cybersecurity – Sherry Bevan

Oct 1 2022 0 Comment

Delivering Trusted, Clean, And Accessible Knowledge With Rebecca Taylor Of Secureworks To Celebrate National Cybersecurity Awareness Month

Trusted information is crucial in an industry where one wrong move stands between being protected and attacked. This is the heart of Rebecca Taylor’s position as the Threat Intelligence Knowledge Manager at Secureworks. In this episode, she sits down with Sherry Bevan to tell us more about her role, along with the interesting career journey that took her from studying English and Creative Writing to the cybersecurity space. Rebecca talks about the importance of having trusted and clean knowledge accessible to the right teams. What is more, she also shares some of the challenges she faced as a woman in the industry, offering advice for others as they step into their career in a male-dominated space.

—

Listen to the podcast here

Delivering Trusted, Clean, And Accessible Knowledge With Rebecca Taylor Of Secureworks To Celebrate National Cybersecurity Awareness Month

Let’s get into our episode. In this mini-series to celebrate National Cybersecurity Awareness Month, I’m talking to women about their careers in cybersecurity. I’m delighted to be talking to Rebecca Taylor from Secureworks. Welcome, Rebecca. Thank you so much for joining me.

Thank you so much for inviting me.

I’m delighted to talk to you. Rebecca is the Threat Intelligence Knowledge Manager at Secureworks. Let’s find out a bit more about her career journey. Perhaps to set it into context, could you start by telling us a bit more about Secureworks and what they do?

Secureworks is a cybersecurity leader. We focus on enabling customers and partners to out space and outmaneuver adversaries in a more precise way so they can respond to cyber threats and risks. It is achieved in lots of different ways by using things like cloud-native, security platforms and different intelligence-driven security solutions. That’s backed up with lots of threat intelligence and research. We’ve got a lot of large teams that are equipped with the best people in the world to help protect customers.

How did you get started in an IT or cybersecurity career?

The biggest thing about knowledge is that it has to be trusted.

For me, it was very much by chance. When I was 24, I was working in kitchen goods dealing with kitchen insurance for appliances. I didn’t know what my calling was. I’d studied English and Creative Writing at the University of Portsmouth. I was finding my feet. At that time, I received a phone call from Secureworks Talent Acquisition asking if I would be interested in interviewing for a personal assistant role. I jumped at the chance.

When I’m walking through that door the first time, I knew very much that I’d found an organization and an entity that could give me a great platform for growth and development but also an industry that was always going to keep evolving, one that was never going to go away. Over the last few years, I’ve focused on studying, getting as much exposure to the organization, IT and cyber as possible, making a footprint and working hard. I’m in this fabulous position where I’m their Threat Intelligence Knowledge Manager and counter-threat unit.

What exactly is it that you do on a day-to-day basis?

From a high level, what it means is that I’m responsible for ensuring that we ingest all threat intelligence to the best of our ability and that it’s standardized, maintained and accessible for those who need it. On a day-to-day basis, my role can vary quite a lot. It depends on what we’re seeing, what we’re hearing and what we need to ingest and work on but ultimately, I need to make sure that what we have is accessible, our knowledge is clean and it can be used by whoever needs it.

When you say that our knowledge is clean, what does that mean?

CGP 21 | Cyber Knowledge — Cyber Knowledge: It isn’t necessarily about having these huge qualifications. It’s very much about just being open to listening and learning as things change around you.

It’s been put in the correct format that’s accessible to the right teams, stored in the appropriate ways and can be trusted because the biggest thing about knowledge is that it has to be trusted. If you start letting knowledge seep through that maybe isn’t accurate, it can not only affect us internally. It could be as simple as a threat researcher is misinformed or it could go the whole hog and end up being that a customer ends up misinformed. That’s the one thing we don’t want to happen. To make it clean means to make sure that it’s accurate and trustworthy.

Thinking about your career, what’s been your biggest challenge?

For me, it’s been a mixture of things. Like a lot of people, my biggest one has always been self-doubt. I knew for a long time that I wanted to progress and do more but it took me a very long time to get in the headspace to believe I could and that I could do it. I relied on quite a lot of mentors in my organization to help get me into that correct and good head space. The second real challenge for me has been a lot about gender stereotypes.

I am a mum. I do have that label and I carry that label as a woman but I also want to have a career. I do have my goals and ambitions. I found that I do work in cybersecurity but I didn’t want to necessarily be in the gender stereotypical role in the cyber field. Breaking through that, being able to become more technical and hopefully, in time, become a specialist has been a journey for me but also breaking down gender stereotypes that maybe friends or family have held of what I should be like and what I should do has been a challenge as I’ve pushed through with my career.

There’s that stereotype of people who work in cybersecurity being geeky and very introverted people. It is the stereotype that we often see but to be successful in cybersecurity, you need to have strong interpersonal and communication skills.

The real beauty of cyber security is that it’s not going away and that it’s very present.

It’s a mixture of assumptions of what a person in cyber is or should be. There’s the weight or the vision that we carry of what a woman or a mum should be. It’s taken me time to bring those all together and decide, “I don’t have to fit with any of them. I can be myself. I can have a footprint that is made by me in the way that I want it to be.” It took time for me to own that and be confident with that. Also, to know that I was doing the right thing by me.

When we realize that we can go to work, be ourselves and bring our whole selves to work is when we start to make progress in our careers and have the biggest success. It’s getting to that point and that can be challenging sometimes. You mentioned the mindset and referenced Imposter syndrome. What was the biggest thing that helped you get over that?

For me, I started to explore not only mentoring but training opportunities. I joined this Releasing Female Potential Program that was run by one of our sister companies. By doing that, I changed my perspective of I can do more and that it is okay to want more, regardless of the fact at that point in time, I didn’t necessarily have any technical qualifications. It’s all about what you make it. I knew that I wanted to do more, could do more and needed to get to do more.

I bounced off of that program and found myself a good mentor. I’ve got three because they all offer me very different perspectives, opinions and support. Finding the right mentor for me that could help drive me, help connect me with people that maybe were more like me or that could appreciate what I was trying to accomplish. It all helped me to get to that point.

Thinking about cybersecurity, there are training and qualifications. I imagine that to be successful in cybersecurity, you’ve got to constantly be training and learning new stuff.

The real beauty of cybersecurity is that it’s not going away and it’s very present. Keeping abreast of what’s happening in the media, making sure that you’re reading up and seeing what’s happening in itself is a way for you to learn and develop. You can begin to see new ways like what may be threats are behaving, new risks changes, evolutions and all these kinds of things.

At least at Secureworks, you do get to learn a lot on the job. By having that exposure, seeing the threat landscape change and evolve and having access to the latest threat intelligence and metrics, you can learn as you go along. It isn’t necessarily about having these huge qualifications. It’s very much about being open to listening and learning as things change around you. Technical qualifications can support. I did English and creative writing so I had in no way any kind of technical background.

You can pick up stuff as you learn and it doesn’t have to cost you a fortune. There are so many free courses available. You’ll probably find as well if you have a mentor that you can do lots of training through them. If you pick the right ones, at least they can teach you what they know and share that knowledge. Whilst there is sometimes the need for training qualifications, it isn’t the be-all and end-all.

Thank you for explaining a bit more about that. It’s quite interesting that 2 or 3 people that I’ve spoken to have studied English or History and then have gone on to have a career in cybersecurity. I find that quite fascinating. I’m wondering. What’s been your proudest achievement in your career?

I have a few. I spoke about that Releasing Female Potential Program. That was a big achievement at a time when I needed it to flick that switch and get that drive to progress in my career. I’m also very proud of the fact that I have pushed myself. I have got 2 amazing points in my career but I also have 2 children and like a lot of us, I have gone through the pandemic too.

The cybersecurity industry worldwide is facing a talent shortage.

Having that career, having that identity that fulfills me, owning my ambition and having that drive is something I’m super proud of. If I suppose, take it back to my career, being the first Instant Response Knowledge Manager and the first Threat Intelligence Knowledge Manager is a real pat on the back for my organization that they do believe and trust in me.

What is it that you enjoy about the work that you do?

I’m in a lovely position where I confidently know that I am making a difference and that I am contributing to the cybersecurity community. That’s something that does mean a lot to me and is something I enjoy. I’m able to do conferences, write blogs and mentor. I feel like I’m leaving a solid footprint and a good legacy, which is important to me. I’m lucky as well that Secureworks is a remote-first employer. That means that 90% of us are remote workers. That is something I enjoy about what I do because I don’t have the pressure of having to commute or make sacrifices in terms of being there for my family. I can have the best of both and be as involved in my career and with my colleagues as I can be with my family.

What do you see are some of the potential barriers for women in cybersecurity or perhaps aren’t in cybersecurity yet but would like to move into that area?

The biggest barrier was the lack of women in high-ranking cyber positions. Sitting there knowing that I wanted more but not seeing necessarily that inspirational figure, I didn’t know whom I could look up to who maybe had a similar path or a family like me. Also, similar ceilings like we have. That is improving. There is more representation but I do think for younger people or those who may be looking to progress into STEM, it’s hard if there is that continued lack of representation.

I still think there’s a lot that needs to be done from a diversity and inclusion perspective. As a woman, I do have different needs from my counterparts. I do face different adversities and have different stereotypes and external demands, potentially to some of my other colleagues. There’s this whole space that needs to be explored to make cyber more inclusive but until a lot of these larger cybersecurity organizations start pushing and changing their D&I initiatives, there’ll continue to be that gap and barrier for people wanting to have a cybersecurity career.

Having role models in more senior positions, you often hear people saying you can’t be what you can’t see. We’re starting to see change but sometimes it’s slower than I want it to be. It’s good to see that things are starting to change. You’ve talked about potential barriers. What about opportunities for women in the sector?

There are a lot of opportunities. The cybersecurity industry worldwide is facing a talent shortage. It is something we talk about quite often. We need millions more people so the opportunities are very real. There are lots of roles out there. We only need to apply for them and believe in ourselves to make that application. In the same way within our organizations, there are ways we can be advocating and promote opportunities for women, things such as via our employee resource groups, newsletters, reward and recognition. There are lots of different ways to help women rise.

Another huge opportunity is all these sub-security courses that are available. There are loads of free ones that I have used like FutureLearn, which I massively recommend. For me, mentorship was a real game changer. Finding the right mentor for you can open up so many more opportunities and give you that platform to excel and find the career you’re looking for.

