In this exclusive interview ahead of her session at Cyber Security Hub’s All Access: Cyber Security Global, executive director of Women in Cyber Security (WiCyS) Lynn Dohm shares her views on why diversity is integral to cyber security and how to encourage this within the industry.
Cyber Security Hub: Why do you think women are underrepresented in cybersecurity?
Lynn Dohm: Well, that is a very challenging and complicated question.
Historically, cyber security has been predominantly male dominated. So, the question really is: ‘how can we create more accessibility and more availability to underrepresented and underserved populations to get into cyber security? How can we create a broader awareness and break away from that groupthink mindset? How can we shake up the status quo and enter into a space where cyber security is a career choice, where we are all involved?
A lot of times in these conversations, we discuss diversifying the workforce. We also know, however, that sometimes diversity, equity and inclusion (DEI) initiatives can turn into a feel-good metric over taking actual action. Diversity is a metric that you can measure and can grow. If you see that growth, you might feel good about it and pat yourself on the back. This is focusing on bringing the pipeline into cyber security, but what about the ‘leaky pipe’, meaning retention?
At Women in Cyber Security (WiCyS) our mission is to recruit, retain and advance women in cybersecurity. You certainly cannot do this if they are not staying in their careers. So, that is really our core area of focus and progress is going to be made in the cyber security workforce when we really focus on what the state of inclusion looks like for women. Once you narrow down your focus and start tackling those challenges, you will cultivate this culture of inclusion – not just for women but for all underrepresented populations – and diversity will be able to expand in that space.
CSH: Looking at the idea of the ‘leaky pipe’ in the pipeline, what advice would you give to women who are facing this dilemma and may be considering exiting the cyber security industry due to the pressures that they might be facing? What advice would you give them regarding staying in the industry?
LD: Well, of course, stay in the industry! We are facing a critical workforce shortage, and we have worked so hard to be in the position that were are in right now.
To stay in the industry is important, but it is not necessarily always for everyone. It is definitely a personal journey. Some come into cyber security through traditional education, some through non-traditional education and some by default. This is the same as they navigate through their careers.
Opening up avenues and continuing to make networking connections, exploring other possibilities but also knowing that you have the camaraderie and the community there to support you is so important within the industry.
If you are at this point in your career and you are considering stepping out of it, I would recommend considering the options of leaning in and thinking about what would drive the change that is needed for you to stay.
For WiCyS as an organization, we are here to create opportunities, to provide resources and to create an inclusive space, including a mentor-mentee program. We have many different communities, including student chapters and 58 professional affiliates all over the world.
We also have specialty affiliates in artificial intelligence, CISOs, critical infrastructure, cloud security, neurodiversity, LGBTQ+ pride, people of color and more. You name it, we have a space in a community where you can not only learn through the resources that we have available on our website, and learn through the resources accessible through our mentor-mentee program, but also have that shared space of understanding and be able to continue rising in a space that you can really thrive in.
CSH: From an initial career perspective, what do you think can be done to encourage more women and girls to look at cyber security as a career option?
LD: When you peel back the layers, it is hard to be what you cannot see. I did not have a cyber security professional that I aspired to be until I was 35-36 years old, and that has its challenges. When trying to promote the cyber security industry, representation matters. When planning things like speaking engagements or conference planning, we need to be conscious of what these events look like in terms of representation.
Additionally, when we look at our own teams, that representation matters too. Having a diverse team can help solve problems within the cyber security space that have never previously existed. In cyber security we need different mindsets and skill sets, we need that multi-dimensional, powerful diversity of thought.
There are many different ways to bring out strengths that are integral to our gender identities, ethnicities, cultures, backgrounds, experiences, and more once we rise to the table. Once we have that, there will be momentum. Cyber security is a great career for many individuals, but this needs to be seen and heard, so others will aspire to be in it.
CSH: As you just mentioned, diversity is important in cyber security. Why is it so integral to enhance diversity for cyber security?
LD: Right now, we know that we have to shift the expectations of hiring practices and really create more accessibility. So, what does that mean? It can be interpreted in many different ways.
For example, one of my favorite stories is that two to three years ago, a man following my session at a conference in Columbus, Ohio,was proud to share that he has 35 percent representation of women on his team, and he said he would not stop until this is at 50 percent. So, I asked him what he was doing differently, and he was very thoughtful. Eventually, he said that he was paying attention.
When you have mindful practices and you are paying attention, then progress will be made. If you say that no underrepresented populations, for example no women, non-binary people or people of any other genders other than male, are applying for your positions this comes with assumptions that they do not exist, and this is not the case. There are things that individuals can do and if CISOs are concerned about building a diverse workforce, which they certainly should, then they should pay attention.
Part of this should be looking at their job requirements. There is some really wonderful data out there that supports this, for example I have heard that there are more cyber security jobs that have a CISSP requirement than there are actually CISSP certified individuals in existence. So, this is an unrealistic expectation and that we have to change. We are facing a critical staff shortage and are trying to build up our workforce.
Recently the International Information Systems Security Certification Consortium ((ISC)²) has estimated that 62 percent of those in cyber securiry roles in the US have less than four years of experience. We know that a workforce can be built without these really strict, stringent barriers of three to five years experience requirement. We need to take off everything that is unnecessary and only include the core needs as requirements, knowing that cyber security is like an apprenticeship.
Once a role is filled, the employee is likely going to be learning new tools and skill sets and ways to do their work. It’s important to take that interest in having a more open-minded understanding of job roles and requirements and move forward with those job postings that make more sense for the community.
Hear more from Lynn Dohm at the panel discussion, Towards a representative workforce: reducing gender disparity in cybersecurity, at Cyber Security Hub’s All Access: Cyber Security Global.
Read the original article HERE