Women in IT security: Pushing at an open door?
Jain Wainwright - Women in IT security
The main issues are well known. There's a skills shortage in the information security profession, yet while the number of jobs in the sector grows by more than 300,000 per year, the number of women remains stubbornly low, 11 percent of the profession globally and just seven percent in Europe. That's even less than the 17 percent of women seen in the IT and telecoms industry as a whole.
This is a colossal loss of talent for the sector, and a loss of opportunity in a dynamic, interesting, and rewarding sector for women who may have either not considered, or been deterred from working in the industry.
IT and especially IT security is currently seen as a man's world – but it wasn't always so. As 92 year old Jean Alys Barker, Baroness Trumpington, an active member of the House of Lords who worked as a ‘cipher clerk' using her translation skills in navel intelligence at Bletchley Park during World War II, pointed out, some 70 percent of those working at Bletchley Park – or Station X as it was codenamed - were women.
Wrens had been specifically asked to staff the section, run the machines and organise the Registry Office; most of the analysts and many cryptographers were women too. The code breaking operation – a forerunner to GCHQ - was secret, and the code breakers kept their silence after the war, not seeking recognition. We now know that the world's first programmable electronic digital computers, Colossus, were operated by women. In the US during WWII Admiral Grace Hopper was working on the Harvard Mark I computer, but she is better known for having largely devised the most used corporate programming language COBOL. Since then women have worked in the intelligence services at all levels including the top, with Stella Rimington publicly announced as the head of MI5 in 1992.
Such illustrious achievements, along with the many senior women running companies and departments or working in them at all levels today, demonstrate that the issue is not and never has been one of ability/temperament, or any of the other ‘excuses' that were once put forward to limit women's ambition.
Why so few women today? Lack of role models, perpetuation of the existing status quo, cultural – and sexist attitudes, the old-boys network and ignorance of the opportunities all play a part, but at an official level, the companies and organisations in the sector are actively seeking more women out of self interest – there's jobs to be filled.
Initially it sounds as if Sue Milton, immediate past president ISACA London chapter and managing director, SSM Governance Associates, had a more conventional IT career path: programmer, system analyst, business analyst, IT security specialist, IT auditor, business auditor, governance expert. But Milton explained to SC that's not how it started out. Milton came to be trained from scratch, despite not having an IT background, after passing an aptitude test at a time when the City of London had a surge in demand for IT personnel following deregulation of financial markets in the 1980s. “I took a test because it was offered to me. On passing I was invited to train as a programmer and the subsequent career path. Governance takes into account risk, and IT security is a vital component of sound IT risk management.”
Perceptions have an impact, and often have a basis in reality. In WWII women entered new sectors of the economy and the discipline of information security was deemed appropriate for women, but since then the impression has been that security is a male domain, harking back to physical security of military and law enforcement, while the more cerebral end of computer security and encryption often throws up the image of a computer hacker, typically imagined to be a single young man with poor social skills, confined to his bedroom and screen.
Ex-uniformed men do remain well represented, and the hacker stereotype, while unrepresentative and grossly exaggerated, is not without some foundation. But there are also increasing numbers of ex-uniformed women as well as techie-women in the sector, plus demand for a broader range of problem-solving approaches and skills. As cyber security becomes a mainstream concern and moves up the corporate agenda, as routes of attack increasingly sidestep technology and exploit social networks and human failings, demand for communication and people skills grows. Technical skills are still valued, but are also sought outside the narrow self-replicating pool of the past which no longer provides either the numbers or diversified skill set required.
There is no one defined career route in the security industry, and the women SC spoke to demonstrate just some of the alternative paths taken to arrive at their current positions. We also asked, what sort of projects are they involved in, and what helped or hindered that progress?
Working directly in an IT department seems to have thrown up more direct sex discrimination than other routes, but sexism was also encountered elsewhere.
Sue Milton (see box), working in IT departments, cited three of what she says were several such experiences, noting that the linking factor in difficulties faced is that they “were always one of attitude by others.”
“Throughout the 1980s, men really thought that women would not enjoy IT. So it puzzled them as to why I would want to work in IT. Obviously it must be because I was not good at other things, so therefore I was probably not good at IT either….”
More directly, Milton told SC, “I was turned down for networking jobs (LANs and WANs were the new IT revolution then) because I was told I would not want to wear trousers every day, so there was a ‘modesty issue' and also I would not want to get dusty or crawl through small spaces.”
Finally, there was the promotion block due to assumptions about ability: “In response as to why all the plumb IT audit investigations went to a male colleague, I was told by the male Head of Audit that my colleague held the better professional qualifications. In terms of academic qualifications, I held more and, for the one professional qualification we both held at the time, I had scored the higher mark for CISA certification we had taken at the same time.”
For Sharon Wallis (see box), while “not a techie ‘geek' myself,” she says she was able to bring skills in complementary non-technical areas such as policy development, internal and external communications, coordination and organisation awareness, as well as project and change management – which are equally suited to men and women.
Sharon Wallis, financial sector resilience team, Bank of England, had a typical starting point, telling SC: “I didn't make a conscious decision to spend my career in information security/cyber or indeed business continuity.” What was less usual was that Wallis had pursued a specifically related academic route, an Information Technology masters degree with a thesis on Effective Risk Analysis and Management.
Also working at the tech coalface, Andrea Walker (see box, next page) agreed, telling SC: “Coming up through the technical ranks I have always felt that I had to work twice as hard to get equal recognition as my male counterparts. The men I have worked directly with have always been fantastic and treated me as an equal and as a friend. But I did feel that if they were to make a mistake it would be quickly forgotten, whereas the reputation I had worked very hard to build could be much more easily destroyed. When starting out I faced the comment “girls shouldn't do engineering, they don't have the right brains for it”, sadly said in all seriousness.
“It was often frustrating that my face didn't fit some people's perceptions of what someone who was able to make important technical decisions should look like. Once, when someone (not a BBC employee) was told they needed my approval, they took one look at me and actually asked if they could talk to a man – eventually discovering, “it turns out I do need to speak to you, after all”.
Nonetheless, the demand to grasp complex technology in a fast moving environment initially presented a challenge, overcome she says, largely with curiosity and asking questions.
Wallis comments: “In today's business world, the successful team is a blend of men and women who bring different attributes to the table, and when you put these together, the combined effect can accomplish great results.”