Something occurred to me while you were talking. There are certainly lots of opportunities. It’s for us to go and reach out to those opportunities. If women are reading this who are thinking about a career in cybersecurity, what would you say are the skills that they need?

It does depend. When people think about cybersecurity, they think it’s sitting behind a computer, knowing technical skills, knowing how to hack or code and all these things but that isn’t it. There are so many different types of roles in cybersecurity. There are marketing teams, finance, design and speaking opportunities. There are so many different facets to cybersecurity so you don’t have to fit a mould that maybe you’ve built into your head. If you want to apply, think about what you enjoy doing and find the cyber role that fits that. You don’t have to change yourself just because you want to work in cybersecurity.

Rebecca, thank you so much. I enjoyed talking to you. If people want to get in touch with you, you’re on LinkedIn, aren’t you?

I am, indeed. I’m happy to take any questions or help where I can.

Thank you so much to my guest, Rebecca Taylor from Secureworks. I’ve enjoyed hearing about Rebecca’s career and her thoughts about being a woman in cybersecurity. If it sparked a thought in your mind, let’s talk. An exploratory call with me gives you the opportunity to ask any questions you have about the work that I do with cybersecurity companies on attracting, developing and retaining your female talent. Get in touch with me by email at Sherry@SherryBevan.co.uk to book your call.

Important Links

About Rebecca Taylor

Rebecca joined Secureworks in 2014, where she developed an immediate passion for cybersecurity. Rebecca quickly expanded her cyber acumen, moving into Secureworks first Threat Intelligence Knowledge Manager role in 2022.

Rebecca is primarily focused on the implementation of knowledge management processes and procedures for the Counter Threat Unit, the ingestion and management of Secureworks Threat Intelligence knowledge, and its associated quality, storage and maintenance.

Oct 1 2022 0 Comment

Taking On More Complex Projects In The Cyber Industry With Chloe Acebes Of Sophos To Celebrate National Cybersecurity Awareness Month

Podetize HostingPodcast

Going to the next level in your career means having to take on more complex projects. And our guest in this episode has done that while coaching and mentoring women in technology. Sherry Bevan interviews Chloe Acebes, the Director of Software Engineering at Sophos, with 20+ years’ experience in the cybersecurity industry. Chloe leads teams of Engineers who develop next-generation endpoint security products.

In this conversation, Chloe shares her career in cybersecurity, taking us along to both the challenging and proudest moments in her career thus far. She also talks about coping with the pandemic, the barriers for women working in the sector, and the future of her career balancing politics and technology.

—

Listen to the podcast here

Taking On More Complex Projects In The Cyber Industry With Chloe Acebes Of Sophos To Celebrate National Cybersecurity Awareness Month

In this episode, I’m talking to Chloe Acebes of Sophos about her career in cybersecurity. A very warm welcome to you, Chloe. Chloe is the Director of Software Engineering at Sophos. She’s going to be talking to us about her career in cybersecurity. Let’s get started. Perhaps you could tell me how you got started in IT or in cybersecurity.

I studied Physics and Astronomy at university. In my final project at uni, we did a little bit of C programming. I learned a little bit of C there and to say that I liked that and thought I might be interested in a career more towards IT. When I was finishing university, I applied for various different jobs in technology and in science. I applied for a job at Sophos, where they had a graduate program where they took people on from different disciplines. We got basic training on the job. We learned about coding, various aspects of technology and security. Basically, I’ve been at Sophos ever since.

That sounds amazing that you’ve been there ever since. It proves that those graduate programs, when you get them right, they do work and you get good staff. How did you get into cybersecurity more specifically?

It came to me by chance. As I said, I was interested in IT and technology. I applied for several different roles. When I came to interview at Sophos, they talked a lot about protecting customers and protecting small businesses. Sophos focused a lot on small and medium businesses, which means that we make the difference between a business doing well and a business being attacked and potentially losing money. That aspect of talking about helping people was what drove me into the industry. That’s what still gives me job satisfaction.

In thinking about your career overall, what has been your biggest challenge?

I think there are two that come to mind. The first one is starting the job. I came from a Physics and Astronomy background. I didn’t know a lot about computers. I didn’t know a lot about programming and hadn’t done computer science. There’s that foundation that you’re missing. That was a bit intimidating coming online and starting off the job, but that strong ramp up to start off with is a big challenge.

It’s a fast-moving world. You’re always trying to keep up with the bad guys, which means there’s always lots of stuff to learn.

The second one I could think of is during the pandemic. I was leading a project at Sophos to deliver a project where we had to coordinate with many different teams and many different business units, different time zones. I have led projects before, but this was the biggest and most complex one that I had ever done. That was the biggest but also more satisfying challenge I’ve had because we delivered what we were asked of on time and coordinated across many different teams, and it was a success.

At that time, you were doing it in lockdown when we were still getting used to the ways of remote working and hybrid working.

In a weird way, it was beneficial at some points because some of the teams we were working with were based in the US. We would have been on Zoom with them anyway. Sometimes when you’re in a call in the office and some people are in the office in the room and some people are on Zoom, it’s actually hard to engage both sites. Having everyone be on Zoom was a level playing field.

I think that’s been one of the advantages that we see now with more hybrid working. People are more understanding of the disadvantages of having a mixed group of people working in the office and from home. Being on Zoom and in the office all at the same time, it adds an extra layer of challenge to the way that communication works.

You have to be careful with things like drawing on the board. The meeting I was in right before this one actually, we had one person on Zoom, the rest were all in the office, and I wanted to draw on the board. We’re lucky enough that where I work, the cameras move around. You can point the camera at the board, not the people on the call, and have the person on Zoom still engaged with what’s going on in the call. You’re right, it’s an interesting challenge having people come back to hybrid, partly in the office and partly online.

I’ve seen that work well. I’ve also seen it work badly. You mentioned there about your biggest challenge and it sounded like a very complex project. I’m wondering, what about your proudest achievements in the work that you’ve done or that you do?

CGP 20 | Sophos — Sophos: We can work very hard to try and make the balances as good as we can, but if a few people are applying, it’s like fighting a lost battle.

There are a couple of things. I do some coaching and mentoring at Sophos. Some of it is around women in technology. I’m part of the Women in Technology Group at Sophos. We have a coaching scheme and a mentoring scheme as part of that. I have a mentor and I mentor other people. I also run a Women in Engineering Group where we try and get people together. We started that in the pandemic. New people would start during the pandemic, they didn’t have that natural meet the peers in the coffee area and find people around. I’m not at all saying that because there’s another female in the office, you should be friends with them because you’re females together, but you maybe have more in common with them.

Meeting people in the office is more natural. We couldn’t do that in the pandemic, so we started this Women in Engineering Group. We went out for dinner one night. We have an online teams thing where you have new starters join and realize there’s a community of other women at Sophos that they can meet up with. I’m quite working with the mentoring scheme. The project I mentioned was a big complex thing, and I’m proud of delivering that project. It set me up for more complex things in my career.

Obviously, you work in cybersecurity, and we know that the gender balance between men and women in technology as a whole is not great, but it’s even more marked in cybersecurity. What do you see as some of the potential barriers for women working in this sector?

I think part of it is fear of the unknown. I’m not seeing role models that are similar to yourself. The thing I struggled with the most is it’s quite difficult to fix having more people to apply because the pipeline isn’t big enough. It doesn’t have a strong enough pipeline of females. You have to go back to university or school, and change the attitude there so that they’re more likely to do science and technology subjects, and be more passionate about those so that when you get later on in life and you start to look for a job, there are more women looking for that. It’s almost a bit of a catch-22. We can work as hard, and we do work very hard to try and make the balance as good as we can and make cyber at Sophos more appealing to women. If there are fewer people applying, it’s like fighting a losing battle.

We know there’s a skill shortage generally in the cybersecurity sector. That does make it even harder.

There are fewer people, in general, doing degrees, never mind women.

The more diverse your workforce, the better the solutions you come to.

What about the opportunities for women in the sector? If you were to go and do a marketing piece and come and join the sector, what would you say to women?

This may sound weird, but I almost wouldn’t want to say that there’s anything specific to women that appeals to women in cyber. It’s just a good career for anyone. There isn’t anything specific to women or men. There are lots of challenges. It’s a fast-moving world. You’re always trying to keep up with the bad guys, which means there’s always lots of stuff to learn. There are always new challenges coming, and I think that should be exciting for anyone.

It sounds like that’s what you enjoy about the work that you do.

That’s part of the reason I’ve been in one company for so long. I think if I had been here and done the same thing for many years, I would be bored. I’ve moved around different teams. The challenges move on all the time. The bad guys are always doing different stuff, so the whole industry has to move along to keep up with that. There are always new things to look at, new techniques that you have to worry about. It keeps you on your toes.

In the role that you do, can you tell us a bit more about what you do on a day-to-day basis?

As a Director of Engineering, that means I basically manage multiple teams in one functional area. My role has transitioned a little bit. It was at first that I was the director of the endpoint detections for our endpoint software, which covers some Windows devices and Linux devices. I’ve shifted a little bit, and I now focus more on protecting Linux devices. I have 3 or 4 teams now that work on various aspects of our products, which protects Linux servers.

We help to work on strategy with product management to identify the roadmap and the areas that we want to deliver. I also work then with the teams to work on how we deliver those things, what technical choices we want to make, how we split the projects up, how we are using resources for the projects, what the timelines for those look like. How do we coordinate across the teams? How do we make sure we deliver it with quality?

A lot of your role at the level you’re at now is managing the teams to do the development and the delivery of those products.

I still have one team who reports directly. Maybe I do like day-to-day management with them and what tickets are we working on and what are we doing? I would like to hire a person to take on that role so that I can be exactly as you described, a slightly higher level. You’re worrying more about what direction the teams are going in and what direction the product itself is going and more strategic.

What do you see in the future for you and your career?

I think I would like to weigh in the scope of my responsibility and the area that I’m in. As I said, I’m responsible for taking care of the Linux product, which covers a lot of cloud workloads. A lot of customers have machines running in the cloud, AWS or Azure, and that’s a specific type of customer. That type of customer may use other tools and leverage other security tools to manage their cloud workloads. I’d like to extend my functional responsibility to cover those areas and have the responsibility within the department.

I don’t know how much further I would like to go up the ladder. The further up you go, the more removed you are from technology, the more of the politics game you have to play. I’m in the middle of that now, but I still have reasonable ideas about what technology the team is using and having a hand in the strategy. I still have to do some politics, but I’m not far enough up the ladder that that’s what I do day-to-day. That’s probably the next decision I have to make if I’m able to go farther up and do more of the politics and less of the technology, if that makes sense.

