Making cybersecurity more appealing to women, closing the skills gap
In this Help Net Security interview, Charly Davis, CCO at Sapphire, provides insights into the current challenges and barriers women face in the cybersecurity industry.
Davis emphasizes the need for proactive strategies to attract diverse talent, improve mentorship opportunities, and foster supportive organizational cultures in cybersecurity.
Could you explain the current skills gap in cybersecurity and what makes it a critical issue for both private and public sectors?
The widening cyber skills gap has been well-publicised for many years, and I think several factors are at play. One big contributor is rising demand – cyber threats are now very prominent on the business agenda, and we have multiple regulations like the GDPR, DORA, and NIS2 with a mandate for better security.
But supply is consistently too low against the demand for more security professionals. There are not enough young people entering the industry because cyber is still largely seen as a niche technical field. We need to capture attention and imagination at the secondary school level to kindle a passion for the field and entice school leavers and graduates into the profession ASAP. This issue is a result of the cyber industry being relatively young—it hasn’t yet matured enough to start considering the psychology behind attracting talent and improving diversification.
Obtaining formal training and certification can be challenging for individuals without a specific IT background. Personally, I found it difficult to qualify for entry-level prerequisites for many industry-relevant certifications, as these necessitate a minimum of five years of experience. This poses a challenge for individuals who do not possess the necessary skills or experience.
At the same time, “brain drain” further compounds these issues as experienced personnel leave the industry. Cyber can be very fast-paced and high-stakes, and many people are choosing to exit the field in search of less stressful options. In the UK, I also see talent relocating overseas to pursue opportunities with more chances for progression or better conditions. That means we’re losing qualified and experienced professionals in established roles as well as lacking in new joiners.
It’s a critical issue for all cyber security practitioners because it means teams are likely to operate understaffed. That can prevent them from working at their best, leading to more stress – contributing to the brain drain problem. It’s a vicious circle. I think it’s especially challenging in the public sector because we’re potentially talking about nation-state threats, but the pay is far below private sector alternatives. Added to that, the public sector already struggles with legacy systems and often equally outdated skills and processes.
What strategies can be implemented to attract more individuals to pursue careers in cyber security?
I think the industry can seem quite impenetrable to people who aren’t already interested in breaking into it. ‘Cyber Security is a huge umbrella term that covers many different roles and career paths. You could be travelling the world carrying out red teaming projects for an FTSE 100, or you could be working with governments and contributing to national security. There are also many other options in between, which offer flexible working arrangements that can be especially beneficial to primary carers, who are mostly women.
Very little is done to capture all these nuanced elements of the industry and bring some colour to what the career really entails. This is essential to inspire more people to enter the industry.
It also needs to be made more apparent that, although cyber security is a technical field, it’s very much open for people from non-technical backgrounds. When I first came to the industry for example, I was a single mum with no formal cyber qualifications or certifications. I started off in IT as a salesperson, and now I’m Chief Commercial Officer at a cyber security company. But the pathway to board level and other senior roles isn’t always overly clear and the industry doesn’t prove particularly attractive to otherwise talented individuals that would be suited to it.
How does gender diversity enhance cybersecurity measures within an organization?
I couldn’t speak more strongly of any other industry where diversity has such a positive impact. At its heart, cyber security is all about looking at the threat landscape and considering problems from all angles to find solutions. To achieve balance, a team with diverse backgrounds, religions, genders, skill sets, life experiences, and ages is needed. This diversity leads to more diverse perspectives and potential solutions.
On some days, you may need to deal with nation-state actors with different geopolitical profiles, while on other days, you may encounter some young hacktivists. For instance, suppose a group of young individuals are upset with a large trainer corporation for charging exorbitant prices for their products and decide to retaliate by attacking them. In such cases, having younger team members who can relate to their mindset is immensely beneficial in resolving the issue.
This is something I really love about cybersecurity. The industry would be much poorer without diversity, and it should never be elitist.
What barriers do women face when entering or advancing in cybersecurity?
When I first started my career in cyber security, I noticed a lack of female role models. The industry originated as an offshoot of IT, which has historically been male-dominated. This is where the bias in the industry began.
Although more women are entering the field of cyber security today, they still face challenges in obtaining senior positions, highlighting the need to break the glass ceiling.
This could discourage women from pursuing a career in cyber security, and change is unlikely until more women hold influential senior positions.
Job listings often require highly technical skills and specific qualifications. In my experience, men are more likely to apply even if they do not match many of the requirements due to their confidence. However, since most workplaces are heavily male-dominated, women tend to apply only if they match almost all of the requirements, say 99% of the list.
As discussed earlier, cyber is relatively young compared to other industries. Therefore, it has not yet been able to incorporate psychological metrics into its practices. However, we may witness more diversification in the near future, similar to what other industries did about two decades ago. This could involve a more strategic approach to attract people from different backgrounds to the field of cyber security. Companies in the cyber security industry with women on the boards tend to be better equipped to handle this task.
Can you discuss the importance of mentorship and professional networks for women in cybersecurity? How can these networks be more inclusive and supportive?
From my perspective of a consistent interest in seeking industry expertise for guidance and mentorship in cyber security there is currently both a good news and bad news story. There are some strong examples out there, like Women in Cybersecurity, but I think women can be reluctant to join them because they don’t want to be different to their male counterparts and want to be part of an inclusive operating structure such as Tech Channel Ambassadors recently established to address this significant gap in the sector
Personal mentorship can drive really positive change, and it’s certainly had a strong influence on my career. There’s still a shortfall in organised mentor programmes with businesses, but I see a lot of talented people identifying that gap and reaching out to support those starting out in their careers more proactively, which is fantastic.
It’s important to realise that mentors don’t need to be within the same company or even the same industry. I’m currently mentoring one person within Sapphire and six others outside the company.
Meanwhile, I’ve had four incredible mentors myself—and one of them is a CEO in the fashion industry. She gives me a great perspective on what I’m doing and how my messaging resonates with someone outside of security. It’s easy to get wrapped up in jargon when you’re only talking to technical people. While technical ability is important, there are many other skills that are essential for succeeding and advancing.
What policy or organizational changes are necessary to make cybersecurity a more attractive and supportive field?
Two key things need to happen here, getting more people to launch careers in cyber and making it more likely that they’ll stay in the field.
The first issue needs to be addressed on a national level. I still don’t think we’re doing enough to encourage students into STEM subjects. This issue supersedes promoting cyber security and has a lot to do with the fact that academia is increasingly outdated. We need to recognise the varieties of learning styles within each classroom.
Not everyone excels by sitting still for 7-8 hours a day in a classroom, but those same kids could do amazing things if you let them loose with a Raspberry Pi. We need to go beyond standard testing to nurture these young minds and let them discover their potential. There are some isolated pockets of this, often backed by private companies, but it needs to happen on a much wider scale. Several countries – Singapore, Israel, Australia, to name a few – are doing much more here.
The second issue is more down to individual organisations. Recruiting needs to focus less on exhaustive lists of skills and qualifications and more on mindset and the capacity to learn and develop. We need more pathways for people to enter the industry so we can discover those hidden gems.
One of the other most important factors is ensuring that security professionals feel supported. It’s a high-stakes field that often leads to very pressured situations where every decision is critical. I think personal mentorship is an effective way to help practitioners cope with these stressful situations. Professionals also need to feel like their employer has their back and won’t use them as a scapegoat when things go wrong.
Fill out the form to get your free eBook: