Just in time for International Women’s Day, the latest episode of Security Visionaries finds host Emily Wearmouth sitting down with guests Emily Heath and Shamla Naidoo, as they shine a light on the importance of diversity for better business outcomes whilst discussing the roadblocks faced by women and people of color in the cybersecurity sector. Listen in as they offer insightful reasons behind this decline and underline the necessity for true intent, focus, and discipline to revolutionize outdated norms, leading to a more inclusive cybersecurity industry. This episode underscores the urgent need for a shift in attitude and acknowledgement of diversity as an essential aspect of cybersecurity organizations.

I’ve said it many times, you have to have a genuine desire to shift archaic norms. It does not happen overnight and it doesn’t happen without focus, discipline and a genuine, authentic heart. To be able to want to change this industry for the better. And if you have good intentions and you have that authenticity about you, people will run toward you.

—Emily Heath, Senior Vice President and Chief Trust & Security Officer at Docusign

Timestamps

* (00:01): Introduction and guest introductions
* (01:24): Discussion on the decline of women in cybersecurity roles
* (03:27): Factors contributing to the decline and mental health challenges
* (06:17): Challenging the notion of women in cybersecurity as non-essential
* (08:37): Importance of diversity and inclusion in cybersecurity
* (11:27): Overcoming biases and stereotypes
* (14:23): Measuring the impact of diversity in cybersecurity
* (17:09): Bringing diversity initiatives to the board level
* (21:58): Empowering chief security officers and increasing their representation
* (27:08): Conclusions

On this episode

Emily Heath
Senior Vice President and Chief Trust & Security Officer at Docusign

Emily Heath is a seasoned technology and cybersecurity executive with experience leading complex global F100 organizations through technology, security, and cultural transformations. Emily currently serves on the Board of Directors for a few different organizations.

Most recently Emily served as SVP & Chief Trust & Security Officer at DocuSign based in San Francisco, California, where she oversaw cyber security, physical security, and customer trust functions; she also chaired the company’s ESG Committee. Prior to DocuSign, Emily was the Chief Information Security Officer at United Airlines, where she oversaw the airline’s global information security program as well as the IT regulatory, governance and risk management functions. Before her role at United Airlines, she was the CISO at Fortune 500 architecture, engineering and construction firm AECOM. Prior to these roles, Emily served in various IT leadership positions in enterprise applications, ERP and supply chain, web development, M&A leadership and program management.

Shamla Naidoo
Head of Cloud Strategy and Innovation at Netskope

Shamla Naidoo is a technology industry veteran with experience helping businesses across diverse sectors and cultures use technology more effectively. She has successfully embraced and led digital strategy in executive leadership roles such as Global CISO, CIO, VP, and Managing Partner, at companies like IBM, Anthem (Wellpoint), Marriott (Starwood), and Northern Trust.

Emily Wearmouth
Director of International Communications and Content at Netskope

Emily Wearmouth is a technology communicator who helps engineers, specialists and tech organisations to communicate more effectively. At Netskope, Emily runs the company’s international communications and content programmes, working with teams across EMEA, LATAM, and APJ. She spends her days unearthing stories and telling them in a way that helps a wide range of audiences to better understand technology options and benefits.

Episode transcript

Emily Wearmouth [00:00:01] Hello and welcome to another edition of the Security Visionaries Podcast, a place where we host experts discussing a wide range of topics that will be of interest to anyone in cyber, data or related industries. I'm your host, Emily Wearmouth. This week is International Women's Day, a day that I believe should be about activism rather than platitudes and spin. And so I've asked two women who have excelled through their career paths in technology to allow me to throw some pretty prickly and awkward questions and challenges their way. Let's get some introductions done. First of all, I'm really pleased that Emily Heath has joined us today. Two Emilys are always better than one, and this Emily has a fascinating cyber career, starting off when she was a detective in the Fraud Squad with the UK police. She then went on to hold VP and CSO roles for the likes of United Airlines and DocuSign. Currently, Emily serves on the board of directors for a number of public and private organizations. Thank you for joining us, Emily.

Emily Heath [00:00:55] It's a pleasure to be here. Thank you for having me.