The cyber industry is looking for many passionate people who want to solve problems.

Thinking back to your original degree, I think you said it was Physics and Astronomy. Is there anything from what you studied in your degree that you’re actually using in your work?

No. I think the main thing is ability to solve problems. Anyone who does a Science degree learns how to have a logical approach and how to approach solving problems. That is invaluable. You’ve proven that you can understand the problem and that there are various ways to approach it, and that absolutely applies in software engineering. That’s one of the main things we look for when we get graduates to join.

These days, many more people will do Computer Science degrees than back when I was at university. We always look for people who have a Computer Science degree because they have that foundation that I mentioned earlier, but they also have shown that ability to solve problems. We do also sometimes consider people from other backgrounds if they’ve shown that ability to do the problem-solving.

What other skills are you looking for apart from problem-solving and that kind of foundation in Computer Science?

Definitely communication. That’s something that’s changed in the time that I’ve worked in the industry. When I first joined Sophos, there were lots of people who would be handed a little bit of work to do. They would sit in their corner. They’d write their code and then they pass it back and they almost would avoid talking to other people. The industry has gone through quite an epic change where the focus is much more on Agile programming and collaboration.

That’s important to know that when we solve problems, we often do it as a team. You have to be able to stand up in front of a whiteboard, draw a picture, explain the problem and what your approach should be, and then collect information from other people and come to some consensus about, “Let’s take a little bit from everyone’s solution.” Come to a consensus, something common. To be able to do that, you have to communicate. You have to actively listen. Those are the two other key things that we look for.

At the end of the day, that means that you’re going to end up with a better product because it’s not just one person’s thoughts or ideas on how to deliver or how to develop that product.

That’s where the diversity comes in. The more diverse your workforce, the better the solutions you come to.

Before we finish, Chloe, any tips for people thinking about working in cybersecurity or thinking about going into that as their career after university?

Just apply. The cyber industry is looking for lots of people who are passionate and want to solve problems. You don’t need previous cyber experience to do well. You just need someone who’s passionate, able to communicate well, can sell yourself and can solve problems. Those are the things we’re looking for. I’d recommend that you read up a little bit about, in general, what cyber is about, but just go for it. We’re desperate for new blood.

I hear that all the time from lots of the companies I’ve been talking to. The skill shortage is very real. I was talking to someone else who was saying, “We don’t mind whether they’re male or female. They could come from planet Mars, as long as they have got communication skills and problem-solving skills because we’re so short on good talent.” It sounds like it’s a brilliant sector to work in with the future of technology, isn’t it?

Yes. For me, the thing I mentioned earlier about the fact that you’re helping people, you don’t get that in many other technology industries. You could work in finance, doing fintech, or you could work in IT, building computers for people, but you don’t get the same satisfaction. You’re helping protect people. You’re helping keeping their assets secure. For the small businesses, you’re basically helping keeping them going. If they had a ransomware attack, they could potentially go out of business.

It’s that sense of purpose that you get working in that sector. Thank you so much for joining me. I do appreciate it. Thank you, everyone, for reading. I’ve been talking to Chloe Acebes from Sophos. She’s a Director of Engineering there. I enjoyed hearing about Chloe’s career as a woman in cybersecurity, but also her journey from coming from a Physics and Astronomy degree, and then finding out about coding and then eventually joining Sophos as a graduate.

You can find out about more episodes at SherryBevan.co.uk. If it sparked a thought in your mind about how to attract more talent to your organization, particularly if you’re looking at attracting female talent, then please do get in touch. An exploratory call with me will give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining your female talents. You just need to get in touch with me by email, Sherry@SherryBevan.co.uk. Thank you again, Chloe. It’s been great talking to you. Enjoy the rest of your day.

Thank you very much.

Important Links

Oct 1 2022 0 Comment

National Cybersecurity Awareness Month Special: Navigating The Unconventional Route A Cybersecurity Career With Emma Jones

Podetize HostingPodcast

This episode offers you the senior consultant of Crowdstrike, Emma Jones, to celebrate National Cybersecurity Awareness Month. Emma shares the unintentional move of her career in cybersecurity. Given that she has no background in the role, the transferable core skills she possessed allowed her to fare pretty well in the space. She enjoyed each moment of her journey and never looked back on her previous career. Like everyone else, Emma faced some challenges along the way in her career, but how did she deal with them? What insights could she offer to anyone thinking of taking the cybersecurity route? Tune in to this episode and learn more.

—

Listen to the podcast here

National Cybersecurity Awareness Month Special: Navigating The Unconventional Route A Cybersecurity Career With Emma Jones

In this mini-series, to celebrate National Cybersecurity Awareness month, I’m talking to women about their careers in cybersecurity. I’m delighted to be talking to Emma Jones from CrowdStrike. Welcome, Emma. Thank you so much for joining me.

Thanks for having me. It’s a pleasure to be on the show. Thank you.

Emma is a Senior Consultant at CrowdStrike. She’s going to tell us a bit more what that involves. Let’s get started and find out about her career journey. To set it into context, could you start by telling us a little bit more about CrowdStrike and what they do?

CrowdStrike, for those who haven’t heard of them, we are a global cybersecurity technology company. Our mission is ultimately to stop breaches. Essentially, they work with a whole range of products and services and strategies to protect customers and clients from the cyber threat and from the adversity that we face in that space. That’s a little bit about CrowdStrike. My role with them is based in the services part of the business. Essentially, I work with organizations across the UK, Europe, Middle East and Africa on a huge range of cyber incident response and readiness activities to help them prepare for the threat and increase their security posture and readiness.

Tell me how you got started in your IT career.

Overcome the imposter syndrome because otherwise, it would impact you personally and professionally.

Completely unintentional move into IT/cybersecurity. Actually, I went straight into cybersecurity. My previous occupation was in UK Law Enforcement. I was in a National Law Enforcement Organization working on a whole range of crime types, different threats, different teams, non-related to technology or cyber.

What happened was I went through a promotion process and they’re quite huge campaigns, I should say, where you apply for the rank or for the grade or the position rather than a specific role. You go through a campaign, they will assess and determine who’s suitable for that particular level, then at that point they will appoint individuals into the role across the organization and across the UK.

I went through a campaign and was successful in that campaign and was really pleased to hear that. It was at that point, I found out which role I was being posted into. Honestly, I expected it would be a role that I had done before with EMA, or had exposure to a crime type I was more familiar with. No one was as surprised as me to find out that I was posted to the National Cyber Crime Unit. I had a moment where I thought, “What on earth has happened here? There must have been a mistake. Why am I going into cyber? That’s not my background. I don’t have an IT skillset.”

I wondered what had happened in the process, but actually people had recognized transferable skills as being incredibly important in cybersecurity, not least of course because the industry is still fairly new compared to many of the areas of work and disciplines, but actually very fortunately the panel who decided recognized that I had some experience that would benefit the cyber side of the team. I found myself in a position there, which entailed creating and delivering and establishing a brand new unit for all UK Law Enforcement. It was all focused on prepared activities.

I had to start from scratch, learn about the threat, and then develop a team which would do a range of different projects from exercise and through operational learning all focused on cyber incidents. It was completely unexpected, but I’ve never looked back. I enjoy every moment of it. Here I am now in CrowdStrike in the private sector.

CGP 23 | National Cybersecurity Awareness Month — National Cybersecurity Awareness Month: Familiarity and awareness increase the effectiveness and the speed of your ability to respond.

I love hearing stories of people who have had an unconventional route into cybersecurity. I think it’s a very positive and powerful message to hear. You mentioned there that your campaign is you’re applying for a rank rather than for a specific role, and that somebody had obviously spotted specific transferable skills that you had. Would you mind sharing a bit more about what you believe those transferable skills were or are?

I would describe them best as core skills. Some people say soft skills, I’m not a huge fan of that. I think it can really imply that you are lesser than or it’s not as important. I like to say core skills. Essentially, I would say there are probably three areas. The first is communication. With that, obviously running a team that had a national unit, you would need to work with people in many different sectors, many different organizations, both public sector and private sector, and at different levels, operational levels, all the way through to senior leaders and strategic forum.

Communication absolutely was the top skill that mattered most in this space, so that you could essentially translate a conversation or a topic and achieve what you needed to achieve in that role. The second skill I would say is probably the leadership skills and strategic thinking. Many conversations I’ve had throughout my career, people have said, “Leaders and leadership skills are saved for the senior roles.” I think anyone can be a leader in your space. If you are developing something, if you were doing something novel or creative, or you have simply taken a step forward to help bring people together, then that absolutely means you are a leader, regardless of your role.

Whilst I was in a management and leadership position, I think those skills were deemed pivotal to be able to take an idea and a vision forward, and get people to understand why you were doing some and what the outcome and benefit for everybody would be in that space. Definitely communication and leadership. Finally, and I suppose it’s an element of communication, but it’s about listening skills and the ability to understand the situation that’s presented to you, and tailor and flex your style and ability and approach.

Obviously, there are many different views and ideas that you can take forward in your space that you need to be tuned in to what the actual requirement may be. Attention to detail and that listening ability, and then translating it into the next project. I certainly think those are some top skills I had to draw upon to my journey in that role specifically.

Comparison is the thief of joy.

As you described, they are definitely core skills that anybody needs in any industry and sector, but I think particularly so in the way that cybersecurity space is evolving at the moment, then those skills are in high demand. Tell us a bit more about what you do on a day-to-day basis in your role at CrowdStrike.

No two days are the same, as cliché as it may be. There are themes and similarities but lots of different conversations. There are a few paths on my role. The first is around working with our organization to enhance the incident response readiness. What I mean by that is getting prepared ahead of an incident to be able to deal and respond to that particular situation that they face. There’s a whole range of benefits in doing that. Not least familiarity and awareness, increase in the effectiveness and the speed of your ability to respond, given that time is always of the essence in these circumstances. That’s a huge focus for me is that preparedness initiative drilling down on some key aspects, whether that’s how you seek support in responding to an incident, what barriers you may potentially face, and how can we overcome them proactively.

The other aspect of my work is more strategic in the sense of supporting organizations in their broader security programs. Working with them to understand what keeps them up at night, what’s the biggest concern, what’s the priority, and how we can help them address those concerns and priorities. Security programs are always changing. They’re always evolving, very dynamic, and you can never do everything all at once.

