Event Report: Women in Cyber

Cyber SecurityWomen in Cyber Security
Monday, May 29, 2017
Publication author(s):
Office of the Cyber Security Special Adviser
Publication abstract:

Supported by the Minister Assisting the Prime Minister for Cyber Security, the Office of the Cyber Security Special Adviser (the Office) hosted a Women in Cyber event on 8 March, International Women’s Day, in association with Cisco Live in Melbourne. The event was co-hosted by the Office and Cisco, sponsored by Australian Computer Society, Australian Cyber Security Growth Network, ISACA, and (ISC)² and with support from Australian Information Industry Association, Australian Information Security Association and Australian Women in Security Network.

The event was held to understand and address the causes of low participation by women in cyber security careers, a key action outlined in Australia’s Cyber Security Strategy, under the theme of A Cyber Smart Nation. 

AttachmentSize
File Event Report: Women in Cyber212.92 KB

Event Report: Women in Cyber

Supported by the Minister Assisting the Prime Minister for Cyber Security, the Office of the Cyber Security Special Adviser (the Office) hosted a Women in Cyber event on 8 March, International Women’s Day, in association with Cisco Live in Melbourne. The event was co-hosted by the Office and Cisco, sponsored by Australian Computer Society, Australian Cyber Security Growth Network, ISACA, and (ISC)² and with support from Australian Information Industry Association, Australian Information Security Association and Australian Women in Security Network.

The event was held to understand and address the causes of low participation by women in cyber security careers, a key action outlined in Australia’s Cyber Security Strategy, under the theme of A Cyber Smart Nation.

Thanks to sources like the 2017 Global Information Security Workforce Study, Women in Cybersecurity report we know only 11% of the worlds information security workforce are women. What we don’t fully understand is why, and what can be done to address this. The Women in Cyber event was designed to ‘crowd source’ information from a wide range of stakeholders, and develop those ideas into concepts that can inform future Government policy.

Approximately 70 women and men from across the cyber security industry, ranging from students to senior business leaders came together to participate in a series of roundtable and panel discussions over three hours. Our aim was to identify and refine, the barriers to women and girls entering and staying in the cyber security industry, as well as determine practical actions government and business can take to address these barriers.

The event was met with an enormous amount of enthusiasm from both participants and the Office. The responses and conversations on the day demonstrated the eagerness and commitment many women and men have for both enhancing their current work environment and attracting more women into such a dynamic, diverse, and fulfilling career. Marketing, role models and hiring practices were identified as key barriers to women and girls entering the industry. And workplace culture, the need for flexible workplaces and failure were identified as key barriers to retaining women in cyber security careers.

This paper outlines the methodology used to generate ideas at the event and provides an initial distillation of the ideas that were discussed.  

Methodology

Questions, as well as subtopics to drill down into specific issues, were provided to each table for two roundtable discussions. Each roundtable was then followed by a panel discussion to bring key discussion points to the larger group. Discussion points were noted by table scribes and have been analysed below. 

Ideas, key themes and recommendations

The responses we received were diverse and informative, providing us with an enormous amount of insight into this issue. More importantly, participants raised a number of key points that we can use to develop Government and business policy and actions aimed at increasing the number of women in cyber.

First, we asked our participants:

What are the barriers to women choosing cyber security careers?  What can be done to address these barriers?

Subtopics:

  • What attracted you to the industry?
  • How do we increase the number of girls and women studying cyber security relevant topics?
  • How can women identify and market their transferable skills?
  • Do parents have untapped skills because they raise cyber natives? 

A significant portion of the responses from the round table discussions were directed at three key areas of interest: marketing, role models and hiring practices.  

Marketing: This was the most noted barrier to recruiting women into the cyber security industry.  Of particular interest was the many different ways marketing appears to impact on both girls and women’s career choice. This included the lack of emphasis on aspects of a cyber security career that might attract more women, with the destructive hacker stereotype often promoted in the media instead. Participants suggested emphasising the ability to nurture, protect or improve society by mitigating threats might appeal to those who seek to build rather than destroy. However, this is not to be confused with the idea of ‘soft’ versus ‘technical’ skills. Participants said roles exist for those with both technical and nontechnical skills, and in many cases these skills are not in fact ‘soft’ but precise and necessary business and administration skills. However, they said that women were often discouraged from embracing their technical capability, and instead pushed towards career pathways that make use of only their non-technical skills. Participants stated there was insufficient marketing about pathways into the industry, career paths once within the industry, and the diversity of career options available in cyber security. Participants said this could be addressed by career counsellors and teachers in general to promote cyber security in schools. Finally, there was discussion of the overall perception of cyber security as ‘nerdy’ and the need to address this through targeted, conscious action.

