The Innovation of Diversity in Cybersecurity
The cybersecurity profession has a diversity problem – here's what we can do to fix it.
As a woman working in cybersecurity, and one who speaks frequently at conferences, I am often asked about the issue of diversity in this profession. At many cybersecurity events, women are very much in the minority, as both speakers and attendees. At a large industry conference I attended a few months ago in London, there were 38 speakers on the agenda: only four of those speakers were women, three of whom were speaking on a panel about diversity in the industry. Indeed, in the profession as a whole, research suggests that women comprise of only 11% of the workforce and earn less than men.
Diversity comes in many forms and is, of course, not just about gender. Most people working in this profession are white men with technical backgrounds. This is not to criticise white men with technical backgrounds, but diversity does matter. We need diversity for talent, representation and fairness. Talent is equally distributed among the population, so when you have an under-representation of one or more social groups in your business or industry, you have less talent than there is in the world at large.
We deal with some really complicated issues in cybersecurity, and we need that talent to address those problems. Having diversity also facilitates the representation of different worldviews and different experiences. People with varied life experiences will come at problems differently. Diversity breeds diversity, so from a representation point of view, the more diversity we have the more that sends a message that “you can do it too.” In terms of fairness, opportunities should be open to all and capable individuals should be able to thrive in a fascinating and rewarding field such as cybersecurity, regardless of their gender, ethnicity, sexuality or any other factor.
Jane Frankland has been working in the information security industry for 19 years, is the Managing Director of KnewStart and is author of the soon-to-be-published book IN Security: How a failure to attract and retain women in cybersecurity is making us all less safe and what to do about it. Jane has been undertaking copious amounts of research to write her book and so I asked her what more we can do to improve gender representation in cybersecurity:
“I believe it’s best answered by looking at the three challenges that I believe we need to overcome: attraction, identification, and retention. Looking at attraction, this is really all about how we’re marketing to girls and women about exactly what it is that we do. Right now, cybersecurity has an identity problem and is misunderstood. Identification is all about how we identify and hire female talent… A quick win here would be if we implemented better processes, and used technology at various points to help us. This means, writing job descriptions from scratch whenever someone leaves a team and needs to be replaced. Retention is all about keeping women engaged in the workforce, and fulfilling their potential.”
One of the issues Jane highlights is that we are not adequately communicating to a diverse group of people about what we do. Cybersecurity is perceived to be a very technical subject: this is certainly what I thought of it when I was first headhunted for a cybersecurity consultancy role some years ago. It did not occur to me that someone with my background (in sociology, politics and civic design) would have knowledge, skills and experience relevant to something that; to me at the time, it seemed to be purely about technology. I came to understand that cybersecurity is, of course, about how people interact with technology and information, but this had not been immediately obvious to me. This misconception that cybersecurity is a purely technical discipline means that even those working in more people-focused roles, such as delivering awareness-raising training, tend to have technical backgrounds. Lance Spitzner, Director of SANS Securing the Human sees the problem with this:
“The 2017 SANS Security Awareness Report found that over 80% of awareness professionals have a highly technical background…. while technical people understand the technology and problems we face, they do not have the skills nor experience to effectively engage with employees and communicate those problems. Based on the data we have, awareness is a communications problem.”
Both Jane and Lance highlight the need to communicate opportunities in cybersecurity more widely, and this is pertinent to neurodiverse people, too. At a recent event about neurodiversity and cybersecurity careers organised by IAAC and the Cyber Security Challenge UK, it was suggested that autistic people may only apply for a role if they meet every single requirement listed in the job advert, indicative of the very literal understanding common with the condition. Holly Foxcroft, a neurodiversity consultant, spoke at the event and argued of the need to increase awareness of opportunities and of presenting the industry as desirable to autistic people. According to Foxcroft, “flexibility and work environments” are important factors in desirability.
I asked Holly what, in particular, employers could do to create and develop workplaces that attract and support neurodiverse people:
“If you’ve met one person with Autism, you’ve met one person with Autism. So needs and requirements may change, and that’s why disclosure should be promoted and supported to help retain a NeuroDiverse work place. In return you’ll have a dedicated, hardworking employee who can offer very unique, incredible abilities within a skill shortage sector.”
Calls for diversity are sometimes met with the argument that any initiatives to promote certain social groups give people in those groups an unfair advantage above others in society. People will often say, for example, that they are not concerned with the gender of a person applying for a job; they just want the right person. I asked Jane what she says to this argument:
“Picture the scene. Three people are watching a game of football (soccer). They’re all of different heights and there’s a tall fence that obstructs the view for two of them. Someone comes along and gives them all boxes to stand on. However, the tall person doesn’t really need a box, as he’s tall enough to see over the top of the fence without an aid. The person who’s of medium height can now see over the fence. However, the shortest person still can’t see over. Whilst they’ve all been treated equally the problem still exists. Equity is when each individual is given a different sized box to stand on, in accordance with their height, which enables them to see over the top of the fence and view the game. Although the problem has been solved it’s been done so by treating each individual differently. Ideally, the best the solution would be if a system could be designed that removed the problem altogether, and any need for accommodations, for instance, if the fence were replaced with a see through wire mesh.”
This drive to make cybersecurity, and STEM in general, accessible to all is something that has been central to Steve Lord’s work developing the HIDIOT. Steve is a full-time penetration tester and founder at Mandalorian and co-founded UK Information Security Conference 44CON in 2011. The Human Interface Device Input/Output Toolkit (HIDIOT) is a credit card-sized computer that you can build from scratch, and is aimed at anyone over 11 years old, even if they have never soldered before. In developing the HIDIOT, Steve has created something which will suit all educational needs and is ideal for children with special education needs or those who struggle to focus. Steve told me why this was so important to him:
“The lesson that we should all learn from encouraging diversity in STEM is that nobody should be excluded based on attributes out of their control. Accessibility isn't easy, all we can do is try to provide a base level and improve as best as we can when the opportunity arises.”
This call for diversity echoes statements made by Robert Hannigan, when he was Director of GCHQ, at Stonewall Workplace Conference in 2016:
“To do our job, which is solving some of the hardest technology problems the world faces for security reasons, we need all talents and we need people who dare to think differently and be different. We need different backgrounds, experiences, intellects, sexualities, because it is in mixing all of those together that you get the creativity and innovation we desperately need. As a technology-driven agency, we have to be a vibrant workplace and welcoming to all. Dull uniformity would completely destroy us.”