Women in Cybersecurity Archives - CISO MAG | Cyber Security Magazine
https://cisomag.com/category/women-in-cybersecurity/
Wed, 17 Nov 2021 08:21:28 +0000

Diversity is Our Prime Asset for Cybersecure Digitalization
https://cisomag.com/diversity-is-our-prime-asset-for-cybersecure-digitalization/
Fri, 04 Jun 2021 10:30:11 +0000
We live in a complex globalized world that’s in the midst of a digital revolution, and that means massive changes for humanity. Digitally networked societies bring technological, economic, and human challenges – and at the same time, they’re faster and more powerful. On the one hand, there’s isolationism, nationalism, and the risk of complex cyberattacks, and on the other hand, there are vast opportunities for people, institutions, and companies. The energy business is also currently undergoing a technological revolution. And the more diverse the challenges in this dynamic environment, the more varied our responses to them need to be. And those responses should come from an entire network that crosses company and industry boundaries. It’s only by joining forces globally that we can make the most of the opportunities offered by digitalization and protect our critical infrastructures.

By Dr. Judith Wunschik, Chief Cyber Security Officer and Global Head of Cybersecurity, Siemens Energy

Diversity is a factor for success. In a team, the more diverse the members’ backgrounds are, the more varied their ideas, thinking, and solutions will be – and the greater their prospects for success and achievement. That finding has been reconfirmed in a study by the Boston Consulting Group (BCG). The BCG team found “a strong and statistically significant correlation between the diversity of management teams and overall innovation. (Surveyed) companies that reported above-average diversity on their management teams also reported innovation revenue that was 19 percentage points higher than that of companies with below-average leadership diversity – 45% of total revenue versus just 26%.”[1]

I also think that greater diversity has a very positive influence on our collaboration. The way we deal with others is friendlier, more empathetic, and less biased than in less diverse teams. But although it’s a recipe for success and a major strength in our globalized world, people don’t practice diversity everywhere. Companies can, and should, make the most of that strength, especially if they have to ensure secure critical infrastructures – like the reliable, resilient generation and distribution of energy.

In the cyber world, many roads lead to Rome

But from a manager’s viewpoint, it’s not always easy to put diversity into practice. It means more than just achieving a good balance between genders, although that’s tricky enough in itself. A diverse team reflects our complex world and is open to everyone, no matter their religion, ethnicity, culture, or social group. Today diversity in business also includes employees of different ages and different educational backgrounds, sexual orientations, and disabilities. So, diversity naturally also entails inclusion. But in practice, this means that to fill openings from a pool of diverse candidates, you first need an appropriate selection of people to choose from…

This story first appeared in the March 2021 issue of CISO MAG.


About the Author

Dr. Judith Wunschik has been the Chief Cyber Security Officer and Global Head of Cybersecurity for Siemens Energy since October 2019. She is accountable for securing Siemens Energy’s business operations, products, data, and assets as well as for ensuring compliance with cybersecurity regulations. She serves as a thought leader for cybersecurity as well as an advisor to Siemens Energy’s senior leadership on cyber risks related to products, services, and operations. In her current professional role, she is building the future global cybersecurity capabilities for Siemens Energy, including Information Security Operations, Supply Chain Security Management, and Product & Solutions Security Services.

Previously, Dr. Wunschik held senior management roles in the European banking sector, most recently as Chief Information Security Officer for ING Germany and ING Groep N.V. in Amsterdam. She is highly experienced in working with deeply skilled expert groups and is a renowned public speaker and valued member of prestigious international security committees. Dr. Wunschik holds a Ph.D. in Solid State Physics and Computational Theoretical Physics from the University of Erlangen-Nuremberg.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

Security is inbuilt in women’s DNA
https://cisomag.com/security-is-inbuilt-in-womens-dna/
Wed, 31 Mar 2021 15:00:32 +0000
As the world celebrated womanhood and women’s contribution to society on International Women’s Day, we at CISO MAG decided to devote the month of March to all the women in cybersecurity. The purpose of this article is to highlight the role of women in the industry and address several issues they face. This was in the light of the revelation that women’s representation in cybersecurity has been less than a quarter and has remained that way for almost a decade, if not more. Most of the problems faced by women can be traced back to the earliest days of their education, where stereotypes begin.