Emily Wearmouth [00:00:58] My guest has an equally impressive CV or résumé to talk American. Shamla Naidoo has served as a CISO for the likes of Starwood Resorts and IBM, and is also an adjunct professor of law at the University of Illinois. She serves as a board member or independent director for multiple public boards, and she's also head of cloud strategy and innovation at Netskope. And I'll be honest, I'm pretty intimidated right now. Welcome, Shamla.

Shamla Naidoo [00:01:21] Thank you for having me, Emily.

Emily Wearmouth [00:01:24] For a bit of context, recent government figures show that the percentage of women in cyber security roles in the UK dropped by almost a quarter over the last two years, from 22% to just 17%. And the UK is not alone in its struggles, really to make an impact, with the sector continuing to entice and retain men more successfully than women. But we also know from other research that diverse teams drive better business outcomes. There have been lots of long range research programs that show higher levels of gender diversity. On the likes of FTSE 350 boards positively correlate with financial performance. So I wanted to start by asking you both, what's your general initial reaction to such stark figures coming out of the UK government?

Emily Heath [00:02:08] Well, I'm happy to start. I'm actually shocked. I'm surprised that the numbers have gone down for a number of reasons. Firstly, I think both Shamla and I, we're out in the community a lot with fellow CISOs, and women are always underrepresented. There's no doubt. It's always a sea of men. But I thought we were starting to see more women in cybersecurity, in particular in leadership roles. Now, perhaps what that indicates is the investment and focus that we've had on bringing women into cyber perhaps started a few years ago. And now those women are getting into more high-level leadership roles. But I'm surprised at the numbers because I do see more women, but albeit they're probably more in leadership roles than they are in some of the management layers and some of the other layers of security. So it worries me greatly because if we're not spending the time investing and making sure that women are represented at every level of an organization, then we're going to be in stark danger of not having more women in leadership roles in the future. So my initial reaction was like, wow, I'm actually shocked. I thought we were getting somewhere.

Emily Wearmouth [00:03:27] What about you, Shamla?

Shamla Naidoo [00:03:29] So, Emily, I will say that I am not surprised at all by those numbers. You know, I think Emily's right. Over the last couple of years, we've seen those numbers increase, and that was very good news. It was really good sign of the industry kind of changing and becoming a little bit more friendly toward women. And so we got some better numbers. However, remember we also got those better numbers because we started counting differently. So rather than looking for kind of pure cybersecurity skills and then adding that we started to become a little bit more generic. And so those numbers included things like technology leaders. And so, you know, while it's arguable whether they're in or they're out, I think those numbers were a little bit artificial simply because some of that increase was due to us counting differently. But the second thing that I think is more important is that over the last couple of years, we've seen a significant increase in mental health strain and stress, I think, on the whole industry. But for women in particular, you know, that, you know, we react more quickly and we react more seriously to those kinds of challenges and the job has become more stressful. The job has become almost impossible to sustain. And so I am not surprised at all that women are beginning to leave this field. And so those two things to me, given that those things were happening, does not surprise me at all that the numbers are getting lower, although very sad news.

Emily Heath [00:05:02] The other thing I wonder is, you know, we all know that changing these archaic norms of having such a low percentage of women over the years, we need our male allies in this too, right? We need male allies in order to help change those statistics and change those norms. And it takes a lot of focus and discipline to be able to do that. It doesn't just happen on its own. And I wonder whether for some of those impacts, mental health impacts that we would have been through Covid, as life changed and turned upside down over the last few years, I wonder whether the focus and discipline that we had in making sure that cyber teams were well-represented in every kind of diversity has, for all the wrong reasons, taken a lower priority. I wonder whether that's the case, too. And that, again, that worries me. There has to be a genuine intent to change these archaic norms. It's not just something you tack on to the end of a conversation. And I wonder whether some of those mental health challenges, which I think are very real, for both the male and the female folks in business. But I wonder whether that's got anything to do with it, too. But yeah, you make a great point.

Emily Wearmouth [00:06:17] Yeah, I've seen some suggestions that women were hit hardest by industry layoffs. All that, when times got a bit trickier in recent years, the focus on diversity initiatives went out the window where people focused on sort of harder issues around, you know, business risk and business challenges. These initiatives that were perhaps seen as a bit fluffy, nice to have went out of the window when push comes to shove. And so I wonder, if that is the case, how can we challenge that notion that women in cyber is a non-essential sideline project and really assert it's business critical?