It’s about having conversations with our clients across this region about what matters to them, and how best we support their effort so that they increase their resilience and readiness in that space. That’s broadly speaking of the day job. I’m really fortunate to have a couple of extra pieces of work that I can do in CrowdStrike relating to inclusion and thought leadership as well, which is fantastic. I’m very fortunate to have the time and opportunity in that perspective.

It sounds like you really enjoy the work that you do, which is brilliant. When you enjoy your work, it makes it so much easier. Since you’ve moved into the IT or the cybersecurity sector, what has been your biggest challenge in your career so far?

I would certainly say it’s around building confidence. We talked about how many people find themselves in cyber in unconventional ways, different routes and paths. I think that contributes to things like Imposter syndrome. Many people, if not everyone, suffer that, and it comes in peaks and troughs, but that was an area that I struggled with to begin with.

What comes hand-in-hand with that is building confidence and having faith and belief in my skillset and my abilities. That was quite difficult to begin with because when you would look around in cyber, it’s still fairly male-dominated. There’s still quite a technical focus rather than a core skill focused certainly at the time that I came into the industry. That sometimes can make you feel like, “I’m not quite like person X, I don’t have that knowledge of person Y, and I wouldn’t take that approach.”

Sometimes, you can then doubt your abilities and whether you’re in the right space and doing the right thing. For me, I had to overcome that because otherwise, you would be impacted both personally and professionally, and suffer in terms of not being able to really do and be who you wanted to be. I had to take the time to reflect and realize that I was in a position I was because of the skills and experience I had. They may have been different for other people, a different perspective, a different mindset or a different approach. I had to remind myself of that on a regular basis.

There’s a quote, “Comparison is the thief of joy.” That’s absolutely true. Remember the skills that you do have, and it’s not necessarily all about certifications. I came into the industry without anything like that. It was about lived experience and ability to apply knowledge. Realizing that position was fundamental to overcome that challenge. Don’t get me wrong, it can still be a challenge now, but it’s much more in check. I also have a wonderful mentor who I met through a Women in Technology program, who supports me create the safe space and has honest conversations, and helps me understand more about my potential and current value as well. That’s certainly been the biggest barrier that I’ve had to overcome.

It’s interesting you talked about a mentor because one of the other women in this mini-series talked about having a mentor as well, and how helpful that had been for her to believe in herself and to apply for the next role and to develop her career. It’s good to hear you talking about that as well. What about your proudest achievement? What’s that been?

If you wait until you feel ready, it’s usually too late.

This is always difficult to talk about. It’s not a question people ask one another so often. For me, I was nominated for a Global Women In Tech Award. That means a lot to me because it focused not just on my work in cyber incident response, but also predominantly about the work I’ve done for inclusion and inclusive practices with incidents.

I would say I’m probably most proud of it because it was the results of the work that I did a few months ago with the forum of incident response and security team. I was selected to speak at their conference. I thought about what we can do to be inclusive with them. For me, a lot of conversations and a lot of narrative, quite rightly, is always about thematic and strategic conversations around diversity and inclusion. Sometimes, those in teams and every individual every day might not feel that relates to them directly.

I wanted to take a moment to speak to those individuals within teams within the global forum to say, “This is what we can do as individuals and actually make it specific real examples, bringing it back and relate for their daily work. That was a fabulous opportunity for me to bring two topics I love together, and a wonderful moment to hear about the nomination as well. That’s where I’m at in terms of proudest achievements.

You’ve done a lot of work around inclusion and representation. What do you see are some of the potential barriers for women working in this sector?

The most prominent barrier at the moment is a lack of representation of women in two areas. The first in senior leadership roles and the second in technical roles. The industry is very vocal and passionate and supportive of having diverse representation, having women in the workforce. There are conversations about how cyber is not just technical, so women in roles that are non-technical and that are outside of the day-to-day hands-on keyboard activity, and they intersect with cyber, was certainly getting there and recognizing that and bringing women into the sector in that regard.

When it does come to senior leadership and technical hands-on keyboard positions, that is where we lack the visibility and representation. It’s important for me because we want to feel like we can have a career path and that we can do something. Everyone likes to see someone role model that opportunity. Without that can make it quite a challenge to showcase and explain to individuals and to women what a great path this career can take you on.

You’re right. There are a lot of organizations that are actively wanting to improve diversity and increase inclusion, but it’s not having those role models at the senior levels and in the technical areas. There’s that quote, “You can’t be what you can’t see.” The more we have those role models, then the more it becomes a snowball effect. Any top tips for anybody who wants to get into cybersecurity via a conventional or an unconventional route?

There are many, and I’m sure you’ll hear some fabulous tips from all of the guests on this mini-series, but I think there are two. The first is to leverage what’s out there to support women. There are amazing networks, free training programs, and I mentioned the Women In Technology mentoring program that I joined a number of years ago. There’s so much out there, so just have a look, make the most of it, choose opportunities that you think will be best for you to support your interests in that area. You don’t need to be in a cyber role to join any of those. You could just be thinking about IT and tech position. Definitely leverage those opportunities. There’s more now than there’s ever been before.

The second tip I would have is there’s no better time than doing it now. Both for those reasons around the opportunities, but also because someone once said to me that if you wait until you feel ready, it’s usually too late. I completely agree with that. Taking a moment to leap into a new opportunity or just signing up to a program or a training course. Even if it doesn’t fully fit with what you’ve got going on right now or if you think, “I need another six months and then I’ll be ready,” just do it because something will always come in the way. That’s my main tip and something which stayed with me for my entire career so far.

I love that piece of advice. I think it’s so true because so often we put off doing things because, “I’m not quite ready or I don’t quite have the right experience yet,” then you can look back later and think, “If only I had done it sooner, if only I’d just taken up that plunge.” Emma, thank you so much for joining me. It has been interesting to hear about your slightly unconventional route into cybersecurity, but I think that’s a very positive thing to hear. I’ve loved the tips that you’ve shared as well. If people want to get in touch with you, I guess LinkedIn is the best place to do that, correct?

Yes, absolutely. Please reach out. I’m always happy to provide pointers and advice on joining the sector and where to leverage those opportunities.

Thank you so much, Emma, for joining me. We’ve been reading about Emma Jones talking about her career as a woman in cybersecurity. If there’s a spot of thought in your mind, let’s talk. Let’s talk about any questions you might have about the work I do in cybersecurity companies on attracting, developing, and retaining your female talent. Just email me at Sherry@SherryBevan.co.uk to book your free consultation call. Thank you, Emma.

Thanks. It’s been a pleasure.

Important Links

About Emma Jones

Emma is a Senior Consultant with CrowdStrike, who works with organisations across the UK, Europe, Middle East and Africa on a range of cybersecurity incident response and readiness initiatives. Alongside her day job, she is passionate about fostering inclusion and championing diversity, and is involved in multiple associated projects.

Oct 1 2022 0 Comment

Interview With Ashley Baich Of Accenture To Celebrate National Cybersecurity Awareness Month

Podetize HostingPodcast

Joining us for another episode of our special National Cybersecurity Awareness Month series is Ashley Baich. Ashley is the Readiness and Crisis Management Security Consultant at Accenture in their Cyber Investigation, Forensics, and Response (CIFR) practice, responsible for helping organizations flex their crisis response capabilities. She chats with host Sherry Bevan about her journey into cybersecurity and why she had her sights set on the field before even graduating. Ashley also speaks on the challenges and possible turnoffs going into such a male-dominated industry, the strides being made to close the gaps, and the opportunities for more women entering the field. Tune into this episode to learn more.

—

Listen to the podcast here

Interview With Ashley Baich Of Accenture To Celebrate National Cybersecurity Awareness Month

In this mini-series, to celebrate National Cybersecurity Awareness Month, I’m talking to several women about their careers in cybersecurity. In this episode, I’m delighted to be talking to Ashley Baich. Welcome, Ashley. Thank you so much for joining me.

Thanks for having me, Sherry.

Ashley is a readiness and crisis management security consultant and has been working for Accenture for the past two years. Let’s jump right in to find out more about Ashley’s career in cybersecurity. Ashley, I know you’re a fairly recent graduate. What did you study before you got started in your consultancy career?

I graduated from the University of North Carolina, Chapel Hill, which is on the East Coast of the United States. I graduated with a BS in Information Science and a BA in Journalism.

Information Science and Journalism are quite an interesting mix. Was there a lot of overlap between the two?

Not overlap, but they complemented each other pretty well. I always knew I wanted to go into cybersecurity in some capacity and use those four years of undergrad to decide what aspect of security I wanted to be a part of. My Journalism degree came from the desire to bridge the communication gap between IT and business. Unfortunately, my university didn’t have a degree in Cybersecurity. Information Science was the closest thing that I could major in that gave me a little glimpse into the cybersecurity world, but I still had a lot to know when I graduated in 2020.

I’m curious because I don’t know many people who go to university thinking they want to get a career in cybersecurity. What is it about cybersecurity that piqued your interest so young?

My father has been in cybersecurity for the past 30 years. It was definitely a topic at the dinner table. That’s definitely where I initially found a spark, but then I was gifted the very unique opportunity in my senior year of high school to write a white paper for a startup. I’ve always been very passionate about writing. I didn’t know what type of writing I necessarily would want to do long-term.

The startup approached me and asked if I would be interested in writing a white paper. That white paper turned into five wonderful years being on their marketing team as an independent contractor as I went through my university years. By the end, I was the longest-standing member of their marketing team. They were acquired by Symantec, which had turned into Broadcom.

It was a great experience, but that was my first exposure to cybersecurity personally, besides hearing about it. I saw the wide variety of opportunities within the field. Even if at the end of the day, I only wanted to write, it was a cool thing to write about. That passion shifted more to the incident response crisis management side of the house, but that’s how I started. It was in my senior year of high school. I was eighteen years old trying to make a little extra money and here I am now.

There’s a wide variety of opportunities within the field.

My father worked for IBM so it was almost a given that I was going to end up in technology in some shape or form, but it certainly wasn’t the career that I had planned on doing. Often, it’s those conversations around the dinner table that spark or ignite a thought of what you might want to do later in life. How did you make the move into the role that you are doing now? Tell us about what you do now.

In between my junior and senior years of college, I realized I probably should get myself an internship. I had a lot of Business major friends who were applying to consulting. I was like, “Interesting.” I didn’t know that much about it. I started looking and saw that cybersecurity is an aspect of consulting. You can consult for cybersecurity. As someone who didn’t have a lot of experience in cybersecurity besides my marketing experience and then my Information Science degree, I was like, “We can do that.”

