CGP 25 | Crisis Management

Interview With Ashley Baich Of Accenture To Celebrate National Cybersecurity Awareness Month

Joining us for another episode of our special National Cybersecurity Awareness Month series is Ashley Baich. Ashley is the Readiness and Crisis Management Security Consultant at Accenture in their Cyber Investigation, Forensics, and Response (CIFR) practice, responsible for helping organizations flex their crisis response capabilities. She chats with host Sherry Bevan about her journey into cybersecurity and why she had her sights set on the field before even graduating. Ashley also speaks on the challenges and possible turnoffs going into such a male-dominated industry, the strides being made to close the gaps, and the opportunities for more women entering the field. Tune into this episode to learn more.

Listen to the podcast here

 

Interview With Ashley Baich Of Accenture To Celebrate National Cybersecurity Awareness Month

In this mini-series, to celebrate National Cybersecurity Awareness Month, I’m talking to several women about their careers in cybersecurity. In this episode, I’m delighted to be talking to Ashley Baich. Welcome, Ashley. Thank you so much for joining me.

Thanks for having me, Sherry.

Ashley is a readiness and crisis management security consultant and has been working for Accenture for the past two years. Let’s jump right in to find out more about Ashley’s career in cybersecurity. Ashley, I know you’re a fairly recent graduate. What did you study before you got started in your consultancy career?

I graduated from the University of North Carolina, Chapel Hill, which is on the East Coast of the United States. I graduated with a BS in Information Science and a BA in Journalism.

Information Science and Journalism are quite an interesting mix. Was there a lot of overlap between the two?

Not overlap, but they complemented each other pretty well. I always knew I wanted to go into cybersecurity in some capacity and use those four years of undergrad to decide what aspect of security I wanted to be a part of. My Journalism degree came from the desire to bridge the communication gap between IT and business. Unfortunately, my university didn’t have a degree in Cybersecurity. Information Science was the closest thing that I could major in that gave me a little glimpse into the cybersecurity world, but I still had a lot to know when I graduated in 2020.

I’m curious because I don’t know many people who go to university thinking they want to get a career in cybersecurity. What is it about cybersecurity that piqued your interest so young?

My father has been in cybersecurity for the past 30 years. It was definitely a topic at the dinner table. That’s definitely where I initially found a spark, but then I was gifted the very unique opportunity in my senior year of high school to write a white paper for a startup. I’ve always been very passionate about writing. I didn’t know what type of writing I necessarily would want to do long-term.

The startup approached me and asked if I would be interested in writing a white paper. That white paper turned into five wonderful years being on their marketing team as an independent contractor as I went through my university years. By the end, I was the longest-standing member of their marketing team. They were acquired by Symantec, which had turned into Broadcom.

It was a great experience, but that was my first exposure to cybersecurity personally, besides hearing about it. I saw the wide variety of opportunities within the field. Even if at the end of the day, I only wanted to write, it was a cool thing to write about. That passion shifted more to the incident response crisis management side of the house, but that’s how I started. It was in my senior year of high school. I was eighteen years old trying to make a little extra money and here I am now.

There’s a wide variety of opportunities within the field.

My father worked for IBM so it was almost a given that I was going to end up in technology in some shape or form, but it certainly wasn’t the career that I had planned on doing. Often, it’s those conversations around the dinner table that spark or ignite a thought of what you might want to do later in life. How did you make the move into the role that you are doing now? Tell us about what you do now.

In between my junior and senior years of college, I realized I probably should get myself an internship. I had a lot of Business major friends who were applying to consulting. I was like, “Interesting.” I didn’t know that much about it. I started looking and saw that cybersecurity is an aspect of consulting. You can consult for cybersecurity. As someone who didn’t have a lot of experience in cybersecurity besides my marketing experience and then my Information Science degree, I was like, “We can do that.”

I had the opportunity to intern for Accenture between my junior and senior years. I worked for Accenture Labs. It was internally facing. I was helping them bridge the communication gap between all the awesome research that our researchers were doing and their ability to communicate that with the consultants to then be able to share with our clients. I still got to use my journalism degree and do that, but get to touch on different aspects of cybersecurity that I didn’t have the opportunity to do on the marketing team.

I then received my return offer going into my senior year of college, which was great. I got to enjoy that senior year knowing that I had a full-time job waiting for me at the end. I joined our technology development program as a security analyst. It’s a soft line to financial services. What was great about that start was I got to touch on a wide variety of cybersecurity projects. I did policy writing, a merger of two large financial institutions, and picking and choosing the best of each security program. I got asked to be part of surge support for nine days for a client who needed more hands and more help. Nine days turned into four months. I enjoyed the crisis management and response work that I had the opportunity to do for that client.

Slowly but surely, I found my way to the CIFR team and officially joined in November of 2021. That was my journey to my current role. As part of the Cyber Investigation, Forensics and Response team, I have the opportunity to help organizations prepare for crises as a readiness consultant, but then I also have the opportunity to go in as part of the crisis management team during actual incident response to help the C-Suite manage the crisis.

That sounds like you’ve crafted your journey into cybersecurity and it sounds like you’ve landed on your feet. I can tell from your enthusiasm that you love what you do, which is always good when you’ve got work that you enjoy. Ashley, clearly you love what you do and you’re very passionate about it. What’s been your biggest challenge working in the cybersecurity world?

I think the biggest challenge that I’ve had to deal with is something that a lot of people have dealt with working through the reality of a huge organization. With Accenture, I think we are at 750,000 employees now. It’s a huge organization and what comes with that is a set of rules and procedures that must be followed. The largest challenge I have seen as it relates to that is when it comes to the promotion cycle. While I wish at the end of the day, it was solely based on performance and what you’re bringing to the cap table and what you’re capable of and the experiences that you’ve had, at the end of the day, there are rules around how long you have to stay at a level before you can be promoted.

CGP 25 | Crisis Management
Crisis Management: At the end of the day, there are rules around how long you have to stay at level before you can be promoted.

 

That can be a frustrating challenge to endure because as part of the crisis management team, I’ve had experiences where I am sitting next to the global CISO of a Fortune 100 company, working with them directly day-to-day, and have made considerable impacts on their crisis response. While that might fall under the roles and responsibilities of someone at a much higher level than myself, I am still under the pay band and roles and responsibilities of a consultant.

It’s a challenge I deal with daily, but one thing that makes it enjoyable still is the team that I work for. Having the opportunity to sit next to the CISO, even with the title of consultant is quite an honor. We run a relatively flat team, which makes me have those opportunities. While it’s still a challenge, I’m able to overcome it by thinking about it that way. At the end of the day, if I’m still able to perform the responsibilities that let’s say a manager would perform, I’m still fulfilled.

What about your proudest achievement?

I would say my proudest achievement to date was the opportunity to set foot on a client site during a major cyber crisis. I walked into their war room and see the absolute dread on some of these C-Suite faces not knowing what the week was going to hold and how they were going to recover from this incident. Sitting beside them for three months over the Christmas holiday and not leaving that project until there were smiles on their faces. We had overcome all of the challenges.

They were in recovery. They were transforming their security posture and had the buy-in from the rest of the C-Suite to do so. They were getting the money they needed from the board of directors to continue to make this transformation into a stronger security team. I can’t put into words how that makes you feel. You go in when they’re at their absolute worst and you don’t leave until they’re in a much better situation.

It gives you that warm fuzzy feeling to know that you’ve gone in when they’re in a crisis and you’ve left when they’ve got those smiles on their faces again.

You can see the impact that you’ve made. I truly feel like I’m making a difference and that’s very rewarding.

What do you see as being the most valuable skills working in this sector?

In my role, I would say that the most valuable skills are oftentimes soft skills. I have a wonderful incident response team that goes in and does the more technical responsibilities when it comes to responding to a crisis like doing the forensics, eDiscovery, and all of that. My role specifically is more soft skill driven. It’s the ability to understand what the incident response team is doing, what the findings are, and drive the business value from that. Also, be able to communicate that with my key stakeholders, but then also help my key stakeholders communicate that to the rest of the organization.

The most valuable skills are oftentimes the soft skills.

In the meantime also, the organization is a huge one. During a crisis, there are a lot of different workstreams going on. There are a lot of cooks in the kitchen and third parties that need to be considered and things of that nature. Helping the C-Suite be able to organize themselves and develop relevant tasks, prioritize those tasks, and assign them to the right individual is extremely valuable. In a high-stress “what’s going on” situation, it takes a lot of organization and the ability to step back, remove yourself from the stress, have an open mind, and think through the strategy of how you’re going to tackle the day, the hour, the next ten minutes, and things of that nature.

Those are the two key skills that have helped me be extremely successful in the crisis setting. In the readiness setting, since I don’t just do crises, those are very high intense and long day situations. When I have the opportunity to take a step back and do readiness work, go into a client and help them enhance their incident response plan or run a crisis simulation and things of that nature, communication is still important. Also, being able to think outside the box and think through the crisis situations that I’ve been a part of. Helping organizations proactively continue to improve their incident response capabilities so that they can respond the best when they do fall victim is another skill that is important in the incident response crisis management world.

Opportunities for women in the sector, I know that there seems to be a skills shortage generally, but what are the opportunities for women in the sector?

They’re endless. I’ve talked to marketing. I’ve talked to communications and the business side of things. There’s a huge technical shortage as well. For me, being a part of that technology development program to start helping me identify what niche I wanted to be a part of, and there are endless niches. You can create your own.

I don’t necessarily think that my career path is going to be just crisis management, but even crisis management as a workstream is something that is still so new. There are not many organizations that have invested in that workstream yet. The beauty of the opportunities is endless. You can have an open mind and create your own. At the end of the day, there are a lot of organizations that would love to invest in women who are interested in developing a skillset, and finding what they want their niche to be.

It’s identifying a current gap in the security program where you can use the skillset you have to provide unparalleled value. That’s a hard question to answer because there are so many different ways that I think you could. For anyone that’s interested in getting involved and doesn’t think that they have the background to make a decision on what niche they want to be a part of, to begin with, I know most organizations these days have that development program. They have the opportunity for you to start and look at cybersecurity as a whole. Pick what aspects you want to be a part of and try them out. That is extremely beneficial and a great approach to getting your feet wet.

CGP 25 | Crisis Management
Crisis Management: There’s a lot of organizations that would love to invest in women who are interested in developing a skill set, finding what they want their niche to be, and identifying a current gap in the security program where you can use the skill set you have to provide unparalleled value.

 

Ashley, you’ve talked about some of the skills that you use, but what do you think puts women off applying to work in cybersecurity?

There are two things and they go hand in hand. I’ll start with the first and that’s job postings being daunting in and of themselves. You look at the skills required or even what the description of the job is. This is not only in the cybersecurity field. Oftentimes, someone may not be super confident in the fact that they are the right fit. Typically, if I look at a job posting and I’m not sure if I’m the right fit, I would still apply and go through the interview process. That’s the whole point. You’re interviewing the company as much as they’re interviewing you so you can see if there is a good fit.

When it comes to cybersecurity and the gender gap that we already see within the field, it can be a turnoff for women. They look at the job posting. They’re unsure. Maybe they do still have the courage to apply, but then every interview that they have from that point on is by a very successful senior male figure. It’s hard for them to imagine themselves in that role as a female, knowing that they’re going into a very male-dominated environment.

It’s hard for women to imagine themselves in that role as a female, knowing that they’re going into a male-dominated environment.

I am the only female that is on the crisis management team, and one of three females on the readiness team at Accenture. I’ve had a great experience. Someone had to point out to me that I was the only female on the team, but I know everyone doesn’t have that experience. It takes a lot of courage to put yourself in those uncomfortable situations to even apply for a job you’re not fully confident in.

You add that to the mix and it can be extremely daunting and a turnoff to many. I think there’s a lot of change in the cybersecurity field these days. People are aware of the fact that it is male-dominated. I will give a shout-out to my male leaders. They pointed out and they have the conversations. They’re trying to make strides to minimize that gap. As women, we also have to apply for them to be able to minimize the gap. I don’t want to forget that part of the equation too.

Finally, what’s your top tip for anybody that wants to get into cybersecurity? What would you suggest they do?

I would go in head first. If I’m being honest, as we’ve talked a lot about here, there are so many different opportunities and skillset that you can leverage to be successful in the field. The way that I was able to find my path was going in head first trying a wide variety of things until I found my niche. I would encourage anyone who has any potential desire to be in cybersecurity to go in and give it a try. We have such a shortage. Everyone is going to be grateful that you’re there.

CGP 25 | Crisis Management
Crisis Management: For anyone who has any potential desire to be in cyber security, just go in and give it a try. We have such a shortage. Everyone’s going to be grateful that you’re there.

 

If you’re on the right team, they’re going to encourage you and teach you along the way. At the end of the day, it’ll be a great learning experience. At the very least, you might find your niche and passion, and years later, be excited to go to work every day and want to have the opportunity to be on shows like this to encourage others. I couldn’t say enough positive things about my experience thus far. I would recommend for anyone that’s potentially interested to go in head first and see how you feel a few months in.

Ashley, thank you so much. I’ve enjoyed hearing about your career, how you got started, and the skills you use. It’s fantastic to hear somebody talking about cybersecurity with such enthusiasm and passion. Thank you very much for joining me in this episode.

Thank you for the opportunity.

If this conversation has sparked or thought in your mind about how you recruit your female talent, let’s have a conversation. To give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining more female talent, simply email me at Sherry@SherryBevan.co.uk to book your call. Thank you and I’ll see you in the next episode.

 

Important Links

 

About Ashley Baich

CGP 25 | Crisis ManagementAshley is a security consultant whose work is focused on proactively improving organization’s resiliency to cyber threats and advising organizations through cyber crisis’. A readiness and crisis management consultant at Accenture in their Cyber Investigation, Forensics, and Response (CIFR) practice, she is responsible for helping organization’s flex their crisis response capabilities.

CGP 26 | Profit For Purpose

National Cybersecurity Awareness Month Special: The Profit For Purpose Mission In Cybersecurity With Dr. Jacqui Taylor Of Flying Binary

The cybersecurity career path appeals to women because it is purpose-driven. But most of technological innovation is driven by profit. Dr. Jacqui Taylor believes that the best of both worlds can be combined in what she calls a profit-for-purpose model. As the co-founder and CEO of Flying Binary, Jacqui is on a mission to create an inclusive technological future for everyone, and she believes the profit-for-purpose is the way to do it. In this conversation with Sherry, she explains how she made her way to a cybersecurity career and the massive role she’s now playing in detecting and fighting bad actors, including in what’s widely-considered to be the world’s first cyber-warfare history, which is currently underway in Ukraine. She also explains why the cybersecurity space is especially conducive to inclusion initiatives and how women and other underrepresented sectors can start their career path in the industry.

Listen to the podcast here

 

National Cybersecurity Awareness Month Special: The Profit For Purpose Mission In Cybersecurity With Dr. Jacqui Taylor Of Flying Binary

In this mini-series to celebrate National Cyber Security Awareness Month, I’m talking to a range of women about their careers in cybersecurity. I’m delighted to be talking to Dr. Jacqui Taylor. A very warm welcome to you, Jacqui. Thank you so much for joining me.

It’s great to be here with you, Sherry.

I feel very honored to have Jacqui as a guest and there’s so much I could say about her. She’s been voted one of the most influential women in UK technology. One of the most inspiring women in cyber. She’s been awarded an honorary Doctorate of Science and recognition for her international science work. There’s so much I could say.

In 2016, she pivoted her company FlyingBinary to meet the challenges of Web3, metaverse, and the industrial internet of things with spectacular results. Let’s jump right in to find out more about Jacqui’s career journey in the cyber world. Jacqui, I know you’ve been involved in technology in cybersecurity for a long time, but how did you get started?

I was due to take a management role in the UK’s post office and my mother took very serious ill and ultimately died in a few months. My whole career was upended because I had done an internship at a local aerospace engineering company. They came to me and said, “We can support you. We can support the family.” That was helped by the fact that my father was one of the directors, but they saw what I’d done as an intern and were keen to keep me.

I went into that and that was my start in aerospace engineering. It all went swimmingly well until I qualified. My dissertation was at a new jet engine technology to reduce the noise pollution in our cities and the first aircraft off the production were for a Middle East client. As a female engineer, I was not somebody suitable to run that.

My managing director said, “I wonder what will happen if I put an aerospace engineer into the technology department.” Then the answer was nothing because I was horrified by what I found. The long story short was, effectively, that was the beginning of software engineering for the aerospace industry because we needed to put engineering at the core of what we did because otherwise, planes would fall out of the skies, and it wouldn’t be a good thing. That’s a subtle piece that I did in terms of an industry intervention to solve the noise pollution of our aircraft. It’s something that has been a thread throughout my career.

How did you get started specifically in Cybersecurity then?

As a technologist, it’s something I have been interested in because it’s out there. It’s that societal piece. I have been a white hat for some time and I have worked with many people to do many different things. FlyingBinary’s mission is inclusion, leave no one behind. We firmly believe the future’s female and that the GDP growth that an inclusion agenda drives because I have done the assessment for 60% of the world’s GDP, so it’s a very powerful agenda.

Everything we do for the government across the world has a cyber component. We are a cyber essentials company using the national cybersecurity center accreditation, but that wasn’t our focus. Our focus was building technology for Generation Z or until I spoke at Davos in 2019 Generation Alpha and to unlock their talents for the world. We knew that technology could be leveraged and be an enabler and we were building that deep technology.

The websites that we pioneered that I got the honorary Doctorate for was the foundation of our engineering background because my cofounders are electrical engineers. The combination of that science, pioneering science and the engineering background gave us an offering that hadn’t been seen before and it’s still unique across the industry.

