Cyber security skills Gender Gap
A couple of years ago, I was involved in an exercise to identify talent in cyber security/ethical hacking and help recruit individuals into the profession. My role was the head of a gang of cyber terrorists and I was duly identified and arrested.
Such, it would appear, are the lengths we must go to these days to find candidates with sufficient skill to protect our networks and businesses from data breach and cybercrime. What I found most disappointing was the diversity of the candidate pool. Of forty-two contestants, only one was female.
Forward-wind to last November and I’m in Düsseldorf at the final of the European Cyber Security Challenge (just observing this time). Ten teams of talented individuals from ten countries, all aged 14-30. The level of aptitude gave me hope for the future security of our continental digital economy but, yet again, I was left bemused and alarmed by the gender deficit. Of ninety-nine contestants, ninety-six were male.
In March this year I was at the final of the InterACE competition at Cambridge University. Inter-ACE is an annual cyber security competition run by a consortium of sponsors including the National Cyber Security Centre, and forms part of the Cambridge 2 Cambridge (C2C) competition. C2C was founded in 2016 and announced by Barrack Obama and David Cameron as part of a series of initiatives aimed at harnessing the nations’ collective brainpower to combat global cyber attacks. InterACE did slightly better in my unintentional Gender survey, with a male to female head count of 85/15 but it was still wildly disappointing.
“So what?” I can guess you’re thinking right about now. “Maybe girls just don’t like Cyber Security competitions.” Well, whilst that may very well be the case, unfortunately it’s a trend that’s reflected in the workforce generally.
Gender gap in security
In March 2017, (ISC)2 published the largest-ever survey of over 19,000 cyber security professionals, which revealed a chronic shortage of women working in cyber security amid a widening skills gap, with women forming just 7% of the European cybers ecurity workforce, amongst the lowest proportion anywhere in the world.
Part of the eighth Global Information Security Workforce Study (GISWS), the Women in Cyber security report surveyed 3,694 cyber security professionals in Europe, with 1,043 from the United Kingdom. In the UK, the proportion of women stands at just 8%, significantly less than the proportion of women working in all STEM industries across the UK. The revelations follow the recent pledge to introduce cyber security into UK schools to help plug a skills gap that the Government says is a “national vulnerability that must be resolved”.
The survey also found that women in the European and UK cyber security industry are subject to the worst gender pay gap of any region in the world. In Europe men earn 14.7% more than women, while in the UK men earn 15.5% more.
If that weren’t enough, the responses highlight the fact that European and UK employers prioritise candidates with technical experience and qualifications, inadvertently favouring men and filtering out women because they are less likely to study STEM subjects. Thirty-five percent of organisations in the UK state that they look for a technical degree while just 27% of female professionals in the UK have studied computer science degrees, compared with 41% of men.
None of this is great news if you’re a woman either working in, or considering a career in cyber security so it’s no wonder the numbers I’ve been able to observe in recent years are borne out by the (ISC)2 survey. Despite the Chancellor’s claim to be “taking decisive action” and the wider Government observation that the skills gap in Cyber Security is a “national vulnerability that must be resolved”, as a profession and as a nation we’re not making much headway.
Here’s what my boss, Adrian Davis, EMEA MD at (ISC)2, had to say about it: “These results highlight that the infosec profession is missing out on the talents and skills of 50% of the (working) population: women. The issues of the pay gap, overt discrimination and focus on ‘techie’ skills and qualifications make our profession highly unattractive to women. Yet, if we are to succeed and thrive as a profession in an age where our skills and knowledge are in high demand, we must address these issues urgently and constructively: doing so will future-proof our profession and enhance our skills and reputation.”
And I agree wholeheartedly. The problem is how do we address these issues urgently and constructively? Gender diversity is really, after all, only the tip of an ever-looming iceberg.
Two years ago, IT was replaced with Computer Science on the Secondary School National Curriculum. Primary Schools are now required to teach coding. The Government is investing £20m in a new cyber security programme for secondary schools and GCHQ has been accrediting computer science courses for universities for some time now; but all of this work doesn’t solve the day-to-day recruitment and retention issues faced by global corporates and the Small Medium Enterprise (SME) community that is the backbone of UK PLC.
My personal opinion is that less weight should be put on technical qualification and more on the individual. Cyber talent doesn’t often fit the traditional behavioural competency recruitment model and some of the best talent may not be registered with your favourite recruitment consultants. I would, for example, recommend anyone with recruitment responsibilities has a read of the Information Assurance Advisory Council’s “Autism and Careers in Cyber Security – A Short Guide for Employers” available from www.cybersecuritychallenge.org.uk
Often those with real aptitude, of any gender, may not ‘sift’ or interview well, but those companies and business owners who are prepared to move away from legacy HR methodologies are often pleasantly surprised at the results. Whilst we wait for mainstream education to start producing the talent we’re all desperately searching for, it can often help to take a chance on some raw talent and offer them industry training in-post.
But what do I know? Why not try it for yourself and see what happens…
Brian Higgins JP
Director, Public Services,
Women’s Security Society, and Business Development Manager (ISC)2 EMEA (at time of writing)