Podcast: Gender Diversity in Security

December 17, 2019
| |
19 min read

Listen to this podcast on Apple Podcasts, SoundCloud or wherever you find your favorite audio content.

On this episode of the SecurityIntelligence podcast, host Pam Cobb connects with cybersecurity entrepreneur, bestselling author and keynote speaker Jane Frankland to dig into the topic of gender diversity in security. While parity gains are being made, there’s still room to grow — a recent (ISC)2 survey found that among staff members with cybersecurity responsibilities, just 24 percent were women. Here’s what Frankland and Cobb had to say about current challenges, potential paths to success and the case for cognitive diversity in IT security.

‘The Problem Isn’t Women’

Frankland makes it clear: “The problem isn’t women.” Instead, the problem is the system.

“We have women out there who want to work in our industry and are not being enabled,” she says. While Frankland points to the positive impact of increased industry awareness of the gap between male and female IT security pros, this isn’t enough in isolation. The hiring process needs to improve by enabling women to make the leap from other areas — such as HR, law, risk management or education — into security.

Maximize Your Visibility

What does this mean in practice? Frankland points to visibility, both on the part of hiring managers and women with an interest in cybersecurity work. On the hiring side of things, Frankland recommends “being visible out there and building a brand, so getting visible out there online, particularly, and offline within the company.”

This could take the form of writing about security topics, creating a corporate podcast or building company culture that both challenges and supports IT staff. The goal is being open and available for women who raise their hand and say, “I’m interested in this.”

For women, improving gender diversity in security means “bringing that personal brand and getting in front of the right people.” This means building professional networks and, subsequently, relationships to maximize visibility and boost their signal.

Understand What Really Interests You

Frankland also recommends that women take a step back and “really try and get clear on what aspect of security most interests you.” Is it network defense? Ethical hacking? Secure application design? Or is it more the nontechnical, business side of infosec?

All paths are viable, because for Frankland, “what security really is about is good thinking, so thinking based around risks, based around budgets and making better business decisions around risk.” Once women have narrowed down their interests, Frankland suggests going to YouTube, finding podcasts, reading security magazines, and attending conferences or webinars to gain a deeper understanding of security topics and start building critical skills.

The Case for Cognitive Diversity in Cybersecurity

While gender diversity statistics highlight an obvious gap the industry needs to close, Frankland notes that “diversity is a full spectrum as far as I’m concerned. It’s gender, it’s race, it’s ethnicity, it’s age, it’s socioeconomic and it’s religion.”

More importantly, it’s about “the diversity of thinking” — leveraging different cognitive approaches to drive successful security outcomes. For example, Frankland’s research found that women have a natural ability to remain calm during crisis situations, such as incident response, and also score highly on valued corporate metrics such as social and emotional intelligence. In addition, women are “great change agents” who open the door for more diversity and drive greater profitability and innovation compared to homogeneous teams.

Women remain underrepresented in cybersecurity — but the needle is starting to move. With expanding awareness, visibility and clarity around job roles coupled with improved hiring practices and a preference for cognitive diversity, there’s increasing recognition that improved parity imparts strategic security advantages.

If you’d like to learn more about the platform referenced in the episode, visit The Secret Code for more information.

Episode Transcript

David: Thirty-five to one. Pam, what is the significance of this ratio?

Pam: That is the ratio of men to women at my time in engineering school at Georgia Tech. I would be the only female in the entire class. And that’s a pretty common refrain in a lot of my career, because I went from Georgia Tech into electric utilities, and shipping and logistics in transportation, and then technology. And I will say, it’s pretty weird when you think about it. And I look around now, where we are at IBM, and it’s a lot more balanced. And sometimes it’s odd for me. It’s like, “Why, there’s a lot of ladies here.” I’m not used to that, because my formative years were so male-dominated.

David: I’ve noticed that too, where at IBM, things seem a little bit more balanced. And then when I’m at conferences, meeting with clients, it does go back to being really male-dominated. So it has to be, I guess, jarring is my take on it.

