This year’s International Women's Day 2019 theme of #BalanceforBetter is a positive call-to-action to drive gender balance across the world. This year’s campaign states that “the race is on” for a gender-balanced boardroom and gender balance amongst employees. I admire the #IWD2019’s rallying call to put on our running shoes. With the economic uncertainty of Brexit looming, we certainly need to get going.
How bad is the skills gap?
Balance is not a women's issue; it's a business issue, and it’s nothing new. In recent years, gender parity has been identified as critical to reducing the skills shortage within STEM and the cybersecurity industry specifically. The recent (ISC) 2 Cybersecurity Workforce study found that the global cybersecurity skills gap has grown to almost three million. This issue is only getting worse, according to ESG, with over half of organizations reporting a problematic shortage in skills year after year. As the skills gap widens and the cybercrime epidemic worsens ($6 trillion annually by 2021), there’s a critical need to attract and retain talent. So, have we gone the extra mile to get more women into cybersecurity? Have we picked up the pace in recent years? According to Frost & Sullivan, women make up only 11% of the cybersecurity workforce, and Forrester predicts that in 2019 20% of Fortune 500 CISOs will be women. There’s still a clear opportunity for women to fill both the talent and gender gaps.
Why is it important to close the gender gap?
It’s about more than just improving the percentages. It’s about economics and productivity. The World Economic Forum’s Gender Gap Report estimates that gender parity could add an additional US$250 billion to UK GDP, US$1,750 billion to U.S. GDP and increase global GDP by US$5.3 trillion by 2025 assuming it closed its gender gap for economic participation by 25% over the same period. Women in the workforce are better for business, and in cyber security, this is crucial. Cybercriminals are increasingly inventive and savvy. That being said, a more diverse cybersecurity team will be key in facilitating a wider range of ideas and perspectives about how to prevent and manage an attack.
Why are we running? Brexit is coming…
According to #IWD2019, the race is on to achieve a better balance. I’m pretty sure they weren’t thinking about Brexit when they launched this campaign. But for businesses in the EU, there is a deadline looming, that of March 29th. Skills shortages have been an issue in STEM way before Brexit was even a word. Deal or no deal, the added pressure and uncertainty is already having an impact, as a third of European companies cut investment and UK firms cut jobs at its fastest pace since 2012. As the UK becomes a more uncertain and, as some argue, a less attractive/more restrictive place to live and work, the talent pool is at risk of shrinking even further. This effect will harden if significant cuts to EU immigration (as much as 80% by 2021) come into force. Furthermore, according to security professionals, Brexit could leave the UK more vulnerable to cyber-attacks. In this climate, it’s more important than ever to have a fully staffed, fully skilled cybersecurity workforce. In these employee pools, women need to play a crucial role. Writing for Forbes, Avivah Wittenberg-Cox says the following:
If companies want to lessen the pressure of losing European employees, they may want to let their gaze wander to the other side of the kitchen table. Women remain an under-utilized and under-supported resource in the U.K. Brexit will raise the stakes – and the cost – of mismanaging half the country’s potential labor force.
I’m not sure the kitchen table analogy helps the cause, but her underlying point is solid. It’s not all doom and gloom. Brexit could (and should) be a catalyst to accelerate the UK’s efforts in training, attracting and retaining skilled workers in cybersecurity in order to plug the gap. Thom Langford, founder of (TL)2 Security, backs this sentiment up:
The potential shortage of skills and qualified people in a post Brexit landscape should be further incentive to encourage a better gender balance. We all want the top skilled people in the recruitment pool, and if the balance remains 90/10 in favour of men, as an industry we are denying ourselves of a potentially rich source of highly skilled employees. Frankly speaking, it makes no sense to permanently wade in the shallow end of the recruitment pool.
Thankfully, there are already a number of initiatives targeted for women underway. We may also see an uptick in the number of consultancy opportunities in the UK driven by compliance requirements such as Cyber Essentials, the NIS Directive and GDPR.
