on the application, the shortlisting is blind, which gives you the best chance of diverse talent getting through to the interview phase.
Before any interviews take place, you want to ensure you’ve devised structured questions with objective criteria (scoring) defined for each question. Once again, you can use a tool to help you do this or you can do it manually. Structured questions are essential because a lot of bias can creep in at this stage; they ensure you’re not inadvertently selecting talent in your own image.
Q. What is the biggest challenge for women looking to get into a career in security?
Although many will tell you women aren’t applying for jobs, this is a myth. The women are there. It’s the hiring process which is causing the biggest challenge for women. As mentioned previously, job ads are often poorly written, so they don’t appeal, and the selection process is often biased.
Additionally, many women will discount themselves from an application for not meeting the bulk of the criteria. The most common answer women give for not applying for a job is, ‘I didn’t think they’d hire me since I didn’t meet the qualifications, and I didn’t want to waste my time and energy.’ Note, the most commonly requested certification by cyber employers in the UK is a CISSP, which is in 36% of online job postings that ask for a specific certification. CCNP certifications are also in high demand, with 23% requesting them.
Workplace flexibility is also an important incentive on job ads/specs when it comes to women, yet few companies are advertising this in their job descriptions or adopting it as part of their workplace culture.
And here’s a top tip for hiring companies to apply in their recruitment efforts. Knowing how competitive a job is doesn’t put women off from applying. In fact, it increases the likelihood. It turns out that the desirability of a job matters more to women than the tougher competition.
Q. Once in a security career, how can women ensure they progress and what are the barriers preventing this?
Higher up, there can often be resistance from security leaders to women breaking stereotypes; they may view a woman’s application as illogical if she hasn’t risen through the technical ranks. When this happens, they’ll often present questions and scenarios during the interview that trip a woman up so she’s discounted.
However, the lack of gender balance isn’t actually the biggest challenge for women working in the industry. One of the biggest challenges I’ve found is a lack of awareness or knowledge of the industry, a lack of clear career development paths, and a lack of understanding of how promotions occur in their companies.
So, women must get clear on what’s required so they can improve their chances of promotion. They must also understand that their chances of being penalised will increase if they build their careers in the same way as men.
When Catalyst researched this, they found that even when women stayed on a traditional career path and did “all the right things,” they were unlikely to advance as far or earn as much as their male counterparts. For women, it was only making their achievements known and gaining access to powerful others that had the greatest impact on their career advancement. And only making their achievements known impacted women’s compensation growth. In addition, they found that changing jobs could negatively impact women’s compensation growth.
For men, gaining access to powerful others also contributed to greater advancement. But when it came to compensation growth, rather than making their achievements known, men most effectively increased their salary by conducting external scans and indicating a willingness to work long hours. In addition, they found that changing jobs positively impacted men’s compensation growth, indicating it’s a successful career advancement strategy for men.
Women benefit from having different types of networks, especially when they include a women’s network. A new study by the University of Notre Dame and Northwestern University reveals that women who have a solid support group of other women are more likely to attain high-ranking leadership positions.
The study, published in the Proceedings of the National Academy of Sciences, looked at the link between students’ graduate school social networks and placement into leadership positions. They followed 700 former graduate students from a top-ranked U.S. business school as they were accepted into leadership-level positions. They then looked at the size of each person’s social network; the proportion of same-sex contacts; and how strong their network ties were.
They found that more than 75% of high-ranking women had strong ties to a female-dominated inner circle or at least strong ties to two or three women whom they communicated with frequently. Those women with a wide network and a female-dominated inner circle had an expected job placement level that is 2.5 times greater than women with small networks and a male-dominated inner circle.
For men, if they had a large network, regardless of gender, they were more likely to earn a high-ranking position. Women who had social networks that resembled that of their male counterparts were more likely to hold low-ranking positions.
The researchers also found that when women have powerful male connections, they may improve access to information about job search and negotiations, but it’s those female-dominated inner circles that really help women gain gender-specific information that can help them get ahead in the male-dominated job market. So, in summary, women helping women is still the best way to get ahead.
But these are just a few things. There are many more resources that can help women progress, such as mentoring, sponsoring, personal development such as mindset and energy work. And that’s why I’ve built both personal and professional development into The Source, my brand new project for women in cybersecurity.
Q. How has the pandemic affected gender diversity within cyber security?
A new global report from Tessian has revealed that cybersecurity jobs ‘weathered the storm’ of COVID-19, and indicates that the pandemic has generally had a positive impact on the careers of female cyber security professionals. However, more work needs to be done, especially to encourage greater representation of women in the field – particularly in the top management roles.
They revealed that nearly half of women working in cybersecurity (49%) had been impacted positively during the pandemic, with just 9% of female cybersecurity professionals saying that the pandemic negatively impacted their careers. Of women in cybersecurity, 94% said they’d recruited new staff members to help support their team in 2020, and 89% of women working in the industry reported feeling secure in their jobs.
Now I want to hear from you…
- Tell me what you’re noticing when it comes to getting more women into cybersecurity or remaining in it. Share what’s working for you and any training investment tips you have.
PS. Image by Unsplash, Christina @wocintechchat.com
PPS. If you’re ready to find your next mentor, gain further support with a community of women in cyber, and uplevel in a way that’s fun, inspiring, and uplifting, or support women, back The Source. You can become a Founding Member, an ally, or a corporate sponsor. You’ve got until 21 September 2021!