Solving cyber security’s diversity problem
This article originally appeared in issue 23 of IT Pro 20/20.
Cyber security is the most sought-after tech skill in the UK, with 43% of organisations indicating a shortage, up by a third since 2020. Government figures, meanwhile, show the UK’s cyber security recruitment pool has a shortfall of 10,000 people a year.
One major factor limiting the tech talent available is a shortage of women entering the sector and occupying leadership roles. Women only represent 20% of the global cyber security workforce, according to Cybersecurity Ventures, which plummets to just 11% in the UK. Similarly, research from Eskenzi PR reveals women hold only 10% of board positions and 16% of management positions within the world’s leading cyber security firms.
“I have worked in cyber security for over 25 years and watched it evolve throughout this time, but one thing that hasn’t changed is that the industry is still swarming with men,” says Yvonne Eskenzi, director and co-founder of Eskenzi. “The industry needs more women in driving seats and companies need to understand the traits women can bring to security roles to improve our overall defences.”
Off on the wrong foot
One of the main driving factors behind the leadership gap starts with education. Schools persistently struggle to encourage gender diversity in STEM subjects. In 2020, for example, just 16,919 girls chose to study computer science at GCSE, compared to 61,540 boys.
“Gender diversity is a STEM problem that most likely originates from the lack of women and people of colour within the initial pipeline, which begins in primary school,” Jameeka Green Aaron, CISO at Auth0, tells IT Pro. “We are still a society that pushes ‘social norms’: dolls for girls, video games and building blocks for boys. Translated into career options, it becomes very clear how and why the pipeline problem persists.”
Joani Green, senior consultant at F-Secure Consulting, adds that cyber security isn’t a career that’s evangelised to girls, so many don’t know it’s something they can pursue – let alone become a leader in the industry. “People who find themselves in the industry usually got there through some rare combination of the right place, the right time and a burning curiosity,” she tells IT Pro.
“Cyber security has only recently become its own established discipline and not many universities even offer it as a specialist course outside of the UK. It suffers from the same lack of diversity as most other STEM careers, so the problem is likely connected to communication; we simply aren’t good at describing what a juicy career cyber security can be to the masses.
“The industry also has a tricky reputation to navigate for potential career changers, pursuing a new career in an industry that is over 80% male is quite intimidating – it takes a lot of guts and there will always be ‘easier’ options to choose from.”
This lack of diversity extends beyond school and university, too. Course Online, for instance, tells IT Pro that, since the start of January 2020, learners across all subjects have been 53% female and 47% male, while for cyber security courses these figures change to 61% and 39%, respectively.
For many organisations, meanwhile, workforce diversity simply isn’t a priority. “With digital skills generally scarce, it’s often the case that cyber security roles are difficult to fill. As such, a candidate’s diversity isn’t always given the consideration it deserves,” says Dione Le Tissier, defence director at KPMG’s People and Change practice. Cyber security firms, she adds, might simply not be aware of the scale of discrimination in the industry. Recent research, for example, found that 74% of discriminatory incidents went unreported, meaning there’s no way for leaders to understand the magnitude of the problem.
Keeping with the times
Not only does working within a male-dominated industry fuel the cycle; many believe a lack of female role models also makes it difficult for women to aspire to jobs in cyber security, which can carry much broader implications.
Diverse teams lead to a diversity of thought, Suzy Greenberg, vice president at Intel Product Assurance and Security, tells IT Pro. This, in turn, provides organisations the opportunity to build innovative solutions to address some of today’s biggest cyber security challenges.
“The threat landscape is constantly evolving and becoming more complex – everything ranging from ransomware threats, attacks on critical infrastructure, overlooked vulnerabilities at the firmware level, and more,” Greenberg says. “Just as solving cyber security challenges requires a holistic approach, building a cyber security workforce should involve holistic thinking.”
A lack of diversity, particularly in leadership roles, also results in processes and decision-making being hampered, adds Adenike Cosgrove, cyber security strategist at Proofpoint. This leads to a narrow-minded approach to threat detection. “This can cause dangerous assumptions in end-user knowledge,” she says. “If we continue looking in the same place for cyber security professionals, we will continue finding the same types of people, from the same backgrounds, with the same skill set and the same perspectives.
“While cyber security teams stay the same, we can be sure that the threats we face do not. In other words, by following this traditional approach, we will continue to put the same set of eyes on a rapidly evolving set of problems.”
Le Tissier adds businesses could also struggle to maintain a competitive advantage if they fail to diversify their cyber security teams. She points to “an abundance of evidence” demonstrating gender diversity and inclusion can lower absenteeism, as well as lead to stronger talent retention and higher employee satisfaction. Discrimination, she adds, also inflicts unnecessary psychological and emotional impact on those who experience it. It’s likely that individuals facing these problems will want to leave the industry altogether, further straining the talent shortfall.
It’s about the bigger picture
Efforts to address the gender imbalance in cyber security leadership must start with proactive efforts to improve inclusion, Greenberg says. “Nobody wants to be in a room where they don’t feel welcomed,” she explains. “Everyone engaged in cyber security — especially those well-represented in the industry or in positions of privilege — has a responsibility to foster a welcoming space that encourages collaboration and teamwork among colleagues, regardless of their gender identity.
“Creating a more inclusive space can start with supporting crowdsourced programmes that reach the broader community, encouraging collaboration and driving innovation. For example, crowdsourced bug bounty programmes support the cultivation of proactive security awareness beyond the tech community and reduce barriers to entry.”
Niamh Muldoon, global data protection officer at OneLogin, similarly believes a lack of women at the top of the ladder means others will be uninspired to take on leadership roles, and ask for promotions. “Women earn less than men and are less likely to have ever asked for a promotion throughout their careers,” she says. “Women in cyber security, and all other industries, need to be empowered to ask for the benefits and recognition they deserve.
“Furthermore, it’s vital that employers focus on not only hiring female talent but also nurturing that talent. In traditionally male-dominated industries, there may not be policies or infrastructure in place to accommodate the needs of new female employees; for example, flexible working and maternity leave. All of these issues need to be addressed in order to make cyber security an industry that appeals to women, retains them, and allows the female workforce to thrive.”
Heather Hinton, CISO at RingCentral, believes that the industry also needs to work to make the cyber security industry more appealing to women, beyond the default “attackers”, “ransomware”, and “encryption elements”.
“We need to lift the lid and show how broad and interesting cyber security really is — that it covers product development, technology architecture, people’s behaviour, business impact, risk management and trade-offs, and situation management,” she tells IT Pro. “When we teach cyber security, we need to highlight this entire big picture – the entire elephant, not just the left leg or the trunk or the tail.”