CGP 18 | Cybersecurity Female Talent

Challenges And Best Practices In Attracting And Retaining Female Talent In Cybersecurity

In the spring of 2022, Sherry Bevan hosted a round table where she invited several cybersecurity companies to talk about attracting and retaining more female talent into cybersecurity. Representatives from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security came along and participated in a fruitful discussion. They looked into attracting more women into cybersecurity, tackling unconscious biases in hiring, retaining female technical talent, internal role modeling, and closing the gender pay gap in the industry. In this episode, Sherry shares her reflections about the round table. Listen in as she breaks down the discussion’s salient points that reveal deep insights into the state of female talent in one of the fastest growing sectors of the economy.


Reflections On The Spring 2022 Round Table

In this episode, I’d like to share my reflections from my spring round table in which I invited several cybersecurity companies to come and talk about how we attract more women into cybersecurity, and once we’ve attracted them, how do we keep them there? Before I move on, I will tell you a little bit about my round tables. I run these twice a year. They’re very small exclusive events.

They’re an opportunity for you to get insights, ask questions, and share feedback with your peers in the community. Normally, no more than 6 to 8 companies with 1 or 2 representatives at most from each organization. Typically, the types of people who come along to the round table are HR directors, talent managers, diversity and inclusion, and heads of departments.

In 2021, my round table was on the impact of the hybrid world on the gender pay gap. You can still access and get a copy of the white paper that I wrote off the back of that. In spring 2022, we looked at how to attract and retain female talent, specifically in cybersecurity. If you’d like to join the next round table, when we’re going to be looking at how to engage our female talent in the sports technology world, please do get in touch.

I’m very grateful to the representatives who came along to the spring round table. We had representatives from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security – thank you very much. Everyone who came along, got engaged and contributed so that we had a fruitful discussion. Before the round table takes place, I send out an attendance list, who you’re going to meet, and tell you the talking points or what the questions are going to be. I will facilitate the discussion around those talking points.


For the last one, we looked at why the sector needs more women in cybersecurity. We looked at how we attract more women into cybersecurity, particularly in the hybrid work model that most of us are working with now. We looked at ways that organizations can tackle that unconscious bias in hiring. We also spent some time talking about the role of internal mobility. Can you move staff from one department to another so that you attract and retain more of your female talent in the more technical or the engineering sides of the company? We spent some time looking at how to close the gender pay gap in cybersecurity.

Talent Shortage In Cybersecurity

Before we think about how we attract more women to cybersecurity, let’s spend a few moments thinking about what we already know about the sector itself. There was a government report published in 2020 talking and looking at cybersecurity skills in the UK labour market. What we do know is that cybersecurity is one of the fastest-growing sectors and there are certainly no signs of slowing down. There has been massive investment in the industry.

The report by DCMS suggests that the UK cyber industry is worth an estimated £8.3 billion. However, the challenge is that the number of trained and experienced cybersecurity professionals is simply not keeping up with demand. In fact, we don’t have a challenge of how to attract more women into cyber security. We have a challenge of how do we get more talent into cybersecurity.

There was a government report back in 2018. When I talk about UK businesses, I’m not talking about technology companies or companies that specialize in cybersecurity, but the UK businesses in the general UK market. More than 50% of them have a basic technical cybersecurity skills gap. We have a big challenge here. Three out of ten cyber firms, or 29%, say that the job applicants they do get lack non-technical skills such as communication, relationship building, and leadership management skills, which is preventing the company from meeting its business goals.


When we look at the cybersecurity sector as a whole, we lack strong female role models. There are some amazing role models in the industry. If you know a role model, then please do let me know because I’d love to interview her for the show. One of the critical barriers to female progression in the workplace and particularly in cybersecurity is the lack of professional flexibility.

When we look at diversity, there are some statistics available, and what we see is that if we’re looking specifically at the cybersecurity sector, 15% of the workforce are female compared to 28% of the wider digital sector. Although, when we talked about this at the round table, quite a few of the companies represented there asked, “Where are they getting these people from? Because we’re not at 15%.”

For information here, 16% are from ethnic minority backgrounds versus 17% from digital sectors. From that point of view, the difference isn’t so significant. What we also know is that 9% of the workforce in the cybersecurity sector is neurodivergent. Unfortunately, we don’t have any reliable comparisons for that across the wider digital sector.

In the discussions that we had at the round table, the biggest thing that came out of it for me is that if you’re struggling to recruit talent and particularly recruit female talent, you are not alone. Every single one of the participants at the round table said that they were struggling to get enough good female talent on the shortlist. In fact, they’re not struggling to get good female talent. They’re struggling to get good talent onto their shortlist.


The challenges are we have a skill shortage, there’s no doubt about that, but there are also some other issues. One of the big challenges that we seem to have in the cybersecurity world is that cyber is not the cool place to be. It’s not a cool place to be for women, which to my mind is crazy because for me, working in cybersecurity is about stopping the bad guys.

