As someone who has spent decades in the technology industry, I’ve seen the landscape transform dramatically. However, one issue remains persistent: the lack of gender and racial diversity in cybersecurity.
As part of our recent SASE Week, I had the opportunity to speak with Emily Heath, General Partner at CyberStarts, and Shamla Naidoo, Head of Cloud Strategy and Innovation here at Netskope, to discuss how we bring more women into cyber – and just as importantly how we ensure they thrive in their roles so we can retain their talents.
Perhaps inevitably, when advertising on social media that the session was upcoming I saw a number of comments from male industry participants questioning the need for any focus on diversity. Hopefully those men joined the session and now have a clearer understanding of the matter. If not, this summary post might help.
The Complexity of the Gender Gap
Recent figures show a concerning trend that the percentage of women in cybersecurity roles in the UK dropped by almost a quarter over the last two years, from 22% to just 17%. The UK is not unique—the cybersecurity industry worldwide consistently struggles to attract and retain women in cybersecurity roles. But there’s more to this than just statistics.
Fifteen years ago a study of diversity on FTSE 350 boards showed that higher levels of gender diversity positively correlated with financial performance. The revelations of the research genuinely changed the debate among feminists and naysayers alike—finally there was proof that diversity was worth pursuing for hard-nosed business reasons. But these latest figures from the UK show that acceptance of the value of diversity in a board context doesn’t seem to have filtered down into the way we structure cyber security teams.
If diverse teams drive better business outcomes, how might they impact cybersecurity and risk outcomes?
Hiring for Skill Sets, Not Titles
When we spoke, Emily Heath was clear that changing the long-standing norms and biases that have existed across the tech sector requires commitment and concerted effort. However, she was confident that—with the right strategy—we can work toward closing the gender gap. She believes that one effective approach is shifting our focus from hiring based on titles to hiring based on skill sets.
Emily: “When you start to think about hiring for skill sets, you open up a whole new world for yourself. At the end of the day, smart people can learn. Shamla and I did not start our journeys in the corporate world thinking that we were going to be chief security officers. That job didn’t exist back then, but we all learn things along the way.”
Some women fear a backlash from diversity efforts—and understandably so, given we heard in the discussion of specific examples where women’s achievements or advancement were attributed to their gender. But Emily was unequivocal about the reality:
Emily: “I have been told more than once, by men, that I got the jobs that I got because I was a woman. To which I say, good. It’s our time and—you know what?—if it opens a window because I’m a female, I make no apology for that whatsoever. If you’re given the opportunity, because you’re a woman, own it. I take it with open arms and I plough through that door and prove why you made the right decision.”
Shamla: “I would add that maybe you get the job because you’re a woman, but you don’t keep the job because you’re a woman. We keep the job because we are competent.”
Transparency through statistics
I asked Shamla and Emily what sort of data we might be able to look at to assess the impact of diversity on cyber outcomes.
Shamla: “Your question presupposes that the information exists somewhere, and we could just lift off the covers and pull it out. And that’s not true, right? But why is it not true? We don’t collect information and report on information that we think doesn’t reflect well on us.”
Emily: “It’s really tough because in cyber in particular, people very often don’t share their metrics around success in the ways that they would do around other lines of business. So we’re really limited in terms of what we can track as metrics that we can report on.”
Shamla: “Most organisations are not going to bring out data that doesn’t put them in good light in the industry. So it’s hard to say ‘collect the data’ because at some point that means they have to admit there’s something they have to do, something is not working.
I feel like we need to be thinking about this a little bit differently. It’s not to punish anyone, but to create equity in how we might view the data. And then as consumers, we make our own decisions.”
Emily: “I think that’s a great point actually, because, I think we’re starting to see this a little bit with some of the ESG initiatives. Now, a lot more companies are a lot more likely to publicly disclose their diversity statistics, for example, than they ever used to be before as a result of the pressure that they’re seeing from the investor community and from Wall Street and making sure that things like ESG initiatives are not lip service or greenwashing, but that there is a genuine intent to change.”
Bridging the Gap for a Stronger Future
Addressing the gender gap in cybersecurity requires a multifaceted effort. We must start by acknowledging the issue, embracing diverse skill sets, and encouraging women to seize the opportunities they are given. But transparency in reporting diversity statistics and a genuine appetite to consider the business advantages of diversity are paramount. If diversity is always seen as benefiting solely the individual, we will struggle to turn the budding discussions into anything more profound than a sideline initiative – and that will in turn kneecap efforts to make real progress in increasing representation of diverse groups among our cyber teams.