Is the lack of diversity in cybersecurity actually making us less secure? Jane Frankland of Cyber Security Capital believes so. She shares her insights on how more diversity in the information security sector can mitigate risks.
It’s well documented that the tech industry has struggled with improving diversity in its workforce. It’s an even bigger problem in the cybersecurity sector. According to the 2017 Global Information Security Workforce Study: Women in Cybersecurity, conducted biennially by the Center for Cyber Safety and Education and (ISC)², only 11 percent of information security professionals worldwide were women – essentially stagnant since 2013.
This statistic troubles Jane Frankland, a cybersecurity business consultant. Frankland posits that the lack of diversity in cybersecurity affects security risk. Her book, InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe, explores the issue further.
Frankland shares her insights on why diversity is important in cybersecurity and how to improve the state of play:
Q: What is the current state of gender diversity in cybersecurity?
I’ve been in the industry for 19 years and I thought there were more women. When I read the (ISC)² report, I was shocked! That’s what spurred me into action – actually looking into the situation. The numbers are decreasing. It’s a sorry state of affairs.
Q: How does the lack of diversity in cybersecurity create a security risk?
Gender diversity is highly topical now. When I first started out, I was looking at it purely as a case that it’s good for GDP, there’s more innovation, there’s more contribution, and it’s good for business. When women are politically and economically empowered, then countries are more stable.
But when I started looking into it from a security perspective, I found that women and men are different and we think differently, and that’s a good thing – particularly when we look at risk, because men and women see risk in a very different way. If you have uniformity of thinking, you’re just going to end up with the same types of answers. Our industry puts up barriers to entry in order to improve the quality, but I think they put up too many barriers to the industry, which I think is holding us back.
In terms of the qualifications, you need to be certified with this qualification, you need to come from this background, or have a certain amount of experience to go into a role. I think they’ve closed doors to a lot of people because they’ve been too specific in terms of what they want. Because they’ve been specific, it’s narrowed the types of people that we have in the industry.
We need different types of people in our industry – [spanning] gender, age, ethnicity – so we can get different perspectives on what we’re doing and get a better output.
Q: How can these barriers be removed to attract more women?
There are two things: attraction and identification. In terms of attraction, you might want to attract younger people. That can be [reaching out to] girls in school, and that can be your pipeline. Equally, you may want to attract those who are already working and want to switch careers. So perhaps they come from a career in law or maybe technology (or teaching, or accounting), and they transfer over because they’ve got good insight and their skills are transferable.
In terms of identification and removing the barriers, it’s really looking at process. For example, what are the job specifications? I’ve seen job specifications where there are 43 bullet points and it’s ridiculous! A lot of the time, women will look at that and be put off, and think there’s no point even applying. So it comes down to better job descriptions in terms of what exactly we need, the minimum requirements, and looking at the language we’re using to make sure it’s neutral language.
Q: What are the unique attributes women can bring to cybersecurity?
[Traditionally,] the workforce wants compliance and uniformity, which stems from the Industrial Revolution. Nowadays, we’re looking for creativity and good thinking. What can’t be automated, what can’t be turned into a machine, is becoming much more prized.
The way we work and what we require is changing. But there’s still resistance to being different. What I’m saying is: it’s OK to be different. It’s advantageous. When people are different, it’s harder work and the communication can be harder, but we work harder to be understood and so we come up with things that people haven’t seen [before]. And we’re not blindsided.
There are two types of routes [that people tend to take into the cybersecurity sector]: from the military and intelligence industry or from tech. That’s fine, but you’re going to get a certain type of thinking because they come from domains like that.
If you bring in people from other fields, like psychology or the arts, you get different viewpoints. Bind it all together, and get a better output.
Women are different from men, but together we’re better. We see things differently; our brains work in different ways. Because of that, we’re much stronger when we work together.