I had the opportunity to intern for Accenture between my junior and senior years. I worked for Accenture Labs. It was internally facing. I was helping them bridge the communication gap between all the awesome research that our researchers were doing and their ability to communicate that with the consultants to then be able to share with our clients. I still got to use my journalism degree and do that, but get to touch on different aspects of cybersecurity that I didn’t have the opportunity to do on the marketing team.

I then received my return offer going into my senior year of college, which was great. I got to enjoy that senior year knowing that I had a full-time job waiting for me at the end. I joined our technology development program as a security analyst. It’s a soft line to financial services. What was great about that start was I got to touch on a wide variety of cybersecurity projects. I did policy writing, a merger of two large financial institutions, and picking and choosing the best of each security program. I got asked to be part of surge support for nine days for a client who needed more hands and more help. Nine days turned into four months. I enjoyed the crisis management and response work that I had the opportunity to do for that client.

Slowly but surely, I found my way to the CIFR team and officially joined in November of 2021. That was my journey to my current role. As part of the Cyber Investigation, Forensics and Response team, I have the opportunity to help organizations prepare for crises as a readiness consultant, but then I also have the opportunity to go in as part of the crisis management team during actual incident response to help the C-Suite manage the crisis.

That sounds like you’ve crafted your journey into cybersecurity and it sounds like you’ve landed on your feet. I can tell from your enthusiasm that you love what you do, which is always good when you’ve got work that you enjoy. Ashley, clearly you love what you do and you’re very passionate about it. What’s been your biggest challenge working in the cybersecurity world?

I think the biggest challenge that I’ve had to deal with is something that a lot of people have dealt with working through the reality of a huge organization. With Accenture, I think we are at 750,000 employees now. It’s a huge organization and what comes with that is a set of rules and procedures that must be followed. The largest challenge I have seen as it relates to that is when it comes to the promotion cycle. While I wish at the end of the day, it was solely based on performance and what you’re bringing to the cap table and what you’re capable of and the experiences that you’ve had, at the end of the day, there are rules around how long you have to stay at a level before you can be promoted.

CGP 25 | Crisis Management — Crisis Management: At the end of the day, there are rules around how long you have to stay at level before you can be promoted.

That can be a frustrating challenge to endure because as part of the crisis management team, I’ve had experiences where I am sitting next to the global CISO of a Fortune 100 company, working with them directly day-to-day, and have made considerable impacts on their crisis response. While that might fall under the roles and responsibilities of someone at a much higher level than myself, I am still under the pay band and roles and responsibilities of a consultant.

It’s a challenge I deal with daily, but one thing that makes it enjoyable still is the team that I work for. Having the opportunity to sit next to the CISO, even with the title of consultant is quite an honor. We run a relatively flat team, which makes me have those opportunities. While it’s still a challenge, I’m able to overcome it by thinking about it that way. At the end of the day, if I’m still able to perform the responsibilities that let’s say a manager would perform, I’m still fulfilled.

What about your proudest achievement?

I would say my proudest achievement to date was the opportunity to set foot on a client site during a major cyber crisis. I walked into their war room and see the absolute dread on some of these C-Suite faces not knowing what the week was going to hold and how they were going to recover from this incident. Sitting beside them for three months over the Christmas holiday and not leaving that project until there were smiles on their faces. We had overcome all of the challenges.

They were in recovery. They were transforming their security posture and had the buy-in from the rest of the C-Suite to do so. They were getting the money they needed from the board of directors to continue to make this transformation into a stronger security team. I can’t put into words how that makes you feel. You go in when they’re at their absolute worst and you don’t leave until they’re in a much better situation.

It gives you that warm fuzzy feeling to know that you’ve gone in when they’re in a crisis and you’ve left when they’ve got those smiles on their faces again.

You can see the impact that you’ve made. I truly feel like I’m making a difference and that’s very rewarding.

What do you see as being the most valuable skills working in this sector?

In my role, I would say that the most valuable skills are oftentimes soft skills. I have a wonderful incident response team that goes in and does the more technical responsibilities when it comes to responding to a crisis like doing the forensics, eDiscovery, and all of that. My role specifically is more soft skill driven. It’s the ability to understand what the incident response team is doing, what the findings are, and drive the business value from that. Also, be able to communicate that with my key stakeholders, but then also help my key stakeholders communicate that to the rest of the organization.

The most valuable skills are oftentimes the soft skills.

In the meantime also, the organization is a huge one. During a crisis, there are a lot of different workstreams going on. There are a lot of cooks in the kitchen and third parties that need to be considered and things of that nature. Helping the C-Suite be able to organize themselves and develop relevant tasks, prioritize those tasks, and assign them to the right individual is extremely valuable. In a high-stress “what’s going on” situation, it takes a lot of organization and the ability to step back, remove yourself from the stress, have an open mind, and think through the strategy of how you’re going to tackle the day, the hour, the next ten minutes, and things of that nature.

Those are the two key skills that have helped me be extremely successful in the crisis setting. In the readiness setting, since I don’t just do crises, those are very high intense and long day situations. When I have the opportunity to take a step back and do readiness work, go into a client and help them enhance their incident response plan or run a crisis simulation and things of that nature, communication is still important. Also, being able to think outside the box and think through the crisis situations that I’ve been a part of. Helping organizations proactively continue to improve their incident response capabilities so that they can respond the best when they do fall victim is another skill that is important in the incident response crisis management world.

Opportunities for women in the sector, I know that there seems to be a skills shortage generally, but what are the opportunities for women in the sector?

They’re endless. I’ve talked to marketing. I’ve talked to communications and the business side of things. There’s a huge technical shortage as well. For me, being a part of that technology development program to start helping me identify what niche I wanted to be a part of, and there are endless niches. You can create your own.

I don’t necessarily think that my career path is going to be just crisis management, but even crisis management as a workstream is something that is still so new. There are not many organizations that have invested in that workstream yet. The beauty of the opportunities is endless. You can have an open mind and create your own. At the end of the day, there are a lot of organizations that would love to invest in women who are interested in developing a skillset, and finding what they want their niche to be.

It’s identifying a current gap in the security program where you can use the skillset you have to provide unparalleled value. That’s a hard question to answer because there are so many different ways that I think you could. For anyone that’s interested in getting involved and doesn’t think that they have the background to make a decision on what niche they want to be a part of, to begin with, I know most organizations these days have that development program. They have the opportunity for you to start and look at cybersecurity as a whole. Pick what aspects you want to be a part of and try them out. That is extremely beneficial and a great approach to getting your feet wet.

Ashley, you’ve talked about some of the skills that you use, but what do you think puts women off applying to work in cybersecurity?

There are two things and they go hand in hand. I’ll start with the first and that’s job postings being daunting in and of themselves. You look at the skills required or even what the description of the job is. This is not only in the cybersecurity field. Oftentimes, someone may not be super confident in the fact that they are the right fit. Typically, if I look at a job posting and I’m not sure if I’m the right fit, I would still apply and go through the interview process. That’s the whole point. You’re interviewing the company as much as they’re interviewing you so you can see if there is a good fit.

When it comes to cybersecurity and the gender gap that we already see within the field, it can be a turnoff for women. They look at the job posting. They’re unsure. Maybe they do still have the courage to apply, but then every interview that they have from that point on is by a very successful senior male figure. It’s hard for them to imagine themselves in that role as a female, knowing that they’re going into a very male-dominated environment.

It’s hard for women to imagine themselves in that role as a female, knowing that they’re going into a male-dominated environment.

I am the only female that is on the crisis management team, and one of three females on the readiness team at Accenture. I’ve had a great experience. Someone had to point out to me that I was the only female on the team, but I know everyone doesn’t have that experience. It takes a lot of courage to put yourself in those uncomfortable situations to even apply for a job you’re not fully confident in.

You add that to the mix and it can be extremely daunting and a turnoff to many. I think there’s a lot of change in the cybersecurity field these days. People are aware of the fact that it is male-dominated. I will give a shout-out to my male leaders. They pointed out and they have the conversations. They’re trying to make strides to minimize that gap. As women, we also have to apply for them to be able to minimize the gap. I don’t want to forget that part of the equation too.

Finally, what’s your top tip for anybody that wants to get into cybersecurity? What would you suggest they do?

I would go in head first. If I’m being honest, as we’ve talked a lot about here, there are so many different opportunities and skillset that you can leverage to be successful in the field. The way that I was able to find my path was going in head first trying a wide variety of things until I found my niche. I would encourage anyone who has any potential desire to be in cybersecurity to go in and give it a try. We have such a shortage. Everyone is going to be grateful that you’re there.

If you’re on the right team, they’re going to encourage you and teach you along the way. At the end of the day, it’ll be a great learning experience. At the very least, you might find your niche and passion, and years later, be excited to go to work every day and want to have the opportunity to be on shows like this to encourage others. I couldn’t say enough positive things about my experience thus far. I would recommend for anyone that’s potentially interested to go in head first and see how you feel a few months in.

Ashley, thank you so much. I’ve enjoyed hearing about your career, how you got started, and the skills you use. It’s fantastic to hear somebody talking about cybersecurity with such enthusiasm and passion. Thank you very much for joining me in this episode.

Thank you for the opportunity.

If this conversation has sparked or thought in your mind about how you recruit your female talent, let’s have a conversation. To give you the opportunity to ask any questions you have about the work I do with cybersecurity companies on attracting, developing, and retaining more female talent, simply email me at Sherry@SherryBevan.co.uk to book your call. Thank you and I’ll see you in the next episode.

Important Links

About Ashley Baich

Ashley is a security consultant whose work is focused on proactively improving organization’s resiliency to cyber threats and advising organizations through cyber crisis’. A readiness and crisis management consultant at Accenture in their Cyber Investigation, Forensics, and Response (CIFR) practice, she is responsible for helping organization’s flex their crisis response capabilities.

May 31 2022 0 Comment

Challenges And Best Practices In Attracting And Retaining Female Talent In Cybersecurity

Podetize HostingPodcast

In the spring of 2022, Sherry Bevan hosted a round table where she invited several cybersecurity companies to talk about attracting and retaining more female talent into cybersecurity. Representatives from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security came along and participated in a fruitful discussion. They looked into attracting more women into cybersecurity, tackling unconscious biases in hiring, retaining female technical talent, internal role modeling, and closing the gender pay gap in the industry. In this episode, Sherry shares her reflections about the round table. Listen in as she breaks down the discussion’s salient points that reveal deep insights into the state of female talent in one of the fastest growing sectors of the economy.