I created the blueprint for Europe. I started my work in 2014 as an independent advisor to Minister Calvin’s office. I had the opportunity to create the blueprint for the future of Europe and for the industrial internet of things. That’s when we are all connected up and humans and robots. The day I did that was a major day in my life. I’d written my second book. I was there to present that work. It was the day that I had to come home to the UK.

I had to be on the last Eurostar train from Brussels and they guaranteed that for me. At 5:00, the doors opened. The men with guns arrived and said, “Which one of you is going to London?” That was the day that Paris was attacked. The reality of it was the technology we’d been building to create that societal intervention was also technology that the criminals didn’t have access to that allowed us to see what they brought to.

I came home on that Eurostar. I did my intervention with the high commissioner of Bangladesh on Saturday in London. We got back on that Eurostar on Sunday. Having pivoted the company to be accounts terrorism company and deploy that technology to safeguard us all against the terrorists, drug traffickers, and people traffickers. The reality of it was we had unlocked the societal piece, but there were those within society that were determined to destroy it.

800 people, 16 companies of what we built up far, down to 200 people, 6 companies that moved in to cancel terrorism agenda. Now up to seven companies because we have added something. That was around changing the way other people looked at technology, which was profit-driven. How do you make money out of this tag? To something that for us was purpose-driven, but it was with profit. It was a profit-for-purpose agenda, and that was the day that began and that caused me to look at everything in the world very differently.

Particularly what cyber was going to mean to us in the future, given the criminal activity that we had uncovered and why that was a key change in our whole industry, and then what we were going to do about it. We have been in that domain ever since. I have been in working in Ukraine since 10th of February, 2022 and we are in our seventh month now and the first ever cyber warfare that the world’s ever known. We will stay here. Our world has gotten more dangerous since that day on the 13th of November, 2015. FlyingBinary’s mission is inclusion but in a cyber safe way.

It’s very interesting that you mention this societal mission, this profit with purpose, because for lots of women, that appeals having a career with purpose. It seems to me that cyber security fits that brief. If you are working in cyber security, in very simplistic terms, it’s the goodies versus the baddies. If you are on the goodies side, then it fits that career with purpose that a lot of women want. I wondered how you feel about that.

It’s very interesting. It’s why I say the future’s female because we are able to look in a wider perspective as females. I want to stress one thing. I might be an engineer and I can spin you up some tech of whatever you need out of the top fifteen influential women in tech. Both Poppy and I can still do that. The rest of the women are guarding that agenda and are moving it forward.

It’s not a technical agenda cyber. It’s a multifaceted industry. Since the 13th of November of 2015, we have changed the way we look at it. When I stood on stage at Davos in January 2019, I articulated that all we needed was one event that we call a Zero-day Exploit in our cyber world. One event that would transform everybody’s view of what our industry was.

At the time, when I was speaking on stage, I was imagining because I knew they were under million children not vaccinated for measles in the US. I was imagining a measles epidemic. That would sweep across America and we would lose our children because we didn’t have a holistic view of what was happening, and that measles, once it’s ripe, as we find in other countries, just sweeps across the country.

I didn’t know that was going to be a Coronavirus. I was using that example because one of my colleagues from NATO in the audience challenged me. It’s so like, “What, Jacqui? What’s this Zero-day you imagine?” That’s what I said. That’s what happened and 1 billion more people came online, which gave us in our industry a new perspective on what cyber looked like.

We could no longer deal with a threat. The threat was there and it was omnipresent, and now we had to look at risk. That was where the delivery of the Empathy Economy technology. Profit-for-purpose is a new business model, but the overarching agenda is the Empathy Economy, which literally takes that original cyber view of saying technology is in the sharing economy. You get a premium model. You get this for free. You got to pay for that.

That has created the leaky bucket that I was talking about at Davos and the Empathy Economy is reimagine technology using deep tech to change the way we look at how we leverage technology. That profit for purpose and I find for many men, it’s not a female agenda, but the fact that what you are doing creates impact. What you do every day, what I do every day and what we all do in our industry is we do the work we do in order to create the world we all want to live in.

We do the work we do in order to create the world we all want to live in.

I’m talking to Sherry now when we are literally talking nuclear war or we are not talking any of that. Let’s say the chief protagonist is talking about that. We are all in our industry working towards a world we want to live in. That profit-for-purpose model has resonated hugely in the sense of that has to be the way technology is leveraged.

It’s not for its own rights. It’s not because it’s geeky. It’s not because it’s technically interesting. It’s all of those things, but what purpose does it have? What does it enable? What can we create with it? That’s where the profit-for-purpose sweet spot is. That’s unusual in our industry. Lots of great debates on it, but the societal approach is the underpinning piece of that, and the fact that we can all create the world we all want to live in. Its impact and purpose-driven.

What I find so fascinating about cybersecurity is when you are talking about Coronavirus, for example, and the way that pandemic spread. What I find quite fascinating about the cybersecurity in industry is that the biggest challenges it’s faced or the biggest is it’s overcome that we don’t hear about them because we’d be too scared if we knew everything that people who are working in information security and cyber security. If we heard everything that you’d tackled and dealt with and shut down. I’m sure we’d all be feeling a bit more anxious and nervous. I find that aspect of it. You are doing something with purpose, but it’s not something you can necessarily go and publicize.

One of the things that we say to our engineers is very much, “You’ll be zero to hero. You’ll be the most famous person that nobody ever knows.” If we are successful at what we do, you won’t hear from us. It’s very interesting. I was running an event about 25 minutes after I’d received the Russian translation about what Vladimir Putin had said. I said to them, “Who’s panicked here?” Everybody said, “No, because we are with you. You are not panicked. We are not panicked.”

CGP 26 | Profit For Purpose
Profit For Purpose: As a cybersecurity engineer, you’ll be zero to hero. You’ll be the most famous person that nobody ever knows because if you’re successful at what you do, no one will ever hear from you.

 

The thing about it is we are susceptible to what we hear. We don’t question the providence of what we hear very much because in the sharing economy. It’s a free resource. I always say the thing about that is that anything that’s free is an opinion and opinion is the lowest form of knowledge, but we consume that on a daily basis. Most of us.

The reality of it is because of that, we are affected by it. That’s because, from a neuroscience point of view, that’s how we work. Our input determines our experience and, therefore, what we create. It’s deliberate that we don’t say that. Not because we are trying to keep secrets from you, but because we want to make sure everybody else can get on with what only they can do.

We do this as cyber specialists, but then we know that enables you all to do what you are doing. For those that join our industry, that’s one of the biggest motivators. We unlock a society that allows people to imagine a completely new future. We are quite happy with that agenda because, in our own world, we are not in it for the ego.

That for-profit approach to this is where perhaps that ego piece has come in. Once you attach purpose to it, then effectively, we are all contributing the key differences. It’s competitive in the sharing economy. In the Empathy Economy, it’s collaborative. We all contribute and between us, we envisage and we build that new future.

To be honest with you, it’s a fascinating place to be and there’s absolutely room for everybody. I’m visually disabled. I’m also neuro-diverse. The world’s a hostile place to me before I start, but then that’s the perfect place to me to be in a hostile world. Dealing with other people who don’t have my learning differences and don’t have my approach in the world. They can’t outrun me because I don’t think the way they do.

I think that’s the thing. Everybody has talents. There’s a place for them in our industry. The first ever cyber warfare since 24th February 2022 means that those opportunities got bigger and interesting because so many people are now saying, “Even if I’m not in the industry, I need to take account of that.” I have got something to give to Sherry as a download because you’ve met me by Sherry. I will give you a download of what we have done in the World Economic Forum. I will tell you about being cyber safe and even if you don’t join our industry, how we are looking after you and also how to keep your home safe. What’s the most attacked device in your home and it’s not what you think?

There is a place for everybody’s talents in the cybersecurity space.

Thank you so much, Jacqui. That’s much appreciated. There is so much that we could talk about in cyber security. It’s one of those all-pervasive topics. It’s everywhere, isn’t it? Cybersecurity now in the same way as technology is everywhere now. We were talking earlier, before we started, how manufacturing companies, for example, are so much more technology-driven than they were decades ago. What do you see as being the real opportunities for people joining the sector, but in particular for women joining the sector is what I’m most interested in?

As an industry, certainly in the UK, we have repositioned during the pandemic because so many people came to join the efforts of what we were doing and we were given advice and were bringing people into our world that caused us to think again about career paths. We are looking for something that we are always going to use technology. That’s only going to be on the increase, but how do we use that inclusively? We need to perhaps take the biases of what we do now and make it a more inclusive agenda.

The thing that I love about it, the young people, I was advising a young lady who’s getting ready to do internships on this. She was saying, “How did you choose?” I said, “Don’t choose. Just start because it’s all laid out for us as women.” As we are purpose-driven and because we have a more holistic view of the world. I would argue more of a societal view because of the roles that we play.

The hardest thing is how to choose, and I always say, “Just start. Just pick the piece.” Perhaps aligns with what you are doing now, and then take it from there. The one thing that’s perhaps different about our cyber world that perhaps you wouldn’t find in any other career path is non-ecstatic. The criminals never tell us what they are going to do tomorrow. What we have to do tomorrow is always different.

CGP 26 | Profit For Purpose
Profit For Purpose: The cybersecurity career path is non-static. The criminals never tell us what they’re going to do tomorrow. So what we have to do tomorrow is always going to be different. And that means you get to make your own career pathway.

 

For that, that means you make your own career pathway. You pretty much can choose and tomorrow is always going to be more interesting than today. Every time we shut something down, understand what they are using, make it inaccessible, they will find something else. Then that means we are the real problem solvers to say, “Now I’m going to evolve what I do.”

The fact that there are no days the same means that any part you fancy doing has a role for you, whether it’s within our sector directly like in FlyingBinary or within like we were talking about manufacturing. The cyber piece is because we move to the industrial internet of things where everything’s connected. The cyber response becomes very different.

There’s unlikely several years from now that anybody reading this won’t be in some way involved. Whether you are in the midst of what we are doing and helping pioneer the next steps, that’s a choice. If you wanted to tell people about what we are thinking about and you wanted to share what’s going forward, then this show is great because effectively, you can share this show and say, “It’s going to be all of us, so do we want to know more?”

We are curious as females. We love the idea what’s that about. I want to understand that a bit better and it’s not scary because everything we all do makes the world a safer place. That’s why I turned that on its head and was interested to hear the pioneers I was talking to. We are not scared because you are here and you are quite calm.

Given the news we have had, I’m quite calm because I know that as a group, community, or as a collaborative force, we won’t be outsmarted. All of you reading may welcome to join us and enhance that purpose. I’m so confident it will be where I am and how exciting that we can design the world we want to live in because the technology allows us to do that, and the cyber response is a wrapper around it all.

CGP 26 | Profit For Purpose
Profit For Purpose: It’s exciting how we can design the world we want to live in because of technology. And the cyber-response is a wrapper around it all.

 

I love that expression. Don’t choose. Just start. That’s perfect for anybody trying to break into the technology or into the cyber security sector. Into any sector that you are trying to break into, just start because then paths will open up for you. Getting started is something I often say to people. Just do it. Just get started. Don’t dither. It’s never too soon. Never too late. Before we finish, Jacqui, I love talking to you and find it fascinating, but what’s your top tip for anybody who wants to know more about cyber security?

There are lots of resources out there, but it’s the people. You’ve got other cyber specialists. I count myself and that around this show. Find out more about what we are all doing. You’ve got, however many people you’ve got in this series. You’ve got immediate connections. We are all very open to talking about what we do. We put resources out. I predominantly put cyber resources out on LinkedIn because that’s where my community of businesses look to consume that, but we are all very approachable. We are all of us quite enthusiastic about what we do and why creating impact with the work we do is so rewarding.

Ping us, interact on a post, ask some questions because we know that effectively, it’s all of our responses that collective. The one thing we can guarantee is community defeats terrorists, drug traffickers, and people traffickers. Being part of that community, connecting with us all, asking questions, and reading the rest of the talks on this series. You are part of us because you are reading this and then you are part of the change we will make across the world. That’s my top tip. We are very approachable and very enthusiastic and just ask.

Community defeats terrorists, drugs traffickers, and people traffickers. And so being part of the community, connecting with cybersecurity professionals, asking questions, and listening to talks makes you part of the change that cybersecurity makes across the world.

Thank you so much to you, Jacqui. I have enjoyed talking to you about your career and your purpose mission. That is absolutely fascinating. I could go on talking for hours, but we won’t. For those of you who’ve been reading, I hope you’ve enjoyed this episode. More episodes on the show at SherryBevan.co.uk. If it sparked a thought in your mind, please do connect and let’s talk and book an exploratory call with me to give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining your female talent. Email me at SherryBevan.co.uk to book your call. Thank you so much, Jacqui, for joining me.

It’s been a real pleasure. Thanks for reading, everybody.

 

Important Links

 

About Dr. Jacqui Taylor

CGP 26 | Profit For PurposeAs #15 Most Influential Woman in UK Technology and 21 Most Inspiring Women in Cyber Dr Jacqui Taylor was awarded an Honorary Doctorate of Science in recognition of her international web science work. One of the 250 Founders of the UK’s Digital Economy, in 2016 she pivoted her company FlyingBinary to meet the challenges of Web 3.0, the Metaverse and the Industrial Internet of Things (IIoT) with spectacular results.

CGP 21 | Cyber Knowledge

Delivering Trusted, Clean, And Accessible Knowledge With Rebecca Taylor Of Secureworks To Celebrate National Cybersecurity Awareness Month

 

Trusted information is crucial in an industry where one wrong move stands between being protected and attacked. This is the heart of Rebecca Taylor’s position as the Threat Intelligence Knowledge Manager at Secureworks. In this episode, she sits down with Sherry Bevan to tell us more about her role, along with the interesting career journey that took her from studying English and Creative Writing to the cybersecurity space. Rebecca talks about the importance of having trusted and clean knowledge accessible to the right teams. What is more, she also shares some of the challenges she faced as a woman in the industry, offering advice for others as they step into their career in a male-dominated space.

Listen to the podcast here

 

Delivering Trusted, Clean, And Accessible Knowledge With Rebecca Taylor Of Secureworks To Celebrate National Cybersecurity Awareness Month

Let’s get into our episode. In this mini-series to celebrate National Cybersecurity Awareness Month, I’m talking to women about their careers in cybersecurity. I’m delighted to be talking to Rebecca Taylor from Secureworks. Welcome, Rebecca. Thank you so much for joining me.

Thank you so much for inviting me.

I’m delighted to talk to you. Rebecca is the Threat Intelligence Knowledge Manager at Secureworks. Let’s find out a bit more about her career journey. Perhaps to set it into context, could you start by telling us a bit more about Secureworks and what they do?

Secureworks is a cybersecurity leader. We focus on enabling customers and partners to out space and outmaneuver adversaries in a more precise way so they can respond to cyber threats and risks. It is achieved in lots of different ways by using things like cloud-native, security platforms and different intelligence-driven security solutions. That’s backed up with lots of threat intelligence and research. We’ve got a lot of large teams that are equipped with the best people in the world to help protect customers.

How did you get started in an IT or cybersecurity career?

The biggest thing about knowledge is that it has to be trusted.

For me, it was very much by chance. When I was 24, I was working in kitchen goods dealing with kitchen insurance for appliances. I didn’t know what my calling was. I’d studied English and Creative Writing at the University of Portsmouth. I was finding my feet. At that time, I received a phone call from Secureworks Talent Acquisition asking if I would be interested in interviewing for a personal assistant role. I jumped at the chance.

When I’m walking through that door the first time, I knew very much that I’d found an organization and an entity that could give me a great platform for growth and development but also an industry that was always going to keep evolving, one that was never going to go away. Over the last few years, I’ve focused on studying, getting as much exposure to the organization, IT and cyber as possible, making a footprint and working hard. I’m in this fabulous position where I’m their Threat Intelligence Knowledge Manager and counter-threat unit.

What exactly is it that you do on a day-to-day basis?

From a high level, what it means is that I’m responsible for ensuring that we ingest all threat intelligence to the best of our ability and that it’s standardized, maintained and accessible for those who need it. On a day-to-day basis, my role can vary quite a lot. It depends on what we’re seeing, what we’re hearing and what we need to ingest and work on but ultimately, I need to make sure that what we have is accessible, our knowledge is clean and it can be used by whoever needs it.

When you say that our knowledge is clean, what does that mean?

CGP 21 | Cyber Knowledge
Cyber Knowledge: It isn’t necessarily about having these huge qualifications. It’s very much about just being open to listening and learning as things change around you.

 

It’s been put in the correct format that’s accessible to the right teams, stored in the appropriate ways and can be trusted because the biggest thing about knowledge is that it has to be trusted. If you start letting knowledge seep through that maybe isn’t accurate, it can not only affect us internally. It could be as simple as a threat researcher is misinformed or it could go the whole hog and end up being that a customer ends up misinformed. That’s the one thing we don’t want to happen. To make it clean means to make sure that it’s accurate and trustworthy.

Thinking about your career, what’s been your biggest challenge?

For me, it’s been a mixture of things. Like a lot of people, my biggest one has always been self-doubt. I knew for a long time that I wanted to progress and do more but it took me a very long time to get in the headspace to believe I could and that I could do it. I relied on quite a lot of mentors in my organization to help get me into that correct and good head space. The second real challenge for me has been a lot about gender stereotypes.