As one of the round table participants described, it’s a noble pursuit and has a noble purpose for companies. In my mind, that should appeal to women because women often feel more drawn to an organization or a company that seems to have a sense of purpose in the world rather than making money for money’s sake.

I wonder whether we need to have a PR campaign for a sector that could be seen as cool, fighting the bad guys, and making the place a better world, but it’s tricky to have a PR campaign for a sector that’s in the shadows. We don’t want to be going around telling people, “Watch out because your hospital is at threat of attack. Your bank is at threat of attack. There’s been an incident in the financial services sector.” Often when an organization has some cybersecurity incident or threat, it is not the thing they want to be talking about.

It would be amazing if we could develop a better image for cybersecurity, but it’s tricky because, at the same time, there’s not that openness about what we do and about what the organizations do when they get our support and our help. One of the other challenges in any sector of technology is flexibility. Women tend to prefer to want that flexible working. What we do know about flexible working is it tends to be parents with young children and people with disabilities who want it.


Over the last few years, we’ve all had to move to that remote work, and hybrid working is very much at the forefront of our minds now. COVID has introduced new possibilities to us. One of the tricky things, though, is if you’re working in cyber and in that very technical side of things, we’ve got that challenge of needing to be on call 24/7.

It’s not for all people in the organization, but for certain groups, those who work on the incident or service desk, which can be more challenging if you’ve got young children or if you’re part of that sandwich generation. Maybe you’ve got young children at one end of the spectrum in your life, but you’re also caring for elderly relatives at the other end. There is more information about how to support your working carers in the last episode.

While remote working and hybrid working models have been absolutely brilliant for many of us who have not needed to commute to be more productive, and all of that good stuff that comes from hybrid working, there are some disadvantages. In the past, our penetration testers would have got some of that tacit knowledge transfer simply by being in the same room as the best testers in Europe and that’s not happening now because we’re all working remotely.

You’re not overhearing those conversations. You’re not able to step over to another person’s desk and say, “Could you help me with this?” It’s different because we have to work harder at making that knowledge transfer happen. We need to understand these obstacles to be able to remove them. Being more flexible in the way that we offer flexible working would be a great start.


Beyond The Hiring Process

We often talk about how we attract more women into cybersecurity, but it’s not about the hiring process. It’s moved beyond knowing how to have a shortlist with women on that. Lots of companies will work closely with the recruitment agency or their internal talent acquisition people. It’s not about the hiring process. It’s about attracting women in the first place. It comes down to your employer brand.

One of the things that came out of the discussion with the cybersecurity companies who came to the round table is that we’re all competing for the same talent. What we don’t want to do is to end up doing what we’ve seen in other sectors in the past, where they have gone to extreme lengths to attract women. When companies find out that women are on maternity leave, they contact them directly to offer them incredible packages so that they can stay on full paid leave for a whole year and then come back to work for a different employer.

What we need to do is to establish that strong employer brand, but not just the employer, the industry brand. That will help the whole pipeline and the whole sector. All of the representatives at the round table felt that it’s not about focusing on your own requirements because otherwise, you’ll end up competing against the same female talent. What will happen is we end up in this spiral of offering these massive packages, large salaries, flexible working, bonuses, and all those kinds of things.

One of the topics we also did talk about was internal and social mobility. How can we encourage women who work in the cybersecurity industry but perhaps not in those technical roles? How can we attract them to retrain? What can you do? In some organizations that I’ve talked to, they have schemes where people can go on secondment for a short period of time into the more technical sections of the organization to find out more about the role, whether or not it’s something that they could do.


What about bringing in people without experience and training them up? Is that something that you could consider? I know there are companies out there and if you are a company that’s doing that, I’d love to hear from you and your experiences, and share something with that on the show, so get in touch if you’re bringing in people without any cyber experience at all and you’re training them up.

Could you persuade someone to make a sideways move? After all, this is a career for life. After a couple of years of training, you’ve got that career locked in. Let’s face it, it’s not a career without its financial advantages and it pays well. Perhaps, you’ve looked at things such as CAPSLOCK, a scheme where it does take people without experience and does train them up and then gets them into positions in companies as well. There is a lot of willingness to try and explore internal mobility, but perhaps still in its infancy.

Coming back to recruitment, we’ve seen other sectors in the past going to those crazy and ridiculous lengths to poach women. We’ve seen that in some of the financial services in the past. Maybe we might start to see that in cybersecurity. I hope not. One of the important things, when we look at recruitment, is about educating your hiring managers. It’s important to think about cybersecurity as a whole. What are the technical and non-technical skills required?

