Women make up less than 20% of the cyber security workforce.
Most practitioners are white and male. Why?
In our first episode, we explored the cyber security skills gap with Matthew Rosenquist. This gap could be filled by more women entering the cyber security talent pool, if only more would do so.
My guest today is Jane Frankland. Jane has worked in cyber security over 22 years, and she has started a global movement to create a more gender diverse cyber security workforce.
She is here today to talk about making cyber security more inclusive. Let's find out how.
I'm really excited for our show today, because we're talking about a topic that's personally important to me. And that's the role of women in cyber security.
Why is this topic important to you, Jane?
I believe that a failure to attract and retain women in cyber security is making us all less safe, and that really only by getting more women into the industry and staying in it will we have greater innovations and greater security.
Women see risk in a different way to men; women are different.
There have been countless studies that have gone on, which I've written about in my book.
So, we know if we look at women in business, particularly in leadership positions, then companies are more profitable.
We stay on track in terms of budgets, and we are on schedule much more and more profitable.
Business is good and better decisions are made as well when there are more women in business. The collective intelligence of a group increases.
When we're more balanced and more diverse as a group, then decision making improves. We know this from a lot of data that already exists on looking at women in business and in leadership roles.
When we look at security, which is all about making better decisions around risk, then we really have to have more women in our organizations helping us to look at risk and make decisions around doing it in a better way.
Now, we also know that women are highly intuitive; they have high emotional and high social intelligence.
We know that they are very good at creating calm when we have times of turbulence. When we have a security incident or a breach that may be making headlines, looking at the data, women are well positioned to deal with those types of things in a very kind of calm way.
Men are graded on other things. It’s when we come together and work together as men and women, we do a much better job.
That’s why my focus has been so much on getting women into the industry and helping them to stay in it.
When I say stay in it, many women are getting tired and burnt out and having to leave.
How did you get into the field of cyber security, Jane?
I got in as a 20 something year old. I started a cyber security business, so my route was not traditional at all. I actually haven’t met anyone who’s way into security was like mine.
So, in my 20s, I built a technology company with a partner. I really didn't know much about technology, because my background originally was art and design.
At that time, I thought that the only areas of interest were AI or security. But AI was really, really new. It was too pioneering at that time really, but security was feasible.
And I thought security sounded cool. I thought it sounded a little bit like James Bond, and I'm smiling because it's cringe worthy me saying that. I know I'm not alone with that or alone at that time in thinking that.
The objective for me building my organization at that time was to make a load of money fast, sell the company, and go off and do what I was really passionate about, which was my art and design.
You know, life has a funny way. Just when you think you got it worked out, things intervene. So, it didn't go according to plan. But that's how I got into security and how my journey began.
Today, we have a large skills gap in cyber security, and not very many women are working in the space. Why aren't there more women?
It's actually a great question, but it's really hard to answer because the research hasn't been done.
When I started writing my book on security, I originally wrote a blog, and then I thought I'll do a report over Christmas on it.
I wrote 15,000 words of that report and then just thought, well, maybe I should turn it into a book. I had a chat with my publisher and did a Kickstarter campaign.
What I found was that so little research it has been done and is being done into this field, and so much more needs to be done.
I wrote about this in the book, but originally programming and tech were both actually very applicable for women.
Women came into those industries in droves in the 60s, and even before that some were entering in the 50s and 40s
Women have always been pioneering and in technology. Ada Lovelace worked in technology in the late 1800s.
We have always been in this space, but as women came into the field through coding and programming, it was advertised as a new type of work for women. We started to see women rise and then withdraw, and some people believe it was because technology became more valuable.
Therefore, women were pushed out of a valuable domain. Men were pushed in, so women were prevented from moving into those positions of leadership or from doing the work.
Then, we saw media doing a really good job of advertising tech careers to boys. Even PCs and video games were advertised mostly to boys.
So we have some clues, but really when we look at security, much more research needs to be done as to as to why women aren't coming in, and also why they are leaving.
That's fascinating. I hadn't realized that a lot of the media and advertisements around technology were so geared towards men.
Yes, particularly in the 1980s and 1990s.
We did have some female characters, Angelina Jolie in Hackers, for instance, is an exception.
We're seeing media change now, but we're still grappling with the past.
Messages are perpetuated in security that it's nerdy or geeky, or oh, you have to be a super brain.
Or, you have to be a guy in a hoodie in order to come and work in this industry. We are actually so diverse really in the industry.
We can be really diverse in the industry, and we have this beautiful opportunity to be even more diverse and more balanced with the types of people that include.
Do you think not having more women in this space has had an impact?