I am a mum. I do have that label and I carry that label as a woman but I also want to have a career. I do have my goals and ambitions. I found that I do work in cybersecurity but I didn’t want to necessarily be in the gender stereotypical role in the cyber field. Breaking through that, being able to become more technical and hopefully, in time, become a specialist has been a journey for me but also breaking down gender stereotypes that maybe friends or family have held of what I should be like and what I should do has been a challenge as I’ve pushed through with my career.

There’s that stereotype of people who work in cybersecurity being geeky and very introverted people. It is the stereotype that we often see but to be successful in cybersecurity, you need to have strong interpersonal and communication skills.

The real beauty of cyber security is that it’s not going away and that it’s very present.

It’s a mixture of assumptions of what a person in cyber is or should be. There’s the weight or the vision that we carry of what a woman or a mum should be. It’s taken me time to bring those all together and decide, “I don’t have to fit with any of them. I can be myself. I can have a footprint that is made by me in the way that I want it to be.” It took time for me to own that and be confident with that. Also, to know that I was doing the right thing by me.

When we realize that we can go to work, be ourselves and bring our whole selves to work is when we start to make progress in our careers and have the biggest success. It’s getting to that point and that can be challenging sometimes. You mentioned the mindset and referenced Imposter syndrome. What was the biggest thing that helped you get over that?

For me, I started to explore not only mentoring but training opportunities. I joined this Releasing Female Potential Program that was run by one of our sister companies. By doing that, I changed my perspective of I can do more and that it is okay to want more, regardless of the fact at that point in time, I didn’t necessarily have any technical qualifications. It’s all about what you make it. I knew that I wanted to do more, could do more and needed to get to do more.

I bounced off of that program and found myself a good mentor. I’ve got three because they all offer me very different perspectives, opinions and support. Finding the right mentor for me that could help drive me, help connect me with people that maybe were more like me or that could appreciate what I was trying to accomplish. It all helped me to get to that point.

Thinking about cybersecurity, there are training and qualifications. I imagine that to be successful in cybersecurity, you’ve got to constantly be training and learning new stuff.

CGP 21 | Cyber Knowledge
Cyber Knowledge: Finding the right mentor for you can open up so many more opportunities and give you that platform to excel and find the career you’re looking for.

 

The real beauty of cybersecurity is that it’s not going away and it’s very present. Keeping abreast of what’s happening in the media, making sure that you’re reading up and seeing what’s happening in itself is a way for you to learn and develop. You can begin to see new ways like what may be threats are behaving, new risks changes, evolutions and all these kinds of things.

At least at Secureworks, you do get to learn a lot on the job. By having that exposure, seeing the threat landscape change and evolve and having access to the latest threat intelligence and metrics, you can learn as you go along. It isn’t necessarily about having these huge qualifications. It’s very much about being open to listening and learning as things change around you. Technical qualifications can support. I did English and creative writing so I had in no way any kind of technical background.

You can pick up stuff as you learn and it doesn’t have to cost you a fortune. There are so many free courses available. You’ll probably find as well if you have a mentor that you can do lots of training through them. If you pick the right ones, at least they can teach you what they know and share that knowledge. Whilst there is sometimes the need for training qualifications, it isn’t the be-all and end-all.

Thank you for explaining a bit more about that. It’s quite interesting that 2 or 3 people that I’ve spoken to have studied English or History and then have gone on to have a career in cybersecurity. I find that quite fascinating. I’m wondering. What’s been your proudest achievement in your career?

I have a few. I spoke about that Releasing Female Potential Program. That was a big achievement at a time when I needed it to flick that switch and get that drive to progress in my career. I’m also very proud of the fact that I have pushed myself. I have got 2 amazing points in my career but I also have 2 children and like a lot of us, I have gone through the pandemic too.

The cybersecurity industry worldwide is facing a talent shortage.

Having that career, having that identity that fulfills me, owning my ambition and having that drive is something I’m super proud of. If I suppose, take it back to my career, being the first Instant Response Knowledge Manager and the first Threat Intelligence Knowledge Manager is a real pat on the back for my organization that they do believe and trust in me.

What is it that you enjoy about the work that you do?

I’m in a lovely position where I confidently know that I am making a difference and that I am contributing to the cybersecurity community. That’s something that does mean a lot to me and is something I enjoy. I’m able to do conferences, write blogs and mentor. I feel like I’m leaving a solid footprint and a good legacy, which is important to me. I’m lucky as well that Secureworks is a remote-first employer. That means that 90% of us are remote workers. That is something I enjoy about what I do because I don’t have the pressure of having to commute or make sacrifices in terms of being there for my family. I can have the best of both and be as involved in my career and with my colleagues as I can be with my family.

What do you see are some of the potential barriers for women in cybersecurity or perhaps aren’t in cybersecurity yet but would like to move into that area?

The biggest barrier was the lack of women in high-ranking cyber positions. Sitting there knowing that I wanted more but not seeing necessarily that inspirational figure, I didn’t know whom I could look up to who maybe had a similar path or a family like me. Also, similar ceilings like we have. That is improving. There is more representation but I do think for younger people or those who may be looking to progress into STEM, it’s hard if there is that continued lack of representation.

CGP 21 | Cyber Knowledge
Cyber Knowledge: There are so many different facets to cybersecurity. You don’t have to fit a mold that maybe you’ve built into your own head.

 

I still think there’s a lot that needs to be done from a diversity and inclusion perspective. As a woman, I do have different needs from my counterparts. I do face different adversities and have different stereotypes and external demands, potentially to some of my other colleagues. There’s this whole space that needs to be explored to make cyber more inclusive but until a lot of these larger cybersecurity organizations start pushing and changing their D&I initiatives, there’ll continue to be that gap and barrier for people wanting to have a cybersecurity career.

Having role models in more senior positions, you often hear people saying you can’t be what you can’t see. We’re starting to see change but sometimes it’s slower than I want it to be. It’s good to see that things are starting to change. You’ve talked about potential barriers. What about opportunities for women in the sector?

There are a lot of opportunities. The cybersecurity industry worldwide is facing a talent shortage. It is something we talk about quite often. We need millions more people so the opportunities are very real. There are lots of roles out there. We only need to apply for them and believe in ourselves to make that application. In the same way within our organizations, there are ways we can be advocating and promote opportunities for women, things such as via our employee resource groups, newsletters, reward and recognition. There are lots of different ways to help women rise.

Another huge opportunity is all these sub-security courses that are available. There are loads of free ones that I have used like FutureLearn, which I massively recommend. For me, mentorship was a real game changer. Finding the right mentor for you can open up so many more opportunities and give you that platform to excel and find the career you’re looking for.

Something occurred to me while you were talking. There are certainly lots of opportunities. It’s for us to go and reach out to those opportunities. If women are reading this who are thinking about a career in cybersecurity, what would you say are the skills that they need?

It does depend. When people think about cybersecurity, they think it’s sitting behind a computer, knowing technical skills, knowing how to hack or code and all these things but that isn’t it. There are so many different types of roles in cybersecurity. There are marketing teams, finance, design and speaking opportunities. There are so many different facets to cybersecurity so you don’t have to fit a mould that maybe you’ve built into your head. If you want to apply, think about what you enjoy doing and find the cyber role that fits that. You don’t have to change yourself just because you want to work in cybersecurity.

Rebecca, thank you so much. I enjoyed talking to you. If people want to get in touch with you, you’re on LinkedIn, aren’t you?

I am, indeed. I’m happy to take any questions or help where I can.

Thank you so much to my guest, Rebecca Taylor from Secureworks. I’ve enjoyed hearing about Rebecca’s career and her thoughts about being a woman in cybersecurity. If it sparked a thought in your mind, let’s talk. An exploratory call with me gives you the opportunity to ask any questions you have about the work that I do with cybersecurity companies on attracting, developing and retaining your female talent. Get in touch with me by email at Sherry@SherryBevan.co.uk to book your call.

 

Important Links

 

About Rebecca Taylor

CGP 21 | Cyber KnowledgeRebecca joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, moving into Secureworks first Threat Intelligence Knowledge Manager role in 2022.

Rebecca is primarily focused on the implementation of knowledge management processes and procedures for the Counter Threat Unit, the ingestion and management of Secureworks Threat Intelligence knowledge, and its associated quality, storage and maintenance.

CGP 20 | Sophos

Taking On More Complex Projects In The Cyber Industry With Chloe Acebes Of Sophos To Celebrate National Cybersecurity Awareness Month

Going to the next level in your career means having to take on more complex projects. And our guest in this episode has done that while coaching and mentoring women in technology. Sherry Bevan interviews Chloe Acebes, the Director of Software Engineering at Sophos, with 20+ years’ experience in the cybersecurity industry. Chloe leads teams of Engineers who develop next-generation endpoint security products.

In this conversation, Chloe shares her career in cybersecurity, taking us along to both the challenging and proudest moments in her career thus far. She also talks about coping with the pandemic, the barriers for women working in the sector, and the future of her career balancing politics and technology.

Listen to the podcast here

 

Taking On More Complex Projects In The Cyber Industry With Chloe Acebes Of Sophos To Celebrate National Cybersecurity Awareness Month

In this episode, I’m talking to Chloe Acebes of Sophos about her career in cybersecurity. A very warm welcome to you, Chloe. Chloe is the Director of Software Engineering at Sophos. She’s going to be talking to us about her career in cybersecurity. Let’s get started. Perhaps you could tell me how you got started in IT or in cybersecurity.

I studied Physics and Astronomy at university. In my final project at uni, we did a little bit of C programming. I learned a little bit of C there and to say that I liked that and thought I might be interested in a career more towards IT. When I was finishing university, I applied for various different jobs in technology and in science. I applied for a job at Sophos, where they had a graduate program where they took people on from different disciplines. We got basic training on the job. We learned about coding, various aspects of technology and security. Basically, I’ve been at Sophos ever since.

That sounds amazing that you’ve been there ever since. It proves that those graduate programs, when you get them right, they do work and you get good staff. How did you get into cybersecurity more specifically?

It came to me by chance. As I said, I was interested in IT and technology. I applied for several different roles. When I came to interview at Sophos, they talked a lot about protecting customers and protecting small businesses. Sophos focused a lot on small and medium businesses, which means that we make the difference between a business doing well and a business being attacked and potentially losing money. That aspect of talking about helping people was what drove me into the industry. That’s what still gives me job satisfaction.

In thinking about your career overall, what has been your biggest challenge?

I think there are two that come to mind. The first one is starting the job. I came from a Physics and Astronomy background. I didn’t know a lot about computers. I didn’t know a lot about programming and hadn’t done computer science. There’s that foundation that you’re missing. That was a bit intimidating coming online and starting off the job, but that strong ramp up to start off with is a big challenge.

It’s a fast-moving world. You’re always trying to keep up with the bad guys, which means there’s always lots of stuff to learn.

The second one I could think of is during the pandemic. I was leading a project at Sophos to deliver a project where we had to coordinate with many different teams and many different business units, different time zones. I have led projects before, but this was the biggest and most complex one that I had ever done. That was the biggest but also more satisfying challenge I’ve had because we delivered what we were asked of on time and coordinated across many different teams, and it was a success.

At that time, you were doing it in lockdown when we were still getting used to the ways of remote working and hybrid working.

In a weird way, it was beneficial at some points because some of the teams we were working with were based in the US. We would have been on Zoom with them anyway. Sometimes when you’re in a call in the office and some people are in the office in the room and some people are on Zoom, it’s actually hard to engage both sites. Having everyone be on Zoom was a level playing field.

I think that’s been one of the advantages that we see now with more hybrid working. People are more understanding of the disadvantages of having a mixed group of people working in the office and from home. Being on Zoom and in the office all at the same time, it adds an extra layer of challenge to the way that communication works.

You have to be careful with things like drawing on the board. The meeting I was in right before this one actually, we had one person on Zoom, the rest were all in the office, and I wanted to draw on the board. We’re lucky enough that where I work, the cameras move around. You can point the camera at the board, not the people on the call, and have the person on Zoom still engaged with what’s going on in the call. You’re right, it’s an interesting challenge having people come back to hybrid, partly in the office and partly online.

I’ve seen that work well. I’ve also seen it work badly. You mentioned there about your biggest challenge and it sounded like a very complex project. I’m wondering, what about your proudest achievements in the work that you’ve done or that you do?

CGP 20 | Sophos
Sophos: We can work very hard to try and make the balances as good as we can, but if a few people are applying, it’s like fighting a lost battle.

 

There are a couple of things. I do some coaching and mentoring at Sophos. Some of it is around women in technology. I’m part of the Women in Technology Group at Sophos. We have a coaching scheme and a mentoring scheme as part of that. I have a mentor and I mentor other people. I also run a Women in Engineering Group where we try and get people together. We started that in the pandemic. New people would start during the pandemic, they didn’t have that natural meet the peers in the coffee area and find people around. I’m not at all saying that because there’s another female in the office, you should be friends with them because you’re females together, but you maybe have more in common with them.

Meeting people in the office is more natural. We couldn’t do that in the pandemic, so we started this Women in Engineering Group. We went out for dinner one night. We have an online teams thing where you have new starters join and realize there’s a community of other women at Sophos that they can meet up with. I’m quite working with the mentoring scheme. The project I mentioned was a big complex thing, and I’m proud of delivering that project. It set me up for more complex things in my career.

Obviously, you work in cybersecurity, and we know that the gender balance between men and women in technology as a whole is not great, but it’s even more marked in cybersecurity. What do you see as some of the potential barriers for women working in this sector?

I think part of it is fear of the unknown. I’m not seeing role models that are similar to yourself. The thing I struggled with the most is it’s quite difficult to fix having more people to apply because the pipeline isn’t big enough. It doesn’t have a strong enough pipeline of females. You have to go back to university or school, and change the attitude there so that they’re more likely to do science and technology subjects, and be more passionate about those so that when you get later on in life and you start to look for a job, there are more women looking for that. It’s almost a bit of a catch-22. We can work as hard, and we do work very hard to try and make the balance as good as we can and make cyber at Sophos more appealing to women. If there are fewer people applying, it’s like fighting a losing battle.

We know there’s a skill shortage generally in the cybersecurity sector. That does make it even harder.

There are fewer people, in general, doing degrees, never mind women.

The more diverse your workforce, the better the solutions you come to.

What about the opportunities for women in the sector? If you were to go and do a marketing piece and come and join the sector, what would you say to women?

This may sound weird, but I almost wouldn’t want to say that there’s anything specific to women that appeals to women in cyber. It’s just a good career for anyone. There isn’t anything specific to women or men. There are lots of challenges. It’s a fast-moving world. You’re always trying to keep up with the bad guys, which means there’s always lots of stuff to learn. There are always new challenges coming, and I think that should be exciting for anyone.

It sounds like that’s what you enjoy about the work that you do.

That’s part of the reason I’ve been in one company for so long. I think if I had been here and done the same thing for many years, I would be bored. I’ve moved around different teams. The challenges move on all the time. The bad guys are always doing different stuff, so the whole industry has to move along to keep up with that. There are always new things to look at, new techniques that you have to worry about. It keeps you on your toes.

In the role that you do, can you tell us a bit more about what you do on a day-to-day basis?

As a Director of Engineering, that means I basically manage multiple teams in one functional area. My role has transitioned a little bit. It was at first that I was the director of the endpoint detections for our endpoint software, which covers some Windows devices and Linux devices. I’ve shifted a little bit, and I now focus more on protecting Linux devices. I have 3 or 4 teams now that work on various aspects of our products, which protects Linux servers.

CGP 20 | Sophos
Sophos: The further up you go, the more removed you are from technology and the more of the politics game you have to play.

 

We help to work on strategy with product management to identify the roadmap and the areas that we want to deliver. I also work then with the teams to work on how we deliver those things, what technical choices we want to make, how we split the projects up, how we are using resources for the projects, what the timelines for those look like. How do we coordinate across the teams? How do we make sure we deliver it with quality?

A lot of your role at the level you’re at now is managing the teams to do the development and the delivery of those products.

I still have one team who reports directly. Maybe I do like day-to-day management with them and what tickets are we working on and what are we doing? I would like to hire a person to take on that role so that I can be exactly as you described, a slightly higher level. You’re worrying more about what direction the teams are going in and what direction the product itself is going and more strategic.

What do you see in the future for you and your career?

I think I would like to weigh in the scope of my responsibility and the area that I’m in. As I said, I’m responsible for taking care of the Linux product, which covers a lot of cloud workloads. A lot of customers have machines running in the cloud, AWS or Azure, and that’s a specific type of customer. That type of customer may use other tools and leverage other security tools to manage their cloud workloads. I’d like to extend my functional responsibility to cover those areas and have the responsibility within the department.

I don’t know how much further I would like to go up the ladder. The further up you go, the more removed you are from technology, the more of the politics game you have to play. I’m in the middle of that now, but I still have reasonable ideas about what technology the team is using and having a hand in the strategy. I still have to do some politics, but I’m not far enough up the ladder that that’s what I do day-to-day. That’s probably the next decision I have to make if I’m able to go farther up and do more of the politics and less of the technology, if that makes sense.

The cyber industry is looking for many passionate people who want to solve problems.

Thinking back to your original degree, I think you said it was Physics and Astronomy. Is there anything from what you studied in your degree that you’re actually using in your work?

No. I think the main thing is ability to solve problems. Anyone who does a Science degree learns how to have a logical approach and how to approach solving problems. That is invaluable. You’ve proven that you can understand the problem and that there are various ways to approach it, and that absolutely applies in software engineering. That’s one of the main things we look for when we get graduates to join.

These days, many more people will do Computer Science degrees than back when I was at university. We always look for people who have a Computer Science degree because they have that foundation that I mentioned earlier, but they also have shown that ability to solve problems. We do also sometimes consider people from other backgrounds if they’ve shown that ability to do the problem-solving.