Shamla Naidoo [00:06:54] You know, Emily, I think you kind of started out by saying in many ways this has been kind of a self-help kind of program, right? Where you give women a book, you say, read this book or read this article or go to this class or, you know, learn this material. Well, we used to think differently about that. We need to think more about this field as an apprenticeship type program. Somebody needs to hold your hand through these types of learnings. You know, if it was that easy, we would all read a book and we would gain the knowledge. It's not that easy. We know it, Emily, and I know it from having been there and done that. And so, you know, I think we need to think differently about these programs. This cannot be a self-help program. This has to be one of those hold my hand and lead me through this in order to teach me so that I become more important, more relevant, more valuable. And when those layoffs show up, I'm not the first one you lay off, which, you know, if you think about it. I mean, historically, women have come into the cyber field, but in disproportionate numbers. They take on jobs of policy and governance and testing. And, you know, a lot of the kind of the administrative side of the job, which in hard times can often seem like the less important or less valuable. And that's why women are disproportionately impacted by these layoffs. So, you know, even that doesn't surprise me at all. What surprises me, though, is this idea that, you know, women are generally not technical enough. Perhaps we're not bringing as much value into the teams because we are not bringing in those hardcore technical skills, and that's not quite sure.

Emily Heath [00:08:37] I completely agree with you, Shamla. I mean, you know, just on a personal note, I have been told more than once by men, white men, on both occasions, that I got the jobs that I got because I was a woman. And, to which I say, good. It's our time. You know what? If it opens a window this much? Because I'm a female. I make no apology for that whatsoever. And if it means that I get a chance at an opportunity of a job because I'm a female. Nobody's going to give me the job if I'm not qualified for the job. So if it opens a little crack in the window, I say, bolt through that window and push that door down. Because you know what? It's our time. And I've never spoken to either one of those white men since that conversation, as I'm sure you can imagine. But I think I'm hopeful that we've gotten away from that level of thinking these days. That was a number of years ago, but still, it's still shocking that somebody would actually say that out loud, that, you know, you only got that position because you're a female. And as women, this is what many women put up with in these corporate positions. But at every layer of an organization, if we're experiencing that at all levels of an organization, can you imagine what women, other levels of organizations, are feeling? And this is why I talk about it publicly, because I think it's really important. I think it's important that we acknowledge that, yes, it's tough sometimes, and we do have some of these very challenging situations to get through. But the way we overcome it is, you know, to Shamla's point earlier, it's not just about hiring people for their titles. You've got to hire people for their skill sets. And when you start to think about hiring from skill sets, you open up a whole new world for yourself. And I've seen this work incredibly well at different organizations over the years, and it's a mind shift to think about bringing people into your team that don't necessarily have pure cyber experience, but they've got damn good experience and skill sets that you need to contribute to your team. At the end of the day, smart people can learn stuff. Shamla and I did not start our journeys in the corporate world thinking that we were going to be chief security officers. That job didn't exist back then, but smart people can learn things. We all learn things along the way, but we need to be given the opportunity. And if you're given the opportunity because you're a woman, own it and say, yes, thank you. I take it with open arms and I will plow through that door, and I will prove to you why you made the right decision.

Shamla Naidoo [00:11:27] Emily, you know, what I would add to that is, maybe one gets the job because you're women, but you don't keep the job because you're women. Yeah, exactly. Because we are competent. Yeah. Exactly. Right.

Emily Wearmouth [00:11:44] And there was a mention of white men in there. And I know Shamla you've got some thoughts as well, about how gender isn't the only diversity issue that we need to be bearing in mind with these conversations.

