It is hard to fathom why the number of women in cyber-security is not increasing. Globally, only 10 percent of the world's cyber-security professionals are female. In Europe, this figure declines to just 7 percent of the cyber-security workforce and in the UK, only 8 percent.
These figures come in spite of the best efforts of the industry and UK government – which wants to introduce cyber-security into schools to help plug the skills gap. This is in addition to programmes such as GCHQ's CyberFirst Girls Competition aiming to identify talented young female coders.
Many women who spoke to SC think programmes such as these do not tackle the whole issue. The cyber-security industry is broad, they say, and there are a range of jobs that go beyond just technical skills.
Jennifer Arcuri, ethical hacker and Hacker House founder, tells SC: “You don't have to be a stem cell scientist to work in cyber-security. There are a lot of jobs that don't need you to be in front of a computer 24 hours a day writing code.”
Cath Goulding, head of information security at Nominet agrees. “Cyber is much broader than that – you don't have to be a code breaker,” she says. “There are lots of different roles.”
That is not to assume women aren't as technically gifted as their male counterparts. Of course, some are immensely talented in this area. Take for example, Zoe Rose, cyber-security analyst at Schillings, who taught herself how to programme a robotic arm in school. Like many women, she is also a good communicator: She was nicknamed “the translator” during her first job as an IT manager.
However, particularly for women working in an industry such as IT, Rose says it's common
to have “imposter syndrome”. “It's easy to assume you don't know what you are doing. I wanted to be in IT, but didn't think I knew anything. In fact, I knew a lot more than I thought.”
Part of the problem is a lack of female role models across all disciplines. The industry needs a more diverse group of people to look up to, says Jane Wainwright, senior manager at PwC's cyber-security division. “We need to make sure that young women know: we don't pick people just because they have an IT degree. It's about finding role models for those with non-traditional backgrounds,” she adds.
Like many cyber-security professionals of both genders, Wainwright started her career in the military. She joined the PwC cyber-security team in 2013 and has since helped build the firm's proposition around privacy and data protection.
Ruth Anderson, head of IT and cyber risk at Lloyds Banking Group also comes from a military background. “Having role models in any career is vital,” Anderson says: “The ability to look up and see someone you admire is powerful. It doesn't have to be a female, just someone who wants to encourage you.”
Mivy James, head of consulting, national security and technical consultant at BAE Systems Applied Intelligence has about 150 people in her department, of which “not enough are women”. However, she says at entry level grade, about a quarter of the graduate intake is female. In addition, she says, her boss is a woman.
Mivy James - head of consulting, national security and technical consultant at BAE Systems Applied Intelligence
James' coding skills stood out from a young age: When she was nine, she wrote a programme to do her maths homework by copying code from a computer game magazine. James counts herself lucky to have had a father and teachers who pushed her to expand her abilities.
Male dominated environment
It is clear that female talent is available, but some women are put off from working in a male dominated industry. Many say they have to act differently to get by in this type of environment.
Wainwright admits women often have to be “a bit more forthright” to succeed in the corporate world. “I would guess with my military background – we are very direct and authoritative – it hasn't been all that difficult. I worked out how to navigate it.”
Despite having a successful career, James says she sometimes feels very aware of her gender: “I often feel when I meet people and I'm there as a technical authority, I have to say something technical early on. I feel that some people don't expect it and think you might be there in a general management role. So, I put myself under pressure to make it clear by providing insight straight away.”
Julia Harris, head of information protection and assurance at the Post Office, has worked in a number of systems programmer and senior cyber-security roles, including a stint at the BBC. She remembers going to conferences in the 1980s when there were just “six women there”.
“You knew you had to be 10 times better than a bloke to get the promotion,” she says. “But because I had been in that environment, I was well equipped to handle prejudices and it didn't faze me.”
Despite an apparently unshakable exterior, Harris admits suffering discrimination in the past. “A HR director asked me if I was going to have babies. In my first job, I was asked why I didn't wear short skirts.”
Even in an age of supposed gender equality, it is assumptions like these that can be a problem –deterring many women from entering the industry. Going to conferences in the past, Rose says she would feel uncomfortable and “people would think I was someone's girlfriend”.
However, she says there is now a “huge change” in the way women in IT are viewed. Today, Rose often speaks at conferences. She thinks it's important that women are prominent speakers both through ‘women in security' discussion panels and presentations about technical subjects.
Zoe Rose, cyber-security analyst at Schillings
They have the knowledge and the ability, so why do women hold themselves back? Sometimes, the issue is confidence. “Women tend to be better at maths even if they don't think they are,” says Harris. “Also, security is logical – and women are logical.”
“Women are just as capable of understanding cyber-security as men, but they wrongly assume that they can't,” says Arcuri. “I did six certifications myself and powered through them not because I am an elite top hacker; I can just digest and learn that information very quickly.”
It is agreed that the problem starts in education – so it's important to encourage girls into the sector at a young age. “There has been progress on education and scholarship opportunities for women in security,” says Bonnie Butlin, co-founder and executive director of the Security Partners' Forum and international coordinator of the Women in Security and Resilience Alliance (WISECRA). “There has also been increased emphasis on engaging girls earlier in their educational careers, and even starting in the early education years.”
This is in addition to programmes such as the training portal created by Arcuri's business partner – a tool that can be downloaded anywhere to help younger people who want to learn cyber skills. “Whenever we expo, I befriend the girl immediately and make it my job to get her on the course,” Arcuri says, adding: “At our last one, the girls were the best in the class.”
As well as targeting the younger generation, many companies offer internal programmes to help drive women into and up the ranks of the business. Diversity is important to KPMG and the firm runs several programmes focusing on women. Caroline Rivett, the firm's global cyber-security lead for life sciences, cites the example of a KPMG programme aimed at encouraging more women into technology roles, called ‘IT's her Future'.
“We mentor junior people and talk them through different aspects and career choices,” she explains. In addition, she says: “We have looked into different ways of recruiting to be more inclusive – it's a very intense, day-long process of interviews, exercises and presentations. This very quickly helps people decide if KPMG is the right place for them.”
Harris says the Post Office runs a ‘women in leadership' programme where women can meet one another and provide support. Harris says she is being mentored by another woman and has offered to mentor others if needed.
Carmina Lees, VP, IBM Security UK and Ireland says her employer offers initiatives to encourage women into top roles, such as flexible working for those returning from maternity leave and talent programmes.
Meanwhile James' employer, BAE, offers a number of programmes including a diversity inclusion council. As part of the programme, departments such as HR and recruitment ensure the firm is advertising its jobs in the right places to attract diversity.
Separately, James has founded BAE's gender balance network. “We are an informal group rather than policy makers and have about 150 members globally. We have events to promote the issue and we hope to raise awareness.”
As many of the anecdotal stories show, attitudes towards women in security have changed drastically over the last few years. So, it's worth considering that the figures might not say it all.
The widely-held opinion is, it will just take time. Women are coming into cyber-security at graduate level, thanks to a number of courses and apprenticeships. But it is possible the biggest gap – and the one which poses the most significant challenge – is at senior level.
Wainwright says: “There are lots more younger women coming into cyber-security at graduate level. But I don't really see any churn or turn in my own peer group.”