Pam: It is. And with a lot of the work that I do where I’m looking at, like, speaker profiles, and like, “Hey, here’s a panel that we’re putting together.” And it’s work to put together and come up with a diverse panel to speak on something. And diversity, here, is not just male and female. It is backgrounds and ways of thinking, and you know, all of the different ways that we think of diversity, typically, you know, like out in the rest of the world that’s not cybersecurity.

David: Yeah. I’ve heard a great phrase a couple of weeks ago that we need cognitive diversity in cybersecurity. And as you unpack that a little bit, it can be men and women, it can be people of color, and it can be people that come from different economic backgrounds, different education, even different careers coming together within a domain like security to solve a problem. And that cognitive diversity is really curious to me, because it’s different ways of thinking, different ways of solving problems, and it then allows a team to mirror the attacker, right, the attack side doesn’t have a homogeneous sort of look. And it’s really nice when you have somebody who’s very smart, very clever on your team who thinks about things that you don’t and puts them forward. And so if you’re in a place with a 35 to 1 ratio as your likelihood of having the other type of thought, man, it feels like a disadvantage.

Pam: This is the SecurityIntelligence Podcast, where we discuss cybersecurity industry analysis, tips, and success stories. I’m Pam Cobb.

David: And I’m David Moulton.

Pam: For this episode, I spoke with Jane Frankland, who’s an entrepreneur and an author with over 20 years’ experience in the cybersecurity industry. Here’s our conversation.

All right, I am delighted today to be joined by Jane Frankland on the podcast. So, Jane, why don’t you tell us a little bit about yourself?

Jane: Okay. Well, I am a cybersecurity entrepreneur. I’m actually an award-winning cybersecurity entrepreneur, bestselling author, and a speaker, so a keynote speaker. And I’ve been in the industry for 22 years. I’ve built a very well regarded penetration testing company, a hacking company that we tend to call them now. I’ve worked for some of the world’s leading cybersecurity consultancies. I’ve advised accreditation companies, and I worked as a board advisor and judge today. So I’m judging about six awards and right now judging the SC Awards in the U.S., and then I’ve got to some more judging on the European Business Awards. So I do all that, and I own a company called Cyber Security Capital. What we’re doing is we’re training and educating individuals and businesses in cybersecurity, and we focus specifically on gender inclusion in science. So really, what that means is, you know, my company is working very hard to solve the problem of getting women into the industry and staying in the industry so that we can perform to a higher level.

Pam: What inspired you to really start looking at the idea of gender imbalance in cybersecurity?

Jane: It happened as an accident. I am forever telling this story. So I just felt compelled to write about it. It was time. It was something that I’ve been meaning to do for a long time. I’d read reports about it. But at this particular time, I picked up an (ISC)2 report, and I noticed or read that there were low numbers of women in the industry. And that really surprised me, because having been in it for such a long time when it was so rare to come across women, I mean, I literally remember celebrating one day, you know, “I’ve got a female call in.” It’s just like, wow, it was so unusual. And when I read that (ISC)2 report, I was really shocked, because I thought there were more women in the industry. And so that kind of…and that did bother me, but what bothered me more actually was seeing a trend.

So I could see that (ISC)2 were collecting data which was really useful, but the numbers of women in security were declining year-on-year, and that really bothered me. So I felt compelled to write about it, and that led to the book, and that led to a lot of talks. And ultimately, it’s led to me really redesigning my business, you know. So following my heart, which is to really help our industry, so I believe so passionately in what we’re doing as an industry, and it’s really…and I know categorically that by getting women into the industry and staying in it will help us improve our security, improve the innovation, and also improve the happiness in the working environments. So that’s really why I’m dedicating myself to this mission.

Pam: As you started writing about it, did you hear any stories from your readers that brought the problem to light even more?

Jane: So really, the book was a big research project. So I was very open, and still am, about the findings. I heard from men and women, because it was important for me to actually get as many voices from women around the world and also men from around the world so I could get some perspective on it. But I heard men say, “Women just don’t wanna do this,” you know, “They’re not interested in it,” “We can’t force them to,” or “I’ve tried to get women into this field, and it’s not worked.” Others were very positive and said, “Look, I do this. I work with women teams from all over the world, and this is working really, really well, and it’s an untapped pool.”

