It's become a staple of many technology conferences - the almost mandatory "Women in..." panel. Amy Roberts, from the Australian Cyber Security Centre chaired a "Women in Cyber" panel at this year's Technology in Government event, held in Canberra. She started the discussion by asking the question "Why do we need a women in cyber panel?. Shouldn't the discussion be based on merit?". That's something I've often pondered and it kicked off an interesting discussion.
When considering the question of what roles exist in cybersecurity, Professor Jill Slay, the La Trobe Chair of Cyber Security, said the nobody really understands what Cybersecurtity is. And without a clear definition, it becomes hard to attract talent. Slay said documents such as the widely used NIST framework help but without a common understanding of what cyber is, it's very difficult to attract more women.
Charlotte Wood is the acting Director of Cyber Security Operations at the Office of the NSW Government Chief Information Security Officer. Wood added to this saying there was a need to be specific about different roles as the skill sets required across the cybersecurity sector are very diverse. Building on comments made by Slay who, after a long and distinguished career working in cybersecurity since before the field even had a label, has still been told she isn't "technical enough", Wood said there's a need for seasoned practitioners to mentor less experienced entrants to the field and provide them with advice and guidance.
Wood broadened the discussion further, raising issues of diversity. Many companies seem prepared to up-skill potential recruits with more technical training but are less conformable in developing other skills. For example, she said there are many skilled migrants and refugees who have strong technical skills but whose communication skills are not at the same level. Businesses don't have the same commitment to developing language and communication skills as they have to developing technical skills.
The third panellist, Richard Addiscott, the Chief Security Officer at the Silver Chain Group, said there was a need to bust the myths around cyber. He said we need to have a broader discussion around information security. And the diversity discussion needs to go further than gender and include age, nationality and education. Addiscott said the focus needs to be on engagement and communications skills as it's more important to recruit the "right people" as technical skills can be taught.
Roberts asked each member of the panel what one thing they would do to address diversity.
Wood said workplace flexibility was important but the need for flexibility had to be balanced with the needs of the organisations. For example, she said face-to-face meetings in her workplace were only conducted between 10:00AM and 3:00PM. That way, people had negotiated school-friendly work hours wouldn't be excluded from meetings. Wood also noted the importance of calling out unconscious bias. That bias might come in the form of some staff being included in regular trips to a coffee shop, after hours social activities non-inclusive language or events that inadvertently exclude people.
Slay reiterated the importance of clear job requirements so that positions are well defined. This will help ensure the right people are recruited and the "not technical enough" tag can be avoided.
Addiscott wondered whether interviewing was the best tool when selecting people for cybersecurity roles. He said we should place a higher premium on experience, the context of that experience and the candidate's interest in a role. "Technology is a commodity" he said. He said the focus in recruitment ought to be about people and processes which you may not be able to access through traditional recruitment pathways.
For security team leaders, Addiscott said by focussing on individuals and building teams with the best people, you end up creating a diverse team wth people of different genders, backgrounds and experiences. He also said there needs to be a focus on servant leadership.
Reiterating the importance of mentorship and sponsorship, Slay said it is important to look for people who were willing to grow and want to be mentored and not just managed.
Building on that, Wood added that it was important to seek mentors who are not the same as ourselves.