Outdated perceptions, unrealistic job ads and a lack of entry points all conspire to exclude women, says USW’s Clare Johnson
When teachers encourage children to think about a future career they tend to run down a familiar list: doctor, lawyer, business leader, scientist, educator, engineer. Technologist may get a look in, but never cyber security professional. This invisibility is bizarre if you think about it, because cyber is one of the most important and in-demand jobs there is, says Clare Johnson, partnerships and outreach manager at the University of South Wales.
“It’s almost as if it’s a closed door,” she says.
The fault may lie, in part, with careers advisors having an outdated view of cyber security as being purely about IT, whereas it is a very broad collection of specialisms these days.
“It’s a bit like multimedia,” Johnson says. “Years back, it was an IT thing. If you had a multimedia website or multimedia marketing materials that fell into IT because it was so new and technical, but now you would be surprised if there wasn’t a specialist in multimedia in your marketing department. It’s just seeped into everything else.”
In order to ensure security seeps into everything else, as it must, security teams need to be more representative of their organisations. Effective defences call for a diverse team that includes HR, governance, data protection, leadership, management and communications expertise. But for many people, cyber security, if they think of it at all, conjours up the Department of No, militaristic imagery, stern controlling characters and a bewildering thicket of acronyms, which can be thoroughly off-putting to the less technically inclined.
Addressing this issue needs to start with education. Johnson works with teachers and children to introduce cyber security concepts at a young age. This can pay dividends, she says, particularly with girls, who at the age of 12 or 13 tend to turn away from technical-sounding subjects. She also visits Brownies units, introducing them to the joys of open source intelligence gathering, otherwise known as cyber-stalking celebs.
“It’s not as sinister as it sounds,” she insists. “What we do is say, find out as much as you can about your chosen celebrity online. They love doing it because they find out little nuggets of information that perhaps they didn’t know, and it’s all readily available on the internet, so it’s nothing secret.
“But at the same time, we can teach them quite a lot of about their own digital footprint. We can teach them about the methods the police would use to search for missing people or for criminals online. We can also teach them about the ethics of how much should you try and find out about somebody. It’s a really good way of teaching them lots of different concepts.”
Another door wedge is recruitment. Agencies in particular tend to put out job ads with requirements for all sorts of qualifications and experience, possibly because they hope to hook the elusive big fish, but more likely because they don’t really understand the positions they are recruiting for.
“A lot of them are completely unrealistic,” says Johnson. “Instead of a specialist role that’s going to deal with the data protection and information security they just think we need a cyber specialist, and they throw everything in that they ever thought of related to cyber security into that one job role.”
Again, this will put off the very people that modern cyber teams need if they are to be truly effective.
“There’s been much research that shows that men are much more likely to apply for jobs when they meet lower thresholds of the criteria than women. Women want to be able to justify their application through every single point, and if you’ve got an entry level job but you’ve got to have five years experience and this or that qualification, well, that’s just that’s just not going to happen.”
Since cyber security is no longer purely an IT concern, organisations should look to train people internally rather than turning to recruitment agencies, Johnson believes. There are many people who would benefit from making a sideways move. In the past cyber was about locking systems down, prohibiting certain actions, calling out transgressions, but these days it is much more about explaining the risk.
“When somebody clicks on a phishing link you don’t want to put them in the naughty corner, you want to say, ‘okay, something’s gone wrong, we want to know about it, and then we can do some education together in terms of what should have been done differently’. It’s more about that cultural awareness and developing that that conversation and providing support networks, which I think women are really good at.”
As another example, it’s more productive to demonstrate how easy it is to crack a weak password than to hand down rules about how long and complex a passphrase should be from on high, because then the information will stick: “Those conversations are much better I think, much more informative for people.”
Opening the door
A career in cyber can be extremely rewarding in both personal and financial terms, says Johnson, but it’s not for everyone. It’s a fast-changing world in which roles evolve quickly and constant learning is part of the job. Being responsible for the organisation’s security is also, understandably, rather stressful. However, in contrast to their rather forbidding image, cyber team members are usually highly supportive, according to Johnson. They all need to get along, and with so many specialist areas: no-one can know everything.
“It’s just having that confidence to go into meetings and be able to say ‘I’m sorry, I don’t know what that is’. I’m always looking stuff up on the internet, even now.”
The cyber skills gap seemingly is as wide as ever. At a time when news of a new ransomware or state-sponsored attack or massive data breach is a daily event, it seems crazy that for many, security is still a closed door. Recently, noticing that few women were turning up to security sessions at the university, Johnson decided to set up a separate women-in-cyber meeting. It was an immediate success, with attendees telling her they’d long been interested in this or that aspect of cyber, but couldn’t see a way in.
Keeping the meetings going requires a bit of effort, she says, but it’s been rewarding.
“You make a contact with somebody else who says, ‘Oh, that was really useful’. That’s why you do it, because you think I’ve changed somebodies feeling about the industry, or I’ve given them the vision of what could be the job for them. That’s makes it all worthwhile, doesn’t it?”
Protect your environment from Ransomware attacks.
Educating yourself and your employees with Cyber Security Awareness Training is the best way to start ensuring your business is protected from cyber-attacks.
Learn more about how The Cloud Consultancy can address and manage your businesses Cyber Security headaches. We can now provision boutique, pro-active, IT support services 24/7/365