I heard from women who went into schools and were teaching the next generation, the future generation of workers and entrepreneurs, you know, in actually really trying to get them interested on what we’re doing and discovering bias within schools and things like that, which exists. So it was very interesting to kind of compare their stories and also compare my story, and what I found, say, with me was that, because I’ve largely been an entrepreneur for most of my career, I certainly wasn’t aware of any bias that I’d encountered along the way. But I also found quite minimal certainly compared to a lot of the other stories that, you know, I heard and still do.

Pam: Yeah. I have found similar. So I’ve been in cybersecurity about 13 years, and before that, had been in other male-dominated industries. It was logistics and energy and utilities. And even before that, I have an engineering degree from Georgia Tech, and it was 35 men to 1 woman in any engineering class I was at.

Jane: Yes.

Pam: And I’m curious. So how do we build those skills up and try to overcome some of those blockers? You know, education aside, it is like, “Well, women aren’t going into computer science,” and you don’t really need a computer science degree to get into cybersecurity. So what other skills that you’ve seen in research are critical? And what are being overlooked?

Jane: So, I mean, cybersecurity is really diverse, or cybersecurity or information security, whatever you want to call that, but it is very, very diverse. So we’ve got the technical side, so the penetration testing, the hacking side, the encryption, to some extent, the coding side, the secure coding side. And then we’ve got more of the business side, the nontechnical side, so awareness, and operations, and program management, and leadership, I think would fall into that.

But the way that I see it is that we’ve got about four different skills that are needed. So we need performance, you know, so drawing on our actors really and good communicators. We need people like that really for tasks such as social engineering. That kind of plays into that acting, taking on a persona. We need good communicators, because they need to be able to almost, like, bridge that gap and work with the technical side and also the business side. So good communicators, good kind of linguists so that they can interpret what the techies are saying, what the business is saying, and join the dots. We need good leaders, and that’s really, really important so that they can drive the teams, drive performance, get people on-site develop these wonderful cultures. And we need great analysts, so those people who’ve got attention to detail that really enjoy diving in and looking for anomalies and spotting, you know, different patterns of behavior and things like that. So those are the kind of four skills, I think, that we need.

Pam: How do you think the route to a cybersecurity career or even job changes based on gender? I mean, we’ve talked about leadership and these other qualities, but what’s that gap being driven by?

Jane: I think awareness. So we are doing a much better job of awareness, but we’ve just got so much more, so much further to go on that. And you know, it’s tricky because our field has grown. So we’re still quite a new industry, and we were born from IT. In the early days, say, going back 15 or 20 years, it was very technical. Now, there’s much more behavior, there’s much more…yeah, behavior that goes on. So we’re looking at the behavior, you know, in terms of the awareness. So if we take the insider threat, you know, that’s really where the behavior side comes into it and really educating the workforce through training and teaching them exactly what is possible, so what to do, what not to do, and just the extent of the problem, so how to be better shields and better ambassadors for security in the workplace, but also outside of the workplace.

So right now, what I’m seeing is I’m seeing awareness going on, a lot of talk going on, some action going on. I don’t see that we actually understand the problem properly. More analysis, more data, and you and I have had this conversation before, more data, more research needs to go on. We really need to be asking better questions and doing the hard work, which is the research, to actually understand what the problem is. And you know, I do do a lot of research with my company.

I’ve got a research project out now which is looking at behavior, behavior at conferences, you know, and why aren’t we getting women at conferences, why is sexual harassment still continuing, what is the extent of it. You know, we’ve heard a lot of stories about it, but how bad is it really? And then looking at, you know, women’s voices, do they wanna speak, or don’t know, what can we do to help them, you know? And I’m not giving anything away by telling you the findings that I’ve found, you know, from it, but I’m sure you can imagine, you know, what some of those are.