—

Listen to the podcast here

Challenges And Best Practices In Attracting And Retaining Female Talent In Cybersecurity

Reflections On The Spring 2022 Round Table

In this episode, I’d like to share my reflections from my spring round table in which I invited several cybersecurity companies to come and talk about how we attract more women into cybersecurity, and once we’ve attracted them, how do we keep them there? Before I move on, I will tell you a little bit about my round tables. I run these twice a year. They’re very small exclusive events.

They’re an opportunity for you to get insights, ask questions, and share feedback with your peers in the community. Normally, no more than 6 to 8 companies with 1 or 2 representatives at most from each organization. Typically, the types of people who come along to the round table are HR directors, talent managers, diversity and inclusion, and heads of departments.

In 2021, my round table was on the impact of the hybrid world on the gender pay gap. You can still access and get a copy of the white paper that I wrote off the back of that. In spring 2022, we looked at how to attract and retain female talent, specifically in cybersecurity. If you’d like to join the next round table, when we’re going to be looking at how to engage our female talent in the sports technology world, please do get in touch.

I’m very grateful to the representatives who came along to the spring round table. We had representatives from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security – thank you very much. Everyone who came along, got engaged and contributed so that we had a fruitful discussion. Before the round table takes place, I send out an attendance list, who you’re going to meet, and tell you the talking points or what the questions are going to be. I will facilitate the discussion around those talking points.

Cybersecurity Female Talent: We don’t have a challenge in attracting more women into cybersecurity. We have a challenge in getting more talent into cybersecurity.

For the last one, we looked at why does the sector need more women in cybersecurity? We looked at how we attract more women into cybersecurity, particularly in the hybrid work model that most of us are working with now. We looked at ways that organizations can tackle that unconscious bias in hiring. We also spent some time talking about the role of internal mobility. Can you move stuff from one department to another? That you attract and retain more of your female talent in the more technical or the engineering sides of the company. We spent some time looking at how to close the gender pay gap in cybersecurity.

Talent Shortage In Cybersecurity

Before we think about how we attract more women to cybersecurity, let’s spend a few moments thinking about what we already know about the sector itself. There was a government report published in 2020 talking and looking at cybersecurity skills in the UK labour market. What we do know is that cybersecurity is one of the fastest-growing sectors and there are certainly no signs of slowing down. There has been massive investment in the industry.

The report by DCMS suggests that the UK cyber industry is worth an estimated £8.3 billion. However, the challenge is that the number of trained and experienced cybersecurity professionals is simply not keeping up with demand. In fact, we don’t have a challenge of how to attract more women into cyber security. We have a challenge of how do we get more talent into cybersecurity.

There was a government report back in 2018. When I talk about UK businesses, I’m not talking about technology companies or companies that specialize in cybersecurity, but the UK businesses in the general UK market. More than 50% of them have a basic technical cybersecurity skills gap. We have a big challenge here. Three out of ten cyber firms or 29%, say that the job applicants they do get lack non-technical skills such as communication, relationship building, and leadership management skills, which is preventing the company from meeting its business goals.

Cybersecurity is one of the fastest-growing sectors, and there are certainly no signs of slowing down. However, the challenge is that the number of trained and experienced cybersecurity professionals is simply not keeping up with demand.

When we look at the cybersecurity sector as a whole, we lack strong female role models. There are some amazing role models in the industry. If you know a role model, then please do let me know because I’d love to interview her for the show. One of the critical barriers to female progression in the workplace and particularly in cybersecurity is the lack of professional flexibility.

When we look at diversity, there are some statistics available, and what we see is that if we’re looking specifically at the cybersecurity sector, 15% of the workforce are female compared to 28% of the wider digital sector. Although, when we talked about this at the round table, quite a few of the companies represented there, where are they getting these people from because we’re not at 15%.

For information here, 16% are from ethnic minority backgrounds versus 17% from digital sectors. From that point of view, the difference isn’t so significant. What we also know is that 9% of the workforce in the cybersecurity sector is neurodivergent. Unfortunately, we don’t have any reliable comparisons for that across the wider digital sector.

In the discussions that we had at the round table, the biggest thing that came out of it for me is that if you’re struggling to recruit talent and particularly recruit female talent, you are not alone. Every single one of the participants at the round table said that they were struggling to get enough good female talent on the shortlist. In fact, they’re not struggling to get good female talent. They’re struggling to get good talent onto their shortlist.

Cybersecurity Female Talent: It would be amazing if we could develop a better image for cybersecurity, but it’s tricky because, at the same time, there’s not enough openness about what we do and about what the organizations do when they get our support.

The challenges are we have a skill shortage, there’s no doubt about that, but there are also some other issues. One of the big challenges that we seem to have in the cybersecurity world is that cyber is not the cool place to be. It’s not a cool place to be for women, which to my mind is crazy because for me, working in cybersecurity is about stopping the bad guys.

As one of the round table participants described, it’s a noble pursuit and has a noble purpose for companies. In my mind, that should appeal to women because women often feel more drawn to an organization or a company that seems to have a sense of purpose in the world rather than making money for money’s sake.

I wonder whether we need to have a PR campaign for a sector that could be seen as cool, fighting the bad guys, and making the place a better world, but it’s tricky to have a PR campaign for a sector that’s in the shadows. We don’t want to be going around telling people, “Watch out because your hospital is at threat of attack. Your bank is at threat of attack. There’s been an incident in the financial services sector.” Often when an organization has some cybersecurity incident or threat, it is not the thing they want to be talking about.

It would be amazing if we could develop a better image for cybersecurity, but it’s tricky because, at the same time, there’s not that openness about what we do and about what the organizations do when they get our support and our help. One of the other challenges in any sector of technology is flexibility. Women tend to prefer to want that flexible working. What we do know about flexible working is it tends to be parents with young children and people with disabilities who want it.

One of the critical barriers to female progression in the workplace, and particularly in cybersecurity, is the lack of professional flexibility.

Over the last few years, we’ve all had to move to that remote work, and hybrid working is very much at the forefront of our minds now. COVID has introduced new possibilities to us. One of the tricky things, though, is if you’re working in cyber and in that very technical side of things, we’ve got that challenge of needing to be on call 24/7.

It’s not for all people in the organization, but for certain groups, those who work on the incident or service desk, which can be more challenging if you’ve got young children or if you’re part of that sandwich generation. Maybe you’ve got young children at one end of the spectrum in your life, but you’re also caring for elderly relatives at the other end. More information about how to support your working carers in the last episode.

While remote working and hybrid working models have been absolutely brilliant for many of us who have not needed to commute to be more productive, and all of that good stuff that comes from hybrid working, there are some disadvantages. In the past, our penetration testers would have got some of that tacit knowledge transfer simply by being in the same room as the best testers in Europe and that’s not happening now because we’re all working remotely.

You’re not overhearing those conversations. You’re not able to step over to another person’s desk and say, “Could you help me with this?” It’s different because we have to work harder at making that knowledge transfer happen. We need to understand these obstacles to be able to remove them. Being more flexible in the way that we offer flexible working would be a great start.

Cybersecurity Female Talent: Often, women will see cybersecurity as a very technical role. It’s much more than that. We need our recruiters and hiring managers to use language which addresses the entirety of what the role requires.

Beyond The Hiring Process

We often talk about how we attract more women into cybersecurity, but it’s not about the hiring process. It’s moved beyond knowing how to have a shortlist with women on that. Lots of companies will work closely with the recruitment agency or their internal talent acquisition people. It’s not about the hiring process. It’s about attracting women in the first place. It comes down to your employer brand.

One of the things that came out of the discussion with the cybersecurity companies who came to the round table is that we’re all competing for the same talent. What we don’t want to do is to end up doing what we’ve seen in other sectors in the past, where they have gone to extreme lengths to attract women. When companies find out that women are on maternity leave, they contact them directly to offer them incredible packages so that they can stay on full paid leave for a whole year and then come back to work for a different employer.

What we need to do is to establish that strong employer brand, but not just the employer, the industry brand. That will help the whole pipeline and the whole sector. All of the representatives at the round table felt that it’s not about focusing on your own requirements because otherwise, you’ll end up competing against the same female talent. What will happen is we end up in this spiral of offering these massive packages, large salaries, flexible working, bonuses, and all those kinds of things.

One of the topics we also did talk about was internal and social mobility. How can we encourage women who work in the cybersecurity industry but perhaps not in those technical roles? How can we attract them to retrain? What can you do? In some organizations that I’ve talked to, they have schemes where people can go on secondment for a short period of time into the more technical sections of the organization to find out more about the role, whether or not it’s something that they could do.

Attracting more women into cybersecurity is not about the hiring process. It comes down to your employer brand.

What about bringing in people without experience and training them up? Is that something that you could consider? I know there are companies out there and if you are a company that’s doing that, I’d love to hear from you and your experiences, and share something with that on the show, so get in touch if you’re bringing in people without any cyber experience at all and you’re training them up.

Could you persuade someone to make a sideways move? After all, this is a career for life. After a couple of years of training, you’ve got that career locked in. Let’s face it, it’s not a career without its financial advantages and it pays well. Perhaps, you’ve looked at things such as CAPSLOCK, a scheme where it does take people without experience and does train them up and then gets them into positions in companies as well. There is a lot of willingness to try and explore internal mobility, but perhaps still in its infancy.

Coming back to recruitment, we’ve seen other sectors in the past going to those crazy and ridiculous lengths to poach bait women. We’ve seen that in some of the financial services in the past. Maybe we might start to see that in cybersecurity. I hope not. One of the important things, when we look at recruitment, is about educating your hiring managers. It’s important to think about cybersecurity on its whole. What are the technical and non-technical skills required?

Often, women will see cybersecurity as a very technical role, problem-solving, and multitasking. It’s much more than that. We need our recruiters and hiring managers to use language, which addresses the entirety of what the role requires. Talking about not the technical skills but also talking about the non-technical skills. What sometimes people describe as soft skills, but I don’t like that terminology because it devalues the skills. Thinking about those skills, such as leadership skills, collaboration skills, and building relationships, often these are things that women tend to be better at. They tend to perform better in those kinds of skills.