Often, women will see cybersecurity as a very technical role, problem-solving, and multitasking. It’s much more than that. We need our recruiters and hiring managers to use language which addresses the entirety of what the role requires. That means talking about not just the technical skills but also the non-technical skills, what people sometimes describe as soft skills, but I don’t like that terminology because it devalues the skills. Thinking about those skills, such as leadership skills, collaboration skills, and building relationships, often these are things that women tend to be better at. They tend to perform better in those kinds of skills.


I mentioned that 29% of cyber firms say that job applicants lack those non-technical skills such as communication, leadership, and management skills, and that is what’s stopping them from meeting their business goals. However, these tend to be the skills that women, who are 50% of the population, are better at. I’m always talking about general tendencies. I’m not talking about all men or women.

It’s about how those hiring and line managers describe the roles and the qualities and behaviors that they’re looking for. In some organizations, we’ve seen tick box requirements where it’s essential that you’ve got experience in a particular way or thing. Try and think outside the tick box. Could that specific experience be gained in other ways?

One of the round table participants talked about how it was a requirement to spend some time on an oil rig in the oil industry. Often for women, particularly if they’ve got young children, it is very tricky and difficult to manage, so they lack that particular experience. It meant that it was very difficult for them to move into certain roles because they didn’t have that experience. The company started to look at other ways to gain that experience.

Look at those shorthand descriptors that you use and break them down. As the talent manager or HR professional, challenge the hiring managers: “What does that mean? Why do you need that? What’s the purpose of that skill?” Make sure that you include women in the interview process. I appreciate that some of this is stuff that you’re perhaps already doing.


A lot of what we’re talking about here is equally applicable, whether you’re trying to attract women into cybersecurity or into technology. In my previous episode, we looked at all the different initiatives and the ones where the research tells us that they’re most effective on how to attract and retain women into technology. Go and look at that episode because that’s equally applicable to the cyber sector.

It is important to include women in that interview process. The important thing is I’m not saying, “Go and recruit whatever women you can find.” It still needs to be a meritocracy. Women need to have the skills and experience. It’s not about tokenism. In fact, women don’t want to be seen as token women in the office. They don’t want to be making up the numbers to fulfill the quota.

Quotas have a place. Often people don’t like quotas because they feel it takes away the ability to select the right person for the right role. Also, quotas on your shortlist perhaps can be the only way that you get more women into the interview room in the first place, but women themselves don’t want to be seen as token women because it devalues their skills and experiences. They don’t want to be thought of as only getting the job, promotion, or sideways move because they’re a woman.

Do you have role models in your workplace? If you do have role models, how can you showcase them in the workplace? There’s very much that thing. You can’t be what you can’t see. We need more female talent in the cyber security industry. Once we start to get more female talent into the sector, then it will start to snowball a bit more. Your female role models, could they mentor other women? Perhaps, women who are considering or seem to be demonstrating the relevant skills to take a sideways move and move over into your engineering or into your technical team.

Although one of the challenges discussed by a couple of the participants at the round table was that when you do showcase your female talent and you’re doing that to build your employer brand, then what happens is you’re putting a target on their back and they get inundated with headhunters and recruiters. That’s partly because there are so few female experts in the sector at the moment. If you can at least role model them internally, it would be great to get to the stage where we showcase female talent and it’s not putting a target on the back because there’s such a plethora of female talent to pick from.

Technical And Non-technical Skills In Cybersecurity

One last point when we were looking at recruitment, because of the skill shortage, often when people move to another employer, they’re getting offered packages that you might not feel you could offer them for them to stay. They’re getting high salary offers and high bonuses. They then hand in their notice and then people rush around, “We want you to stay,” and then you start to offer more money. One of the things that we went back to is good performance management principles. Are you looking after the staff that you don’t want to leave and not the ones who talk loudly about how many times they’ve been approached on LinkedIn?

I’m very grateful to the participants from Blackberry, ISTARI, Beyond Trust, Redscan, and Adarma Security for participating in the round table on how to attract and retain female talent in the cybersecurity sector. We didn’t come up with any light bulb moments in terms of magic solutions. There is no magic solution. We do have a skills shortage in the cybersecurity sector, but there is lots that you can do to nurture and retain your female talent in the workplace.

There’s work that you can do on those good performance management principles and taking some of the initiatives that we use in technology as a wider sector to encourage more women into the cybersecurity workplace. If you’d like to get involved in my next round table, which would be in October 2022, please do reach out. I do keep a waitlist if you want to get involved or if you want to find out what the topic is going to be.

Thank you so much for reading. There are more episodes of the show at SherryBevan.co.uk. If this discussion has sparked an idea for you and your organization, please get in touch and book an exploratory chat with me that will give you the opportunity to ask any questions you have about the work that I do with cybersecurity companies on how to attract, develop, and retain your female talent so that you can close the gender pay gap. Get in touch by email at Sherry@SherryBevan.co.uk to book your call.

 
