It’s no secret that the current skills shortage is especially acute in the area of cybersecurity. A 2018 study by the International Information System Security Certification Consortium, or (ISC)², reported a shortage of nearly 3 million cybersecurity professionals globally, including a gap of roughly 500,000 trained staff in North America alone. And CIO/CTO respondents to Protiviti’s latest Top Risks survey identified succession challenges and the ability to attract and retain top talent as their second top risk overall, right after economic concerns.
The shortage not only creates greater vulnerability for IT systems, but it also puts current cybersecurity personnel under increased pressure and leads to job stress and dissatisfaction, according to the report.
Closing that talent gap was one of the main topics of a Women Leaders in Cyber Security panel in mid-December that we attended (Scott as moderator and Trish as attendee). The panel was held under the aegis of the Delaware chapter of the Information Systems Security Association. Some of the suggestions made by the panelists we anticipated, such as raising the proportion of female professionals, who account for only 24% of the cybersecurity workforce, according to (ISC)². Other comments, however, were eye-openers, such as how to attract more women to the field and the overall value of gender diversity.
Among the biggest surprises: Only two of the panelists started their career with a technical background, and yet all of them found success as female cyber leaders. The one trait they had in common was that they excel in translating security problems into business terms, which they believe is the key to their success.
Their experience should be instructive to IT executives going forward, according to Donna Ross, senior vice president and chief information security officer (CISO) at Radian Group.
Value of Diversity
“Cyber needs diversity,” Ross said. “When you are in the war room, you need diverse ideas, and diversity comes in many different types — gender is just one of them.”
Ross’ use of the war room metaphor has a basis in fact. A study produced by the U.S. military, “Women in Battle: What Women Bring to the Fight,” found that the overall intelligence of a combat group increases as the proportion of women rises. Protiviti has compiled similar research and identified the gender imbalance in the technical fields as an emerging risk.
Diversity should trump technical experience, according to Kelly Uhrich, senior vice president and deputy CISO of KeyBank. Uhrich was one of the panelists with previous technical skills. Despite her capabilities, she had to apply for a lower-level position to get into IT security.
Companies should consider widening the aperture of candidates by sourcing for the foundational competencies they are looking for, such as critical thinking, communication skills, leadership and business acumen, and then training up for specific skills, according to Uhrich. Diversity needs to be at the forefront of these efforts.
“Organizations put up artificial walls and barriers,” she said. “They should look at their job descriptions and ask themselves, ‘Have we made it too difficult to source good candidates by artificially inflating the requirements to fulfill the job?’”
More than that, women need to be encouraged to take the leap of pursuing a new professional area, according to Nancy Hunter, vice president and CISO of the Federal Reserve Bank of Philadelphia, who came from a programming background.
“Many women will not apply for a position unless they meet 95% of the qualifications,” she said. “By contrast, men tend not to wait. They get the interview and the job.”
Hunter’s advice to students and new hires is instructive: “You may be the only woman in the room. Remember: You have earned the right — step up and sit at the table. If you are at the table, you have the right to give your opinion — you have been invited to give your opinion.”
Culture Is Important
Even if a woman lands a job in cybersecurity, it is only the beginning of the process, noted Tammy Klotz, director of information security at Versum Materials, a subsidiary of Merck KGaA. For female cyber workers to thrive, the company culture must be inclusive.
“Look at the language used in meetings,” she said. “Is it confrontational? It shouldn’t be. You want your culture to be accepting and supportive. The tone starts at the top, and it should support both men and women in taking risks.”
For their part, women can help their own cause. Ellen Rinaldi, retired chief security officer and CISO of the Vanguard Group, urged women to “pursue a certification and do the homework” and to be more social in every venue of the workplace. “Often, women will sit in the back of the room and wait to be called on,” Rinaldi observed. “But they must learn how to introduce themselves, how to have two or three questions at the ready to work a room. Even if it doesn’t come naturally, they can learn to be part of the conversation. It’s such a valuable tool.”