Shamla Naidoo [00:11:55] You know, as I was kind of thinking about this conversation, one of the things that's striking to me is, you know, we talk about gender, we talk about males and females, and gender has gotten more fluid in more recent years. And so that's a challenge we really have to face. But more importantly, I think there's another aspect to this conversation that needs to be included. If you look at the numbers that you cited, I'm not sure that we actually are calculating or giving visibility to the challenge that women of color and black women in particular face in this area. So if I give you an example, you know, in the US over the last 3 to 5 years, I would say the number of women in cybersecurity in particular has increased. Like I talked about earlier, some of it is because we counted differently. But frankly, I think, you know, a number of women have been hired into leadership roles and into the field. So that number is getting better. But if you just think that the number is now about 27% of women, hold those roles, then out of that, about 3% of those women are black women. And so they have an even more difficult time. You think, you know, we have a challenge of kind of, you know, getting to better numbers, getting to higher level roles, etc. Us black women are having a much harder time. And so we really need to wrestle with that as well, because if we think about being inclusive, it's not just being the gender inclusive, it's within the gender. There are categories of metrics and other goals that we need to be setting because they are, you know, other factors that actually make us more effective.

Emily Wearmouth [00:13:36] Absolutely. Now, I'm going to ask you both a really mean question. And I don't often ask a question that I don't know whether there's an answer to, but I'm just going to do it. I'm wondering, I said in the beginning about this FTSE 350 piece of research, it was a longitudinal study from something like 2001 to about 2019. And so over that period of time, there's been a general belief in the figures that it helps business outcomes to increase diversity. Where can we look for similar sorts of numbers for cybersecurity that perhaps play on things like a correlation between diversity and risk profile? You know, what should we be looking at under the bonnet? That we can throw it in the faces of our detractors and say, look, it's worth doing.

Emily Heath [00:14:23] Yeah, it's a really tough one because cyber in particular, people don't share the metrics very often around success in the ways that they would do around other lines of business. So we're really limited in terms of what we can track as metrics that we can report on. But I think for me, and I've seen this, I've tried and tested this many times in my organizations and hired incredibly diverse creative sets of people. Diversity, meaning from every walk of life, diversity of mind, diversity of thought, and yes, gender and race as well. And when you have an organization that operates in a way that represents the world and not just represents historic corporate America, things change. It's really hard to put your finger on exactly what changes, but it's I've seen it in action. It's like magic when it works. There's almost this freedom that people feel. There's an equality that people feel. There's a different camaraderie and spirit and people run toward you instead of away from you. And so, I've been very blessed for my previous teams that, I'm no longer an operating CSO. But when I was, my previous teams had very, very low attrition rates. And I attribute that to the value that the entire team put together. It's nothing to do with me. It's not to do with me personally. It's to do with the spirit and the energy that the entire team put into creating an organization that really walked the walk and really meaningfully and genuinely want to represent how the world looks. And like I said at the very beginning, it takes time. It takes focus, it takes discipline. But attrition rates being exceptionally low. In my old previous organizations, my attrition rate was so low compared to some of the other groups that HR teams want to know what's wrong with my group. It's there's nothing wrong. People are happy. People are happy because they see representation and I have never had a problem hiring people because, you know, part of being a leader, it's our job to get out there and talk about why this matters to us so much. When you have those truly dynamic, engaging, creative teams because they are so diverse. The attrition rates are really low. But the success of cyber is really difficult to measure, in and of itself because most people don't really share that information. You could probably have some measure internally. But it's really hard outside of I would say general HR statistics.

Shamla Naidoo [00:17:09] So, you know, Emily, the way you ask the question like, evokes for me a reaction which is, you know, your question presupposes that the information exists somewhere, and we could just lift off the covers and put it out. And that's not true. Right? But why is it not true? We don't collect information and report on information that we think doesn't reflect well on us. Right. Most organizations aren't going to bring out data that doesn't put them in good light in the industry. So it's hard to say collect the data because at some point, if they collect it, that means they have to admit it's something they have to do. Something is not working. And so to me, I think, you know, a lot of this never gets collected. And so you're not going to find it. But let's just take some examples. Right. So if I think about revenue per employee, we know how to calculate that. Every company knows how to calculate that. Why? Because revenue is a publicly available number. You have to report it so everyone knows what your revenue is. And everyone typically knows what your employee count is. So revenue by employee is an easy metric. It's an easy one for us to calculate. Also, if we didn't calculate it others can. And so we need to think about diversity. And these kinds of metrics in similar ways is, you know, how do you make that information public. How do you create disclosure that is equitable. So it's not just one company who's reporting it because they have good numbers to report. And so they go out there and talk their numbers. But how do you make that a requirement across the board so that everyone is looking at this from the same lens and so good and bad is then in the eye of the investor or in the eye of the, you know, receiver of this information. I feel like we need to be thinking about this a little bit differently. It's not to punish anyone, but it's to create equity in how we might view the data. And then as consumers, we make our own decisions.