What other skills are you looking for apart from problem-solving and that kind of foundation in Computer Science?

Definitely communication. That’s something that’s changed in the time that I’ve worked in the industry. When I first joined Sophos, there were lots of people who would be handed a little bit of work to do. They would sit in their corner. They’d write their code and then they pass it back and they almost would avoid talking to other people. The industry has gone through quite an epic change where the focus is much more on Agile programming and collaboration.

That’s important to know that when we solve problems, we often do it as a team. You have to be able to stand up in front of a whiteboard, draw a picture, explain the problem and what your approach should be, and then collect information from other people and come to some consensus about, “Let’s take a little bit from everyone’s solution.” Come to a consensus, something common. To be able to do that, you have to communicate. You have to actively listen. Those are the two other key things that we look for.

CGP 20 | Sophos
Sophos: When we solve problems, we often do it as a team. You have to be able to stand up in front of a whiteboard, draw a picture and explain the problem and your approach, and then collect information from other people to come to a consensus.

 

At the end of the day, that means that you’re going to end up with a better product because it’s not just one person’s thoughts or ideas on how to deliver or how to develop that product.

That’s where the diversity comes in. The more diverse your workforce, the better the solutions you come to.

Before we finish, Chloe, any tips for people thinking about working in cybersecurity or thinking about going into that as their career after university?

Just apply. The cyber industry is looking for lots of people who are passionate and want to solve problems. You don’t need previous cyber experience to do well. You just need someone who’s passionate, able to communicate well, can sell yourself and can solve problems. Those are the things we’re looking for. I’d recommend that you read up a little bit about, in general, what cyber is about, but just go for it. We’re desperate for new blood.

I hear that all the time from lots of the companies I’ve been talking to. The skill shortage is very real. I was talking to someone else who was saying, “We don’t mind whether they’re male or female. They could come from planet Mars, as long as they have got communication skills and problem-solving skills because we’re so short on good talent.” It sounds like it’s a brilliant sector to work in with the future of technology, isn’t it?

Yes. For me, the thing I mentioned earlier about the fact that you’re helping people, you don’t get that in many other technology industries. You could work in finance, doing fintech, or you could work in IT, building computers for people, but you don’t get the same satisfaction. You’re helping protect people. You’re helping keeping their assets secure. For the small businesses, you’re basically helping keeping them going. If they had a ransomware attack, they could potentially go out of business.

It’s that sense of purpose that you get working in that sector. Thank you so much for joining me. I do appreciate it. Thank you, everyone, for reading. I’ve been talking to Chloe Acebes from Sophos. She’s a Director of Engineering there. I enjoyed hearing about Chloe’s career as a woman in cybersecurity, but also her journey from coming from a Physics and Astronomy degree, and then finding out about coding and then eventually joining Sophos as a graduate.

You can find out about more episodes at SherryBevan.co.uk. If it sparked a thought in your mind about how to attract more talent to your organization, particularly if you’re looking at attracting female talent, then please do get in touch. An exploratory call with me will give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining your female talents. You just need to get in touch with me by email, Sherry@SherryBevan.co.uk. Thank you again, Chloe. It’s been great talking to you. Enjoy the rest of your day.

Thank you very much.

 

Important Links

CGP 22 | Cybersecurity

Cultural Change, Continuous Learning, And Cybersecurity With Dora Ross For National Cybersecurity Awareness Month

There’s always something to learn. You don’t have to know everything, but you should look for innovative ways to acquire new knowledge every day to achieve the success you are meant to have. This interview is one of a series of interviews with women in cybersecurity. The series is published in October 2022 to celebrate National Cybersecurity Awareness Month. Our guest, Dora Ross, shares her knowledge of the barriers and challenges of cybersecurity. Dora is a security culture transformation specialist. She works with organizations to define and implement risk-based, human-centered security culture and training strategies enabling positive behavioral change. In this episode, she emphasizes that there are so many different areas in Security, and the landscape is constantly changing. Tune in to learn more about what people do daily in cybersecurity, the importance of communication skills, and shaping cultural change.

Listen to the podcast here

 

Cultural Change, Continuous Learning, And Cybersecurity With Dora Ross For National Cybersecurity Awareness Month

In this mini-series to celebrate National Cybersecurity Awareness Month, I’m talking to a range of women about their careers in cybersecurity. I’m delighted to be talking to Dora Ross. Welcome, Dora. Thank you so much for joining me.

Thank you so much for having me.

She is a security culture transformation specialist. We’re going to find out what that involves and hear about Dora’s career journey. Perhaps you could start off by telling us how you got started in IT and how you made that move over into the role you do now.

My first several years weren’t in IT or cybersecurity at all. I was working in marketing, communications, and business change management. I transitioned into IT unintentionally. When I was a business change manager working for a social and housing organization, I needed to understand work processes and ways of working for different departments. That is in compatible systems in IT as of products used. That was my way into the world of IT.

It’s quite a different career, but you got those transferable skills. What do you find is different about working in IT compared to the roles you had before?

It is different compared to what I have done before. I feel like I need to understand a bit more because IT is a wide spectrum of topics and systems that are used. I constantly feel like I need to understand more and learn more, and it can be technical. Sometimes, I feel like I need to research a lot more to be able to understand what people do and how they do it, especially with engineering teams. They are so different and technologically advanced people that I feel sometimes I get a little bit of impostor syndrome with them because I might not be able to understand as much as they are.

To be applying for something that’s completely out of your comfort zone is a really big thing.

However, in my world and in business change management, it’s number one to be able to ask questions. It doesn’t matter, even if I don’t understand something. It is being able to ask questions. There might be some complex topics that I need to translate into an easily digestible format for the rest of the organization. Although I used to have impostor syndrome, and sometimes I still have that, I have to be okay with knowing that it’s okay not to know everything.

That is one of the traps that some women tend to fall into wanting to know everything, needing to be the expert, and having all the detail on everything. The more you move up in an organization, the less feasible that is practically to have the time in the day to know the detail about everything. I’m glad you have talked about that. That is positive that you have taken that learning on board. Tell us a bit more about what you do because your job title is a bit different than some of the other women in this area. You’re a security cultural change specialist. What does that mean? What is it that you do on a day-to-day basis?

As the title said, it is not heavily technically involved at all. It’s more of a softer side, people side, and psychology and behavioral side of elements. I am responsible for embedding secular behaviors into that corporate culture. That means I work with all different parts of the business, different functions, and departments to understand what they do and how they do it. I help them during the workforce in more secular ways.

They’re able to protect the company data, but besides that, it’s not just the company, customer data, and employee data that are important. What I enjoy about this is that people can learn tips and techniques and best practices on how to protect themselves in their own personal lives, their families, when they do banking, or even on social media, and how much they share.

It’s an interesting role to be able to help the organization build up cyber resilience and also help people on a personal level. My role could be different on another day. I could be writing blogs or user guides, preparing for some training or workshops, working on creating cyber secretary training and culture strategies, or some incident communications that could happen any day. It’s varied in terms of the role.

What about the skills that you need for that particular role?

CGP 22 | Cybersecurity
Cybersecurity: Be motivated and have that hunger for knowledge, so you continuously learn and expand your horizon.

 

My career started doing marketing communication and business change, especially for this work, this cultural change. Change management is important to know how people go through change cycles and how to influence behaviors. Also, the marketing side is quite good to have so that you know how to write communication and business training materials. It captures people’s attention. You can help them learn new skills in an easily digestible format.

Once I started being interested more in security, I went on a couple of courses at Open University. There are free courses out there that can be taken. You can go on a different learning journey. I have qualified by SANS, which is a paid five-year course. You need to learn about how to manage and measure secondary awareness practices and interventions. There are different ways you can go about it, and you can learn on the job. I do find some qualifications help you to be better at this role.

That qualification gives you a certain level of authority and credibility in what you do.

Exactly. However, there are some rules. Sometimes, there are too many qualifications that may be asked. People are not going to apply for those because they don’t have them. They might have the skills and experience but not the qualification for various reasons. Qualification might not always be the most important thing. However, there are certain ones that are worthwhile to see.

I remember years ago, I was hiring a network administrator. We interviewed some people who had the qualification, and some of them didn’t have the qualification that we were looking for. Some of those people without certificates were fantastic, knowledgeable, and experienced. Some of the ones with the certificate didn’t know what they were doing. There is an element of that. It’s a mixture of having the qualification and the experience, but those qualifications certainly give you that credibility. In your career, what’s been your proudest achievement?

I can mention a couple. I will bring down the two main ones. When I was working at a social housing association back in 2012, I was still in my marketing role. PWC came in to look at our target operating model or the stigma that we can get some savings. I applied for a role, besides my marketing role, to help PWC with this big piece of work and be marvelous for six months.

To be able to collaborate with people, having good communication and social skills are the keys.

I was fortunate enough to be accepted for this program. That completely changed the course of my career life. That’s where I learned about business change management, organizations, and different departments and got to know the business and how they operate. That was mind-blowing to learn all of these things. That was one of my proudest moments because I was in marketing. To be applying for something that’s completely out of my comfort zone was a big thing for me. It changed the course of my life.

The other one I would mention was before COVID hit. It was in February 2020. We had the ties in International Security Summit. I was one of the speakers, and that was the last live event before we stopped the live conferences. I was able to speak about security culture and education among many credible and amazing speakers. That was one of my biggest highlights. To be able to be on stage with those people, commenting and giving advice on best practices, and imparting my knowledge around security culture was an incredible moment.

The opportunity to work alongside PWC, what better organization to learn from a big consultancy firm like that? I can imagine that’s given you a strong foundation in business change. I’m thinking about getting more women into cybersecurity. What do you think are the barriers or challenges to doing that?

When I transitioned from the business change adamant into more of the technological side, I mentioned impostor syndrome. You might feel you don’t have enough knowledge to get into a certain industry or tech industry. That could be a barrier. People believe in themselves, move forward, and go for those interviews or look at those opportunities. You know there was a way in.

I would encourage women to have mentors because they can be a great help to get into cybersecurity or IT. Find communities and networks that support each other in the area of interests and performance people, and they will be able to show them opportunities, skills festivals, or something like that. There are opportunities to meet future employees. You can ask them, “What do you need, or what requirements do you have?” Start the initial conversation. You will get a better chance of getting into this industry.

You sound like you love your work. Your enthusiasm and passion for it come across when you’re talking. What do you see as being the key skills that are required not just for women but for people to be successful in this industry?

CGP 22 | Cybersecurity
Cybersecurity: Working with people and getting to know the business through the different departments and what people do in different functions is really satisfying. It’s creating those relationships and actually making a difference.

 

Social skills are important. To be able to collaborate with people, you have to have good communication skills. Sometimes that’s a little bit lacking. If someone has got a lot of technological knowledge, they are not able to translate what needs to be done about the systems in an easy and clear way to people. Collaboration is one of those keys. Be motivated and have that hunger for knowledge so that you learn more and continuously learn and expand your horizon.

What is it that you love about the work that you do?

I love our security culture. It does not just work for me. I personally love this. I’m the one who can go out with friends or family. I’m giving them best practices sometimes. They don’t even want it.

You can’t help yourself. That’s what is valuable about the work that you or the people like you do. What you’re doing is protecting companies, but that information and knowledge help individuals protect themselves. In this cyber world, that is important.

Working with people and getting to know the business, different departments, and what people do in different functions are satisfying. Creating those relationships in each department depends on their needs in providing them suitable training or whatever guidance they need. Creating those relationships is amazing and you are making a difference.

When you see a communication strategy come to life, people come to you, and they’re starting the conversation. It’s a two-way conversation. That’s where the magic happens. You’re not pushing out information, but the people receiving them now ask questions about the ending in the changing behaviors because of that. That unfolds the beauty of other cyber security cultures.

When you see a communication strategy come to life and people actually come to you and start the conversation that’s really where the magic happens.

What has been your biggest challenge since you have been working in cybersecurity?

I would mention learning more about the technical side. Initially, because I’m coming from business change, plans the psychology of change, and how to communicate changes to people, but to understand and be credible on a different topic is learning about the system, the threats, and the risks a little bit more.

That was a bit of a challenge for me because I knew how to communicate about certain topics, and I found that I needed to find out. I did feel like if I knew a little bit more, I don’t always have to ask those questions because I understand what people are talking about. It’s easier to impart that knowledge to other people. It’s learning a bit more about the technical side.

Having that depth of knowledge and information makes it easier for you to communicate in ordinary English that a non-technical person can then understand. One of the hardest pieces about working in technology is doing that translation from tech speak to normal person speak.

There is so much out there, and you could get lost in the knowledge because there is much information out there. I hear a word over here about technological solutions. You instantly research, but you can get into too much research and get lost because there is more information. There has never been a stop to it. There is a lot more that you can do, and you have to know where to stop. You’re not getting overwhelmed by all the information that comes in.

Understand what you need to understand and ask questions. If you ask people, “Can you explain it a bit more because I don’t know about this? Could you demonstrate it to me?” They like to help. People are naturally quite helpful. It’s good to ask for knowledge. You need to research and stop there. If you need more, get more later.

CGP 22 | Cybersecurity
Cybersecurity: You could get lost in the knowledge of someone because there’s just so much information out there.

 

If there are women reading this who are looking to get into cybersecurity, what are your best tips for them?

If you can sign up for mentorship, you can do it within your own organization or somewhere externally. I have had mentors before, but one in particular, Deborah Haworth from the publishing company where I worked previously has been amazing to me. She has opened doors for me that I don’t think I could have opened myself in terms of getting to know people and introducing me to many people. From then on, I could learn more.

My number one advice if someone would like to get into the industry is to find a mentor who is in that industry that you would like to get into, and they will be able to help you. The second last tip is to find the community. There are many communities like the SANS or SASIG community that are helpful. The people there can help you with whatever career you would like to take. There are lots of advice on training or conferences on how to develop your skills.

With more women working in cybersecurity, finding a mentor and finding the right communities are getting easier than it was several years ago because there are that many more women now in the sector. We don’t yet have a gender balance. I don’t think that’s going to be anytime immediately soon, but we’re getting there, aren’t we?

We are getting there, but there’s no balance yet. In the last few places where I worked, my immediate team, the smaller team, had a high number of women working in the department. When you look at the widest perspective, the whole IT or security, there are more male-oriented than female. I have worked with incredible women.

Hopefully, there are more women who want to get into this industry because it’s amazing. There is so much variety in work, and you could progress into different roles. Mine is not too technical. Social skills are required, but I can digress in the future years to more technical elements and do something completely different. There is so much there and everyone can choose whatever system works for them.

Dora, if people want to get in touch with you, I’m guessing LinkedIn is the best place.

LinkedIn is the best space.

Thank you so much to my guest, Dora Ross. I have enjoyed hearing about Dora’s career as a woman in cybersecurity, particularly because she is doing a role a little bit differently, looking at the cultural transformation. For more episodes, go to SherryBevan.co.UK. If this has sparked a thought in your mind about how you can do more to attract, develop, and retain your female talent, please do get in touch. Email me at Sherry@SherryBevan.co.UK. Thank you so much, Dora.

Thank you.

 

Important Links

 

About Dora Ross

CGP 22 | CybersecurityDora is a security culture transformation specialist. She works with organisations to define and implement risk-based, human-centred security culture and training strategies enabling positive behavioural change. She has a true passion for information security, demystifying security threats and policies, so that people know what to do in certain situations to better protect themselves and their organisations from cyber threats.

CGP 23 | National Cybersecurity Awareness Month

National Cybersecurity Awareness Month Special: Navigating The Unconventional Route A Cybersecurity Career With Emma Jones

This episode offers you the senior consultant of Crowdstrike, Emma Jones, to celebrate National Cybersecurity Awareness Month. Emma shares the unintentional move of her career in cybersecurity. Given that she has no background in the role, the transferable core skills she possessed allowed her to fare pretty well in the space. She enjoyed each moment of her journey and never looked back on her previous career. Like everyone else, Emma faced some challenges along the way in her career, but how did she deal with them? What insights could she offer to anyone thinking of taking the cybersecurity route? Tune in to this episode and learn more.

Listen to the podcast here

 

National Cybersecurity Awareness Month Special: Navigating The Unconventional Route A Cybersecurity Career With Emma Jones

In this mini-series, to celebrate National Cybersecurity Awareness month, I’m talking to women about their careers in cybersecurity. I’m delighted to be talking to Emma Jones from CrowdStrike. Welcome, Emma. Thank you so much for joining me.

Thanks for having me. It’s a pleasure to be on the show. Thank you.

Emma is a Senior Consultant at CrowdStrike. She’s going to tell us a bit more what that involves. Let’s get started and find out about her career journey. To set it into context, could you start by telling us a little bit more about CrowdStrike and what they do?

CrowdStrike, for those who haven’t heard of them, we are a global cybersecurity technology company. Our mission is ultimately to stop breaches. Essentially, they work with a whole range of products and services and strategies to protect customers and clients from the cyber threat and from the adversity that we face in that space. That’s a little bit about CrowdStrike. My role with them is based in the services part of the business. Essentially, I work with organizations across the UK, Europe, Middle East and Africa on a huge range of cyber incident response and readiness activities to help them prepare for the threat and increase their security posture and readiness.

Tell me how you got started in your IT career.

Overcome the imposter syndrome because otherwise, it would impact you personally and professionally.

Completely unintentional move into IT/cybersecurity. Actually, I went straight into cybersecurity. My previous occupation was in UK Law Enforcement. I was in a National Law Enforcement Organization working on a whole range of crime types, different threats, different teams, non-related to technology or cyber.

