Its 100 years since women got the vote in the UK and more women are now speaking at Cyber-Sec conferences, alongside a renewed focus on recruitment and education. But momentum needs to increase. Kate O'Flaherty reports.
Ripples of outrage spread across the cyber-security industry last week after women in red evening gowns were seen promoting a product at the Infosecurity Europe 2018 conference.
The event's organisers condemned the move, saying vendor contracts ban the use of so-called ‘booth babes'. But the damage had already been done: How can industry perceptions change for the better if this is the view portrayed by security vendors themselves?
Thankfully, this behaviour is in the minority. A more gender diverse cyber-security industry is starting to happen, according to the women SC Media UK spoke to this year. Indeed, more women are speaking at conferences, and multiple programmes and initiatives are taking place including a renewed focus on recruitment.
Meanwhile, an increasing number of high-profile men are speaking out about the importance of a gender diverse workforce. Trend Micro's Rik Ferguson, for example, is refusing to be part of panels that do not feature female speakers.
But at the same time, female cyber-security professionals are still reporting being patted on the head, mistaken for marketing, overlooked at conferences – and worse.
Dr Jessica Barker, co-founder of Redacted Firm and a prominent voice on the speaking circuit, recalls several times she was treated a certain way for being a woman, particularly when she was at a more junior level.
The problem is often assumptions led by unconscious bias, she says, citing an awkward situation at a conference when the person at the desk assumed she couldn't be a speaker because she is a woman. “There was no malice, she had just been seeing men all day,” she concedes.
However, she is observing positive change: On the speaking circuit, more women are on the agenda “than even a few years ago”, Barker says.
Role model and mentor
Barker is a role model and mentor who plays a key part in encouraging young women to consider a career in cyber-security. Her own career was not typical. Having studied sociology and politics at Sheffield University followed by a PhD, she was headhunted by a company looking for a cyber-security professional. “They wanted someone who looked at security from a human angle and had heard about my research.”
Barker worked as a freelance consultant for four years and last year set up Redacted Firm with her partner, who is an ethical hacker and social engineer. Barker stands out because she is able to communicate well – which is often thought to be a female trait.
“I think women are in general brought up with more focus on communication skills,” says Barker. “I know men who are fantastic communicators, but I think having diversity in general is important because it brings in different world views and experience.”
Sian John, chief security adviser at Microsoft, has just received an MBE for services to cyber-security. She was always technically talented: Her father, a maths lecturer, encouraged her abilities from a young age.
After taking a computing degree at university, John moved to London working for the government and then security vendor Symantec before securing her current position at Microsoft.
John counts herself lucky to have had several female bosses during her career – a factor she thinks helps to increase diversity on security teams. But that's not to say she hasn't experienced issues. During a job interview, John was once asked: “You are a woman, you are technical: How did that happen?”
In addition, she says: “I get that thing occasionally when you get judged for interrupting talking. But unlike some men, I don't walk into a room and expect to own it and that can be the biggest advantage. People will often come back and ask me a question quietly at the end of the meeting.”
The value of a diverse workforce is being realised. Change is happening at business level as companies accept that gender diversity can improve their overall capabilities. Cath Goulding, head of cyber security at Nominet says: “At conferences, it's being talked about as a business need: Thinking about the problem in different ways. The more diverse the views around the table, the better you will be at solving it.”
However, according to the most recent Frost & Sullivan survey, commissioned by (ISC)2 and the Executive Women's Forum, women comprise 11 percent of the global security workforce and seven percent in Europe.
This can lead women to feel they need to ‘prove' themselves. Rashmi Knowles, field CTO EMEA at RSA Security, says: “One of the reasons I did a CISSP a few years ago is: I am a woman at RSA and people would say, ‘are you at the right conference?' I did it to prove my worth.”
Things can be very different outside Europe and the US. Jovi Umawing, malware intelligence analyst at Malwarebytes is an IT graduate who started coding at University. She took her course in the Philippines, where women in IT aren't unusual. But Umawing noticed a change when she moved to the UK with her current employer.