Positive role models and mentors: Both within the industry or externally, role models and mentors were a significant factor for participants pursuing a career in cyber security. These role models or mentors were not always female, some participants described males who had encouraged and supported them in their endeavours. Importantly, participants noted that role models could be anyone in their lives, from parents, to friends, to management staff, to people they had never met. 

The impact of role models is something that PM&C is working to promote. Following the 2016 Cyber Security Challenge, female participants joined us in Canberra for a two day workshop to link our future generation of cyber security professionals to women in leadership roles within the cyber security sector. Attendees were paired with a mentor in the industry to help guide them through the early stages of their cyber security career. We intend to run this program again in 2017 and we encourage event attendees to reach out through their industry bodies, formal and informal women in cyber security networks to become mentors and role models for women entering the industry.

Hiring practices: Many participants noted that hiring practices were a definite barrier to recruiting more women into cyber security. For example, the influence of unconscious bias was raised as a possible reason for why women were not hired into available positions. A number of participants also mentioned the tendency of male recruiters or managers to create job descriptions in their own image. These practices unwittingly discourage women from applying and may have a significant impact on the ability of women to break into the industry. Participants also said this is especially likely if there are no females in the recruitment or hiring process. Finally, as was identified in the 2016 AISA Cyber Security Skills Shortage report, a significant contributor to the national cyber skills shortage is the tendency for organisations to hire based on experience rather than potential, theoretically reducing their need to invest in training employees. This limits the ability for entry level professionals to gain access to the industry, decreasing the overall expansion of the cyber security workforce but may be even more disadvantageous to women who may have had to take more time off work or study than their male counterparts. 

Secondly, we asked our participants:

What are the reasons women leave the cyber security industry?  What can be done to address these?

Subtopics:

  • Why did you stay in the industry?
  • Why have others left?
  • What are the cultural challenges to retaining women in the industry?
  • How do we communicate the opportunity to build a fulfilling career? (Including job variety, promotion and mentoring
  • Is the workplace truly flexible?

Having more women apply for and recruited into jobs in the cyber security industry is critical to increasing the female participation rate; however, if they are then not willing to remain in the industry we are unlikely to ever truly increase participation and harness the full potential of our talent pool.

In response to this question, three areas of interest were highlighted by participants: workplace culture, the need for flexible workplaces and failure.  

Workplace culture: For a significant portion of our attendees, the culture of a workplace and their place within it was seen a significant reason why women left or might have considered leaving a workplace. For many, forming connections and feeling as though they were welcome and belonged was seen as difficult in a male dominated workplace. For women who are the only, or one of very few women in their office space, forming social connections could be difficult if topics of conversations were not inclusive or social events were hosted during times they could not attend. There was also discussion about the prevalence of bullying and discrimination which were not adequately combatted by supportive management practices or a workplace culture that actively reduced this.  An organisation’s attitude towards familial responsibilities and perceptions that women were being recruited to meet quotas were also identified as current workplace culture issues. Finally, a company’s lack of willingness to provide sufficient time or funding for staff to adequately do their jobs, was a major barrier to retention.  Cyber security jobs require ongoing training and learning and this affected both women and men.

Flexible workplaces: A lot of participants said cyber security was a relatively flexible career– it is one of the benefits that attracted them to the industry in the first place. However, many attendees said that organisations that did not advocate for a positive work life balance and allow for flexibility made it difficult for women to manage their responsibilities. Participants said that organisations that allowed them to work based on outcome rather than hours, to work from home, work different hours, allowed children in the office or limited breakfast and evening meetings, as examples, were anecdotally likely to retain more women. It was also important for businesses to recognise, and allow for both men and women equally, the need to attend to their caring responsibilities. Organisations that did not create a flexible workplace culture often forced women to move on.

Failure: Participants noted that women tend to be more afraid to fail, less confident and perhaps criticised more strongly when they do fail.  These attributes were seen as negatively impacting women’s career development and a barrier to retaining women. Participants said we need to let women fail and show them they can still succeed. Participants noted that currently, we’re only hearing the success stories, which can make it harder for women when they do struggle. 

Next Steps

This event provided us with further insight into the barriers to increasing women’s participation in the cyber security industry and identified areas for further investigation. Alongside our own work, PM&C is seeking interest from the sponsors and the participants to undertake further research about and actions to address the key areas identified. This may take the form of general research, think pieces, other publications or workplace action programs.

Partnership is arguably the cornerstone of the Cyber Security Strategy, and we know we cannot achieve the change we want to see alone. Industry, industry associations and academia may already be undertaking work in this field. We would like to facilitate information sharing and collaboration across the Australian cyber security eco-system to reduce redundancy and amplify our efforts. We therefore welcome you contacting us at cyber@pmc.gov.au to identify and discuss areas where you would like to contribute or highlight areas where work is already happening to promote your efforts.  In the interim, the Office will look to develop further articles outlining specific actions around the barriers identified and calling for partners who might be willing to assist. 

Back to Resource Centre