Cyber security is one of the most exciting, varied and challenging industries I can think of. From technical roles such as securing a network, incident response and ethical hacking, to social and cultural roles, through to jobs preventing and detecting digital crime, it offers a wide variety of career paths and opportunities. And yet the teams that are responsible for ensuring our IT security infrastructures, digital resilience and cyber security are suffering from a significant skills shortage. According to the recent DCMS report ‘Cyber security skills in the UK labour market’ (2020), approximately 48% of businesses have a basic cyber security skills gap. Compounding this issue is the fact that the industry is seriously lacking in gender diversity, with women making up between just 12% and 25% of the cyber security workforce. So what, if anything, is going wrong, and why does it matter?
Whilst there are some excellent examples of initiatives to support women in cyber security, there are certainly many situations where this is not the case. One of the first meetings I attended after taking on a more senior role in cyber security had no other women in the room – apart from just one who was there to take the minutes. In the past I have been asked to get the coffee, I have been told jokes that even my best friend wouldn’t say out loud, and I have had a door closed in my face when talking about my area of responsibility. Little wonder that those brave enough to join the industry often leave after just a short career.
And yet diversity is critical to developing robust and effective teams. According to Nicola Hudson at the National Cyber Security Centre, homogenous teams made up of just one type of demographic encourage ‘group-think’ behaviours. But cyber security has so many facets that it stands to reason that the more diverse the workforce, the better equipped we will be to face the challenges posed. That means that if we can encourage more women to work in cyber security, and develop more girls to want to pursue computing subjects, then we stand a chance of reducing the skills gap whilst also improving diversity within the sector.
Perfection, but for whom?
Here’s a little aside. A while back (more years than I care to mention), my husband and I bought a new house. I can be rather independent, so I set myself to work on some of the DIY projects that needed doing. One day I single-handedly put up a mirror in our hallway (a simple task compared with the installation of a cat flap into a UPVC door that I had done the previous week). It was perfectly central to two wall mounted lights, and completely level. I was very happy with the end result, until my husband stood in front of it and I realised that he couldn’t actually see himself because it was too low. Whilst the work was technically sound, and the mirror functioned perfectly for me, it wasn’t fit for purpose for someone else just a few inches taller than me. Doing the work on my own meant I that I failed to take into account different users (apologies to my husband for referring to him as a ‘user’ here, but hopefully you see my point) and IT teams are no different. Employ a team of one type of person and you may get a perfect service or product, but it may only be perfect for that demographic. Had my husband been home when I put the mirror up, he’d have told me it was too low before I hammered the nail into the wall. Instead, he silently put up with 12 years of stooping to check his appearance before leaving the house.
Maybe you are thinking that this doesn’t apply to you, but most of us have biases without even realising it. Consider this riddle (and take a moment to think about it before reading on): “A boy and his father are in a serious road accident, and sadly the boy’s father dies at the scene. The boy is rushed to hospital for a lifesaving operation, but the surgeon says “I cannot operate on that boy because he is my son”. Explain.
A handful of us will come up with the correct answer straightaway, but I imagine more than a few of us cannot fathom how this can be the case. Is the boy adopted? Has his mother remarried? Of course, the answer is that the surgeon is the boy’s mother, but in experiments carried out by Wapman and Belle in 2012, only 15% of the participants came up with the right answer. I tried the same riddle on both of my daughters, and neither of them got the right answer straight away, despite priding themselves on being strongly supportive of women’s rights. It happens elsewhere too: type ‘University Professor’ or ‘cyber security specialist’ into an internet search and you’ll see a sea of middle age, white male faces. Our unconscious biases run deep and recognising this can be a small step towards solving these diversity issues.
Why does it matter?
If you’re still not convinced that there’s an issue, here are some statistics. In 2019, (ISC)2 estimated the global IT security skills shortage to be over 4 million, and according to the KPMG / NCSC report entitled Decrypting Diversity: “an abundance of evidence shows that diversity and inclusion can provide commercial advantages … including better financial performance, increased creativity and innovation, greater employee satisfaction, lower absenteeism and stronger talent retention” (KPMG, 2020). Yet the number of women studying Computer Science in HE is still only 18% (Catalyst, 2019) so we’re unlikely to see any significant changes soon.
Perez, in her 2020 book “Invisible Women” refers to the ‘Default Male’, who forms the basis for much of the data in our world today, causing design, safety and many other things to be skewed towards a standard set of characteristics that simply don’t relate to women. For example, the list of symptoms that doctors use to diagnose a heart attack relate specifically to men – and these are very different to the symptoms that a woman may have, meaning that a heart attack in a woman may go completely un-noticed. Worse still, if a heart attack is diagnosed, then some of the medications used to treat the condition can actually do more harm than good when given to a woman.
So think about what you could do to improve diversity in this area. Could you run some debates on the importance of gender diversity in STEM, or create activities that focus on areas that will appeal to girls as much as boys? If you are a woman teacher, perhaps you could act as a role model, encouraging girls to consider this exciting career. Celebrate the women of the industry in equal measure to the men. Women aren’t necessarily better, but we are different. We will tackle problems in different ways to our male counterparts. We will approach challenges from a different point of view and come up with different solutions. The same is true for different age groups, cultural backgrounds and so on. We all bring something different to the party.
And if you’re wondering why I called this blog post “It was never a dress” then take a look at the image below. Women don’t wear dresses, they wear superhero capes.
- Cyber security skills in the UK labour market 2020, conclusions and recommendations
- (ISC)² Finds the Cybersecurity Workforce Needs to Grow 145% to Close Skills Gap and Better Defend Organizations Worldwide
- BU Research: A Riddle Reveals Depth of Gender Bias
- Decrypting Diversity: Diversity and Inclusion in Cyber Security, 2020
- Women in the workforce - UK: Quick Take
- Perez, C. C., (2020) 'Invisible Women', Vintage
Clare Johnson, Partnerships and Outreach Manager (Digital & STEM), University of South Wales
Founder of Women in Cyber Wales
Clare is the Partnership and Outreach Manager (Digital and STEM) at the University of South Wales. She is passionate about encouraging and inspiring young people, especially girls, to consider careers in cyber security and STEM subjects. As such, she has developed an extensive outreach programme which includes cyber security days for Brownies and Guides, primary and secondary schools’ outreach and community activities. Previously Head of Cyber Security Education at the University, Clare is now responsible for developing partnerships with STEM businesses that highlight the opportunities within the sector and build pathways from further education into higher education and employment. She has close links with the Thales National Digital Exploitation Centre and has worked alongside Welsh Government and the National Cyber Security Centre to promote educational and skills development. Clare is also the founder of the Women in Cyber Wales cluster, which aims to provide support and networking to women working, or hoping to work, in the industry and now has approximately 150 members.