As another year comes to an end and we prepare to enter 2019 it’s time to look back at what’s been going on for minorities in cybersecurity. As you’d expect, there’s good news and bad news.
The good news is, the industry is waking up to diversity. In all its forms – experience, thinking, age, gender, ethnicity and so on – diversity is being talked about more and more. There’s a recognition for the arts, and that social science and computer science need to come together.
There’s been a big push for neurodiversity, a concept where neurological differences including dyspraxia, dyslexia, attention deficit hyperactivity disorder, dyscalculia, autistic spectrum, Tourette syndrome, and others are recognized and respected as any other human variation. Also, governments and forward-thinking businesses, all over the world, are beginning to implement diversity initiatives across all age groups.
To say this excites me is an understatement. Focusing on diversity isn’t just about doing what’s right for minorities. It’s good for society. Diversity offers a strategic and competitive advantage to business. For example, teams are more productive, innovative, and cost-effective compared to homogeneous teams.
When we examine gender diversity, risk and cybersecurity, countless studies have shown that women and men gauge risk differently. Women are far better at assessing odds than men, and this often manifests itself as an increased avoidance of risk. As women are typically more risk averse, their natural detailed exploration makes them more attuned to changing pattern behaviors – a skill that’s needed for correctly identifying threat actors and protecting environments. They also don’t fall for attacks that are being written purely for men.
Research reveals that women score highly when it comes to intuition, emotional and social intelligence, too. They’re able to remain calm during times of turbulence – a quality that’s required when breaches and major incidents occur. They use their intuitive thinking to make good decisions quickly and without having all of the information, which is a requirement in a world that values speed and agility.
Yet, as men tend to be more pragmatic with their thinking, what matters is that no one gender is better than another. It’s simply that we’re different, and when we come together to solve problems, we’re able to solve them faster. We progress. We evolve.
So, I’m going to start my look back at what’s been going in this year with children. In the UK, the NCSC’s CyberFirst Girls Competition is proving to be a phenomenal success. This year, 4,500 girls (1,200 teams) between the ages of twelve to thirteen entered and Megan, Jess, Zara, and Callena from The Piggott School were crowned the winners and received individual prizes along with their school.
In the USA, Palo Alto Networks and the Girl Scouts launched a variety of cybersecurity skills programs for girls aged between five to twelve years old, with badges – up to eighteen of them – upon competence and completion. Rather than learning how to minimize hacking vectors, younger Scouts are now being taught about data privacy, cyberbullying and how to protect themselves online.
Looking at initiatives for women, this is undoubtedly the year of the woman and in cybersecurity, women are leaning in and going for that seat at the table. As a result, many more women’s groups and initiatives have been sprouting up.
On International Women's Day (March 8th), I formally launched my book, IN Security. By hosting a sell-out event for journalists and supporters I managed to raise awareness, garner support for the IN Security Pledge and the book became an Amazon number one best-seller. As a result, I’m being inundated with requests for keynotes, book signings, interviews and consultancy for how to attract and retain more women in cybersecurity.
Moving on, this year saw the birth of the Queue for the Loo initiative at TechUK. Fronted by Sian John of Microsoft, this initiative aims to bridge the gender skills gap by scheduling quarterly events for female cyber professionals to network, exchange ideas and find mentors.
Turning to technical knowledge and skill sharing, The Cyber Skills Immediate Impact Fund (CSIIF) pilot launched earlier this year, in the UK. With a remit to increase diversity and widen the net in recruiting for the field, it selected seven schemes run by CompTIA, Immersive Labs, PGI Cyber Academy, the National Autistic Society, UK Cybersecurity Forum Community Interest Company, Youth Fed and Integrate Agency CIC. The schemes target young adults, individuals on the autism spectrum, those with care commitments and those looking to change careers.
Creating a different kind of learning experience, Eliza May Austin created the Ladies of London Hacking Society (LLHS), an offensive and defensive technical security meetup for women. Attracting more than 300 members and growing, women turn up with laptops and work together or alone to complete Capture the Flag (CTF) exercises. There, they’re able to ask their peers questions and learn in a safe space.
Reflecting upon all of these efforts it would be easy to conclude that we’re making headway on diversity. But no matter how well we think we’re doing with it; the bad news is we still have a long way to go.
In April, we saw UK companies with more than 250 employees publishing details on their gender pay gap figures and the number of men and women working at each level. Analyzing the results reveals a noticeable and systematic gender pay gap between like-for-like roles and signals barriers to progression for women. Disappointingly, the UK is worse than the OECD average.