Emily Heath [00:19:12] Yeah, I think that's a great point actually, because and I think we're starting to see this a little bit with some of the ESG initiatives. Now a lot more companies are a lot more likely to publicly disclose their diversity statistics, for example, than they ever used to be before. A lot of them now are on the public websites as a result of the pressure that they're seeing from the investor community and from Wall Street, around making sure that ESG initiatives are not greenwashing or not lip service, that somebody actually is truly, again, I say there has to be a genuine intent to change. You can't you cannot whitewash like greenwash any of this. You just can't. It's got to be a genuine intent. But you're right. So some of that, some of those statistics externally have not historically been available. Hopefully we'll start to see that a little bit more as these initiatives start to grow.

Emily Wearmouth [00:20:10] Maybe we need an industry taskforce.

Shamla Naidoo [00:20:13] Well, you could get an industry task force or you could do you know what I think is kind of happening organically, being on multiple public company boards, you know, Emily and I both know this, when the board starts to pay attention to the topic. And in the US in particular, they have started paying attention to, you know, ESG type initiatives. When they get involved, people magically show up with the data because they are now overseeing, and they can expect someone to come and report. And in order for the CEO to report that information, they better be collecting it. And more importantly, they better show that they have a pattern of getting the numbers to improve over time. And so I think that that's creating a little bit of organic pressure. Of course, you know, it's not a mandate by any means, but certainly when your board starts talking about it, the CEO pays attention. And when they pay attention, usually that impacts culture. And then across the board you end up with this kind of cultural change of, hey, let's think harder about it. And it shouldn't just be a paper based exercise or just words on a piece of paper. It should actually be, you know, complemented with action, investment and then results.

Emily Wearmouth [00:21:24] That ties into one of the last questions I wanted to ask you. And I know Shamla, you've just published a book all about the cyber savvy board. And we're having conversations that sort of all meet at this point in the middle. We know that ESG is growing in importance for boards. We know that cyber conversations and discussions around risk are growing in importance for boards. How do we bring these threads all together? And also a sort of a second part of that question is the board level where we need to be having these conversations, or does it need to be had at an executive level or a manager level or all three?

Shamla Naidoo [00:21:58] So let me just start by saying, you know, boards need to have a basic understanding of what really goes on, right? One of the things you've heard talked about in the last decade has been that we don't have enough skills in the cyber field to do what we need to do. And that really is frustrating to me because you've got a whole body of expertise. You've got, you know, people are interested. You have people who can be taught, there are people who want careers in this field. And so we've got that group of people, including women and people of color, etc. And on the other side, businesses say, I don't have enough skills, I don't have enough people to do the job to do the cybersecurity job. Well, why not bring those two things together and figure out models that actually solve for the problem, rather than saying, well, we don't have enough skills, we'll go build the skills. Don't expect to just buy it, figure out ways to go building. And that's how you become more inclusive. You know, you asked earlier, Emily, about, how, you know, how do we measure this? Right. And how do we show that having a diverse workforce in cybersecurity in particular adds value? We know from scientific research that when groups of teams and teams of people include both genders, males and females, now any other gender identification that they naturally take more risk. Companies make money because they take more risk. And that. And so this just fits naturally into that equation. So even if you're not able to calculate it today, if you believe the science and you know that having diverse teams are going to help you take more risk, when you take more risk, you're likely to make more money, or you're likely to fail more quickly and more people are going to be aware of it and stop you stability. So we need to be thinking about this from a workforce perspective. This is not just a check the box exercise. Put more women in or put more people of color in.
But it's like solve a real business problem, build more skills. And these people are they be available, why don't we take them? And so the opportunity and the openness that we find in businesses.

Emily Wearmouth [00:24:10] Emily, did you have any thoughts then?