So that’s my view. We need to enable. We need to do a better job of the hiring process. Right now, it’s really stuck. So women are raising their hand, particularly women who want to pivot, so women who want to come into our industry, women who’ve heard how wonderful it is, women who feel on a mission, you know, to protect more individuals, more companies, and countries, you know, so. And I’m finding that we’re not enabling that. The entry-level is really, really hard. And particularly, I think, for women who have great skills, you know, they might be coming in from tech, they might be coming in from HR, or law, or risk, or audit, or education, or whatever, hairdressing, you know. Because people can come in from any single industry that they want, but what I am finding is that the doors are being shut.

And what…I’ve gotta tell you what really irritates me. I really want to use a stronger word for that. But what really irritates me is the fact that a lot of the time that we are being told that the problem is women. “Women don’t wanna do this.” “Women da da da.” “If only women would do this.” The problem isn’t women. The problem isn’t women. The problem is the system. We have women out there who want to work in our industry and are not being enabled. And some of those women, and I wrote about this in my book and there had been many stories since the book, are on the verge of giving up or have given up after two years.

I’m obsessional about this, you know, to change, to be that change agent, and to enable both women coming into it and women already in it so that they can progress through the industry at whatever level that they want to be at.

Pam: So let’s talk about the first line of defense. And at IBM, we have a saying that the first line manager is the hardest job of any job. And so I’d like to pick your brain a little bit on what managers can do, hiring managers even, you know, further up leadership. What can they do to create more equality and to kind of help overcome some of the system challenges that we face?

Jane: If we’re talking about awareness, one of the things they can do is actually build that personal effectiveness. So really, that comes from being visible out there and building a brand, so getting visible out there online, particularly, and offline within the company. So really being an advocate for security and opening up those doors and talking about what it is that we do, writing about what it is that we do, podcasting, getting on a podcast and talking about what it is that we do to an audience that may be interested in understanding about that.

Often, what I see, I see leaders out there doing this, but they’re not being available to the interested parties. So it’s very much a push. You know, in marketing, they call it push communication, push marketing, as opposed to that engagement. And that’s hard work and that is time-consuming, and they’re a waste that you can build this whilst taking some of the pressure off you, but you do have to, if you are going to do that, you have to be available for those who actually raise their hand and say, “I’m interested in this. Tell me more. How do I get into it?”

From the other side, there’s a great…the onus can’t purely be on the hiring managers and those seeking the next workforce, in my opinion. It’s a case of those who are interested actually finding a way, so doing a better job of themselves being visible, of themselves bringing that personal brand of getting in front of the right people. And that means networking. And I know when it comes to networking, women typically don’t do a great job of this. I mean, we’re perfectly skilled for this, but we don’t tend to invest in it, you know, or find a reason not to, you know, “Maybe that’s because I’m an introvert.” Well, again, I would say, that’s not an excuse. I’m an introvert, I know loads of introverts, and we still make the time to build our networks, and importantly, build those relationships. You’ve got to do that.

And then if we look at, you know, in the workplace, from an equality perspective, then it really comes down to culture and it’s really making sure that we are walking the talk. There’s some great effort, amazing effort going out there, and I can reel off incredible leaders, you know, who are doing some wonderful things, and also some companies as well. But equally, I know that there’s a lot of lip service that is being played out. So what’s important is to create these cultures that are fit for all people, and what I always say is what’s good for women is good for men.

Pam: So if you were talking to a young woman that’s just starting out and breaking into the field, cybersecurity or another STEM field, what kind of advice and encouragement would you offer her aside from the “be visible” that you’ve already touched on?

Jane: In fact, I’d go back a step. I would actually really try and get clear on what aspect of security most interests you. So is it the technical side? And if so, what aspect specifically? And if you don’t know, that’s okay. Or is it that the nontechnical side, the more business side, you know? And which specific area in that are you most interested in? And then, also, I would say…I would ask them to really think about, “do you want to work in a consultancy, that type of company, or do you want to work in more of an end-user company,” and explain the differences between the two and get them thinking about that. Because that will also help them to build their networks, and it will also help them for learning. And of course, learning…our industry is changing all the time. It is so dynamic.