What happened was I went through a promotion process and they’re quite huge campaigns, I should say, where you apply for the rank or for the grade or the position rather than a specific role. You go through a campaign, they will assess and determine who’s suitable for that particular level, then at that point they will appoint individuals into the role across the organization and across the UK.

I went through a campaign and was successful in that campaign and was really pleased to hear that. It was at that point, I found out which role I was being posted into. Honestly, I expected it would be a role that I had done before with EMA, or had exposure to a crime type I was more familiar with. No one was as surprised as me to find out that I was posted to the National Cyber Crime Unit. I had a moment where I thought, “What on earth has happened here? There must have been a mistake. Why am I going into cyber? That’s not my background. I don’t have an IT skillset.”

I wondered what had happened in the process, but actually people had recognized transferable skills as being incredibly important in cybersecurity, not least of course because the industry is still fairly new compared to many of the areas of work and disciplines, but actually very fortunately the panel who decided recognized that I had some experience that would benefit the cyber side of the team. I found myself in a position there, which entailed creating and delivering and establishing a brand new unit for all UK Law Enforcement. It was all focused on prepared activities.

I had to start from scratch, learn about the threat, and then develop a team which would do a range of different projects from exercise and through operational learning all focused on cyber incidents. It was completely unexpected, but I’ve never looked back. I enjoy every moment of it. Here I am now in CrowdStrike in the private sector.

CGP 23 | National Cybersecurity Awareness Month
National Cybersecurity Awareness Month: Familiarity and awareness increase the effectiveness and the speed of your ability to respond.

 

I love hearing stories of people who have had an unconventional route into cybersecurity. I think it’s a very positive and powerful message to hear. You mentioned there that your campaign is you’re applying for a rank rather than for a specific role, and that somebody had obviously spotted specific transferable skills that you had. Would you mind sharing a bit more about what you believe those transferable skills were or are?

I would describe them best as core skills. Some people say soft skills, I’m not a huge fan of that. I think it can really imply that you are lesser than or it’s not as important. I like to say core skills. Essentially, I would say there are probably three areas. The first is communication. With that, obviously running a team that had a national unit, you would need to work with people in many different sectors, many different organizations, both public sector and private sector, and at different levels, operational levels, all the way through to senior leaders and strategic forum.

Communication absolutely was the top skill that mattered most in this space, so that you could essentially translate a conversation or a topic and achieve what you needed to achieve in that role. The second skill I would say is probably the leadership skills and strategic thinking. Many conversations I’ve had throughout my career, people have said, “Leaders and leadership skills are saved for the senior roles.” I think anyone can be a leader in your space. If you are developing something, if you were doing something novel or creative, or you have simply taken a step forward to help bring people together, then that absolutely means you are a leader, regardless of your role.

Whilst I was in a management and leadership position, I think those skills were deemed pivotal to be able to take an idea and a vision forward, and get people to understand why you were doing some and what the outcome and benefit for everybody would be in that space. Definitely communication and leadership. Finally, and I suppose it’s an element of communication, but it’s about listening skills and the ability to understand the situation that’s presented to you, and tailor and flex your style and ability and approach.

Obviously, there are many different views and ideas that you can take forward in your space that you need to be tuned in to what the actual requirement may be. Attention to detail and that listening ability, and then translating it into the next project. I certainly think those are some top skills I had to draw upon to my journey in that role specifically.

Comparison is the thief of joy.

As you described, they are definitely core skills that anybody needs in any industry and sector, but I think particularly so in the way that cybersecurity space is evolving at the moment, then those skills are in high demand. Tell us a bit more about what you do on a day-to-day basis in your role at CrowdStrike.

No two days are the same, as cliché as it may be. There are themes and similarities but lots of different conversations. There are a few paths on my role. The first is around working with our organization to enhance the incident response readiness. What I mean by that is getting prepared ahead of an incident to be able to deal and respond to that particular situation that they face. There’s a whole range of benefits in doing that. Not least familiarity and awareness, increase in the effectiveness and the speed of your ability to respond, given that time is always of the essence in these circumstances. That’s a huge focus for me is that preparedness initiative drilling down on some key aspects, whether that’s how you seek support in responding to an incident, what barriers you may potentially face, and how can we overcome them proactively.

The other aspect of my work is more strategic in the sense of supporting organizations in their broader security programs. Working with them to understand what keeps them up at night, what’s the biggest concern, what’s the priority, and how we can help them address those concerns and priorities. Security programs are always changing. They’re always evolving, very dynamic, and you can never do everything all at once.

It’s about having conversations with our clients across this region about what matters to them, and how best we support their effort so that they increase their resilience and readiness in that space. That’s broadly speaking of the day job. I’m really fortunate to have a couple of extra pieces of work that I can do in CrowdStrike relating to inclusion and thought leadership as well, which is fantastic. I’m very fortunate to have the time and opportunity in that perspective.

It sounds like you really enjoy the work that you do, which is brilliant. When you enjoy your work, it makes it so much easier. Since you’ve moved into the IT or the cybersecurity sector, what has been your biggest challenge in your career so far?

CGP 23 | National Cybersecurity Awareness Month
National Cybersecurity Awareness Month: To be inclusive with others, we can have thematic and strategic conversations around diversity and inclusion.

 

I would certainly say it’s around building confidence. We talked about how many people find themselves in cyber in unconventional ways, different routes and paths. I think that contributes to things like Imposter syndrome. Many people, if not everyone, suffer that, and it comes in peaks and troughs, but that was an area that I struggled with to begin with.

What comes hand-in-hand with that is building confidence and having faith and belief in my skillset and my abilities. That was quite difficult to begin with because when you would look around in cyber, it’s still fairly male-dominated. There’s still quite a technical focus rather than a core skill focused certainly at the time that I came into the industry. That sometimes can make you feel like, “I’m not quite like person X, I don’t have that knowledge of person Y, and I wouldn’t take that approach.”

Sometimes, you can then doubt your abilities and whether you’re in the right space and doing the right thing. For me, I had to overcome that because otherwise, you would be impacted both personally and professionally, and suffer in terms of not being able to really do and be who you wanted to be. I had to take the time to reflect and realize that I was in a position I was because of the skills and experience I had. They may have been different for other people, a different perspective, a different mindset or a different approach. I had to remind myself of that on a regular basis.

There’s a quote, “Comparison is the thief of joy.” That’s absolutely true. Remember the skills that you do have, and it’s not necessarily all about certifications. I came into the industry without anything like that. It was about lived experience and ability to apply knowledge. Realizing that position was fundamental to overcome that challenge. Don’t get me wrong, it can still be a challenge now, but it’s much more in check. I also have a wonderful mentor who I met through a Women in Technology program, who supports me create the safe space and has honest conversations, and helps me understand more about my potential and current value as well. That’s certainly been the biggest barrier that I’ve had to overcome.

It’s interesting you talked about a mentor because one of the other women in this mini-series talked about having a mentor as well, and how helpful that had been for her to believe in herself and to apply for the next role and to develop her career. It’s good to hear you talking about that as well. What about your proudest achievement? What’s that been?

If you wait until you feel ready, it’s usually too late.

This is always difficult to talk about. It’s not a question people ask one another so often. For me, I was nominated for a Global Women In Tech Award. That means a lot to me because it focused not just on my work in cyber incident response, but also predominantly about the work I’ve done for inclusion and inclusive practices with incidents.

I would say I’m probably most proud of it because it was the results of the work that I did a few months ago with the forum of incident response and security team. I was selected to speak at their conference. I thought about what we can do to be inclusive with them. For me, a lot of conversations and a lot of narrative, quite rightly, is always about thematic and strategic conversations around diversity and inclusion. Sometimes, those in teams and every individual every day might not feel that relates to them directly.

I wanted to take a moment to speak to those individuals within teams within the global forum to say, “This is what we can do as individuals and actually make it specific real examples, bringing it back and relate for their daily work. That was a fabulous opportunity for me to bring two topics I love together, and a wonderful moment to hear about the nomination as well. That’s where I’m at in terms of proudest achievements.

You’ve done a lot of work around inclusion and representation. What do you see are some of the potential barriers for women working in this sector?

The most prominent barrier at the moment is a lack of representation of women in two areas. The first in senior leadership roles and the second in technical roles. The industry is very vocal and passionate and supportive of having diverse representation, having women in the workforce. There are conversations about how cyber is not just technical, so women in roles that are non-technical and that are outside of the day-to-day hands-on keyboard activity, and they intersect with cyber, was certainly getting there and recognizing that and bringing women into the sector in that regard.

CGP 23 | National Cybersecurity Awareness Month
National Cybersecurity Awareness Month: Choose opportunities that you think will be best for you to support your interests in that area.

 

When it does come to senior leadership and technical hands-on keyboard positions, that is where we lack the visibility and representation. It’s important for me because we want to feel like we can have a career path and that we can do something. Everyone likes to see someone role model that opportunity. Without that can make it quite a challenge to showcase and explain to individuals and to women what a great path this career can take you on.

You’re right. There are a lot of organizations that are actively wanting to improve diversity and increase inclusion, but it’s not having those role models at the senior levels and in the technical areas. There’s that quote, “You can’t be what you can’t see.” The more we have those role models, then the more it becomes a snowball effect. Any top tips for anybody who wants to get into cybersecurity via a conventional or an unconventional route?

There are many, and I’m sure you’ll hear some fabulous tips from all of the guests on this mini-series, but I think there are two. The first is to leverage what’s out there to support women. There are amazing networks, free training programs, and I mentioned the Women In Technology mentoring program that I joined a number of years ago. There’s so much out there, so just have a look, make the most of it, choose opportunities that you think will be best for you to support your interests in that area. You don’t need to be in a cyber role to join any of those. You could just be thinking about IT and tech position. Definitely leverage those opportunities. There’s more now than there’s ever been before.

The second tip I would have is there’s no better time than doing it now. Both for those reasons around the opportunities, but also because someone once said to me that if you wait until you feel ready, it’s usually too late. I completely agree with that. Taking a moment to leap into a new opportunity or just signing up to a program or a training course. Even if it doesn’t fully fit with what you’ve got going on right now or if you think, “I need another six months and then I’ll be ready,” just do it because something will always come in the way. That’s my main tip and something which stayed with me for my entire career so far.

I love that piece of advice. I think it’s so true because so often we put off doing things because, “I’m not quite ready or I don’t quite have the right experience yet,” then you can look back later and think, “If only I had done it sooner, if only I’d just taken up that plunge.” Emma, thank you so much for joining me. It has been interesting to hear about your slightly unconventional route into cybersecurity, but I think that’s a very positive thing to hear. I’ve loved the tips that you’ve shared as well. If people want to get in touch with you, I guess LinkedIn is the best place to do that, correct?

Yes, absolutely. Please reach out. I’m always happy to provide pointers and advice on joining the sector and where to leverage those opportunities.

Thank you so much, Emma, for joining me. We’ve been reading about Emma Jones talking about her career as a woman in cybersecurity. If there’s a spot of thought in your mind, let’s talk. Let’s talk about any questions you might have about the work I do in cybersecurity companies on attracting, developing, and retaining your female talent. Just email me at Sherry@SherryBevan.co.uk to book your free consultation call. Thank you, Emma.

Thanks. It’s been a pleasure.

 

Important Links

 

About Emma Jones

CGP 23 | National Cybersecurity Awareness MonthEmma is a Senior Consultant with CrowdStrike, who works with organisations across the UK, Europe, Middle East and Africa on a range of cybersecurity incident response and readiness initiatives. Alongside her day job, she is passionate about fostering inclusion and championing diversity, and is involved in multiple associated projects.

CGP 24 | National Cybersecurity Awareness Month

National Cybersecurity Awareness Month Special: Cybersecurity Is A Mission, Not A Job With Laura Whitt-Winyard

 

Cybersecurity is a mission, not a job. Today’s guest has 20+ years of experience to prove that. As part of our National Cybersecurity Awareness Month miniseries, we talk to Laura Whitt-Winyard, CISSP, CISM, CISA, CRISC, a Fellow at the Institute for Critical Infrastructure Technology and International Advisory Board Member at HMG Strategy. Laura got herself to cybersecurity through a slightly unconventional route. Now, she is one of the industry’s respected thought leaders and a role model for women in the space. Tune in as she joins Sherry Bevan to talk about her typical day as a CISO, the challenges she had to go through in her career, what she enjoys about her work, and the wisdom she can impart to women working in the sector.

Listen to the podcast here

 

National Cybersecurity Awareness Month Special: Cybersecurity Is A Mission, Not A Job With Laura Whitt-Winyard

In this mini-series, to celebrate National Cybersecurity Awareness month, I’m talking to a range of women about their careers in cybersecurity. In this episode, I’m delighted to be talking to Laura Whitt-Winyard. A very warm welcome to you, Laura.

Thanks, Sherry. Thanks for having me.

Laura has a whole string of letters after her name. She’s got a range of qualifications. She has worked for some leading companies, including Comcast and Bloomberg. Let’s jump right in and find out more about Laura’s career in the cyber world. Laura, could you start by telling us how you started in IT and cybersecurity and how your role has evolved over time?

I have been in cybersecurity for many years. I started in IT, and it was by accident that I went into cybersecurity. One of the companies that I was working for was Allstate Insurance Company. They were doing a lot of business with CNA Insurance Company in Chicago. Having talked with the CISO of a CNA insurance company, it turned out that their security architects had sabotaged their networking.

He asked me if I thought it was something I’d be interested in trying to help him fix, so I did. That’s how I got into cybersecurity. Subsequent to that, I realized that cybersecurity was my passion. It’s always changing. You never get bored. You’re constantly learning. You have the ability to affect positive change. Subsequent to that, I moved from CNA to Bloomberg, where I worked for some amazing people. I went to Comcast and worked for even more amazing people. It was a wonderful experience. It’s always an opportunity to learn.

That was quite a start in cybersecurity, being asked to pick up where somebody else has done some real damage, by the sounds of it.

CGP 24 | National Cybersecurity Awareness Month
National Cybersecurity Awareness Month: Typically, when you start a new company as a female, they assume you understand regulations compliance, and maybe the legal aspect, but definitely not the technical aspect.

 

It was crazy. I had to learn on the fly, which is probably one of the best ways to learn.

It’s interesting that you’ve got a slightly unconventional route into cybersecurity. That seems to be a common theme in this mini-series. Quite a few of the women I’ve interviewed already have not actively looked for a career in cybersecurity but landed in it by chance, almost.

Back in the day, very few people intended to go into cybersecurity. It wasn’t a career route that most people even knew about.

It’s very true. Perhaps you could tell us a bit more about what you do on a day-to-day basis in your role.

On a day-to-day basis, you spend quite a bit of time working on strategy and vision, trying to discern where the company is going, aligning the security strategy with business objectives, as well as staying on top of the latest trends, understanding a couple of years ago nobody thought too much about quantum computing. They thought it was so far off. Now it seems it’s on our doorstep. You spent a lot of time looking at what’s advancing in security and the latest trend and factors, but then taking that and marrying it with your strategy and the company objectives.

That sounds like a lot of thinking power that goes on in that type of role because you are having to look at what’s coming and predict how that might influence or affect operations for your business.

Cybersecurity is always changing. You never get bored, you’re constantly learning and you have the ability to effect positive change.

There’s quite a bit of a prediction, and I would venture to say even guessing. You look at what’s going on and try to ascertain how it could impact your company and its customers. Sometimes you get it right. Sometimes you get it wrong. Sometimes you’re too advanced for the company or are a little bit ahead of the time, and you’re not ready for it. A good example was when I was at Bloomberg. I was exploring anomalous detection back in 2005 and 2006. The cybersecurity world wasn’t ready for it, and neither was Bloomberg. Now, everybody talks about anomaly detection.

That’s one of the interesting things about working in this sector, particularly in technology, because it’s evolving quickly. There have been quite big changes as well over the last couple of years. Nowadays, the general public has more awareness and understanding of cybersecurity in general.

It’s extremely beneficial to a CISO. There’s a saying that says, “Don’t let a breach go unutilized.” The fact that it’s become more prevalent in the news, less and less executives and companies as a whole are saying, “That happens to other people. It doesn’t happen to companies like ours. We’re too small. Nobody knows who we are.” Now they’re realizing that is not accurate.

That general awareness has increased amongst the business itself rather than just being something that IT and the technical people understood. That’s a real positive in some ways.

It helps security leadership be able to explain the ramifications of not doing certain things and the benefits of doing certain things. It makes it much more applicable to the business in their everyday life when they see what can happen to other companies.

Tell me a bit about your career. What’s been the biggest challenge that you’ve had to deal with?

CGP 24 | National Cybersecurity Awareness Month
National Cybersecurity Awareness Month: There’s not one single person in cybersecurity who knows everything. Find your niche, find what you love to do in cybersecurity and focus on it.

 

I would say probably as a female being perceived as not technical. That’s the biggest challenge. Typically, you start a new company, they see you as a female, and they assume you understand regulations, compliance, and maybe the legal aspect, but not the technical aspect. It’s always, in a way, a little bit fun once they realize how extremely technical I am and the shock on their face. That’s one of the biggest challenges.

How do you get around that challenge? What do you that makes that less of a challenge?

It takes time working with the engineers, engineering leaders, and product leaders and being able to make recommendations that aren’t so along the lines of checking a box for compliance to say, “Maybe we can’t do this, but here are some opportunities and options that we could do something else.” Security coverage is typically surprised about the technical record I make, and it takes time being able to explain that to people.