Emily Heath [00:24:12] Yeah, I couldn't agree more. And it's, within the cyber security realms, of course, we're already in a situation where we have a lack of diversity in cyber as a subset of a corporate environment. As you start talking about where the change happens, the change always happens at the top and every other layer. In my opinion, it has to take every layer of an organization to really, truly shift change. But you need people at the top of the organization who represent that change because the rest of an organization, if they see an all white board or white male board, and then people talking about the initiatives around diversity, that's not walking the walk, it's not believable. It doesn't come across as genuine. And it's, it needs to be represented at every layer of the company. The challenge we have is how do we get. And I'm talking specifically around cyber. How do we get women and people of color in cyber into the public boardroom? Because many, many security executives want to be in the public boardroom, but they don't necessarily have the full experience that they need to do that. The first thing that they need to do is, corporations need to give chief security officers the ability to contribute at every level of an organization, meaning they need to truly be C-suite. We need to stop messing around with reporting structures, security officers are business leaders first and security leaders second. This is technology. And security has become way too big of an impact on most organizations now that we need to give them the experience to operate in the C-suite so that they have experience beyond security as to how an organization actually operates, what drives revenue, and have them contribute to that at that level, then they will be better situated in order to get on to public boards. Because if you think about it, public boards have somewhere between 9 and 12 seats.
And when it comes to the topic of cyber security, security officers usually only have about 20 or 30 minutes in front of an audit committee or sometimes the full board to talk about cyber security. But boards of directors could be a day and a half, two days long. So what else are the board talking about? And so how do we equip our security officers with the ability to be able to contribute beyond just the security conversation in a public boardroom? And I think this conversation has to start with we have to elevate this position. Otherwise we're going to have a major supply and demand problem. We're going to have high demand for security expertise on public boards, including women and people of color. But the supply is going to be way too short. So we need to solve this problem now by allowing security officers the opportunity to learn and be a part of the conversation of the C-suite.

Emily Wearmouth [00:27:08] Thank you. Well, before we wrap up, any final thoughts or takeaways from either of you?

Emily Heath [00:27:13] The one final takeaway for me from this conversation is, you know, we need to really get a little introspective and think about, have we as a cyber security industry, become too elite? Have we become too elite to allow women and people of color into our area of expertise and into this field? You know, is there a certain amount of arrogance that has crept into this field that says those of us who are women and those of us who are people of color don't belong or we don't know enough or we're not competent enough to be in this area? I feel like that's a conversation we need to have, and it's something that we need to really go in and dig deeper and inspect in our own decision making: what are we doing to be inclusive and how are we actually finding ourselves in this kind of situation where we feel like we're better than others.

Emily Heath [00:28:04] Yeah, I'm, for me, I'll keep it simple. But for me, I've said it many times, you have to have a genuine desire to shift archaic norms. It does not happen overnight and it doesn't happen without focus, discipline and a genuine, authentic heart. To be able to want to change this industry for the better. And if you have good intentions and you have that authenticity about you, people will run toward you. People want to belong to teams, whether that's a board or whether it's a C-suite or whether it's a cyber team. People want to belong to teams that care deeply about diversity and about creativity and inclusion. Leaders have to have it in their heart to drive this topic forward, or else we're never going to get rid of those archaic norms.

Shamla Naidoo [00:28:54] And on top of that, you say you have a skills shortage. It is our responsibility to solve for the skill shortage. This is a simple, easy answer.

Emily Wearmouth [00:29:04] Just as I suspected it might be, this conversation is absolutely fascinating and I would love it to continue forever. I really just wanted to thank you both for joining us today to talk about this topic. I think it's incredibly important, and hopefully the conversation will continue beyond this short window of time. I hope others have found it as interesting to listen to as I have. You have been listening to the Security Visionaries podcast, and I have been your host, Emily Wearmouth. If you enjoyed this episode, please do share it. But also make sure that you follow us on your favorite podcast platform. If you're new to the podcast, there's a great back catalog you can catch up on. Since September, we've been publishing a new episode every two weeks, some hosted by me and some by the marvelous Max Havey. If you subscribe, you'll never miss a new one. I'll catch you next time.
