Slow code: Cybersecurity’s gender problem
Despite the cybersecurity industry being borne out of wartime information security and code-breaking operations dominated by women, it is now very much a man’s world.
And the dire lack of women in the industry is putting Australia at risk, experts say.
Just
Estimates of just how big the cybersecurity skills shortage is vary from 11,000 to 22,000 new specialists needed over the next decade in Australia, to a global shortage that is on pace to hit 1.8 million people by 2022. But the lack of women is also a major challenge, experts argue, because in a world where cyber-attacks are increasing, there needs to be more diversity among those tasked with keeping Australia safe.
Cyber security incidents involving Australian networks of national interest jumped by more than 260 per cent from 2011 (313 incidents) to 2014 (1131 incidents), according to Australian Signals Directorate data.
Anne Coull, Westpac’s security risk and culture director, argues that many women have the lateral thinking and engagement skills needed for cybersecurity, including being able to think around problems and bring people together.
“Cybersecurity is not a technical problem anymore, it's a social problem,” says Coull, who has a maths, computer science, and organisational change management background and a masters degree in cybersecurity operations. “You need people who are good at organising, good at communicating, and good problem-solvers.
“Cyber-attacks don't take a direct approach. Most involve social engineering, which means manipulating people to behave in a certain way. For example, malvertisements where you are encouraged to click and they install malware on your machine.”
British entrepreneur and cybersecurity expert Jane Frankland adds that women tend to be more risk-averse.
“We are more inclined to look at behaviour and processes, rather than just a tech solution,” says Frankland, who was named the third most influential person in cybersecurity in the UK last year by industry publication IFSEC Global. “If women see risk in a different way from men, which we know that they do, then we are missing out if we do not use them … to become better at seeing risk in a different light and mitigating it.
“Our job in security is not to secure environments, it's to mitigate risk. The two roles are very different.”
Frankland, who runs consultancy Cyber Security Capital, has been shocked by the declining numbers of women in cybersecurity and is not expecting any improvements when the next biennial Global Information Security Workforce Study is released in 2019.
“I can't see really that we're making any progress,” Frankland says.
In her consultancy, Frankland comes across a huge range of issues – from the very serious, with women experiencing sexual harassment or even assault at work, to the deeply entrenched, such as companies not hiring women or making serious efforts to retain them. Many also fail to address poor work culture, have a lack of flexible working arrangements and turn a blind eye to discrimination.
“A lot of women who contact me are really fed up,” Frankland says.
In Australia, the government released a
Then a year later in 2017, the government and the University of NSW published the detailed
Of the 11 per cent of jobs held by women in global cybersecurity, more than half of those are entry-level or non-managerial positions, the report says. In the Asia-Pacific, women account for 1 per cent of executive management roles, despite entering the cybersecurity profession with higher education levels than men.
The government’s review noted women hold just 28 per cent of information, computer, technology (ICT) jobs and are largely concentrated on lower career rungs. Women receive an average lower pay than their male counterparts at nearly all levels.
It’s an issue in other countries too – in the US, 36 per cent of computing jobs were held by women in 1991. By 2015 that had fallen to about 25 per cent, according to the US Bureau of Labor.
The proportion of female ICT graduates in Australia has been steadily declining since the early 2000s. Today, only one in four ICT graduates are women. However, that’s better than engineering, where fewer than one in 10 graduates in Australia are women.
The leaky pipeline commences early – from primary school – and continues throughout women’s careers to the executive levels, according to the review. Barriers also exist at all stages of employment “from recruitment to career development and performance management, culminating in women leaving the industry”.
But through its National Innovation and Science Agenda, the Australian government invested $13 million over five years from 2016-17 to encourage young women to pursue careers in fast-growing STEM-related fields, which are feeders to cyber security.
Some of the more obvious issues are the industry’s own marketing, a lack of female role models and male-skewed hiring practices. Globally, the report observes women in cybersecurity experience widespread discrimination, persistent occupational segregation and wage inequality.
Gai Brodtmann, Australia’s shadow assistant minister for Cyber Security and Defence, says a 2016 survey suggested 60 per cent of women working in Silicon Valley had experienced unwanted sexual advances. “Two-thirds of these women reported the advances came from their superiors,” Brodtmann says.
The government’s Women in Cyber Security Literature Review makes two key recommendations – that the definition of cybersecurity skills be redefined to attract women from more diverse backgrounds, including human resources and business management. And that efforts need to be made to thaw the “chilly climate” women face in ICT and STEM jobs through increasing transparency, accountability and flexibility, rethinking the culture, preventing discrimination, harassment and bias, establishing clear career paths and supporting mentoring and other development opportunities for women.
Westpac’s Coull agrees there needs to be a broader talent pool and suggests women from all walks of life should be drawn into the industry. In her own team, Coull deliberately hired women of varying ages from diverse backgrounds.
“We've got a couple with a technical background, project management, change, communications, data analysis, marketing, someone from a call centre, and an ex-EA,” she says. “It's been seen as one of the most successful programs purely because we've got that mix.”
Coull wants to see broader pathways for women to get into the industry. “I actually think you can pull women in from all ages, with different experiences,” she says.
Brodtmann says more coordinated planning is desperately needed. She wants national jobs and skills maps that draw upon government, educational institutions and industry.
At the moment such mapping exists only in pockets, Brodtmann says. She puts the skills shortage in the next year at about 19,000. “That's a significant shortage, and that's why this [needs to be] a national project,” she says. “If we're going to keep this nation safe and prosperous and secure, we've got to address this yesterday.”
All sections of the “leaky pipeline” need to be attacked at the same time, Brodtmann says. “You can't be progressive on this, or sequential. We've got to address this at every level. We can't afford not to.”
While it's a major challenge to increase the number of women in cyber, “it is doable”, says Coull. “It's about sitting down, mapping it out, finding the right connections and getting the momentum. It just needs to be set up in the right way so that it becomes an integrated piece.”
This is an edited version of a story originally published on Westpac IQ.