Patching the infosec skills shortage

With the number of data breaches skyrocketing in recent years, and an increase in high profile hacks dominating the headlines, there is growing concern about the impending shortage of infosec professionals required to meet increasing needs.

So ask yourself this: as this skills crisis looms large, why is half the global population still so massively underrepresented? And could it be that the skills gap is a problem of our own making?

The lack of women in tech is a well-documented issue. It’s been talked about for so long, however, that you may well a) assume it must be well on its way to being fixed, or b) have become so tired of hearing about it, that you are desensitised to the topic. The fact is, there’s a whole host of reasons this topic should still be a major area of concern for everyone in tech; from a simple belief in equality (which sadly doesn’t seem to be enough to drive widespread change) to more capitalist concerns (which probably will).

It is estimated that the global cyber-security workforce will have 1 to 2 million jobs unfilled by 2019. With women currently making up only 11 per cent of the workforce, it is, at the very least, a matter of good business sense to encourage women into this growing sector - if women were better represented in security, there would be no shortfall. We should also consider the evidence that having people with a range of backgrounds, experience and viewpoints makes for a stronger team.

For example, businesses with more women on the Board are proven to be more profitable. So why the mismatch between supply and demand? It’s easy and comforting to simply conclude that women just don’t want technical roles, but there’s a wider issue here, in that we are all shaped by our environment. I believe that society’s pervasive message that women ‘aren’t technical’ has a lot to do with it. It moulds women’s interests from an early age when scientific toys are labelled “for boys”, right through education where girls are disadvantaged by a lack of confidence in their ability to study technical subjects. If girls are socialised to believe tech is “not for them”, then is it really a surprise that we find fewer women pursuing careers in areas like infosec?

This message also shapes how women are perceived at work. I still meet people who, on first introduction, assume that my female colleagues and I must work in non-technical roles like HR/PR. This assumption is a minor annoyance for me right now, simply because I know what presumptions lie behind it. It becomes much more than that, however, when women who are applying for technical roles are rated lower than men with identical skills, simply because of their gender.

Unfortunately, even when women manage to get into the tech industry against the odds, it’s not always a welcoming environment to work in. Even women who earn recognition for their tech skills are often still judged in ways male colleagues would not be. For example, I recently attended a technical talk in which the male speaker praised a developer’s coding skills but then repeatedly talked about how “hot” she was; painful. And the worst bit? Nobody intervened.

So what can we do? Individually, we need to speak up when we see sexism in the workplace. I ask this of you particularly if you’re a man. Try to put yourself in my or your female colleague’s shoes (if you have one!) and look around you at the next infosec event you go to, then imagine raising your hand to question something related to gender. Tough, right? We need to make sure that women already in infosec are treated with respect and that it’s a work environment that will attract more skilled women, rather than drive them away.

Next, on a company level, we need to ensure those women can actually get jobs and can progress well once they hold them. We need to re-evaluate hiring and promotion practices - if it’s good enough for the Silicon Valley tech giants, it’s good enough for cyber security companies too.

It’s not all bad news in infosec. There are excellent companies out there that foster a positive collaborative environment (I am lucky to be working for one). The cyber-security startup scene in the UK is growing rapidly and some are being founded by women who actively celebrate the value that females can bring to their business.

So, whatever your role, from SecOps to CISO, developer to founder, look around and ask yourself honestly why there aren’t more women on your team and then use whatever level of influence you have, in both your work and personal life, to try to change that. Don’t let a lack of women in infosec become your most persistent vulnerability.

Dr. Leila Powell, Security Data Scientist, Panaseer