Cybersecurity Female Talent: There is no magic solution. We do have a skills shortage in the cybersecurity sector, but there are lots that you can do to nurture and retain your female talent in the workplace.

I mentioned that 29% of cyber firms say that job applicants lack those non-technical skills such as communication, leadership, and management skills, and that is what’s stopping them from meeting their business goals. However, we do have 50% of the population that tend to be the skills that women are better at. I’m always talking about general tendencies. I’m not talking about all men or women.

It’s about how those hiring and line managers describe the roles and the qualities and behaviors that they’re looking for. In some organizations, we’ve seen tick box requirements where it’s essential that you’ve got experience in a particular way or thing. Try and think outside the tick box. Could that specific experience be gained in other ways?

One of the round table participants talked about how it was a requirement to spend some time on an oil rig in the oil industry. Often for women, particularly if they’ve got young children, it is very tricky and difficult to manage, so they lack that particular experience. It meant that it was very difficult for them to move into certain roles because they didn’t have that experience. The company started to look at other ways to gain that experience.

Look at those shorthand descriptors that you use and break them down. As the talent manager or HR professional challenges the hiring managers, “What does that mean? Why do you need that? What’s the purpose of that skill?” Make sure that you include women in the interview process. I appreciate that some of this is stuff that you’re perhaps already doing.

Attracting women still needs to be a meritocracy. Women need to have the skills and experience. It’s not about tokenism. In fact, women don’t want to be seen as token women in the office.

A lot of what we’re talking about here is equally applicable, whether you’re trying to attract women into cybersecurity or into technology. If you go back to my previous episode where we looked at all the different initiatives and the ones where the research tells us that they’re most effective on how to attract and retaining women into technology. Go and look at that episode because that’s equally applicable to the cyber sector.

It is important to include women in that interview process. The important thing is I’m not saying, “Go and recruit wherever women you can find.” It still needs to be a meritocracy. Women need to have the skills and experience. It’s not about tokenism. In fact, women don’t want to be seen as token women in the office. They don’t want to be making up the numbers to fulfill the quota.

Quotas have a place. Often people don’t like quotas because they feel it takes away the ability to select the right person for the right role. Also, quotas on your shortlist perhaps can be the only way that you get more women into the interview room in the first place, but women themselves don’t want to be seen as token women because it devalues their skills and experiences. They don’t want to be thought of as only getting the job, promotion, or sideways move because they’re a woman.

Do you have role models in your workplace? If you do have role models, how can you showcase them in the workplace? There’s very much that thing. You can’t be what you can’t see. We need more female talent in the cyber security industry. Once we start to get more female talent into the sector, then it will start to snowball a bit more. Your female role models, could they mentor other women? Perhaps, women who are considering or seem to be demonstrating the relevant skills to take a sideways move and move over into your engineering or into your technical team.

Although one of the challenges discussed by a couple of the participants at the round table was that when you do showcase your female talent and you’re doing that to build your employer brand, then what happens is you’re putting a target on their back and they get inundated with headhunters and recruiters. That’s partly because there are so few female experts in the sector at the moment. If you can at least role model them internally, it would be great to get to the stage where we showcase female talent and it’s not putting a target on the back because there’s such a plethora of female talent to pick from.

Technical And Non-technical Skills In Cybersecurity

One last point when we were looking at recruitment, because of the skill shortage, often when people move to another employer, they’re getting offered packages that you might not feel you could offer them for them to stay. They’re getting high salary offers and high bonuses. They then hand in their notice and then people rush around, “We want you to stay,” and then you start to offer more money. One of the things that we went back to is good performance management principles. Are you looking after the staff that you don’t want to leave and not the ones who talk loudly about how many times they’ve been approached on LinkedIn?

I’m very grateful to the participants from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security for participating in the round table on how to attract and retain female talent in the cybersecurity sector. We didn’t come up with any light bulb moments in terms of magic solutions. There is no magic solution. We do have a skills shortage in the cybersecurity sector, but there are lots that you can do to nurture and retain your female talent in the workplace.

There’s work that you can do on those good performance management principles and taking some of the initiatives that we use in technology as a wider sector to encourage more women into the cybersecurity workplace. If you’d like to get involved in my next round table, which would be in October 2022, please do reach out. I do keep a waitlist if you want to get involved or if you want to find out what the topic is going to be.

Thank you so much for reading, more episodes of the show at SherryBevan.co.uk. If this discussion has sparked an idea for you and your organization, please get in touch and book an exploratory chat with me that will give you the opportunity to ask any questions you have about the work that I do with cybersecurity companies on how to attract, develop, and retain your female talent so that you can close the gender pay gap. Get in touch by email at Sherry@SherryBevan.co.uk to book your call.

Important Links

Feb 8 2022 0 Comment

Diversity in Cybersecurity: Jess Figueras On What’s Causing The Cyber Skills Shortage

Podetize HostingPodcast

Diversity in the workforce is an issue that many industries are striving to improve. But what about cybersecurity? Jess Figueras sheds light on the matter with host Sherry Bevan. Jess is an independent tech industry strategy adviser and the Vice-Chair of the UK Cyber Security Council. She has experienced first-hand the lack of and the need for more women in the profession. In this episode, Jess discusses the cyber skills shortage and factors that contribute to a skewed diversity in the field. Technology is producing information faster than the professionals going in. So, what is putting people off from cybersecurity? And, is this a chance for more women to get into cybersecurity? Get the answer by tuning in.

—

Listen to the podcast here:

Diversity in Cybersecurity: Jess Figueras On What’s Causing The Cyber Skills Shortage

In this episode, I’m delighted to be talking to Jessica Figueras, a tech industry strategy advisor and Vice-Chair at the UK Cyber Security Council. What we are going to be looking at and exploring is how we attract and keep female talent in the cybersecurity space. If this is a topic of interest, I do still have a couple of spaces available on The Executive Round Table on this topic on the 24th of March 2022.

We will be looking at why the sector needs more women in cybersecurity. We will look at ways that organizations can tackle unconscious bias in hiring. We will have a look at the role that internal mobility plays and how to close that gender pay gap in cybersecurity. Back to our guest, a very warm welcome, Jessica. Thank you so much for joining me.

Thank you for having me.

Perhaps to set the scene, it would be helpful if you could tell us a bit more about your career and how you’ve got interested in digital trust and cybersecurity issues.

It is important to remember that you can start from anywhere. When I graduated with my English degree, I had no idea what I wanted to do. I ended up in Public Relations accidentally. It was technology public relations doing a lot of work for companies like Microsoft. As it turned out, PR was not for me. However, I found the technology industry fascinating and quickly gravitated to the most complex bits of emerging technology where pretty interesting industry dynamics were emerging. From there, I became an industry analyst.

I worked at a company for a long time, focusing on areas of emerging technology, where interesting dynamics are coming out. Companies are competing in different ways and using cases affecting society and changing consumer behaviors. That’s how I got in it in the first place. Digital trust started to interest me somewhere around 2014, 2015 when I started working in a role specializing in government and public sector use of technology, how government strategy, different emerging technologies, and methodologies were going to be playing out in that sector.

Lack of diversity is a problem. If you only have the same kinds of people trying to solve the problem, you don’t have a full toolbox.

The role of digital identity became important. At that point, the government has been trying to implement a new framework for digital identity in government for quite a long time. It was called the Verified Program. It’s a way for citizens to sign into digital services online and have their identity verified.

It was a very complex undertaking. The government ran into a lot of trouble with that program. It didn’t deliver. It has been phased out and replaced. You are looking at how that digital identity is not a technocratic question. It’s not a question of how you can make the tech work. It also raises interesting questions, which are more civil society questions about the role of citizenship if everybody has access to the credentials you need to prove your entitlements to use different government services.

That leads to questions around equality, all sorts of different kinds of dimensions. We saw it with the Windrush scandal when many British citizens were deprived of their citizenship simply because they had arrived in the country as children and didn’t have credentials. We can see the horrifying consequences when the government doesn’t get this right. That’s where my interest started.

How did you get involved in the UK Cyber Security Council? That sounds like a fascinating role to me.

The UK Cyber Security Council came out of the government’s National Cybersecurity Strategy in 2016. One of the weaknesses that the government identified in the UK’s overall security posture was the profession itself and lots of different dimensions there. Firstly, endemic skill shortage continues to be the problem. The demand for skilled people consistently outstrips supply.

There are a lot of issues around skills, career paths, professional development because of our young professionals. It’s changing and evolving very quickly. It’s very difficult for organizations to know what qualifications they should be asking for in their people and how they map onto each other. It’s about one million and one different qualification you can take. It’s not always obvious how they map.

CGP 16 | Diversity In Cybersecurity — Diversity In Cybersecurity: Cybersecurity skewed away from the kinds of people who would naturally see their job primarily being about communication and engagement.

There’s a lack of diversity as well, which is a problem. If you only have the same people trying to solve the problem, you don’t have a full toolbox. It also plays into the skill shortage. That’s why the UK Cyber Security Council was set up. Initially, it was sponsored by the government and set up by the industry. I was taken on as 1 of 4 founding trustees. Our job was to bring the work done to fruition to launch the council as an independent charity. The fact that I had a long background in technology but also that I had a lot of experience in charity governance as well, that was why I ended up joining. That has been very exciting.

What’s the role of the UK Cyber Security Council? What can organizations get from it? How can it help them?

We are here to strengthen the profession. We do that in lots of ways. We map all of the different qualifications out there. We have a career pathways map. We map that onto the jobs available in the market. We give a lot of information and advice to people interested in careers in the sector. We will be doing professional registration at some points. The government is starting to look at whether any form of regulation needs to be put in place. We support that process. We are supporting the drive for diversity as well.

Cybersecurity is quite a young profession. It has not been around forever kind of thing. How do you think it’s doing in terms of promoting diversity?

The data that has been collected so far on this suggest that technology, in general, has a diversity problem and cybersecurity has even more of a problem within the tech sector. The stat side source suggested that the tech sector is about 20% female. Cybersecurity is about 15%. That’s the big gap. There is also a lack of diversity in terms of ethnicity, particularly with the lack of Black people working in the industry as well. It’s not diverse.

However, one interesting fact about the cybersecurity profession, which probably will be recognized by people working in it because often doesn’t get recognized externally is in terms of narrow diversity. The interesting thing is more neurodiverse people are working in cyber than in the general population. It’s more inclusive. Like most professions, they have a bias toward certain types of demographics. It’s quite common. Looking at the whole picture of who we’ve got lots of and less of, it’s the female candidates, which is the glaring omission.

