Diversity in the workforce is an issue that many industries are striving to improve. But what about cybersecurity? Jess Figueras sheds light on the matter with host Sherry Bevan. Jess is an independent tech industry strategy adviser and the Vice-Chair of the UK Cyber Security Council. She has experienced first-hand the lack of and the need for more women in the profession. In this episode, Jess discusses the cyber skills shortage and factors that contribute to a skewed diversity in the field. Technology is producing information faster than the professionals going in. So, what is putting people off from cybersecurity? And, is this a chance for more women to get into cybersecurity? Get the answer by tuning in.
—
Listen to the podcast here:
Diversity in Cybersecurity: Jess Figueras On What’s Causing The Cyber Skills Shortage
In this episode, I’m delighted to be talking to Jessica Figueras, a tech industry strategy advisor and Vice-Chair at the UK Cyber Security Council. What we are going to be looking at and exploring is how we attract and keep female talent in the cybersecurity space. If this is a topic of interest, I do still have a couple of spaces available on The Executive Round Table on this topic on the 24th of March 2022.
We will be looking at why the sector needs more women in cybersecurity. We will look at ways that organizations can tackle unconscious bias in hiring. We will have a look at the role that internal mobility plays and how to close that gender pay gap in cybersecurity. Back to our guest, a very warm welcome, Jessica. Thank you so much for joining me.
Thank you for having me.
Perhaps to set the scene, it would be helpful if you could tell us a bit more about your career and how you’ve got interested in digital trust and cybersecurity issues.
It is important to remember that you can start from anywhere. When I graduated with my English degree, I had no idea what I wanted to do. I ended up in Public Relations accidentally. It was technology public relations doing a lot of work for companies like Microsoft. As it turned out, PR was not for me. However, I found the technology industry fascinating and quickly gravitated to the most complex bits of emerging technology where pretty interesting industry dynamics were emerging. From there, I became an industry analyst.
I worked at a company for a long time, focusing on areas of emerging technology, where interesting dynamics are coming out. Companies are competing in different ways and using cases affecting society and changing consumer behaviors. That’s how I got in it in the first place. Digital trust started to interest me somewhere around 2014, 2015 when I started working in a role specializing in government and public sector use of technology, how government strategy, different emerging technologies, and methodologies were going to be playing out in that sector.
Lack of diversity is a problem. If you only have the same kinds of people trying to solve the problem, you don’t have a full toolbox.
The role of digital identity became important. At that point, the government has been trying to implement a new framework for digital identity in government for quite a long time. It was called the Verified Program. It’s a way for citizens to sign into digital services online and have their identity verified.
It was a very complex undertaking. The government ran into a lot of trouble with that program. It didn’t deliver. It has been phased out and replaced. You are looking at how that digital identity is not a technocratic question. It’s not a question of how you can make the tech work. It also raises interesting questions, which are more civil society questions about the role of citizenship if everybody has access to the credentials you need to prove your entitlements to use different government services.
That leads to questions around equality, all sorts of different kinds of dimensions. We saw it with the Windrush scandal when many British citizens were deprived of their citizenship simply because they had arrived in the country as children and didn’t have credentials. We can see the horrifying consequences when the government doesn’t get this right. That’s where my interest started.
How did you get involved in the UK Cyber Security Council? That sounds like a fascinating role to me.
The UK Cyber Security Council came out of the government’s National Cybersecurity Strategy in 2016. One of the weaknesses that the government identified in the UK’s overall security posture was the profession itself and lots of different dimensions there. Firstly, endemic skill shortage continues to be the problem. The demand for skilled people consistently outstrips supply.
There are a lot of issues around skills, career paths, professional development because of our young professionals. It’s changing and evolving very quickly. It’s very difficult for organizations to know what qualifications they should be asking for in their people and how they map onto each other. It’s about one million and one different qualification you can take. It’s not always obvious how they map.