We’re not identifying the threats accurately. You might say we have a tendency to really try to solve problems with technology.
So, how can we get the right people to our work in our organizations? What processes can we look at before actually implementing the technology?
From a risk perspective, if the environment is all male, which it mostly is, we're not going to get the best risk posture, and we're not going to get the best solutions.
The diversity of thinking that comes about from getting men and women in in a room together, so speed, agility, decision making, and the types of solutions that we're putting in place, are all affected by not having a more balanced gender workforce in security.
So, this is a big question I'm going to ask, but how do we change this?
First, we have to become aware of the problem, and we need more research.
I'm so for having data driven conversations. Everything that we do, we have to measure.
What is the effect of bringing more women into the organization? We need to be measuring that.
In order to get more women into a company, you've got to look at your processes to begin with so often, and companies get really irritated by this.
So often I will hear hiring managers say that. “Well, women just don't apply. You know, we're advertising our job, blah, blah, blah.”
And, and I'll ask them, “Well, have you looked at your processes, because I know that women are there. I know that women do want to come in, whether it's after university, or you know, tertiary education, or whether it's because of pivoting. They’ve heard about it, and they're interested in it.”
We’ve really got to look out what are our processes are when it comes to hiring, and what are the messages that we're putting out there? You've got to look at your own messages as leaders and be aware of those.
We've got to look at job specs; we've got to look at language, we've got to look at if we’re making all people feel welcomed - not just women.
But we can do this through our language choices and through our visual communication.
Think about the pictures and the messages that are on our websites.
I'm passionate about getting more women into the organizations, but making it right for all people. That's what we as women want. We don't want to get an advantage because we're meeting our quota or target.
We want and expect to get into the roles because of our ability.
I wonder if cyber security just generally doesn't feel approachable for women Is there a culture happening that feels exclusive?
I think it depends on your age, and also the area that you're looking to get into.
So, I built a penetration testing company. That was my first security company, and I've spent a long time in that world.
Now, I've always found penetration testers or ethical hackers to be very great, absolutely great people. I found them very accepting of me, but I also have heard that they cannot be accepting sometimes.
So, once you're in and you're accepted, great; you're one of them. But sometimes breaking into that can be tricky.
There is this whole culture of having to be on the defensive and being impenetrable, as opposed to actually let's welcome you in.
For us to build the best organizations, you need to build performance. And we have to be open, we have to be welcoming.
We have to take those leaps of faith that quite often can feel totally alien.
How do you coach leaders to build an inclusive culture?
Well, you've got to start with really big picture.
I start with mission and vision and value statements, and really boiling down into those. When I'm working with CISOs, or chief information security officers, often I'll go through a high challenge, high support model.
With high challenge or high support, we're creating environments whereby the people who are coming into their organizations are challenged; they are stretched; and they are made to feel safe. They are allowed to fail, and they are supported through failure.
There are very clear boundaries, so that they can operate in psychological safety.
I start with the leaders and go through mission, vision, values and things like that, helping them to identify their communication and get their pitch right.
What it is that they want to achieve their objectives?
If it means getting more women with great talent into their organizations, then we need to look at processes, in addition to the messaging and communication, and finally culture.
What’s happening when a woman is hired? How are you onboarding them? How are you developing them? How are you setting them up for success?
When you create these high challenge, high support cultures, then you have a fantastic pipeline of talent.
From a personal brand perspective, it’s also in your interest to really work in in this manner. You don't just attract the best talent and build the most amazing companies. You also attract amazing opportunities and opportunities that are aligned with who you are and what your values are and your mission is.
Jane, what is your advice for women who are thinking about getting into the field of cyber security?
Connect with me! Come and join the In Security tribe.
Ther are things that I do just for women, and I'm very passionate about this.
There will also be things that I will do just for men as well, and things that I do for people together.
We need to come together as women in groups so that we can feel safe, so that we can feel vulnerable. We can be empowered and inspired together.
Come and join the tribe come and when you join you will find out about a mentoring masterclass and meetup platform that I am building and will be released this year.
So, that's really exciting because mentoring and sponsorship are two very different things.
In order for us to own our own voices and get our voices out there to get the best projects and to get work that we want to do, we really need to change some of the things that we're doing.
And that means raising our voice and our visibility, and so come and connect with me, and then work on the areas that I've just described.
Personal branding is also something I'm very passionate about, because it tackles the visibility and voice aspect.
I've got programs that I do just for women, and they're around that and then I've got programs that I do with leaders that are around that as well.
As we end, I encourage everyone to go check out Jane’s book, InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe.
See you next time!