“In Europe, I observed there weren't many visible women out there,” she says. “Booth babes was the first instance where I felt there was something not right for women in the security industry. If you are a security company using women to sell your products, I think you lack creativity.”
At the same time, there are some interesting examples of gender diverse organisations in the UK. Some new firms – especially those led by women – have been able to build in this factor from the start. Poppy Gustafsson, EMEA CEO at Darktrace, formed the company together with her co-founders just five years ago.
Darktrace is a gender diverse firm with 40 percent female employees, run by two women CEOs, which Gustafsson says happened naturally. “We have got to where we are today by not overthinking it,” she says. “It helps having women at the top, so we don't need to set up policies when we hire. At Darktrace it feels like gender is irrelevant.”
And this can be true even at older organisations. Maxine Bulmer, cyber-security director, CGI UK joined the company 12 years ago as a consultant after spending 20 years at HMRC.
Bulmer was lucky: The people she has worked with in security were always very supportive. “Women were supported and respected for what they are capable of,” she says.
The recruitment problem
Sadly, the wider industry is nowhere near reaching gender parity or equality. But focus is turning to how to attract women to apply for jobs in the first place.
“I know from my research that recruitment could be improved tremendously by formalising processes and technology,” says Jane Frankland, founder of Cyber Security Capital and the IN Security Club and Movement. “Thanks to advancements in technology, data gathered can help to inform and reduce unconscious bias.”
Frankland says among the changes needed, job ads need to be “freshly written rather than copied and pasted from the last time the job was advertised”. She points to tools such as Textio, which can analyse the language used in job descriptions and ensure it is neutral.
Holly Williams, senior penetration tester at Sec-1, learnt to code in the military. She thinks the recruitment process can be “unfair and off-putting”.
Indeed, experts emphasise the importance of avoiding rigid lists of requirements including security certifications when advertising for jobs in the sector.
In addition, Frankland thinks the interview processes needs to change. “Gender diversity on a selection committee plays no role whatsoever when candidates are evaluated. Panel interviews don't work either – they provide no means of independent evaluations; they simply give you an observation of one.”
Instead, she advocates ‘blind auditions', job sample tests and structured interviews.
But women must be encouraged onto the right path before they enter the jobs market. It's known the industry needs to start in schools to capture female talent early and many initiatives are already underway, such as the National Cyber Security Challenge's Cyber First Girls Competition.
But Frankland adds: “We have a long way to go before the general public understands that cyber-security is not just a job for the boys or a technical domain.”
In order to improve, educators need to realise cyber-security is no longer just a STEM subject. Bonnie Butlin, co-founder of the Security Partners' Forum says: “Education from an earlier age may encourage interest and innovative thinking when it comes to security, not just in the STEM sectors, but also in the social sciences and other disciplines.”
This is a complex task – further compounded by the need to encourage women to take STEM subjects too. Bridget Kenyon, global CISO Thales eSecurity took further maths and physics at school and astrophysics at university. A technically talented professional, Kenyon's CV includes a role at University of Warwick in 2006 where she was head of information security.
Kenyon points to “a massive quantity of unconscious bias” from both men and women. But she thinks it's important to normalise women in security jobs: “Trying to show women doing stuff can be quite effective. You can make it more acceptable if it seems normal.”
Last year, women told SC UK that the biggest gap is at senior level. This is still the case in 2018. Institutional barriers preventing or discouraging women from entering the industry and being promoted remain, says BAE Systems' threat intelligence analyst Saher Naumaan, who, alongside her colleague Kirsten Ward, has set up Europe's first general cyber-security conference with an all-female speaker line up.
Many issues remain but momentum is building. While the numbers remain stagnant, the industry is certainly realising that at the very root of the problem, culture needs to change.
“Organisations need to look at what they're doing to attract, hire and retain a more diverse cyber-security workforce,” says Frankland. “It's going to take years, so approaching this with an entrepreneurial, collaborative mindset and using data to drive decisions will be essential.”