Here’s what the women in cybersecurity have to say on gender disparity, representation, and diversity in the industry:

Security is an aptitude

Right mindset: It has been widely preached that women lack adroitness in technical subjects. And to some extent, it has been imbibed in their beliefs as well. They are said to be good at creativity. What people don’t get is that the crux behind cybersecurity is the figurative thinking of great minds who are enthusiastic about exploring and exploiting cyberspace. So, the day we change the thought process of women that they are born with the skills required to survive in the field, is the day these trends will favor their growth. All that is required is a little practice and patience. It’s all about the mindset.

Gender disparity: I would second that the disparity traces its roots back to school. I have often heard people preaching that “Tech is for men and kitchen is for women”. On the contrary, I have witnessed some unparalleled men in the baking business and women in the tech space. It has nothing to do with gender. It is not just women but everyone in general who needs to be enlightened. Not much has been done about educating students about cybersecurity. I believe there has to be a separate program for bringing up cybersecurity awareness amongst the kids. The pros and cons of cyberspace need to be assimilated deep down into their roots right from the start. This is how we can make a change and our nation cyber safe. One more approach other than the awareness programs would be giving them exposure to unmediated scenarios in the form of games or challenges. This will catch their attention and make them brainstorm about the importance of security of their device and their data. This is how they would safely use their gadgets.

Diversity in cybersecurity: Specifically, with cybersecurity, it’s a specialized niche where you want a varied group of folks to provide that input. Security is an aptitude to look into details and no one is better than women at it. Security is inbuilt in their DNA. The drawback of not having women’s participation is that we miss the most inquisitive minds that the universe has to offer.

The tech industry is grappling with two big challenges. First, it is struggling to fill jobs with qualified candidates. The second, the remedies to which will also help cure problem #1, is diversifying beyond the current homogeneous band that fills the high-tech halls. Both problems are even more acute in the cybersecurity sector.

It’s not a woman or race issue, it’s a people issue that we need to know and be aware of.

 

Inclusive workforce

Gender gap: Yes, there is a wide gender gap in the cybersecurity industry. According to (ISC)²’s Global Information Security Workforce Study, women in infosec represent 10% of the global workforce, whereas 26% of IT professionals worldwide are women. There is a perception that cybersecurity is all about “HACKING” and this negative portrayal keeps women away from this industry. Most of them look for safe and respectable career options. Also, it’s a hard reality that cybersecurity is a male-dominated sector, with very few cybersecurity startups/organizations led by women.

To bridge the gap, we need to start with education and initiatives at schools and the college level. Industry connections with engineering colleges should facilitate workshops, classes, and demonstrations to create awareness about various roles and opportunities in the sector. This, in turn, can inspire students to strive for the right career path in cybersecurity.

Also, there is a lack of female role models in the cybersecurity industry. Appointing ambassadors and promoting women in this sector will inspire the younger generation.

Special scholarship programs for girls interested in cybersecurity, discounted trainings, and the participation of women cybersecurity leaders in security conferences will improve the visibility and participation of women in the industry. This participation can act as a strong myth-buster and remove all the negative impressions associated with the term ‘HACKING.’

Hiring opportunities: Given the huge skills gap in the cybersecurity industry, there is a strong need for an inclusive workforce. A diverse workforce is more productive, and research shows increased profitability in companies with more women at the senior level.

Businesses can start with sharing the stories of women who are succeeding across all levels in the organization. The long-term approach can expand the early-in-career talent funnel that is reaching out to on-campus girl students for internships and placements.

As a matter of fact, at DigiSec360 we have more women cybersecurity professionals than men.

Training and mentorship: There is no doubt that training and mentorship/coaching are the key initiatives for developing the women workforce in cybersecurity. Collaboration with industry leaders and non-profit organizations, and alignment with local chapters of organizations like WISP, DSCI, WiSYS, InfosecGirls, etc., will yield results.

However, when it comes to mentoring, though women tend to mentor other women more, considering very few women at the senior level, there is a strong need for building a pool of male mentors in the industry.

Sponsoring training and certification for enthusiastic and bright women employees is going to be a welcome step.

 

Women role models are scarce

Less representation of women: There is a societal view that a career in Cybersecurity/Information Technology is a path mostly for men even though there is nothing that predisposes men to be more interested in this field. Society has conditioned women to believe that Cybersecurity/Information Technology roles require technical skills or can be tedious, making women lean more towards social sciences.