That’s true in any organization, but perhaps more so for a female entering a very technical career, which is a bit frustrating at times. Hopefully, over the next few years, we’ll start to see that changing, and it would be becoming less of an issue. What about the things you’ve been most proud of in your career so far?

Becoming a CISO. I was very excited and proud. I must admit I was a little bit too excited and in disbelief that I had made it to the pinnacle of my career. Some of the other things I’m proud of is coaching some of the folks that have reported to me into other security leadership roles. I still maintain those relationships with them to this day and ensure that they pay it forward, and then also take chances on people who have never even once worked in cybersecurity but have a security mindset. Maybe they do Capture The Flag competitions and win in their free time, but they’ve never worked in cybersecurity or been educated in taking a chance on them and watching them flourish. That is also a very proud moment for me.

That must be a real fuzzy feeling moment for you to see people you have taken a risk with and to see them flourish. In some ways, it is even more rewarding than taking someone on who’s got the experience and the qualifications, and they flourished. Taking someone on where you’ve taken a risk is something extra.

Cybersecurity is not a job. It’s a mission. You’re not just there to protect the company. You’re there to protect their customers and their employees.

I hired a grocery store manager who didn’t have a degree at all, had no cybersecurity certifications, had never worked in cybersecurity, but had a massive server environment in his basement and entered Capture The Flag competitions in his free time. These are hacking competitions and had won several. He did not apply for the job. Someone that was a friend of his said, “You should look at this guy.” In talking to him, I was amazed.

It was the fact that nobody would ever pick a chance on him. He’s now flourishing. He’s doing so well. He’s paying it forward. He’s helping bring new people into the security community, which is half the battle. As you know, we have a skills shortage, and there are not enough cybersecurity people. For him to pay it forward to every person that I help pays it forward is a wonderful thing to see.

Paying it forward is so important, particularly since there is a skills shortage in cyber. The more good people, the more good talent we can bring in. Often they can be the ones who will be perhaps better at persuading others who don’t have that cyber experience. This is a field that you can work in and can flourish. That’s good. What is it that you enjoy about the work that you do? You clearly enjoy developing people, coaching, and watching them grow, but what else is it that you enjoy about the work?

It’s the ability to affect positive change to do good. When you work in cybersecurity, it’s not a job. It’s a mission. You’re not just there to protect the company. You’re there to protect their customers and their employees. It has a ripple effect. If I saved one customer from having a security incident or losing their data, that would affect their livelihood.

That also, in turn, affects their family. That ripple effect is part of why I do this. I also love speaking about cybersecurity. I’m passionate about it. You can ask my husband, who rolls his eyes every time we’re watching a show, and I’m talking about cybersecurity. In the cybersecurity community, this mission that we’re on is much bigger than the individual and the company. It’s a global issue.

What do you see as some of the potential barriers or challenges for women, in particular, starting or getting promoted in cybersecurity?

CGP 24 | National Cybersecurity Awareness Month
National Cybersecurity Awareness Month: Get as much knowledge as you can. Anytime you read something that is not resonating, Google it, research it, YouTube it, learn as much as you can.

 

One of the barriers is that they’re afraid of not knowing something and looking like a fool. One thing I’ve always said is there’s not one single person in cybersecurity who knows everything. It’s impossible. Find your niche. Find what you love to do in cybersecurity and focus on it. Don’t let anyone tell you that you don’t have enough skills or knowledge because you will get it. Not everyone has all of it.

What do you see as being the most important skills for anybody working in cybersecurity?

It’s the ability to translate technical into business. Being bilingual is one of the hardest skills to learn to be able to explain to the business something extremely technical but in a manner in which it relates to them and their business.

It’s that communication piece. That’s true no matter what part of technology you go into, particularly cybersecurity because it has a potential impact on the business itself. You need to be able to explain things in a way that others can understand so that it makes sense to them and that they know what decisions they’re making and what the ramifications are.

I still struggle with that. Many people in cybersecurity are of a different mindset. We’re very technical, logical, literal, and to be able to go into a conversation with varying personalities, if you’re speaking to the board or someone in risk, or development even, and to be able to set aside your technical knowledge and put it into language they understand. I have trouble with it even still to this day.

That’s true, no matter what field you work in. When you’re an expert in what you do and that knowledge is part of who you are, then it’s easy enough to take for granted what other people’s knowledge and understanding are. It’s such a common thing. What are the tips that you might have for women who are thinking about getting into cybersecurity? What would you suggest they do if it’s getting into the sector or want to make progress in the sector?

It’s really important to find out what your passion is within cybersecurity – what interests you, what really drives you. Hone in on that and learn as much as you can.

Read as much as you can. By read, I don’t mean books. By the time a book is released, some of that technology is already legacy. Read cybersecurity news. Set up alerts on your phone about anything cybersecurity. If you read a news article and you’re wondering, “What does this mean?” google it. Learn it. Try and research it. There’s free cybersecurity training out there all over the place. Go to security conferences. The security community nowadays is very different from what it was several years ago.

The security community nowadays is very much a community. Whereas several years ago, it was the most knowledge wins. I’m not sharing my information with you because you’ll be as smart as I am. There are things called BSides. There are tons of security conferences. The one I go to every year is DEF CON. It’s an annual hackers convention where anywhere from 20,000 to 30,000 hackers from around the world attend. It’s a very inexpensive conference compared to the others. Get as much knowledge as you can. Anytime you read something that is not resonating, google it. Research it. YouTube it. Learn as much as you can.

I was talking to somebody on a completely different subject the other day. We’re talking about bike mechanics. I cycle. I remember her saying, “You can learn whatever you need to learn nowadays. You can just YouTube it, and you’ll find out whatever it is you need to know.” The same is true for cybersecurity because so many people now are sharing their knowledge so much more openly on the podcast, YouTube, blogs, and things like that.

How many times have you had something going on at home, like your dishwasher or something, and you go to YouTube for a video on how to fix it? The same is true with cybersecurity. There’s so much to learn. There are so many different aspects of cybersecurity as well. Like I said, it’s important for you to find out, “What is your passion within the cybersecurity arena? What interests you? What drives you?” Hone in on that and learn as much as you can.

Thank you so much for sharing those tips. That knowledge piece is helpful. Often, women tend to have a tendency to think if they don’t know all the answers, therefore, they’re not good enough, expert enough, or don’t have the relevant experience. As you say, you can research so much nowadays online that there’s no reason to feel like that.

That happened to me early on in my career. I would not speak up. I would not say much in meetings for fear of looking like I didn’t know what I was talking about. It’s that insecurity. If I could say something to myself back then, it would be, “Don’t worry about being insecure. Almost everyone at the table is as insecure as you are. Not everybody knows everything.”

CGP 24 | National Cybersecurity Awareness Month
National Cybersecurity Awareness Month: Don’t worry about being insecure. Almost everyone at the table is just as insecure as you are and not everybody knows everything.

 

It’s such a good thing to remember. Thank you so much for your time, Laura. If people want to get in touch with you, is LinkedIn the best place to do that?

LinkedIn or Twitter, either one.

Thank you so much for joining us. I’ve enjoyed hearing about your career in cybersecurity. I love the fact that your start in cybersecurity was less than conventional, but being asked to go in and fix something that had gotten broken. That’s good to hear from that point of view how you got into cybersecurity. It’s clearly an industry that you’re passionate about and love.

Thank you so much for having me. Anyone who would like some free tips, coaching, or any websites I recommend for following the news or free cybersecurity training, can always reach out to me on LinkedIn or Twitter.

Thank you so much. If you’ve enjoyed reading about Laura’s career as a woman in cybersecurity, you can find more episodes at SherryBevan.co.uk. If this has sparked a thought in your mind about how to develop and retain your female talent in cybersecurity, please do get in touch with me, and let’s arrange an exploratory call. Thank you so much, Laura. Thank you to everyone who’s reading. See you next episode.

 

Important Links

 

About Laura Whitt-Winyard

CGP 24 | National Cybersecurity Awareness MonthLaura Whitt-Winyard is a Fellow at the Institute for Critical Infrastructure Technology and an International Advisory Board Member and Women in Technology board member at HMG Strategy. Previously, she was the CISO of Malwarebytes, Global CISO for DLL Group, Director of Security for Billtrust, and held senior leadership positions in security at Comcast and Bloomberg, LP.

CGP 19 | Leadership Coaching

Narrowing The Gender Pay Gap Through Leadership Coaching

Too often, we question the impact a leadership coach can make. Is it practical, when do you need one, and will it be worth the investment? In this episode, host Sherry Bevan shares tips and important points to consider when selecting a leadership coach. Choosing the right coach can contribute to achieving your goal as a company, team, or individual. Tune in and discover how leadership coaching can work for you.

Listen to the podcast here

 

Narrowing The Gender Pay Gap Through Leadership Coaching

In this episode, I’m going to share with you how leadership coaching can help strengthen your female talent pipeline and close your gender pay gap. In my years of working in technology and ten years, in particular, specializing working as a leadership coach in the technology sector, I have absolutely seen the transformative power that leadership coaching can have on individuals, teams, and whole companies. What I want to share with you is how it works, when it might be a good time to consider using a leadership coach, when it’s most effective, and what the benefits of coaching are.

How Does Coaching Work?

We’ll spend a little bit of time thinking about the pros and cons of whether or not you use an internal versus an external coach. If you are going to go external or even look at somebody internally, what to look for in that coach. I will talk a little bit about the coaching process and what else you might want to consider running alongside coaching. First, let’s think about how coaching work. What’s the point of leadership coaching? How is it going to help you strengthen your female talent pipeline, and in the long-term, how is it going to help you close your gender pay gap?

When you are working with a coach, there are a few real positives that individuals will get from the coaching process. For a start, it helps to build self-awareness and awareness of your strengths and your skills. Also, opportunities for improvement – where you have knowledge gaps and where you have confidence gaps so that you can then decide whether or not you want to fill those gaps depending on the progress that you are looking for in your career.

Building that self-awareness and getting crystal clear on your skills and your strengths so that in itself gives that individual more courage and confidence. Therefore, they will be more likely to take that next step in their career. Coaching works because of that strengthening of your self-awareness that will enable an individual to have that courage, to have that confidence, to increase their visibility so they make a bigger impact.

That means that they are able to improve and strengthen stakeholder relationships that they might have so they get more visible in the workplace. Therefore, they are more likely to be front of mind when it comes to considering candidates for new opportunities, promotion, or getting involved in other activities.

It’s that self-awareness and that recognition of your own strengths and talents that give individuals the courage to take more risks. More risks often result in more creative and innovative thinking, which can help that individual to make a bigger impact. At the end of the day, if they are coming up with more creative and innovative thinking, that can be a real benefit for your organization.

Coaching often starts with small changes, then gradually, over time, moves up to making bigger changes.

Often, when somebody is going through leadership coaching, they are more willing and open to look beyond their immediate team and their company for fresh ideas and perspectives. It can be valuable when you are looking to develop new lines or to strengthen the relationships you have with your clients.

It’s that courage to take more risks that allows them to make braver decisions. Perhaps decisions, they might be feeling a little bit tentative about making and a little bit hesitant, but having that confidence once they start to see what else they can do. Often with coaching, it starts off with small changes and then gradually, over time, moves up to taking bigger changes, which at the start might have been too big a step to take.

As time goes on and the coach will work with the individual to build their confidence and courage so that they feel they can take those brave decisions three months into a coaching relationship. Those decisions might not feel as big, scary, or as daunting because, over time, they have developed that confidence and courage in themselves.

It’s that better decision-making that will help to develop their leadership skills and confidence. The one thing that I would also point out with leadership coaching and I have seen this on occasion. When you take on a coach, whether you bring that person in from externally or you match somebody up to work with an internal coach, sometimes it might lead to decisions that you weren’t expecting.

I have seen it where somebody has gone through leadership coaching, looked at their strengths and values, how that was in alignment or not with the company’s values, and decided they don’t want to stay with the company anymore. It can lead to people leaving. That is the caveat that the more you are giving that individual, the more confidence, increasing their visibility, encouraging them to think differently and creatively, and have the courage to take more risks. One of those risks might be to leave.

When Is A Good Time To Use A Coach?

When is a good time to use a coach? Often, I see that people will bring coaching in when there’s a particular change of experience. For example, if somebody is being promoted into a new role, they are taking on new responsibilities, or they are taking the same role, but in a different department, that often can be a good time to focus on getting that person settled into their new role and hitting the ground running.

CGP 19 | Leadership Coaching
Leadership Coaching: Coaching helps to build self-awareness of your strengths and skills and opportunities for improvement.

 

That’s one time when you might feel it’s appropriate to bring in a coach. Another time that often sees if you are making a company-wide change management program. Perhaps you’ve gone through a restructuring, developing new service lines, or targeting a new sector. That often is a good time to bring in a coach to help and support your leaders, start to think in a different way, think more creatively, and foster that innovative thinking. That’s another opportunity for you to bring in coaching.

Another time that I often see companies bring in a leadership coach is for people who are coming back from maternity leave to help them get settled back into their roles. Often if they have taken nine months or a year out, or they have taken shared parental leave, a lot can change in an organization in that time.

Sometimes, coming back from maternity leave, you have left one job and you’ve come back, and the role has changed or maybe they have changed department or the structure of their team has changed. Having that coaching on that return can be valuable to rebuild that person’s confidence and leadership skills. Help them redevelop or create new stakeholder relationships. Coming back from maternity leave or some other long-term absence, perhaps if the person has taken long-term sickness, for example, or had to take time out for caring responsibilities.

When Is Coaching Most Effective?

Coaching itself is most effective if the individual who is being coached has a willingness and an open mind to the change and embraces new patterns of behavior. It helps if they can be humble about what they do know and what they don’t know, somebody who is curious to explore new perspectives. Coaching can be effective when somebody is willing, able, and ready to recognize and accept their strengths, challenges, and blind spots, and if they are willing to learn more about themselves. That’s when coaching can be powerful.

It’s that curiosity to explore new perspectives and to be open to new ideas and possibilities. Some of which may come from simply having that time and space to articulate their thoughts and ambitions. Some of that may come with being willing to explore further outside of the organization and get that fresh perspective and ideas from outside or in date, ideas from the coach themselves.

We know that coaching works. From your point of view and the company’s point of view, it means that more women are more likely to put themselves forward for promotion or more likely to apply for new roles, so you get more women in those leadership positions. That becomes a self-perpetuating cycle, doesn’t it? We all have heard that thing that you can’t be what you can’t see. The more women you do have in those more senior roles, the more likely it is that other women in your organization, perhaps junior talent or your future talent, will see that that is possible. That is something that I can aspire to, and at the end of the day, that is what is going to start to close your gender pay gap.

Coaching can be effective when somebody is willing, able, and ready to recognize and accept their strengths, challenges, and blind spots.

The Power And Value Of Coaching

Coaching is powerful. It’s so valuable. It develops a person in the workplace, but it also develops that individual outside of work as well. That in itself is not perhaps necessarily going to benefit you as an employer. What it does do is increase, strengthen, and build employee engagement. That, in turn, is going to help you to build a strong employer brand and an employer brand that’s going to attract the best of the female talent that is out in the market.

By strengthening your female talent pipeline, it’s going to help you to increase retention. It is reducing attrition, which means you will save money because you will no longer be going to have to go through the recruitment process on such a regular basis. It’s also going to get the absolute best out of those individuals that you put on a coaching path because it means they are going to be able to maximize their performance and productivity. It helps them to develop their leadership skills so that the team as a whole, not just that individual, will be able to increase their performance and productivity.

Working With An Internal Coach Versus An External Coach

Often, when I’m working with clients, they might not be sure at first whether or not they want to use an internal coach or an external coach. Let me take a couple of moments to think about, explore, and ask you some questions about which do you think is going to be the most valuable. When you are working with an internal coach, one of the big benefits of that is the person already knows the organization. They truly understand the culture and the values. They will understand the unspoken rules, if you like, of the organization.

That in itself can be a limiting factor because it also means they might not be as open to new ideas. They are less likely to question or challenge something that the coachee, the person being coached, an idea that they come up with because it fits into the company’s existing culture and values. From the coachee’s perspective, they might wonder whether or not that individual has an ulterior motive or a hidden agenda for being their coach.

That’s unlikely to be a conscious thing, but it might stymie or hamper conversation so much because if you are working with somebody and you are worried about whether or not what I say is going to get back to my manager or to my manager’s manager, it might mean that conversation is not as open and honest as it could be if you are working with an external coach.

There’s that potentially slight niggle of the back of the mind around confidentiality. If you go to an external coach, for example, so somebody like myself, where I come in and work with individuals in your organization or with a team of people in your organization, obviously, there are going to be some advantages in that.

CGP 19 | Leadership Coaching
Leadership Coaching: When you take on a coach, whether you bring that person in from externally or match somebody up to work with an internal coach, it sometimes leads to decisions you weren’t expecting.

 

I am completely independent. As far as I’m concerned, I have no hidden agenda. I don’t have a reason for wanting that person to take on a particular role or for that person to want to be more assertive or less challenging. I don’t have a reason for wanting that person to change their behavior so I can be completely independent.

Confidentiality is something absolutely that you can rely and depend upon, as can the coachee themselves. That does mean it can change the nuance of the conversation because coaching is about creating that safe, protected space for the individual to articulate their thoughts, beliefs, and feelings. If they know that it is absolutely confidential and isn’t going to pass outside of the room, they are more likely to relax and open up, which means in the coaching process, that transformation can be much deeper.

As an outsider, I bring in a fresh perspective, fresh ideas, and different ways of thinking, and that can be helpful. Particularly, if you want the person to take on coaching because you want them to be more creative and innovative in the way that they develop their team or the way that you develop your services or work with your clients.

