The number of men in the cyber security industry may still outstrip the number of women, but it is heartening to see that the number of women has grown from single-digit to 30% in Asia-Pacific in the last eight years, said Yvette Lejins, chief information security officer (CISO) at cyber security firm Proofpoint Asia-Pacific.
While the gender gap is narrowing in the Asia-Pacific, more can be done to attract and retain women in the IT industry, said attendees of a panel discussion organised by Computer Weekly.
Part of the challenge involved with growing the ranks of women in cyber security is the small number who actually make it to a science, technology, engineering and mathematics (Stem) job, said Sabna Sainudeen, president of Women in Cybersecurity (WiCyS) India, and big data platform defence leader at Schneider Electric.
“There is a cyber skills shortage in India. Some 40% of girls plan on a Stem career when in university, but what’s worrying is that the numbers who end up in a Stem career is not high. There’s a leak in the pipeline and we are losing people,” she said.
Besides encouraging young girls to enter Stem careers, this support is also important for adults and can be in the form of role models and mentors, said Elaine Muir, security education and awareness manager at insurance company IAG, and vice-president of the board of the Australian Women in Security Network (AWSN).
“Having role models whose career paths women can aspire to, mentors who help to shape the industry, and creating safe [cyber security career] paths will help to attract and retain females in the cyber security,” she said.
A key issue is gender bias, noted Lejins. “I’ve got hundreds of different stories of how biases come through. I’ve sat in vendor meetings, with budget to buy a product with my team, and the vendor – always male – comes in and talks to my male employees, even though I am the decision maker.”
One way to address this challenge is to provide training to help staff be aware of potentially harmful unconscious biases and reduce its impact on their interaction with others. These biases could be due to a male-dominated culture, whose influence is seen in movies and song lyrics.
“It is no one’s fault that everybody has unconscious biases; it’s about recognising those first, and then taking steps to fix that,” said Muir. In Australia, IAG ensures that job ads do not have male language in them, and hiring managers are trained to remove unconscious bias that may negatively impact the resume screening process.
“It does take hard work. We can’t just sit on our laurels but must continue to push and to call things out, to challenge, and ask ‘Where is the female in the team?’, ‘Can I help you go through some CVs?’” said Muir.
Fundamentally, organisations need to be aligned to believe in cultural diversity and allow for innovation, said Faith Chng, associate director at Trustwave, executive committee (exco) member of Singapore’s Association of Information Security Professionals (AiSP), and co-lead of Ladies in Cyber and exco member of Singapore Computer Society’s cyber security chapter.
“Organisations need to view every employee as an asset…and see cultural diversity and diversity in thinking as critical assets. That would allow us as cyber security professionals to come up with new and better ideas to stay ahead of the hackers,” Chng said.
In Singapore, the AiSP provides mentorship programmes for students as young as 15 years old and working women, and the support and mentorship continues in the long term.
Lejins added that organisations can work to attract women. These are also the things that women can look out for when applying for a new job. They can find out about the diversity count in the workplace, what the organisation is actively doing for women in the workplace, whether there are family-friendly policies in place, flexible working practices, and if the organisation is mindful to avoid using gender-biased language like “coding ninja” or “hacker”.
Starting them young
With technology and coding classes being built into the school curriculum, there is still a need to encourage women at university to consider careers in cyber security.
Some women may take computing courses as a minor at university but may switch courses when they experience peer pressure to take a more conventional path. As a result, there is work to be done with universities to provide support for women and help “paint that pathway for them and know that there is a supportive pathway, all the way through,” said Muir.
Sainudeen pointed out that besides the “pipeline leak” at university, there are women who leave the IT industry at mid-career, when marriage and children enter the picture.
Lejins shared how some organisations aren’t averse to hiring pregnant women and offering support after that. She shared how she had mentored two women who made mid-career switches. One of whom was an Emirates Boeing 777 pilot who was made redundant. After attaining a graduate certificate in cyber, she applied and was hired by a big insurance firm while pregnant.
“I agree that attracting talent is one thing, and keeping them is another, but retention is largely based on an individual’s aptitude, and determination to actually have a breakthrough,” said Lejins.
Diversity of roles
There is often a misconception that cyber security jobs are very technical. In fact, there are a wide variety of different jobs roles requiring a variety of skillsets, including communication specialists, behavioural scientists, lawyers and graphic designers.
“We have such a diverse group of people with diverse backgrounds, none of them have that linear, straight path from high school to university, then into a cyber job. We do need that diversity of skillsets and diverse thinking,” said Muir. She counts among her team members, a former journalist, a graphic designer, and a former high school teacher who used to teach coding and is now running IAG’s secure DevOps coding programme.
Chng added: “This is a very lively and dynamic industry, which can be very rewarding in terms of learning and fulfillment. The many different roles and experience in the cyber security industry means that it offers a wide diversity of experience without the need to change industries”.
Finally, Muir urged organisations to embrace not only gender diversity, but also diversity of thought, culture, environment, sexual orientation and background.
“True diversity breaks down groupthink and shows the ability to think outside the square and to look at problems in a different way. It challenges what we’ve done before and helps us find a better way forward,” she said.