Cyber should be much more diverse than it is.
• Jobs in cybersecurity are frequently gatekept by expectation.
• Skill levels and experience sometimes unrealistically rule out candidates from cybersecurity jobs.
• Representation is vital to the diversification of jobs in cybersecurity.
In our ongoing quest to talk to as many founders from this year’s UK Cyber Runway business accelerator cohort, we sat down with Lorna Armitage – Co-founder of cybersecurity education organization CAPSLOCK.
Lorna, unlike many founders on the accelerator, has been dedicatedly working in the cyber industry for 15 years.
We naturally wanted to know how it’s changed over that time.
LA:
It’s one of those strange situations. There’s been lots of change in lots of areas, but then conversely, some of it hasn’t changed at all. Some of the key changes are around ubiquitous computing, including the likes of IoT. Increased connectivity gave computing a big jump, and in the last 15 years, I think that’s really changed how we do cyber, as well as the different kinds of problems and challenges that you have been brought to the forefront of that.
We’re obviously dealing with much more sophisticated threats today, because that’s been a fairly constant process – as technology has become more and more sophisticated, so have the threats with which we’re dealing day to day.
Take phishing – 15 years ago that was the Nigerian prince who’d just inherited 50 million pounds and wanted to share. When you look at phishing attacks today, they’re very sophisticated and quite difficult to spot.
We’ve had regulatory changes, too – the biggest of which is the General Data Protection Regulation (GDPR). That was a big shift for organizations, and they had to really kind of sit up and take notice of that.
There’s been a big rise in nation state cyberattacks over the last 15 years, too – to the point where it’s something we really have to think about and plan for. That speaks to the challenges of cyber, and how we get to different solutions to some of these problems.
All of that has meant there’s had to be a growing awareness of cyber at the C-suite level, which is great, because it means there’s a bit there’s more spending from organizations.
THQ:
You’re not having to go over and over the same issues to unlock the magic money?
LA:
Exactly, but then on the flip side of that, we’ve still got a massive skills gap in cybersecurity. So for all there have been lots of changes, when you get right down to the problems that we see in cyber, a lot of them are still the same for organizations, you know? The core of the problems are very similar to what they were 10 years ago, 15 years ago. But I think the solutions are different – especially the technology solutions.
Same old situation on cybersecurity jobs?
When you’re looking at the technology and how that’s evolved, that’s a very different world to what it used to be. But the core of the problems in cybersecurity jobs have remained the same for a long time – joiners, movers, leavers, and fundamentally protecting your infrastructure. So, while there have been lots of changes, you can definitely track some similarities remaining over time.
THQ:
What’s that line? The more things change, the more they stay the same?
LA:
Absolutely.
THQ:
Let’s talk about the skills shortage in terms of the barriers that are most prevalent right now to people getting into the cyber sector. What are the most prevalent barriers you see? And how do we remove them?
LA:
There are a number of barriers, and at CAPSLOCK, we’re about removing as many of them as we can. Representation is a big issue, and seeing that representation, seeing people who look like you, sound like you, come from where you’ve come, from your background, can be key to ensuring that whoever you are, you feel you have a place in cyber. We still have a lot of work to do on that in cyber. Emma and Jonathan come from a military background. And there’s a real legacy of that military language in cyber, along with a lot of smoke and mirrors around cybersecurity that suggests it’s a thing only a select few people can do it.
You have to see it to be able to be it – especially in cyber.
That’s a real barrier for some people – “how do I even do that?” Even seeing it as an option for them is a real problem. And it’s such a vast area, how do you start to even look for where you should start? Which certification should you do? How do you know which areas you should go into?
As I say, there’s a lot of work to be done around that. It is moving forward, it is getting better, I don’t want to be all doom and gloom, but there’s still lots of work to do. And I think the recruitment processes is a big part of that – we work with over 100 employer partners, and we work actively with them about their recruitment. For instance, when they send in job descriptions, and it says “You need this and this, and this, this, and that, and that,” we ask what they actually need, because frequently you get that thing where they’re asking for an entry-level person who’s got five years’ experience, and those two things do not marry up.
THQ:
Well, clearly. “I did five years of work to gain this experience, why are you offering me only entry-level?” Particularly in this economic climate.
LA:
Right. And we still see that in a lot of what goes out. Do they need to have a degree? Do we need to still be looking at these traditional routes to come through? Or should we be looking at people with more diverse backgrounds who have transferable skills and knowledge from things that they’ve done previously? So I think that is still a big barrier to entry into cyber as well.
THQ:
Having spoken to some women CEOs in tech, their thing is that women generally won’t apply for roles unless they know they have more than 100% of what’s asked for, while men who are existing in a patriarchy which has always overvalued them on the basis of their gender will tend to wing it more, and believe that either they can do a thing, or that they’ll pick up what they need to know as they go.
LA:
Absolutely. Obviously, we’re generalizing, but there’s a lot of research that supports that, too. And that can be a blocker for a lot of people, not just women, because the same imposter syndrome is at work in everyone who’s not part of the patriarchy’s ideal – which is white, cis het, non-disabled men. The recruitment process can perpetuate things like that imposter syndrome, because of the language we use, and the smoke and mirrors surrounding cyber.
The importance of representation.
THQ:
In a tangential vein, how important is it that there are more and more female-led firms in the cyber sector, given the generally limited number of women in tech?
Cyber depends on a recruitment process that needs improving.
LA:
It’s crucial. That kind of representation is vital. The number of learners who come through CAPSLOCK, who, when we get the feedback about why they came to us says they came to us because the business is led by women is high, and that’s really important, because generally across cyber, it’s a rarity. We all need role models, we all need to see people who’ve done it before us, who thought like us.
Again, over the last 15 years, there’ve been big changes, and we are definitely moving forward. But there is still a lot of work that needs to be done in this area. And it’s not just gender either, it’s race, ethnicity, socioeconomic status, it’s all of those things that we need to look at to make sure that cyber is as diverse as it possibly can.
Because here’s the thing: the people who are attacking our cyber-systems? They’re diverse. Our customers are diverse. So the people providing the solutions to the attacks, to the problems, need to be diverse too, or we’re not matching enough of the skillsets and experiences to do our job effectively.
The numbers on women in cyber have come on, but they’re still truly depressing.
THQ:
So simply from a bottom-line principle, there’s every statistic you could possibly want to throw at it that says the more diverse an industry is, the more effective it is, the more productive it is, and ultimately, the more profitable it is.
LA:
Absolutely, I use this all the time. Even if diversity doesn’t make sense to you from let’s say a social or ethical standpoint, it makes sense from a business perspective. It’s better for a business to diversify the people who fill your cybersecurity jobs. Here are the figures that prove it. It’s going to make you money.
In part 6 of this article, we’ll explore the nature and necessity of trust in the modern cyber-world.
5 March 2024
