I don't care if you're male or female, I just want you to get the job done.” Cyber Security Challenge CEO Stephanie Daman's view is common, yet figures show there is still a shortage of women in the top jobs and across the security sector as a whole.
It is clear the impetus is there, but the numbers aren't increasing. In September 2015, ISC2's Global Information Security Workforce study found only 10 percent of industry professionals were female. This figure was flat on the previous year and had reduced from 11 percent the year before.
It's not because the security sector – and indeed the wider IT market – doesn't want to employ more women. There is a skills shortage and diversity is a major area of investment. Therefore, many firms are putting together programmes to encourage women into the industry.
In addition, businesses know the benefits of employing women in cyber-security. On top of helping to diversify the workforce, women are good communicators and able to bring something new to a constantly changing industry. Employing more women also has the potential to reap financial rewards according to a report by McKinsey. In response to a lack of women at conferences, Australian male speakers criticised organisers for setting up “dude fests”, pledging to boycott panels that don't include women. Sree Sreenivasan, chief digital officer at the US Metropolitan Museum of Art said he would no longer take part in exclusively male panels.
Many firms are looking for talented female security people, but sometimes there simply aren't any options to pick from. According to Kirsten Connell, MD of Cyber London, an initiative for IT security start-ups, less than 10 percent of the companies applying for the programme have female founders. “We are really conscious of it – we would love a more equal balance but it isn't there to choose from.”
The female deficit in IT security begins at a young age, when many girls fail to take up the science, technology, engineering and mathematics (STEM) subjects that can lead to a career in the sector.
Having taken history at university, Daman says she is “not a technical person at all. Most of my generation fell into it,” she says.
Daman says: “Girls like to know the context, so it's about making it much more inclusive, taking into account history and how cyber influences what we do today.”
Part of the problem is a lack of understanding around what a job in cyber-security involves. In addition, it is a relatively new industry so career paths are not always clear.
“It's a misunderstanding that you need to be techie,” says Ruth Davis, head of cyber-security strategy, BT Security, who worked in strategy consulting at Deloitte, and TechUK. Her current job involves market strategy and analysis and she is the de facto policy lead on cyber-security.
Indeed, the chief information security officer is no longer a purely technical role, says Emili Evripidou, cyber-security manager at Deloitte, and founder and director of the group Women in Security. “An amalgamation of human and technical skills are required to meet the demands of the job, meaning women have a chance to excel,” she says.
Even so, girls need to be inspired to choose a cyber-security career. This is why role models are integral to attract young female talent to the sector. “Promoting the profiles of female CISOs with ‘success stories' inspires younger generations to consider a career path in this area and could result in an increased number of girls joining the industry,” according to Evripidou.
Orla Cox, security operations manager, Symantec Security Response agrees saying: “I think that educating younger girls on what's out there and creating role models they can look up to would really help.” With this in mind, it has been suggested that mentors are needed to guide more girls into security careers and help them once employed. ISC2's ‘Women in security: wisely positioned for the future of infosec' report, suggests new hires in cyber-security should be paired with a mentor.
But role models can be hard to find when senior security personnel are usually men. “They are the ones people will see,” Davis says. “When going to conferences, it used to be there were no women apart from me and it was a bit depressing. We need to give young people more female role models to relate to.”
Companies are starting to put schemes into place: BT, Ericsson, O2 and Vodafone are part of a new pilot mentoring scheme to encourage schoolgirls to pursue STEM careers. Women's networks from each of the four companies have been working together on the pilot in partnership with Girls Talk London, an organisation aiming to empower women to learn from others in senior business roles.
Meanwhile, Davis has been working on a pipeline within BT security to encourage women and the firm also has an initiative including a ‘buddy' programme for new joiners. “BT will go into schools and universities talking to women already taking courses. They might be taking something like events and we say, you can have a career in cyber.”
She adds that BT is trying to increase the visibility of its female cyber practitioners. Bucking the industry average, Davis says 16 percent of the BT security workforce is women.
There is certainly a drive towards increasing the number of women in cyber-security, but it cannot be denied: discrimination still happens. In fact, most women in security have experienced some kind of discrimination – whether intentional or unintentional. Speaking frankly, one woman said she had been patted on the head during a meeting, and another time pushed out of the way by a man looking to reach a colleague. Another woman said she's been mistaken for a cloakroom attendant at a conference.
Cox says during her early days at Symantec as a technician, people would often mistake her for a receptionist “as there were virtually no women in technician roles at that time”. “I always found it very amusing, but also quite frustrating,” she says.
Margrete Raaum – chairman of the board of directors at FIRST – is an example of a technically-capable women. In the past, she says she has had to “prove” herself in certain situations. “In companies, they sometimes don't believe you know the technical side - they just assume you are just a manager,” says Raaum.
This is despite her background in digital design and networking. “I used to work in networking architecture and routing and as a network person you get involved in security issues,” she explains. “I also took a master's in security to back this up.”
When Raaum took her technical technique and digital design qualification in the 1990s, she was the only woman on the course. “The teachers were the worst part, as they kept making remarks about me being a woman. One teacher just said: ‘There are women here?'.”
At conferences, Raaum thinks the audience is about 10 percent women in general. “Speakers are much worse. I went to a conference in Sweden and I think there were two women who spoke.”
However, she hasn't faced any issues in her role as the chairwoman of FIRST, she says. “Here, no one makes a big deal out of me being a woman.”