For women in cybersecurity, who represent eight percent of the workforce, one of the lowest proportions in the world, men are earning an average of 16% more than women. According to the data, the pay gap is widening for women in cybersecurity, unless they’re in executive positions. Despite 50% of women in cybersecurity roles having a graduate degree (compared with forty five percent of men), men are still nine times more likely to be in managerial positions and four times more likely to be in C-suite and executive positions.
Whilst some studies, for example the 2018 Women in the Workplace report by McKinsey & Company and LeanIn.Org, are reporting little progress for (US) women despite a commitment, new figures by (ISC)2, Forrester Research and Cybersecurity Ventures suggest otherwise. According to these companies we are moving the needle on gender diversity and women in cybersecurity are now estimated to be anything from fifteen to twenty four percent of the workforce – a rise from 11%.
Diversity is a complex affair though. Bias and abuse, such as harassment and bullying are unfortunately rife in our global cultures. They’re built into the fabric of our organizations and the events we attend. The tech industry, of which cybersecurity is a division, tolerates discrimination very well. It’s hardwired to marginalize minorities, particularly women and people are comfortable turning a blind eye.
We saw this in 2018, with the trio of black teen girls – the only female, black team in NASA’s national high school STEM competition. When these young women made it to the finals, they were subjected to racial abuse and a hack-the-vote effort by members of the board. When some of the girls took to social media to report what was going on, NASA shut down the voting.
Last month’s events across the world served as another reminder of just how far we have to go. On November first, tens of thousands of Google employees walked out as part of a worldwide protest organized against their handling of sexual harassment. The walkout came after reports that that Android co-founder Andy Rubin was given a $90 million severance package after allegedly sexually assaulting a fellow employee.
The world took notice. Similarly, our industry did when I spoke out about the women in red dresses at Infosecurity Europe. After being trolled on Twitter, which resulted in Twitter accounts being shut down and some people being disciplined by their bosses for what they wrote, and hearing about instances of sexual harassment and assault at events worldwide, I brought the industry together to create a Code of Conduct.
It quickly became apparent that I wasn’t the only one who aspired for better behavior. Aligning with the Time’s Up Movement and Now Australia, the code of conduct’s purpose is to ensure that all people, particularly women, are kept safe from inappropriate behavior, such as bullying, harassment and assault at cybersecurity events. Guaranteeing care and support, it sets a standard of behavior that can be expected of event attendees, speakers, sponsors, partners, facilities staff, and organizers.
Through relentless campaigning, the IN Security Code of Conduct is now in four continents and being supported by senior representatives from Black Hat, the Cybersecurity Challenge, (ISC)2, FiTT, AISA, AustCyber, the Australian Cybersecurity Centre, the Now Movement, AWSN, the Security & Influence Trust Group, Women Speak Cyber, Cyber Risk Meet Ups, Brainbabe, CyberSN, Rela8te Group, Habitu8 and Telstra. Next year, I’ll be pressing for more action, launching training programs around this and others.
Now, whilst I’m a huge champion of diversity, particularly gender diversity, I believe it is time to change the dialogue. I’m concerned the industry is addicted to the drama of the ‘women in security’ narrative, and by focusing on ‘women in’ we’re further dividing a depleted workforce, and alienating men.
Words are powerful, and sadly, the truth of the matter is that our ‘women-in’ words are not inclusive.
This year, I’ve felt a growing animosity whenever gender diversity has been brought up. Both men and women are afraid and a widening gap in trust is emerging amongst genders. As more women are speaking up in the aftermath of the #MeToo movement and women’s marches, which is good, men are feeling uneasy. It’s leaving them feeling uncertain and even confused about where they fit in and how to behave with their female colleagues.
The Senate Judiciary Committee hearings in regard to Judge Kavanaugh’s appointment to the Supreme Court following assault claims haven’t helped either. No one needed to be in the USA to acknowledge the fact that this event charged the space even further.
This is why I’m calling for a different approach to how we tackle gender diversity in cybersecurity. As I presented in South Africa on Women’s Day, it hit me. There, they have a saying, “Strike a woman; strike a rock” and as much as I’d like to champion this, I know it’s not what we need to do. Tit for tat and raising fear is not the answer. Instead, we must unite and pull in allies from dominant groups.
All too often we rely on minority groups to fix what’s wrong, but what research tells us is that when they point out unfairness about their treatment, they’re actually less likely to be listened to or believed. Known as the Complainer Effect, the only way to rectify this is if someone from a dominant group speaks up and points it out.
Finally, I believe women and minorities need to be like water. Water flows. It finds a way to wherever it wants to go. It can transform into steam and rise. Whilst nothing is weaker than water, when it attacks something hard or resistant, then nothing withstands it. Nothing will alter its way. Being so fine that it’s impossible to grasp, when you strike it, you’re not wounded and nor is it. When it’s severed, it is not divided.