Blog

Why is gender an issue in Cyber Security, and what can be done to redress the balance?

Sep 10, 2018

SteveMair By Steve Mair
Senior Cyber Security Consultant, PGI

On 18th June 2018, the Department for Culture, Media and Sport (DCMS) made an announcement to the effect that PGI are going to run a 10 to 12 week training programme for women with little or no cyber security background. 

Candidates will be employed from the outset of training, moving straight into a guaranteed job on completion with a leading employer within the sector. This programme is called Women in Cyber and currently PGI have had over 160 expressions of interest from women around the UK.

At the forthcoming (ISC)² Secure Summit, I will be taking part in a panel discussion on Diversity and Skills in Cybersecurity. I am a passionate advocate of skills training and capacity building, and am one of the trainers delivering a scheme which PGI recently started to train ex-service personnel in cyber skills using a similar programme to that being offered for Women in Cyber. 

A recent Cybersecurity Ventures report showed that women currently only make 20% of the cyber security profession’s workforce, while another of their reports predict 3.5 million cyber vacancies globally by 2021. It is clear that there is an urgent need to recruit more professionals into all aspects of cyber security, and that women are massively under-represented in the profession.

Why is having more women in the workforce so important? In Ruchika Tulyshan’s book The Diversity Advantage , she explains that the companies that attract, retain and advance women have the potential to be more profitable and innovative than others. Women in the US have spending power annually ranging from $5trillion to $15trillion. Whatever an organisation is selling, be it software, services, goods etc, chances are women have a large, if not majority, influence in what is being bought. Without sufficient female representation in the leadership team, there’s a tremendous missed opportunity to get into the mindset of a massive customer base.

The world of information security, like many industries, has been seen as a predominantly white male career stream. I think this is partly due to hidden bias – inherent prejudice for people seen as ‘different’ – and also due to the gender pay gap (which gets worse if you are a non-white woman, according to research). I’ll talk about these in more detail later in this post.

A friend of mine recently made a great distinction between diversity and inclusion. She said that diversity was being invited to the party, and inclusion was being asked to dance. I thought this was a great analogy, and I think that inclusion is what we need to be aiming for because in order to understand people’s needs we need to be asking and involving them, not assuming we know best.

To me, while diversity ensures fair representation across different groups and communities, we’re in danger of endorsing a tick box approach to meet social responsibility, in danger of recruiting diversely but not involving these groups in any way. That doesn’t seem like an ethical model to foster employee satisfaction and commitment, or to grow our business. People from under-represented groups should be involved in decision making, policy creation and review, in building processes and procedures which make best use of resource: they are an integral part of the workforce so why wouldn’t they be included?

Where diversity may be about companies monitoring such things as recruitment, inclusion is more about asking under-represented groups questions such as “Where should we be advertising to get the optimal response” or “How can we amend our working practices to help you feel welcome and valued?”.

I was listening to a recent podcast featuring Paolo Gaudiano where he gave a fantastic example of hidden bias. An organisation held regular meetings which had been well attended, then moved them to 8am, and the men responsible for the meeting couldn’t work out why women were generally unable to attend. They found out by asking the women that in this instance, at that time of day, as primary care givers they would be getting their children ready for school. It sounds obvious when stated like this, but it’s a great example of the sort of hidden bias that affects some women in the workplace.

At a recent talk the futurist Mike Walsh asked why, when a new employee joins straight from school or university, we immediately try to mould them to the way we work. They’re the people who will be running businesses in 20 or 30 years’ time, they’re the ones who have grown up with technology, so why aren’t we explaining what our business does and asking them what they find the strangest about the way our teams work, make decisions and communicate? They may have ideas which seem radical to older, more experienced people, but they may make better use of resource and will provide innovation in an inclusive way. 

The pay gap is also pretty much endemic across industries, professions and locations. Figures from the UN’s Progress of the World’s Women 2015-2016 report showed that over the course of their careers women in France and Sweden would earn 31% less than men, in Germany they’d earn 49% less and in Turkey they’d earn 75% less. Unmarried women in the USA would earn 4% less than men doing the same roles, but married women with one child would earn 24% less than a married man, and again these gaps widened if the women were non-white.

More work needs to be done in schools, to help young people understand what career options there are in information security. Part of this means that the careers advice being offered needs to change, but there also need to be more under-represented groups teaching the STEM (Science, Technology, Engineering and Maths) subjects: good role models can have a huge impact from an early age.

The (ISC)² Women in Cyber Security report from 2017 shows that this may already be starting to happen within the millennial generation, where 52% of women under the age of 29 have an undergraduate degree in Computer Science.

I believe the industry wants to change, and now is a good time to be involved to help push those changes through. I hope you’re able to join me and the rest of the panel discussing Diversity and Skills at the (ISC)² conference in September.