What security really is about is good thinking, so our thinking based around risks, based around budgets, and things like that, but it’s about making better business decisions around risk. And so once they had kind of narrowed those fields down, I would then tell them to go and start learning in that field, and thinking about their own educational preference style, it could be reading, it could be listening, it could be watching. And if it’s all three of those, then great. Go and access YouTube. Go and, you know, get on a podcast, listen to a podcast, find out which podcasts you like. Read, get on LinkedIn, create a profile, and read as much as you can. Look at the magazines. And if you are able to, attend conferences, you know, or webinars if you’re not able to attend the conferences or if you’re able to attend the webinars. And I say if you’re able to because not all conferences, all webinars are available to students.

Pam: True. I think there’s been a lot more movement in the industry when it comes to making things accessible to students. Just having run webinars for IBM, I know we get a fair number of students who pop in to listen. And I think student pricing is helpful, but then there’s still travel and entertainment. I mean, the biggest conferences in the U.S. are in San Francisco. That’s not an inexpensive city to get to or stay in by any means.

Jane: Yeah, absolutely. And you know, in the UK, it might be London. You know, a lot of the conferences, the big conferences are in London. Yeah. And it’s also finding a way. So it’s not being complacent, it is about finding a way. So how are you gonna do that? There is always a way, and don’t let money stop you. Be creative with your thinking, get pitching, you know, sell yourself, you know, get some sponsorship if you can. You have to find a way. Money is not…money is only the blocker if you enable it to be the blocker. There is always a way.

Pam: Very true. So I’d like to wrap up and talk about some of the benefits of a more diverse workforce and what that actually means. It’s more than just gender and balance, 50-50. It’s so much more than demographic composition. But what does diversity mean in this context to you? And what are some of those benefits that we see?

Jane: Well, diversity is…when we talk about diversity, a lot of the time, it’s inferred gender-diverse. Gender diversity is implied, you know, and that’s a mistake. It’s a failing. It’s not correct. So I encourage people to get really specific with their language and not lazy. So diversity is a full spectrum as far as I’m concerned. It’s gender, it’s race, it’s ethnicity, it’s age, it’s socioeconomic, and it’s religion. So there’s a wide variety when it comes to diversity. You can look at diversity from experience as well, you know. And I think, really, in security, what we’re after is ultimately the diversity of thinking. You know, that is what we want.

So for me, I champion women because, one, I am a woman, two, there is some data on it, and three, also, from the research that I’ve done and accessed, you know, women are different to men. So we see risk in a different way to men, and that’s really important, you know, when we’re dealing a risk, because that’s what we’re dealing in when it comes to security. Women assess odds in a different way to men, and that manifests itself in risk, in lowering of risk, an aversion to risk. We like safety. We see risk in a very different way.

The other thing that I found from my research is that women have a natural ability to remain calm during times of turbulence. So that’s a trait that’s needed when we come across a crisis or an incident and so forth. That’s a good skill to have. And then, of course, women historically score really highly when it comes to social intelligence and emotional intelligence. They have high EQs typically. When we have more women in a group, the intelligence of the group increases. And it’s not a case of women are better than men, it just signifies and signals that when men and women come together and work together, then better things occur. We evolve, we progress.

And we are great change agents, which means, and research has proven this as well, that women are the change agents for more diversity. When women come into those positions, we open up the doors, you know, we give back to communities and so forth. So there’s a lot of good things that come aside from the things that I’ve spoken about that are to do with security.

Now, the other thing that happens when you get women into any industry, not just security: we get greater profits, profitability, innovation, and we stay on budget much more compared to homogeneous teams. So for me, when I look at this, yes, it is the right thing to do as a woman. It’s just not fair that we are still being penalized in terms of access to jobs, access to projects, and pay. But strategically, when I look at it from a business perspective, it’s strategically advantageous.

Pam: Jane, it’s been so wonderful to talk to you and hear your perspective on your research and what you’ve found in our industry. Thank you so much for joining us.

Jane: Thank you, it’s been an absolute pleasure. Thanks so much for having me.

Pam: So, David, I’m curious. In your experience in all of the interweb corners that you have visited, what’s been the most interesting job description or maybe recruiting tactic that you’ve seen for cybersecurity?

