In this Help Net Security interview, Charly Davis, CCO at Sapphire, provides insight into the current challenges and barriers facing women in the cybersecurity industry.
Davis emphasizes the need for proactive strategies in cybersecurity to attract diverse talent, improve mentoring opportunities, and foster a collaborative organizational culture.
Can you explain the current skills gap in cybersecurity and why it is an important issue for both the private and public sectors?
The widening cyber skills gap has been well known for many years, and I believe several factors are at play. One big factor is increasing demand. Cyber threats are now high on the business agenda, with multiple regulations such as GDPR, DORA, and NIS2 mandating improved security.
However, the demand for more security professionals is always met with too little supply. Cyber is still considered a niche technology field, so not enough young people are entering the industry. We need to attract attention and imagination at secondary school level to ignite passion for the sector and attract school leavers and graduates into the profession as quickly as possible. This problem stems from the relatively young age of the cyber industry, which has not yet matured enough to begin to consider the psychology behind attracting talent and increasing diversity.
For those without a specific IT background, formal training and certification can be difficult to obtain. Personally, I found it difficult to meet the entry-level prerequisites, as many industry-related certifications require a minimum of 5 years of experience. This poses a challenge for individuals who do not have the necessary skills or experience.
At the same time, “brain drain” exacerbates these problems as experienced talent leaves the industry. Cyber is so fast-paced and high-stakes risky that many people choose to exit the field in search of less stressful options. In the UK, we often see people moving overseas in search of better career opportunities and better conditions. This means we are losing qualified, experienced professionals to fill existing roles, and there is also a dearth of new participants.
This is an important issue for all cybersecurity professionals because it means teams are likely to be operating understaffed. Therefore, they may not be able to perform at their best, leading to further stress and creating a brain drain problem. It's a vicious cycle. I think it's especially difficult in the public sector because even though we're talking about potentially national threats, salaries are far below private sector alternatives. On top of that, the public sector is already plagued by legacy systems as well as outdated skills and processes.
What strategies can be implemented to attract more individuals to pursue careers in cybersecurity?
For those who are not yet interested in entering this industry, I think this industry can seem very difficult to enter. Cybersecurity is a huge umbrella term that covers a variety of roles and career paths. You might be traveling the world running a FTSE 100 Red Team project, or working with governments. In the meantime, there are many other options that offer flexible working arrangements that may be particularly beneficial to primary caregivers, who are primarily women.
Very little has been done to capture all these subtleties of the industry and add color to what a career actually entails. This is essential to encourage more people to join the industry.
We also need to make it clearer that while cyber security is a technical field, it is very open to non-technical people. For example, when I first came to the industry, I was a single mom with no formal cyber qualifications or certifications. I started as a salesperson in the IT industry and am currently the Chief Sales Officer for a cyber security company. However, the path to board level or other senior roles is not always clear, and the industry is not particularly attractive to talented people who are well-suited to it.
How does gender diversity strengthen cybersecurity efforts within an organization?
No other industry has such a positive impact on diversity. The core of cybersecurity is looking at the threat landscape and looking at problems from all angles to find solutions. Achieving balance requires a team with diverse backgrounds, religions, genders, skill sets, life experiences, and ages. This diversity leads to more diverse perspectives and potential solutions.
Some days you might have to deal with nation-state actors with different geopolitical profiles, and other days you might encounter young hacktivists. For example, a group of young individuals may be angry at a large trainer company for charging exorbitant prices for their products and decide to retaliate by attacking them. In these cases, having younger team members who can relate to their way of thinking can be very helpful in solving problems.
This is what I really like about cybersecurity. Without diversity, the industry would be even poorer, and it should never be elitist.
What barriers do women face in entering or advancing in cybersecurity?
When I first started my career in cybersecurity, I noticed a lack of female role models. Although the industry began as an offshoot of IT, it has historically been male-dominated. This is where the industry bias began.
Although more women are now entering the cybersecurity field, they still face challenges reaching senior roles, highlighting the need to break through the glass ceiling.
This can discourage women from pursuing careers in cybersecurity, and changes are unlikely to occur until more women are in senior, influential positions.
Job postings often require advanced technical skills or specific qualifications. In my experience, men are more confident and therefore more likely to apply even if they don't meet many of the criteria. However, most workplaces are male-dominated, so a woman tends to apply only if she meets almost all the requirements, for example 99% of the list.
As mentioned earlier, the cyber industry is relatively young compared to other industries. Therefore, it is not yet possible to incorporate psychological indicators into practice. But in the near future, we may see further diversification, just as other industries did some 20 years ago. This could include a more strategic approach to attracting people from diverse backgrounds to the cybersecurity field. Companies in the cybersecurity industry with female directors tend to be better equipped to handle this task.
Can you talk about the importance of mentorship and professional networks for women in cybersecurity? How can we make these networks more inclusive and supportive?
From my perspective, which has a consistent interest in seeking industry expertise for guidance on cybersecurity, there is both good news and bad news at the moment. There are some strong examples, such as women in cybersecurity, but women are reluctant to participate because they don't want to be different from men and want to be part of an inclusive governing structure like Tech Channel. I think it could become a target. Ambassador recently established to address this huge gap in the field
Personal mentoring can really make a positive difference and has definitely had a strong impact on my career. While there is still a lack of structured mentoring programs by companies, more talent is recognizing the gap and reaching out to support those looking to start their careers more proactively. I see it. This is great.
It's important to realize that mentors don't have to be within the same company or even the same industry. I currently coach one person within Sapphire and he coaches six people externally.
On the other hand, I myself have had four great mentors, one of whom is a CEO in the fashion industry. She gives me great perspective on what I do and how my message resonates with someone outside of security. When you only talk to engineers, it's easy to get caught up in jargon. While technical ability is important, there are many other skills that are essential to success and advancement.
What policy and organizational changes are needed to make cybersecurity a more attractive and supportive field?
Two important things need to happen here. It's about making it possible for more people to start careers in cyber, and increasing their chances of staying in the field.
The first issue needs to be addressed at the national level. I don't think enough efforts are being made to encourage students to participate in STEM subjects. This issue overrides the promotion of cybersecurity and has a lot to do with the fact that academia is becoming increasingly outdated. We need to recognize the diversity of learning styles within each classroom.
Not everyone can excel at just sitting still in a classroom for 7-8 hours a day, but those same kids can accomplish amazing things when set free with a Raspberry Pi. We need to go beyond standardized testing to nurture these young minds and help them discover their potential. There are some isolated parts of this that are supported by private companies, but it needs to be done on a wider scale. Several countries, including Singapore, Israel and Australia, are doing more here.
The second issue is more dependent on the individual organization. Recruitment efforts should focus on mindset and ability to learn and develop, rather than an exhaustive list of skills and qualifications. We need more avenues for people to enter the industry so they can discover hidden gems.
Another most important factor is making sure security professionals feel supported. This is a high-stakes field and often leads to highly pressured situations where every decision counts. I think personal mentorship is an effective way to help practitioners deal with these stressful situations. Professionals also need to feel that their employer is on their side and will not use them as a scapegoat when problems arise.