There are more neuro-diverse people working in cybersecurity than in the general population.

What’s the benefit to cybersecurity companies to have more female candidates in their ranks? How does it benefit them?

I find it hard to answer this question, honestly, without resorting to stereotypes. In the cyber profession generally, one of its weaknesses is the ability to communicate more broadly. That’s where the weaknesses are. We know that the weaknesses are two crucial ones. It’s around lack of user awareness, which is why our users are still clicking on dodgy links and doing all sorts of things that they shouldn’t be doing.

Secondly, the business as a whole, is it from the board level down? Does it understand what the risks are? In both of those cases, you have skilled professionals working in the organization on the ground and it’s their responsibility to communicate with those groups and get themselves into positions of influence in the organization where they can change thinking.

That is much more likely if those professionals are great communicators. We have talked about how the profession is skewed towards certain demographics. It’s skewed away from the people who would naturally see their job primarily being about communication and engagement. People with those skills tend to find them in commercial jobs, sales, marketing, and policy. We know that there’s a huge agenda bias there.

Effectively what you see is that cybersecurity could do with better communication skills and engagement skills, understanding the business, the risks for the business as a whole and not for individuals, and being able to communicate that to our users. Perhaps having more women in there, I don’t mind going back to the stereotypes but women tend to have perhaps more polished or better communication skills. I also wonder whether that’s also one of those skills that are perhaps less valued in the business.

A big weakness of the profession is the image of the cyber security professional, the cyber security hack or whoever it is. It’s these hackers in hoodies thing. It’s glamorized in an unhelpful way. It’s both off-putting to people that don’t see themselves in that way, which applies to many men as it does to women. It causes us to mix up two things because there are people who we are up against it. Although, the enemy is very organized and professionalized.

The response has to come from the whole of the business and civil society. We are not criminals. It has to come from mainstream organizations. You have to understand how these people think but if we say that we can only respond to the cybersecurity threats via a tiny elite character, a very unusual people, we’ve got a real problem. The solution has to be a lot bigger than that.

There’s a global demand for cybersecurity professionals and pacing supply. There’s not enough talent. Could this be a real golden opportunity to get more women into cybersecurity?

It is. Some organizations are doing innovative and cool things around upskilling, training, certifications and so forth, where they are very explicitly targeting groups that have been typically underrepresented, particularly women, which is fantastic. The key is there are two things. Number one is we have to do something about the level of gatekeeping in the profession. To my mind, the most pernicious thing is the demand for competing degrees or more cybersecurity degrees. When we ask for that, we immediately cut off 80% of the women. Those degrees we know so gender imbalanced in the UK. That’s arguably where the problem starts.

The other thing also is we need to think about, “What does a career in cybersecurity look like? What does a cyber security job look like?” It’s much more diverse than we usually think. There are some areas where there are probably a lot of women working. If you expand it to the broader risk management, there are lots of women working in that field, working as in-house legal councils, working in data protection and in all sorts of areas, which should be thought of as if not complimentary, in the discipline. The question is who’s at the table? When is an organization making decisions about this stuff? Does it have a broad enough group of people there?

It’s interesting what you are saying about the demand when people are looking to fill talent spots that they are looking for a degree in Computing, Computer Science, Cybersecurity or something. You are a prime example of somebody who’s done English as a degree, and then you are working in that space. There are plenty of valuable skills you get from studying other subjects. It doesn’t have to be English or History. There are analytical skills that are very valuable in cybersecurity.

Anything that teaches you critical thinking and the ability to appraise evidence is going to be valuable. The challenge for employers generally, and this is not specific to cybersecurity but it goes to many technical professions is that we often hear from employers that there is a mismatch between the skills that graduates have and the skills that they want in their entry-level people. They often want their entry-level people to do very practical things.

We have to do something about the level of gatekeeping to the profession.

If they’ve gone to university, they may have spent three years studying a lot of theoretical concepts. Particularly in computing, by the time you have done your three years, not of universities, you are already going to be out of time. A lot of universities are not good at keeping the material up to date. There are general questions about education and preparation for technical jobs.

To my mind, what excites me is those providers who are explicitly looking for people with no relevant background at all who will take people from whatever level they are. They will give them practical training. There is some good work being done in the open university. There’s a company I have come across that has great upskilling programs. That’s where to look.

Some of the other companies I have been talking to are very much looking at internal mobility and who they already have in the organization that they could upscale or retrain and allow for those sideways to move. It reduces the cost of onboarding because those people already know the organization and are familiar with the company’s values. They know they are a good fit. That’s a real rich vein of talent sitting there waiting for you to come and ask them to do something different.

It’s important also to make clear that cybersecurity professionals in an organization do have lots of opportunities to progress. That’s one thing that people will want to know. That’s the whole package. Are we making it an attractive job? The one piece of feedback we hear a lot, which is worrying, is the level of burnout in the profession and how stressful many of those roles are.

It’s a problem for many professions. It’s not bad luck but it’s happening at a time when some of the most crucial professions for keeping us all safe are burnt out. You see it in health and social care, too. At the time of COVID, that’s the profession we need to be looking after. We can’t afford for them to be burnt out and cybersecurity is true as well.

It’s not because we’ve got that gap in supply so there’s more demand. We need more of these people to exist.

CGP 16 | Diversity In CybersecurityCGP 16 | Diversity In Cybersecurity — Diversity In Cybersecurity: The amount of power the tech industry has gathered is extraordinary and that has gone hand in hand with ta relegation of the role of women.

Technology is producing more and more intelligence that professionals can act on. It’s overwhelming people. You see the same dynamics inside social media platforms. They have moderation teams who are responsible for looking at the worst of the worst that goes on. You see similar dynamics there like stress and burnout because there’s a sense that whatever you do, it will never be enough.

Organizations, to my mind, have a moral duty to look after these people. What particularly troubles me is when you hear stories about organizations that have developed a bit of nasty blame culture. You can see why it happens. When particularly companies in the public eye suffer a cybersecurity breach, it can be financially and operationally damaging. On top of that, if you end up with a regulator investigation get hit with a fine, that’s bad.

We are in this mentality of shame, cover-up, people are fired, heads roll, and hasn’t fixed the problems often. This is complex. The solution is multilayered and complex. Probably outside the most egregious cases of negligence is how can it be effective or fair to pin the blame on one person. As long as we have that culture around cybersecurity, secrecy shame, and blame, we are not going to end up in a good place. Getting over that and getting to a good place is also about accepting the fact that this is an endemic problem, which everybody has. Everybody has weaknesses and is under threat.

Before we finish, I want to ask you about one more thing. I read an interview with you at Information Age and you talked about occupational feminization. I would love to hear more about that and how that affects cybersecurity.

This is a term to describe this interesting phenomenon, which is where a profession that starts off being dominated by men. The professions that we know are mostly our work. Over time as they attract more women, they become less well-rewarded and prestigious. To give an example, we are here in the UK. Many years ago, the figure of a school teacher was an important local authority. The schoolmaster would have been then. I don’t know what the exact figure is but women play a big role in education. It is not respected in the way it was then. It’s certainly less well remunerated.

With tech, what’s interesting is the reverse has happened. It has been a reverse occupational feminization. We go back to the ’50s and ’60s. The tech as it was then was dominated by women. Women were mainly the first coders. The tech industry back then was payroll processing and huge rooms full of most gigantic IBM mainframes. It would have been dominated by women, creating the punch cards writing their routines.

We’re very comfortable with the idea of a male tech genius but it doesn’t seem to work for women, does it?

At some point in the mid-’80s, that started to change. The tech industry started to become an industry. It started to attract attention, investments, and funding. Pretty quickly, here we are. It’s male-dominated and has been probably since the ’90s. As an industry, it’s probably secondary to banking in terms of levels of paying remuneration. Prestige, here we are with big tech ruling the world.

The amount of power the tech industry has gathered is extraordinary and that has gone hand in hand with a relegation of the role of women. I would humbly suggest it is not coincident. We see this occupational feminization as something that has been studied by academics, looking at big data sets covering different professions. It’s a phenomenon.

I started in technology in the mid-’80s. In the department I worked in, we were easily 50% female, probably more than that. I worked in that company for a long time and probably left there towards the end of the ’90s. I hadn’t realized there was a problem for women in technology because I had been surrounded by other women in technology at the company where I worked. It feels like things have gotten worse ever since. It’s a male-dominated industry. The industry as a whole is missing out on having that diversity.

It is about where prestige attaches. Where are the female equivalents of Elon Musk and Mark Zuckerberg? I find it interesting also that we do have the odd powerful female figure in tech of the likes of Sheryl Sandberg, who has been an incredible advocate for women, and how much criticism she’s taken, so much of it from women. There’s a real tall poppy syndrome going on there. I find it troubling. We are very comfortable with the idea of the male tech genius but it doesn’t seem to work for women.

It doesn’t fit with our unconscious ideas and perceptions of how a woman should behave. Jessica, I have loved talking with you. Thank you so much. If people want to get in touch with you, how do they do that?

You can go to my website, JessicaFigueras.com, and send me a message or look me up on Twitter or LinkedIn, whatever your platform of choice. I love to hear from you. Thanks so much for having me. It’s been great.

Thank you so much for joining me with Jessica Figueras. We have been talking about we improve diversity in cybersecurity. You can find more episodes at SherryBevan.co.uk. If you want to take a deep dive with other HR and talent professionals, how we can attract and retain more women in cybersecurity, please do get in touch because I do have a couple of spaces left on my Round Table on this topic on the 24th of March 2022.

If this conversation has sparked a thought in your mind, let’s talk. An exploratory call with me will allow you to ask any questions you have about the work that I do with cybersecurity companies on how to do more, attract, develop and retain your female talent. You can close the gender pay gap. Get in touch by emailing me. Thank you for reading. Thank you again, Jess.

Important Links:

UK Cybersecurity Council
The Executive Round Table
Information Age – Article
JessicaFigueras.com
Twitter – Jessica Figueras
LinkedIn – Jessica Figueras
https://www.ISC2.org//-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx
https://www.Gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2020/cyber-security-skills-in-the-uk-labour-market-2020

About Jessica Figueras

Jess is a tech industry strategy adviser. She works with start-ups and scale-ups on growth strategy and product development, and advises UK government on tech policy relating to security, trust and online harms.

She’s also Vice Chair at the UK Cyber Security Council and former Chair of NCT, the UK’s leading charity for parents.