David: Yeah. So there’s a number of things that maybe come to mind, but at the very top of the heap is actually a story from the leader of our red team here, and it was his approach to finding talent. He actually would see if people like to play video games, and you know, it’s maybe counter to what we’ve all heard of “video games aren’t gonna help you professionally.”

And yet his take was, “What is a video game?” You have to stay in front of a screen, you have to solve a tough problem, you have to stick with it and be creative and try different things out, all things that they were looking for. And then if you go one step further, and I’ve seen this thread pop up here and there, you have to be a team player, right, you have to have the ability to communicate what you’re going to do with your team, and understand, and maybe even anticipate what your teammates are going to do.

So we’re maybe crossing genres a little bit in gaming, but to think that all of the platforms for gaming a place to mine for talent, I think that’s an interesting way to lean into a job description that isn’t traditional corporate, here’s the degree that’s required, number of years’ experience required, systems required. It’s like maybe looking at it like what kind of outcomes do you want. Do you want a team player or stick-to-itiveness and grit? Yeah. Yeah, I do. Well, okay. That’s a gamer, man.

Pam: So as a person who spent my formative college years in that 35 to 1 ratio, getting to the boss level on both “Doom” and “Wolfenstein,” like I am all in for a boss fight in cybersecurity.

David: Yeah, you would be golden. Speaking of golden, “GoldenEye,” man. Like, if we were gonna really take it back, build in 64 right there. That’s fun. That’s fun. I don’t know that that makes me a cyber-warrior, but you know.

Pam: I’ll take it.

David: Red team, if you’re listening, yeah, I was pretty good in college.

Pam: I once broke up with a boyfriend using “Mortal Kombat,” and I dealt a fatality. It was pretty sweet. I chopped his head right off.

David: That is ice cold. “Finish him,” right?

Pam: Yes.

David: No, I feel like “Mortal Kombat,” you know, just to kind of squirrel for a second, that is the epitome of a kid who looked in their toy box and like found all their toys that made no sense together and then figured out how to play with them together. Because you’re like, “Oh, here’s a cop and here’s a ninja, and you know, here’s a guy with lots of arms. And we’re just gonna, like, they’re gonna fight. Okay, that’s a game. I love it.”

Pam: Yeah. And it was pretty lame to, like, be the only woman there in the group, and then they’d be like, “Oh, you could be a lady character.” I’m like, “No, no.” Like, props to her for kicking butt, but no, I’m gonna show up and I’m gonna be this dude with the crazy hat that grows blades on it and like chops off people’s heads. It’s like that was my guy.

So, David, do you have any good news for us?

David: For those of you who have stuck with us through the season and are thinking, “You know what, I want to be in a cybersecurity job,” and/or you know somebody who’s thinking about it. There are a number of nontechnical degrees that are found to be really successful: math, business, psychology, sociology, philosophy, music.

And I think that opening up the aperture that wide and looking at it and then finding out that you could have a degree in one of these areas, and I think math was particularly called out as useful, but being able to think through human interactions or interactions between different groups or think about the philosophy of why somebody’s doing something, of course, that makes sense, but it isn’t where we’ve mined for talent. And so to all those grabbing those types of degrees that aren’t traditional cybersecurity oriented, welcome to the club. We need your help.

Pam: Yeah, for sure. Check out that article on Dark Reading if you haven’t seen it. And I will say, gosh, about a month ago, maybe two months ago, I was contacted by a fellow IBMer who had recently joined IBM and was a podcast listener and who had joined IBM and reached out to say, “I’m so excited that I just get to contact you, because I’m a podcast listener.”

David: So we have a fan? I love it. That’s fantastic. Welcome to IBM and thanks for being a fan.

Pam: And so we got a fan to join the company. Fantastic. Absolutely.

So that’s all we have for this episode. Thanks to Jane Frankland for joining us as a guest.

David: Subscribe to this podcast on Apple Podcasts or Soundcloud or Spotify or Overcast or whatever podcatcher you use to make sure that you never miss an episode. Thanks so much for listening.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...
read more