There’s a lack of diversity as well, which is a problem. If you only have the same people trying to solve the problem, you don’t have a full toolbox. It also plays into the skill shortage. That’s why the UK Cyber Security Council was set up. Initially, it was sponsored by the government and set up by the industry. I was taken on as 1 of 4 founding trustees. Our job was to bring the work done to fruition to launch the council as an independent charity. The fact that I had a long background in technology but also that I had a lot of experience in charity governance as well, that was why I ended up joining. That has been very exciting.
What’s the role of the UK Cyber Security Council? What can organizations get from it? How can it help them?
We are here to strengthen the profession. We do that in lots of ways. We map all of the different qualifications out there. We have a career pathways map. We map that onto the jobs available in the market. We give a lot of information and advice to people interested in careers in the sector. We will be doing professional registration at some points. The government is starting to look at whether any form of regulation needs to be put in place. We support that process. We are supporting the drive for diversity as well.
Cybersecurity is quite a young profession. It has not been around forever kind of thing. How do you think it’s doing in terms of promoting diversity?
The data that has been collected so far on this suggest that technology, in general, has a diversity problem and cybersecurity has even more of a problem within the tech sector. The stat side source suggested that the tech sector is about 20% female. Cybersecurity is about 15%. That’s the big gap. There is also a lack of diversity in terms of ethnicity, particularly with the lack of Black people working in the industry as well. It’s not diverse.
However, one interesting fact about the cybersecurity profession, which probably will be recognized by people working in it because often doesn’t get recognized externally is in terms of narrow diversity. The interesting thing is more neurodiverse people are working in cyber than in the general population. It’s more inclusive. Like most professions, they have a bias toward certain types of demographics. It’s quite common. Looking at the whole picture of who we’ve got lots of and less of, it’s the female candidates, which is the glaring omission.
There are more neuro-diverse people working in cybersecurity than in the general population.
What’s the benefit to cybersecurity companies to have more female candidates in their ranks? How does it benefit them?
I find it hard to answer this question, honestly, without resorting to stereotypes. In the cyber profession generally, one of its weaknesses is the ability to communicate more broadly. That’s where the weaknesses are. We know that the weaknesses are two crucial ones. It’s around lack of user awareness, which is why our users are still clicking on dodgy links and doing all sorts of things that they shouldn’t be doing.
Secondly, the business as a whole, is it from the board level down? Does it understand what the risks are? In both of those cases, you have skilled professionals working in the organization on the ground and it’s their responsibility to communicate with those groups and get themselves into positions of influence in the organization where they can change thinking.
That is much more likely if those professionals are great communicators. We have talked about how the profession is skewed towards certain demographics. It’s skewed away from the people who would naturally see their job primarily being about communication and engagement. People with those skills tend to find them in commercial jobs, sales, marketing, and policy. We know that there’s a huge agenda bias there.
Effectively what you see is that cybersecurity could do with better communication skills and engagement skills, understanding the business, the risks for the business as a whole and not for individuals, and being able to communicate that to our users. Perhaps having more women in there, I don’t mind going back to the stereotypes but women tend to have perhaps more polished or better communication skills. I also wonder whether that’s also one of those skills that are perhaps less valued in the business.
A big weakness of the profession is the image of the cyber security professional, the cyber security hack or whoever it is. It’s these hackers in hoodies thing. It’s glamorized in an unhelpful way. It’s both off-putting to people that don’t see themselves in that way, which applies to many men as it does to women. It causes us to mix up two things because there are people who we are up against it. Although, the enemy is very organized and professionalized.
The response has to come from the whole of the business and civil society. We are not criminals. It has to come from mainstream organizations. You have to understand how these people think but if we say that we can only respond to the cybersecurity threats via a tiny elite character, a very unusual people, we’ve got a real problem. The solution has to be a lot bigger than that.
There’s a global demand for cybersecurity professionals and pacing supply. There’s not enough talent. Could this be a real golden opportunity to get more women into cybersecurity?