As I’m not so familiar with your culture and values, I don’t know what the expected behavior is. I’m more likely to help the coachee question. I’m more likely to challenge the coachee if they say, “We can’t do it like that.” I’m more determined to say, “Why not? I have seen it done like that in other organizations.”

There is an advantage of bringing somebody in from outside. It can change the whole feeling around the coaching. There’s that confidentiality. It’s that fresh perspective, but on the other hand, I’m not going to know the company culture and values, or understand the intricacies of the organization and how your matrix management works, for example. However, as a coach, I would always argue. I don’t need to know that detail because I’m not coaching you about your organization. I’m coaching you about your strengths, skills, values and leadership skills, helping the individual to make decisions on how to improve their performance at work.

Having thought about the pros and cons of working with an internal coach versus an external coach, the next thing to think about is what you look for in a coach. That professionalism, integrity, and confidentiality for me are absolutely key. I would always encourage you to work with somebody that you feel you can trust.

One key skill when working in a coaching relationship is the ability to hear and recognize what’s not being said.

When you have that coaching relationship, it can be quite a powerful relationship between the coach and the coachee. Most definitely, it needs to be a good sense of rapport between the coachee and the coach. I wouldn’t necessarily recommend that if you are looking to bring leadership coaching for your female talent, I might not be the right person to work with every single one of your female leaders, but I will be the right person to work with some of your female leaders.

Making The Relationship Work

There’ll be other coaches with who the relationship will be better suited for different people. One of the key things in a coaching relationship is the actual relationship like, “How is this going to work? Do you trust me? Do you have confidence in me? Do you feel that you can be open and honest when you are working with me?”

The other thing I would say when you are looking at coaches is making sure that you are finding somebody who’s got experience in coaching. It’s very difficult to be completely transparent about the people that I have worked with because often, the confidentiality follows through after the coaching relationship has finished. I couldn’t necessarily tell everybody I have worked with because not everybody is willing to share that information. Knowing that I have got that experience and worked with companies in your sector is a real bonus when it comes to selecting the right coach.

Having worked in technology all my life, having been a woman or a female leader in technology, I completely understand and empathize with the challenges that a woman brings. Also, the opportunities. I have seen how that works in lots of different organizations. I’m bringing that experience with me to the table.

The coaching process itself, let me spend a couple of moments thinking about that. One of the key things with the coaching processes is to create a safe space for the participant so that they have the confidence, the safety, and the openness if you like to be able to express their inner thoughts, beliefs, and feelings, the more that you can articulate those thoughts. For example, I have been working with somebody who, at the back of her mind, niggle about her future career prospects at her current employer.

Together, we have formulated a plan so that she can go and talk to her manager about that. That is going to free up her mind so that she can then focus and concentrate on other aspects of her work in a more authentic way. It’s about creating that safe space so that you can articulate those thoughts, beliefs, and feelings that might be nibbling away at the back of your head, and you can’t quite put your finger on why you are not happy or why this feels in conflict. It’s that safe space that is powerful and important.

CGP 19 | Leadership Coaching
Leadership Coaching: One of the key things with the coaching process is creating a safe space for the participant so that they have confidence, safety, and openness.

 

What does a coach do when they are coaching? This sounds so simple. It’s crazy that people pay me to do this, but basically, the crux of it is I sit, I listen, and I ask questions. I will ask open questions, but at times I will challenge and reflect back on what I’m hearing. One of the key skills when you are working in a coaching relationship, if you are the coach, is the ability to hear and recognize what’s not being said.

That is so important because when you are working with somebody inside the organization and you are having a conversation at lunchtime. Perhaps you are stuck on a problem, or you are wondering how to tackle a particular challenge. Talk to somebody else in the organization. We all inevitably fall into the same way of thinking, in particular, company culture. You might not get that different perspective. You might not get the person questioning or challenging you. What’s making you think about doing that, or what else could you do?

It’s simple as it sounds, but it’s very powerful. Coaches listen but they also ask questions. They reflect, they challenge, but also, they hear what’s not being said. One of the fundamental parts of the whole coaching process is that the coach will always ask the client to make a commitment and be very specific about the actions that they are going to undertake before that next coaching session.

Personally, as a coach, I will always ask the person to write down the action and say it out loud to me. What I do at the end of the session is ask that person to read out what they have said. I record it as well so that when we come back at the next session, I can say, “How did you get on with X?” If they didn’t get on with X for whatever reason, “What got in the way? What can we do about that? How can we stop that blockage from happening next time?”

Coaching can be a powerful process. It sounds super simple and I talk about it in those terms, but it’s a powerful tool to develop the leadership skills in your female talent and strengthen your female talent pipeline. At the end of the day, you are going to increase retention, reduce attrition, and close that gender pay gap.

Thank you so much for joining me. I hope you found it useful to hear about how leadership coaching can work and how it can help you to close your gender pay gap. More episodes on closing the gender pay gap at SherryBevan.co.uk. If this has sparked an idea for you and your organization, or if you have been thinking about bringing in some leadership coaches, please do book an exploratory chat with me.

That will give you the opportunity to ask any questions you have about the leadership coaching that I do, either individual or team level. A variety of levels, from your future leadership candidates to heads of departments or directors. I do that coaching right now with a range of cybersecurity and technology companies to support them in staunching the female talent pipeline. If that’s of interest, please do get in touch with me by email, Sherry@SherryBevan.co.uk, to book your call. Thank you for reading. I will be back next time.

 

Important Links

CGP 18 | Cybersecurity Female Talent

Challenges And Best Practices In Attracting And Retaining Female Talent In Cybersecurity

In the spring of 2022, Sherry Bevan hosted a round table where she invited several cybersecurity companies to talk about attracting and retaining more female talent into cybersecurity. Representatives from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security came along and participated in a fruitful discussion. They looked into attracting more women into cybersecurity, tackling unconscious biases in hiring, retaining female technical talent, internal role modeling, and closing the gender pay gap in the industry. In this episode, Sherry shares her reflections about the round table. Listen in as she breaks down the discussion’s salient points that reveal deep insights into the state of female talent in one of the fastest growing sectors of the economy.

Listen to the podcast here

 

Challenges And Best Practices In Attracting And Retaining Female Talent In Cybersecurity

Reflections On The Spring 2022 Round Table

In this episode, I’d like to share my reflections from my spring round table in which I invited several cybersecurity companies to come and talk about how we attract more women into cybersecurity, and once we’ve attracted them, how do we keep them there? Before I move on, I will tell you a little bit about my round tables. I run these twice a year. They’re very small exclusive events.

They’re an opportunity for you to get insights, ask questions, and share feedback with your peers in the community. Normally, no more than 6 to 8 companies with 1 or 2 representatives at most from each organization. Typically, the types of people who come along to the round table are HR directors, talent managers, diversity and inclusion, and heads of departments.

In 2021, my round table was on the impact of the hybrid world on the gender pay gap. You can still access and get a copy of the white paper that I wrote off the back of that. In spring 2022, we looked at how to attract and retain female talent, specifically in cybersecurity. If you’d like to join the next round table, when we’re going to be looking at how to engage our female talent in the sports technology world, please do get in touch.

I’m very grateful to the representatives who came along to the spring round table. We had representatives from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security – thank you very much. Everyone who came along, got engaged and contributed so that we had a fruitful discussion. Before the round table takes place, I send out an attendance list, who you’re going to meet, and tell you the talking points or what the questions are going to be. I will facilitate the discussion around those talking points.

CGP 18 | Cybersecurity Female Talent
Cybersecurity Female Talent: We don’t have a challenge in attracting more women into cybersecurity. We have a challenge in getting more talent into cybersecurity.

 

For the last one, we looked at why does the sector need more women in cybersecurity? We looked at how we attract more women into cybersecurity, particularly in the hybrid work model that most of us are working with now. We looked at ways that organizations can tackle that unconscious bias in hiring. We also spent some time talking about the role of internal mobility. Can you move stuff from one department to another? That you attract and retain more of your female talent in the more technical or the engineering sides of the company. We spent some time looking at how to close the gender pay gap in cybersecurity.

Talent Shortage In Cybersecurity

Before we think about how we attract more women to cybersecurity, let’s spend a few moments thinking about what we already know about the sector itself. There was a government report published in 2020 talking and looking at cybersecurity skills in the UK labour market. What we do know is that cybersecurity is one of the fastest-growing sectors and there are certainly no signs of slowing down. There has been massive investment in the industry.

The report by DCMS suggests that the UK cyber industry is worth an estimated £8.3 billion. However, the challenge is that the number of trained and experienced cybersecurity professionals is simply not keeping up with demand. In fact, we don’t have a challenge of how to attract more women into cyber security. We have a challenge of how do we get more talent into cybersecurity.

There was a government report back in 2018. When I talk about UK businesses, I’m not talking about technology companies or companies that specialize in cybersecurity, but the UK businesses in the general UK market. More than 50% of them have a basic technical cybersecurity skills gap. We have a big challenge here. Three out of ten cyber firms or 29%, say that the job applicants they do get lack non-technical skills such as communication, relationship building, and leadership management skills, which is preventing the company from meeting its business goals.

Cybersecurity is one of the fastest-growing sectors, and there are certainly no signs of slowing down. However, the challenge is that the number of trained and experienced cybersecurity professionals is simply not keeping up with demand.

When we look at the cybersecurity sector as a whole, we lack strong female role models. There are some amazing role models in the industry. If you know a role model, then please do let me know because I’d love to interview her for the show. One of the critical barriers to female progression in the workplace and particularly in cybersecurity is the lack of professional flexibility.

When we look at diversity, there are some statistics available, and what we see is that if we’re looking specifically at the cybersecurity sector, 15% of the workforce are female compared to 28% of the wider digital sector. Although, when we talked about this at the round table, quite a few of the companies represented there, where are they getting these people from because we’re not at 15%.

For information here, 16% are from ethnic minority backgrounds versus 17% from digital sectors. From that point of view, the difference isn’t so significant. What we also know is that 9% of the workforce in the cybersecurity sector is neurodivergent. Unfortunately, we don’t have any reliable comparisons for that across the wider digital sector.

In the discussions that we had at the round table, the biggest thing that came out of it for me is that if you’re struggling to recruit talent and particularly recruit female talent, you are not alone. Every single one of the participants at the round table said that they were struggling to get enough good female talent on the shortlist. In fact, they’re not struggling to get good female talent. They’re struggling to get good talent onto their shortlist.

CGP 18 | Cybersecurity Female Talent
Cybersecurity Female Talent: It would be amazing if we could develop a better image for cybersecurity, but it’s tricky because, at the same time, there’s not enough openness about what we do and about what the organizations do when they get our support.

 

The challenges are we have a skill shortage, there’s no doubt about that, but there are also some other issues. One of the big challenges that we seem to have in the cybersecurity world is that cyber is not the cool place to be. It’s not a cool place to be for women, which to my mind is crazy because for me, working in cybersecurity is about stopping the bad guys.

As one of the round table participants described, it’s a noble pursuit and has a noble purpose for companies. In my mind, that should appeal to women because women often feel more drawn to an organization or a company that seems to have a sense of purpose in the world rather than making money for money’s sake.

I wonder whether we need to have a PR campaign for a sector that could be seen as cool, fighting the bad guys, and making the place a better world, but it’s tricky to have a PR campaign for a sector that’s in the shadows. We don’t want to be going around telling people, “Watch out because your hospital is at threat of attack. Your bank is at threat of attack. There’s been an incident in the financial services sector.” Often when an organization has some cybersecurity incident or threat, it is not the thing they want to be talking about.

It would be amazing if we could develop a better image for cybersecurity, but it’s tricky because, at the same time, there’s not that openness about what we do and about what the organizations do when they get our support and our help. One of the other challenges in any sector of technology is flexibility. Women tend to prefer to want that flexible working. What we do know about flexible working is it tends to be parents with young children and people with disabilities who want it.

One of the critical barriers to female progression in the workplace, and particularly in cybersecurity, is the lack of professional flexibility.

Over the last few years, we’ve all had to move to that remote work, and hybrid working is very much at the forefront of our minds now. COVID has introduced new possibilities to us. One of the tricky things, though, is if you’re working in cyber and in that very technical side of things, we’ve got that challenge of needing to be on call 24/7.

It’s not for all people in the organization, but for certain groups, those who work on the incident or service desk, which can be more challenging if you’ve got young children or if you’re part of that sandwich generation. Maybe you’ve got young children at one end of the spectrum in your life, but you’re also caring for elderly relatives at the other end. More information about how to support your working carers in the last episode.

While remote working and hybrid working models have been absolutely brilliant for many of us who have not needed to commute to be more productive, and all of that good stuff that comes from hybrid working, there are some disadvantages. In the past, our penetration testers would have got some of that tacit knowledge transfer simply by being in the same room as the best testers in Europe and that’s not happening now because we’re all working remotely.

You’re not overhearing those conversations. You’re not able to step over to another person’s desk and say, “Could you help me with this?” It’s different because we have to work harder at making that knowledge transfer happen. We need to understand these obstacles to be able to remove them. Being more flexible in the way that we offer flexible working would be a great start.

CGP 18 | Cybersecurity Female Talent
Cybersecurity Female Talent: Often, women will see cybersecurity as a very technical role. It’s much more than that. We need our recruiters and hiring managers to use language which addresses the entirety of what the role requires.

 

Beyond The Hiring Process

We often talk about how we attract more women into cybersecurity, but it’s not about the hiring process. It’s moved beyond knowing how to have a shortlist with women on that. Lots of companies will work closely with the recruitment agency or their internal talent acquisition people. It’s not about the hiring process. It’s about attracting women in the first place. It comes down to your employer brand.

One of the things that came out of the discussion with the cybersecurity companies who came to the round table is that we’re all competing for the same talent. What we don’t want to do is to end up doing what we’ve seen in other sectors in the past, where they have gone to extreme lengths to attract women. When companies find out that women are on maternity leave, they contact them directly to offer them incredible packages so that they can stay on full paid leave for a whole year and then come back to work for a different employer.

What we need to do is to establish that strong employer brand, but not just the employer, the industry brand. That will help the whole pipeline and the whole sector. All of the representatives at the round table felt that it’s not about focusing on your own requirements because otherwise, you’ll end up competing against the same female talent. What will happen is we end up in this spiral of offering these massive packages, large salaries, flexible working, bonuses, and all those kinds of things.

One of the topics we also did talk about was internal and social mobility. How can we encourage women who work in the cybersecurity industry but perhaps not in those technical roles? How can we attract them to retrain? What can you do? In some organizations that I’ve talked to, they have schemes where people can go on secondment for a short period of time into the more technical sections of the organization to find out more about the role, whether or not it’s something that they could do.

Attracting more women into cybersecurity is not about the hiring process. It comes down to your employer brand.

What about bringing in people without experience and training them up? Is that something that you could consider? I know there are companies out there and if you are a company that’s doing that, I’d love to hear from you and your experiences, and share something with that on the show, so get in touch if you’re bringing in people without any cyber experience at all and you’re training them up.

Could you persuade someone to make a sideways move? After all, this is a career for life. After a couple of years of training, you’ve got that career locked in. Let’s face it, it’s not a career without its financial advantages and it pays well. Perhaps, you’ve looked at things such as CAPSLOCK, a scheme where it does take people without experience and does train them up and then gets them into positions in companies as well. There is a lot of willingness to try and explore internal mobility, but perhaps still in its infancy.

Coming back to recruitment, we’ve seen other sectors in the past going to those crazy and ridiculous lengths to poach bait women. We’ve seen that in some of the financial services in the past. Maybe we might start to see that in cybersecurity. I hope not. One of the important things, when we look at recruitment, is about educating your hiring managers. It’s important to think about cybersecurity on its whole. What are the technical and non-technical skills required?

Often, women will see cybersecurity as a very technical role, problem-solving, and multitasking. It’s much more than that. We need our recruiters and hiring managers to use language, which addresses the entirety of what the role requires. Talking about not the technical skills but also talking about the non-technical skills. What sometimes people describe as soft skills, but I don’t like that terminology because it devalues the skills. Thinking about those skills, such as leadership skills, collaboration skills, and building relationships, often these are things that women tend to be better at. They tend to perform better in those kinds of skills.

CGP 18 | Cybersecurity Female Talent
Cybersecurity Female Talent: There is no magic solution. We do have a skills shortage in the cybersecurity sector, but there are lots that you can do to nurture and retain your female talent in the workplace.

 

I mentioned that 29% of cyber firms say that job applicants lack those non-technical skills such as communication, leadership, and management skills, and that is what’s stopping them from meeting their business goals. However, we do have 50% of the population that tend to be the skills that women are better at. I’m always talking about general tendencies. I’m not talking about all men or women.

It’s about how those hiring and line managers describe the roles and the qualities and behaviors that they’re looking for. In some organizations, we’ve seen tick box requirements where it’s essential that you’ve got experience in a particular way or thing. Try and think outside the tick box. Could that specific experience be gained in other ways?

One of the round table participants talked about how it was a requirement to spend some time on an oil rig in the oil industry. Often for women, particularly if they’ve got young children, it is very tricky and difficult to manage, so they lack that particular experience. It meant that it was very difficult for them to move into certain roles because they didn’t have that experience. The company started to look at other ways to gain that experience.

Look at those shorthand descriptors that you use and break them down. As the talent manager or HR professional challenges the hiring managers, “What does that mean? Why do you need that? What’s the purpose of that skill?” Make sure that you include women in the interview process. I appreciate that some of this is stuff that you’re perhaps already doing.

