As part of ISC2’s focus on Women in Cybersecurity and to mark both Women’s History Month and International Women’s Day, a panel of industry leaders discussed why increasing representation matters and how individuals and organizations can play a role in making change.
While women such as Grace Hopper helped to lay the foundation for the cybersecurity field, today women represent only about 20 – 25% of the profession. Addressing this imbalance, and with it encouraging and supporting more women in cybersecurity roles is a task that many are taking on.
In the webinar “From the Inside Out: Increasing Representation and Inclusion of Women in Cybersecurity” a panel of comprised of Holly Schneider Brown, senior director at the Center for Cyber Safety and Education, ISC2’s charitable arm; Ana Cecilia Pérez Rosales, CISSP, director at Capa8 and a member of the ISC2 Mexico City Chapter; and Magda Skorupa, president of the ISC2 Poland Chapter discussed this.
Inspiring Women in the Industry
Moderator Sharon Pole, CISSP asked each panelist for an example of an inspiring woman from the field of cybersecurity.
Schneider Brown highlighted Dr. Claudia Natanson MBE, who has held a number of senior cybersecurity roles and is currently CEO of the UK Cyber Security Council, whom Holly described as “a luminary in cybersecurity”. Pérez Rosales chose the “mother of intrusion detection”, Rebecca Bace. “During her time at the National Security [Agency], she became a driving force in advancing security research and later as a venture capitalist, she invested in and mentored emerging cybersecurity companies”. Skorupa chose a name unfamiliar to most: Elizabeth Zabatska. As Skorupa explained: “She was an extraordinary Polish female who played a crucial role in intelligence, cryptography and secure communications during World War Two”, continuing: “Her work in secure communications, encryption, intelligence was playing the key role in covert operations and counterintelligence. These areas are directly connected to modern cyber security. She's often overlooked in history, but she was a true pioneer in intelligence security”.
Pole next question to the panel was looking at the key skills required for a role in cybersecurity. Skorupa cited “being open and open to opportunities”, noting also that her curiosity had been a great boost to her growth in cybersecurity along with the fact that she had developed experience by taking many “opportunities that no-one wanted to touch”. Pérez Rosales’ focus was on soft skills; critical thinking and problem solving were high on the list, as were an ethical mindset and an ability to adapt. Communication was also called out as important, specifically: “communication and also storytelling regarding the audience in which you're going to talk about cybersecurity”, she said, noting that “when you talk about risks in cybersecurity, you need to translate them into a business language so everybody can understand them”. Schneider Brown, the self-proclaimed “least technical person” on the panel, talked about what she described as “things that I wouldn't have thought were part of cybersecurity”. Planning for worst-case scenarios was one of the key messages, along with a focus on people: “protecting people, protecting those who are vulnerable”.
Addressing Gender and Culture Issues
The next question focused on gender and the challenges that, as women, the panelists had faced in their cybersecurity careers. Culture – social biases and stereotypes – was one of Pérez Rosales’ points, along with family considerations faced by women: “Many cybersecurity roles, particularly in incident response, SOC teams and leadership require long, unpredictable hours, making it challenging for mothers to balance work and family”. She also cited pay gaps and the lack of access to leadership roles – which she addressed via the rather lateral approach of starting her own company. The glass ceiling and male bias were on Skorupa’s list too, though she also touched on the lack of assistance in developing. “Women still face lack of mentorship, a lack of sponsors within the company, someone who could not only mentor, but who could be … a sounding board, helping to answer a lot of questions”. Schneider Brown cited Deloitte’s research into women in cybersecurity, which she said busted a few myths around things like the gender balance. “Men's interest in cybersecurity really is only marginally higher than women's”, she pointed out, continuing by saying that “women also just often feel like they don't belong … 51% of women said that they didn't think there was room for someone like them in cybersecurity”.
Pole posed a question submitted by a male audience member, asking the panel if they had any recommendations for how men could support women in the field? Schneider Brown spoke about consciously pushing women to take opportunities, citing the example of Prof. Brian Callahan from the Rensselaer Polytechnic Institute, whom she knew to be a big promoter of opportunities for female students. Pérez Rosales’ view was also that men could provide more support: “I think with men - it's part of this awareness about the importance of including women in the cybersecurity industry - their support becomes a really, very big collaboration”. Skorupa’s focus was on encouraging women to be seen and heard. “[Give] them a voice to speak up, because very often we somehow tend to stay silent, although we have important questions to ask that could sometimes change the whole discussion”.
Geographic Experiences
Given that the panelists were in different parts of the world, they were asked whether their experience as women in cybersecurity were similar or different. Skorupa, noting that she is from a military family, said: “Maybe [my] military background helped me a bit not to give up, always speak up and not to be afraid, because there is nothing worse [than] to be afraid. If you have doubts, you should just speak up”. Pérez Rosales’ view was that her desire for knowledge and development stood her in good stead: “I think the main things is that you need to develop yourself, to raise [yourself] in technical and soft skills training, as we mentioned before, to demonstrate the knowledge that you have”. Schneider Brown told the group that she had encountered many women leaders, and that: “These are women who are willing to be bold, take risks, find their way”.
Next was a discussion of how young women can be helped into cybersecurity roles at the community level. “Is it about STEM in eighth grade?” asked Pole, “Is it about getting them involved in middle school and elementary school? Is it more about college? Is it formal? Is it informal?”
Skorupa talked of attracting people to take part in events and discussions; speaking of the ISC2 Poland chapter, she said: “We organize meetings every month for knowledge sharing and I could see even on the last one, there was twice as many women than I saw at the previous one. So that is growing”. Pérez Rosales’ focus was on groups and events where the goals were to specifically attract women, for instance a female-oriented task force run by the ISC2 Mexico City chapter: “We are inviting all women that want to develop and start knowing more about the cybersecurity industry and want to start to be recognized – their knowledge and their skills – with the support of ISC2 certifications”. Schneider Brown finished up by talking about some of the work of the Center for Cyber Safety and Education. “We have a variety of volunteer opportunities for you to do exactly what we're talking about”, she said, which is “really helping to cultivate the next generation, getting young women into the field”.
Related Insights