It is. Some organizations are doing innovative and cool things around upskilling, training, certifications and so forth, where they are very explicitly targeting groups that have been typically underrepresented, particularly women, which is fantastic. The key is there are two things. Number one is we have to do something about the level of gatekeeping in the profession. To my mind, the most pernicious thing is the demand for competing degrees or more cybersecurity degrees. When we ask for that, we immediately cut off 80% of the women. Those degrees we know so gender imbalanced in the UK. That’s arguably where the problem starts.
The other thing also is we need to think about, “What does a career in cybersecurity look like? What does a cyber security job look like?” It’s much more diverse than we usually think. There are some areas where there are probably a lot of women working. If you expand it to the broader risk management, there are lots of women working in that field, working as in-house legal councils, working in data protection and in all sorts of areas, which should be thought of as if not complimentary, in the discipline. The question is who’s at the table? When is an organization making decisions about this stuff? Does it have a broad enough group of people there?
It’s interesting what you are saying about the demand when people are looking to fill talent spots that they are looking for a degree in Computing, Computer Science, Cybersecurity or something. You are a prime example of somebody who’s done English as a degree, and then you are working in that space. There are plenty of valuable skills you get from studying other subjects. It doesn’t have to be English or History. There are analytical skills that are very valuable in cybersecurity.
Anything that teaches you critical thinking and the ability to appraise evidence is going to be valuable. The challenge for employers generally, and this is not specific to cybersecurity but it goes to many technical professions is that we often hear from employers that there is a mismatch between the skills that graduates have and the skills that they want in their entry-level people. They often want their entry-level people to do very practical things.
We have to do something about the level of gatekeeping to the profession.
If they’ve gone to university, they may have spent three years studying a lot of theoretical concepts. Particularly in computing, by the time you have done your three years, not of universities, you are already going to be out of time. A lot of universities are not good at keeping the material up to date. There are general questions about education and preparation for technical jobs.
To my mind, what excites me is those providers who are explicitly looking for people with no relevant background at all who will take people from whatever level they are. They will give them practical training. There is some good work being done in the open university. There’s a company I have come across that has great upskilling programs. That’s where to look.
Some of the other companies I have been talking to are very much looking at internal mobility and who they already have in the organization that they could upscale or retrain and allow for those sideways to move. It reduces the cost of onboarding because those people already know the organization and are familiar with the company’s values. They know they are a good fit. That’s a real rich vein of talent sitting there waiting for you to come and ask them to do something different.
It’s important also to make clear that cybersecurity professionals in an organization do have lots of opportunities to progress. That’s one thing that people will want to know. That’s the whole package. Are we making it an attractive job? The one piece of feedback we hear a lot, which is worrying, is the level of burnout in the profession and how stressful many of those roles are.
It’s a problem for many professions. It’s not bad luck but it’s happening at a time when some of the most crucial professions for keeping us all safe are burnt out. You see it in health and social care, too. At the time of COVID, that’s the profession we need to be looking after. We can’t afford for them to be burnt out and cybersecurity is true as well.
It’s not because we’ve got that gap in supply so there’s more demand. We need more of these people to exist.
Technology is producing more and more intelligence that professionals can act on. It’s overwhelming people. You see the same dynamics inside social media platforms. They have moderation teams who are responsible for looking at the worst of the worst that goes on. You see similar dynamics there like stress and burnout because there’s a sense that whatever you do, it will never be enough.
Organizations, to my mind, have a moral duty to look after these people. What particularly troubles me is when you hear stories about organizations that have developed a bit of nasty blame culture. You can see why it happens. When particularly companies in the public eye suffer a cybersecurity breach, it can be financially and operationally damaging. On top of that, if you end up with a regulator investigation get hit with a fine, that’s bad.
We are in this mentality of shame, cover-up, people are fired, heads roll, and hasn’t fixed the problems often. This is complex. The solution is multilayered and complex. Probably outside the most egregious cases of negligence is how can it be effective or fair to pin the blame on one person. As long as we have that culture around cybersecurity, secrecy shame, and blame, we are not going to end up in a good place. Getting over that and getting to a good place is also about accepting the fact that this is an endemic problem, which everybody has. Everybody has weaknesses and is under threat.