How do we encourage more women into cybersecurity and senior positions?
The needle is moving but not far enough both from a skills shortage and gender parity standpoint. So how can we pick up the pace? Here are 5 focus areas that could help improve female representation in the industry:
Highlight the economic and productivity argument
It is estimated that companies with three or more women in senior management functions score higher in all dimensions of organisational effectiveness. Women not only have a positive impact on the bottom line but also bring a unique skill-set that is crucial to cybersecurity. As Jane Frankland states, more diversity will make us all more secure:
Diversity offers a strategic and competitive advantage to business. For example, teams are more productive, innovative, and cost-effective compared to homogeneous teams. Reports show gender and cultural diversity offers a 35% performance improvement, which is significant. But, when we look at cybersecurity, that’s when it gets more interesting. Countless studies show us that women and men gauge risk differently. Women are far better at assessing odds than men, and this often manifests itself as an increased avoidance of risk. As women are typically more risk averse, their natural detailed exploration makes them more attuned to changing pattern behaviours – a skill that’s needed for correctly identifying threat actors and protecting environments. They also don’t fall for attacks that are being written purely for men.
Cybercriminals are increasingly inventive and savvy, so a more diverse cybersecurity team is key to facilitating a wider range of ideas and perspectives about how to prevent and manage an attack. Government and industry need to do a better job of highlighting the benefits of diversity and set targets around this. We need to see more action like GCHQ’s CyberFirst, and in light of Brexit, government and industry need to align to maximise the impact of these investments.
Tackle the issue at every career stage
Research suggests that we should tap into the education system early (before the age of eight) to show young women that careers in the cybersecurity industry aren’t just for men. But there are still many open windows for showing women how they can benefit from adding cybersecurity skills to their tool belts regardless of age. The PGI Women in Cyber Programme enables women to convert their aptitude and current skill set into cybersecurity. They are not just looking for graduates, but all returners and career changers from STEM and non-technical backgrounds.
More female role models
There can never be too many female role models. Women in senior positions should be seen and heard, as it’s encouraging for women in more junior roles to see women in senior positions. Sheryl Sandberg invites us all to lean in and do our bit. Larger firms such as Amazon, who have launched Amazon Amplify with the aim to increase women in technology and innovation roles across its UK business, have put some focus on raising the profile of female leaders in cybersecurity, but smaller organizations and cybersecurity technology companies should also do more. These initiatives don’t have to be costly; they can be empowering for employee culture.
Look at retention as well as recruitment
Jane Frankland calls out the issues around recruitment and retention in her book In Security. Women face a number of barriers in recruitment, progression, pay, discrimination and retention. For working mothers (and fathers), Christine Armstrong in The Mother of All Jobs identifies the need for greater flexibility and equality both in and out of the home as a critical factor in the retention of women in the workplace. Well-being, flexibility and leadership need to be aligned. Flexible working practices are key to increasing retention rates in cybersecurity and could also help us to attract more female talent into the industry.
Women in cybersecurity is everyone’s job
This is important, as each company will have slightly different issues and individual ways for them to be tackled. It’s not about quotas, soft targets and messaging work. If diversity-related objectives were built into company objectives and, in light of Brexit, government policy, the issue could be transformed organisation and countrywide. With Brexit looming, there is a heightened sense of urgency and uncertainty in the European job market. The race to recruit and retain skilled people within cybersecurity is on. The skills shortage in cybersecurity is not new and not unique to women, but women bring unique skill-sets to cybersecurity that have a positive impact on economics, productivity and risk. In short, more women in cybersecurity will undoubtedly help to achieve the #BalanceforBetter International Women's day is striving for. Getting more women into cybersecurity should be everyone’s job, what are you doing to move the needle?
Author Note: Jane Frankland has launched a branding resource/guide which is available here - http://bit.ly/cybersecuritypersonalbranding. Also, Jane is launching a Cybersecurity Personal Branding Programme, in April. To ensure you don't miss out, you can follow her on Twitter. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