Attracting women still needs to be a meritocracy. Women need to have the skills and experience. It’s not about tokenism. In fact, women don’t want to be seen as token women in the office.

A lot of what we’re talking about here is equally applicable, whether you’re trying to attract women into cybersecurity or into technology. If you go back to my previous episode where we looked at all the different initiatives and the ones where the research tells us that they’re most effective on how to attract and retaining women into technology. Go and look at that episode because that’s equally applicable to the cyber sector.

It is important to include women in that interview process. The important thing is I’m not saying, “Go and recruit wherever women you can find.” It still needs to be a meritocracy. Women need to have the skills and experience. It’s not about tokenism. In fact, women don’t want to be seen as token women in the office. They don’t want to be making up the numbers to fulfill the quota.

Quotas have a place. Often people don’t like quotas because they feel it takes away the ability to select the right person for the right role. Also, quotas on your shortlist perhaps can be the only way that you get more women into the interview room in the first place, but women themselves don’t want to be seen as token women because it devalues their skills and experiences. They don’t want to be thought of as only getting the job, promotion, or sideways move because they’re a woman.

Do you have role models in your workplace? If you do have role models, how can you showcase them in the workplace? There’s very much that thing. You can’t be what you can’t see. We need more female talent in the cyber security industry. Once we start to get more female talent into the sector, then it will start to snowball a bit more. Your female role models, could they mentor other women? Perhaps, women who are considering or seem to be demonstrating the relevant skills to take a sideways move and move over into your engineering or into your technical team.

Although one of the challenges discussed by a couple of the participants at the round table was that when you do showcase your female talent and you’re doing that to build your employer brand, then what happens is you’re putting a target on their back and they get inundated with headhunters and recruiters. That’s partly because there are so few female experts in the sector at the moment. If you can at least role model them internally, it would be great to get to the stage where we showcase female talent and it’s not putting a target on the back because there’s such a plethora of female talent to pick from.

Technical And Non-technical Skills In Cybersecurity

One last point when we were looking at recruitment, because of the skill shortage, often when people move to another employer, they’re getting offered packages that you might not feel you could offer them for them to stay. They’re getting high salary offers and high bonuses. They then hand in their notice and then people rush around, “We want you to stay,” and then you start to offer more money. One of the things that we went back to is good performance management principles. Are you looking after the staff that you don’t want to leave and not the ones who talk loudly about how many times they’ve been approached on LinkedIn?

I’m very grateful to the participants from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security for participating in the round table on how to attract and retain female talent in the cybersecurity sector. We didn’t come up with any light bulb moments in terms of magic solutions. There is no magic solution. We do have a skills shortage in the cybersecurity sector, but there are lots that you can do to nurture and retain your female talent in the workplace.

There’s work that you can do on those good performance management principles and taking some of the initiatives that we use in technology as a wider sector to encourage more women into the cybersecurity workplace. If you’d like to get involved in my next round table, which would be in October 2022, please do reach out. I do keep a waitlist if you want to get involved or if you want to find out what the topic is going to be.

Thank you so much for reading, more episodes of the show at SherryBevan.co.uk. If this discussion has sparked an idea for you and your organization, please get in touch and book an exploratory chat with me that will give you the opportunity to ask any questions you have about the work that I do with cybersecurity companies on how to attract, develop, and retain your female talent so that you can close the gender pay gap. Get in touch by email at Sherry@SherryBevan.co.uk to book your call.

 

Important Links

CGP 17 | National Carers Week

National Carers Week: Show Support For Your Working Carers

Statistically, three in five women say that their caring role has blocked their career progress. For men, one in five say caring had stopped them from applying for promotion or a new job. As we can see, the act of balancing work and caring responsibilities is a challenge that poses a risk to the growth of both employees and the business. This June, we will celebrate National Carers Week. It brings a good opportunity for you to show support for your working carers. Join Sherry Bevan in this episode as she highlights the difficulties working carers face, what it says about being a woman, how it affects the gender pay gap, and what this celebration can do to your people. It is time to take better care of our working carers. Let them know you value them. 

Listen to the podcast here

National Carers Week: Show Support For Your Working Carers

Welcome to the show. I work as a Leadership Consultant partnering with cybersecurity and technology companies to help them develop and retain their female talent so that they close the gender pay gap. Thank you so much for joining me. I’d love for you to check out this episode and then come back to the next episode. To make it easier, you simply need to subscribe to the show. Let’s get into this episode.

The Challenges Faced By Working Carers

I would like to share some thoughts on how you can use National Carers Week to support your working carers. National Carers Week is in June. It’s a really important week to demonstrate that you support and value your working carers. Before I talk about how you can make use of National Carers Week, let me first try and set the scene for you to give you some context so that you can understand how many of your staff does this potentially affects. You might’ve seen in an issue of HR Director that 3 in 5 women say that their caring role has blocked their career progress. That is based on some research conducted with Ipsos and Business in the Community.

6 out of 10 women, so 58%, stopped applying for a promotion or for a new job because of the pressure of their caring responsibilities. It doesn’t just affect women. It does affect men as well. For example, 1 in 5 men, or 20%, said caring had stopped them from applying for promotion or a new job. It does affect them, but it affects women much more. A much higher percentage have stopped themselves from applying for a promotion or a new job.

1 in 5 have handed in their notice and quit their job because the act of trying to balance work and caring responsibilities was too much. In fact, I’ve got personal experience of this because when my father died, overnight, I became a full-time carer for my stepmother, who was bedridden and had dementia. It was impossible to balance work and caring responsibilities.

35% of all adults and 44% of working adults do have some sort of caring responsibilities, but it’s not spread equally. What we see is that women make up 85% of sole carers for children and 65% of sole carers for older adults. What we also see is that there are more people from ethnic minority backgrounds, so 42% have caring responsibilities than those from White backgrounds.

We have rapidly become a society of sandwich carers because we’re having children later and we’re living longer.

You might not realize how this affects your company, but in fact, 6.5 million people in the UK are working carers, and when I talk about working carers, I’m talking about carers specifically who are looking after elderly parents or relatives. I’m not talking about people who’ve taken on childcare responsibilities. In this particular episode, I’m going to focus on those working carers who are looking after an elderly parent or elderly relative.

Sixty-two percent of those carers do that caring for elderly relatives on top of their full-time paid work, and the thing is, very often, they don’t tell anyone at work, but it’s hard to balance work and caring. It means that they’re at risk of exhaustion, stress, and overwhelm. This potentially can have a huge impact on your gender pay gap because it’s mostly women who take on the caring responsibility, particularly over the age of 40. In other words, that’s your senior female talent pool, the ones you hope will be your next generation of leaders or the women who should be at the peak of their careers.

We have rapidly become a society of sandwich carers because we’re having children later and we’re living longer. That peak age for being a sandwich carer is between 40 and 49. There’s no surprise that women are much more likely to be sandwich carers caring for both a young child and an elderly parent. I’ve told you quite a bit about how the percentages and the data show more women doing this than men, but this isn’t just about supporting women to balance their work and caring responsibilities. We need to make it okay for men to have that flexible working for caring responsibilities, whether that’s caring for a child or for an elderly relative.

Gender Pay Gap

Let’s look a bit more closely at how this does affect your gender pay gap, and the main reason it affects your gender pay gap is that so many carers find it difficult to balance and combine paid work with caring. What happens is that they start to reduce their working hours so that they feel able to cope. They turn down job offers or they turn down promotions, or they decide against applying for new roles going up in their career. It’s often because they’re starting to experience some emotional and physical exhaustion.

They’re often very highly stressed and overwhelmed, so they tend to start to experience difficulties with concentration at work. What happens is they start to use up their annual leave or they take sick time in order to provide that care. The result of that means they’re not getting any personal free time, which means they’re even more at risk or in danger of burnout. What we see as well for some people is they start to work at the weekends or they work late in the evenings to make up the hours that they might’ve had to spend caring during the day.

CGP 17 | National Carers Week
National Carers Week: We need to make it okay for men to have that flexible working for caring responsibilities, whether that’s caring for a child or for an elderly relative.

The Ipsos and the BITC, the Business in the Community, research came up with some recommendations for employers. Their first recommendation was that you need to consider that caring is the norm and that it’s not the exception. Being a carer affects so many of us, so you need to take that into consideration when you’re looking at your employee experience developing your policies. It’s important to champion equitable access to care for all genders, men and women, in your policies. Don’t think about this being a woman’s thing. Foster a culture that supports men to care.

Often, men struggle more with those caring responsibilities when they are the primary carer because they don’t feel it is okay to ask. They don’t feel it’s appropriate. They feel that peer pressure. Look at promoting and fostering a coach that supports men’s care, particularly being very clear that you promote and support flexible working for men.

Why It Is Important To Support Carers

Let’s look at why it’s important to support your carers. Let’s look at this from a business perspective. It’s going to enhance your reputation as an employer. If you’re an employer who is seen to promote and support a flexible working culture or a culture that supports carers, it’s going to build a strong employer brand.

That, in turn, will help you to attract good talent and keep that good talent so that they don’t quit because they’re struggling to balance work, life, and caring responsibilities. It’s going to reduce stress and sickness levels, and therefore the cost of covering sickness absence or other absence, and it’s going to increase overall employee productivity and employee engagement.

From a legal perspective, it’s important to support your carers because you have obligations under the flexible working regulations and under the equality legislation relating to disability, which could apply to carers. You can’t treat carers less favorably than others who do not have caring responsibilities. It’s important to remember that carers do have the right to take unpaid time off work for dependents in an emergency.

So many carers find it difficult to balance and combine paid work with caring.

From a moral perspective, it’s the right thing to do, and we know that working carers who feel supported are less likely to give up their job altogether or ask for part-time or flexible hours. They’re less likely to find it difficult to concentrate at work. They’re less likely to turn down a promotion or to decide against applying for a new role. They’re less likely to take sick leave to provide that care and less likely to take unpaid leave to provide that care.

We know that employers and line managers want to be supportive. They want to support, care for, and value their teammates or their colleagues who are working carers. They have that empathy for the needs of their employees, but often, they feel they don’t have the time to help or support their employees. Very often, they don’t know what they can do. They’re unclear about what a possibility is and what not a possibility is. Sometimes, they lack the capacity to do so. It’s not that they don’t want to do it, but they don’t know what to do.

What Working Carers Value

There was some research published in June 2020 by CIPD with the University of Sheffield. They looked at what working carers value. What do they want from their employer? This is a list of those things that came up in that research. Working carers want to be able to use a telephone or to have private time during the day to make or receive calls.

You can’t predict when you’re going to get a phone call from the care home to say your mother has had a fall. The carers value where employers offer counseling or well-being support, so if that’s something that you’re looking at or exploring, or if you already have it, how are you promoting that to your working carers?

They find it helpful when employers have a formal policy on offering unpaid or paid leave for carers. It makes it so much easier when there is a formal policy that everybody’s aware of, that their line managers know how to make use of that and that their carers are encouraged to make use of it. They want to know where they can go for support. It could be signposting to external sources of support. They want to have guidance on what organizational support is available. You might have policies or an employee assistance program, but how easy is it for people to find out about it?

CGP 17 | National Carers Week
National Carers Week: Foster a culture that supports men to care.

Working carers also value having a network or a forum within the company that is specifically for other working carers. That can be helpful. They value it when you take action and demonstrate your support on an awareness base. We’ve got National Carers Week from the 6th to the 12th of June 2022, so this is a perfect opportunity for you to show your support and how much you value these working carers.

What working carers also want is autonomy and flexibility in their working hours. It’s that flexible working that really is flexible. It’s not having to say in advance that they’re going to start at 10:00 AM and finish at 5:00 PM, but perhaps maybe starting at 8:00 AM one day and starting at 9:00 AM the next day, or maybe not starting until 11:00 AM, so that they’ve got time to go and deal with those unexpected minor emergencies that need to be dealt with.

Perhaps, it can also be looking at other flexible working options. It’s the ability to work from home on some days without giving lots of reasons and filling in lots of forms. Consider using job share or compressed hours. There are lots of ways that flexible working can be a real benefit, and our working carers value it.

The CIPD has lots of recommendations for you, so I’m going to walk you through what they suggest and recommend. The first thing is that you should develop and communicate a carer policy or a framework or guidance. Have a clear definition of what it means to be a carer. Develop that policy, framework, or guidance, so it’s clear to everybody, whether that’s the individual employees, line managers, or senior management. Outline the different roles and responsibilities. What’s available? Where can people go to get support? Then, make sure that you’ve communicated that approach so that you start to embed that culture of support.

If you haven’t already, take time to consider how you introduce and when you introduce flexible working specifically to support working carers. When you’re hiring, start off by making it very clear from the start that you are flexible and that you do offer flexible working practices. Be really transparent about what that means. Empower your line managers to support those flexible workers and support working carers who perhaps need more flexibility than others.

Working carers who feel supported are less likely to give up their job altogether or ask for part-time or flexible hours.

There is also providing carer’s leave, whether that’s paid or unpaid. The key thing with the carer’s leave is that you don’t always know when you’re going to need it. You don’t know when your father or mother might take a fall, or when your father gets sick and you suddenly need to be providing extra cafe. You can provide the carer’s leave as unpaid or paid, but it needs to be so that it can be requested at short notice. It’s being adaptable about it, being requested at short notice, and being empathic and sympathetic about that.

It’s great to have policies and to have support available, but what’s important is to empower your line managers so that they can support the carers in their teams. You can do that by promoting open culture. Make sure that your line managers have awareness and knowledge about your organization’s approach to supporting carers.

Provide training for them so that they know what they can do and what support is available. It’s important to engage those senior leaders so that they can support carers and start creating those inclusive cultures. We all know those inclusive cultures. When you start to build that inclusive culture, it’s making work for everyone and not just for working carers or for parents of young children.

The final recommendation from the CIPD is about providing information and peer-to-peer support. Provide information on what workplace support is available to carers. Look at developing some in-house support group or forum for your carers, and do make sure that you signpost to other sources of information. I’ve already mentioned that National Carers Week is coming up, and I have put together two awareness packs for you that you can use to support your working carers.

National Carers Week

Your ideal opportunity to launch a campaign or raise awareness and demonstrate that you care is during National Carers Week, from the 6th to the 12th of June 2022. If you’ve not heard about this before, it’s an annual campaign to raise awareness of caring and to highlight the challenges that unpaid carers face. The theme this 2022 is to make caring visible, valued, and supported. To help you do that, I’ve created two awareness packs that you can use in a variety of ways to enhance your reputation as a carer-friendly workplace, increase staff engagement, and know that you can signpost staff to additional resources so that they are more productive and less likely to burn out or quit.

CGP 17 | National Carers Week
National Carers Week: When staff feels more supported in the workplace, you’re going to increase staff engagement and retention in the long run.

There are two awareness packs. One is for working carers themselves and the other one has been designed to support your line managers. The first pack is aimed at working carers. It’s to give them information and tips on how to balance work and caring for elderly relatives. It’s been designed to give them the opportunity to explore how to do that and how to look after their own well-being because often, we all know we should look after our own well-being as well. It’s important but it often gets dropped first.

The pack will also help you to signpost your working carers to their legal rights and to other support and resources that may be available. If they’re able to balance their work and their caring responsibilities better, it means they’ll be less likely to take time off-cycle to go into overwhelm, stress, and burnout. That means they’ll be more productive at work as well.

If they know what other support is available, because often, working carers aren’t aware of what else is available to support them with caring for elderly relatives, it means they’ll be less likely to need to take time off work. It means that productivity will be increased and their exhaustion and burnout will hopefully go down as well. When staff feels more supported in the workplace, it means that you’re going to increase staff engagement and retention as well in the long run.

The line manager awareness pack has been designed to raise awareness among your leaders and line managers so that they feel better equipped to support their teams and to find out more about the challenges that carers face, so they have more empathy and that they can support them more effectively and with more understanding.

It’s been designed so that they get real clarity on what support and benefits are available for caring workers, whether that’s support, benefits, and policies within your company or outside. If they’re better able to support their working carers, it means your carers are less likely to quit or turn down promotions because they’ll feel valued and supported. It’s about making sure that your line managers understand the relevant policies that you have in place.

The two awareness packs that I have available include a PowerPoint file and a resources sheet. The PowerPoint file and the resources sheet are editable. The great thing about that is that it means you can apply your in-house branding. Plus, you can tailor those resources so that you can include information on your company’s relevant policies. You can either use the pack to develop a PDF or virtual or in-person awareness sessions so that staff can benefit wherever they’re based.

You can either publish that on your internet or run some in-person sessions during National Carers Week in June. If you’re interested in this, each one of these packs is £300 or if you want to buy both, it’s £450. This is your golden opportunity to enhance your reputation as a carer-friendly inclusive workplace where you’re working carers feel valued and supported so that they don’t burn out or quit. If you’re interested, then do get in touch quickly because you want to get those wellness packs well in time for National Carers Week, which runs from the 6th to the 12th of June. Email me if you’re interested in those.

Hopefully, that’s been helpful to look at some of the ways you can support your working carers and why it’s important to do that, and what the benefits are for your employees and you as an employer. Thank you so much for joining me. If you want to check out more episodes of the show, you can go and visit SherryBevan.co.uk.

If this has sparked an idea for you and your organization, I’d love for you to book an exploratory chat with me. This will give you the opportunity to ask any questions you have about the work that I do with cybersecurity and technology companies on attracting, developing, and retaining your female talent so that you close the gender pay gap. Get in touch with me by email at Sherry@SherryBevan.co.uk to book your call.

Thanks so much for tuning in. I’ll be back soon.

Important Links