Before we finish, I want to ask you about one more thing. I read an interview with you at Information Age and you talked about occupational feminization. I would love to hear more about that and how that affects cybersecurity.
This is a term to describe this interesting phenomenon, which is where a profession that starts off being dominated by men. The professions that we know are mostly our work. Over time as they attract more women, they become less well-rewarded and prestigious. To give an example, we are here in the UK. Many years ago, the figure of a school teacher was an important local authority. The schoolmaster would have been then. I don’t know what the exact figure is but women play a big role in education. It is not respected in the way it was then. It’s certainly less well remunerated.
With tech, what’s interesting is the reverse has happened. It has been a reverse occupational feminization. We go back to the ’50s and ’60s. The tech as it was then was dominated by women. Women were mainly the first coders. The tech industry back then was payroll processing and huge rooms full of most gigantic IBM mainframes. It would have been dominated by women, creating the punch cards writing their routines.
We’re very comfortable with the idea of a male tech genius but it doesn’t seem to work for women, does it?
At some point in the mid-’80s, that started to change. The tech industry started to become an industry. It started to attract attention, investments, and funding. Pretty quickly, here we are. It’s male-dominated and has been probably since the ’90s. As an industry, it’s probably secondary to banking in terms of levels of paying remuneration. Prestige, here we are with big tech ruling the world.
The amount of power the tech industry has gathered is extraordinary and that has gone hand in hand with a relegation of the role of women. I would humbly suggest it is not coincident. We see this occupational feminization as something that has been studied by academics, looking at big data sets covering different professions. It’s a phenomenon.
I started in technology in the mid-’80s. In the department I worked in, we were easily 50% female, probably more than that. I worked in that company for a long time and probably left there towards the end of the ’90s. I hadn’t realized there was a problem for women in technology because I had been surrounded by other women in technology at the company where I worked. It feels like things have gotten worse ever since. It’s a male-dominated industry. The industry as a whole is missing out on having that diversity.
It is about where prestige attaches. Where are the female equivalents of Elon Musk and Mark Zuckerberg? I find it interesting also that we do have the odd powerful female figure in tech of the likes of Sheryl Sandberg, who has been an incredible advocate for women, and how much criticism she’s taken, so much of it from women. There’s a real tall poppy syndrome going on there. I find it troubling. We are very comfortable with the idea of the male tech genius but it doesn’t seem to work for women.
It doesn’t fit with our unconscious ideas and perceptions of how a woman should behave. Jessica, I have loved talking with you. Thank you so much. If people want to get in touch with you, how do they do that?
You can go to my website, JessicaFigueras.com, and send me a message or look me up on Twitter or LinkedIn, whatever your platform of choice. I love to hear from you. Thanks so much for having me. It’s been great.
Thank you so much for joining me with Jessica Figueras. We have been talking about we improve diversity in cybersecurity. You can find more episodes at SherryBevan.co.uk. If you want to take a deep dive with other HR and talent professionals, how we can attract and retain more women in cybersecurity, please do get in touch because I do have a couple of spaces left on my Round Table on this topic on the 24th of March 2022.
If this conversation has sparked a thought in your mind, let’s talk. An exploratory call with me will allow you to ask any questions you have about the work that I do with cybersecurity companies on how to do more, attract, develop and retain your female talent. You can close the gender pay gap. Get in touch by emailing me. Thank you for reading. Thank you again, Jess.
Important Links:
- UK Cybersecurity Council
- The Executive Round Table
- Information Age – Article
- JessicaFigueras.com
- Twitter – Jessica Figueras
- LinkedIn – Jessica Figueras
- https://www.ISC2.org//-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx
- https://www.Gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2020/cyber-security-skills-in-the-uk-labour-market-2020
About Jessica Figueras
Jess is a tech industry strategy adviser. She works with start-ups and scale-ups on growth strategy and product development, and advises UK government on tech policy relating to security, trust and online harms.
She’s also Vice Chair at the UK Cyber Security Council and former Chair of NCT, the UK’s leading charity for parents.