This has geared the Women’s fold to have low interest even from using it as a career.

The lack of substantive and adequate role models in cybersecurity across the globe is also a contributing factor.

Lack of women role models: The rate of representation of women in cybersecurity is 24% and about 20% in technology; women role models that other women can look up to in the field are scarce. This is because the cybersecurity field is perceived as a male-dominated one, and there are insufficient women at the leadership level.

Besides, the industry’s limited role models could be based on another perception that the industry abhors work-life balance. It is one of the possible reasons for the gender gap, but it is good to note that this narrative is gradually changing. If an increased number of women excel, it will encourage more ladies to join the industry.

Cybersecurity scholarships for women: In cybersecurity, scholarships are important to encourage more women to get into the field, and many STEM programs are geared towards this. Encouraging and effectively engaging women and young girls in STEM would boost their confidence and lay the groundwork for future leaders who would make substantial cybersecurity contributions.

Funding could be a major issue for female inclusion in the industry; scholarships for women will encourage women’s integration as certifications help prove the women’s capability on a merit basis rather than the subjective opinion of recruiters.

What can men do? As men hold the largest percentage in the workforce leadership, they can support women by leveling the playing field with men. The men in the leadership roles can join women in advocating for inclusion, mentoring, sponsorship, and ending the gendered division of labor in the workplace.

Trusting females with the more technical aspect of the field may help improve confidence and easy integration. Executive management and the board’s support are vital because we are still operating in a male-dominated leadership environment.

Set specific shared goals for the representation of women and regularly measure progress toward them.

“Build a more robust pipeline for cyber talent”
https://cisomag.com/build-a-more-robust-pipeline-for-cyber-talent/
Tue, 30 Mar 2021 16:30:43 +0000
It has been an age-old myth that women prioritize family over work. Women are under-represented in tech and leadership. According to an (ISC)² Cybersecurity Workforce Report, women working in cybersecurity account for about one quarter (24%) of the overall workforce. Though there’s a continuing inequity, things have begun to look brighter. Workforces – especially post-COVID-19 pandemic and lockdown – have been offering flexibility in timings, empowering women to lead, and showing support through digital mediums. Change happens with time, but it requires consistency. There is a need to go beyond the 24%.

Let’s hear what Kavya Pearlman, Founder and CEO, XR Safety Initiative, has to say about Women in Cybersecurity:

Cybersecurity as a career: Two things come to mind: Pipeline and Retention. Pipeline – Cybersecurity is still portrayed as a career for the “hooded hacker dude,” and our cultural biases around gender roles and careers contribute to the issue. This male-dominating mindset exhibits a “dude-bro” culture, deterring more diverse candidates from entering the domain. On top of this, a misconception amplifies the trend that cybersecurity is a high-stress career with no work-life balance. This is only true for a small set of careers. For example, a Chief Information Security Officer (CISO) for a FinTech or high-risk organization may have less control over their lifestyle. Retention – Burnout, status-quo tech culture, biases, discrimination, harassment, and Diversity & Inclusion simply being used as a tool for PR, etc., are just some of the reasons why women are leaving the cybersecurity career for other more welcoming and diverse career options.

Oftentimes, it goes back to early education. There lies an opportunity to direct female students to choose technical education and build the soft skills necessary for the STEM career paths. We need to build a more robust pipeline for cyber talent. Schools should follow programs and frameworks such as the U.S. cyber challenge, National Initiative for Cybersecurity Education (NICE), K-12 cybersecurity framework that offers a set of best practices that help providers of cybersecurity education and training in the U.S. better prepare their students to enter the cybersecurity workforce and help employers to manage workforce shortages and recruit the talent needed to secure their systems. Privately organized Capture the Flag (CTFs) are also a great way to cultivate interest and desire to learn within young students.

Gender inequality: School must also be considered a potential boost for a cultural change in the way cybersecurity careers are seen. Despite the fact that women are more likely to enroll in university than men, tech jobs are still facing high levels of gender inequality. This will take time, but it’s crucial to use the aforementioned tools to mark a deeper transformation. In a way, given that some cultural constructs follow the society, this will naturally happen as demography is already making the world more diverse. The educational system plays a decisive role in making the change faster.

Gender and race: With the rise of AI-based solutions, the issue is becoming more and more relevant, and the over-representation of white men in the design of these technologies, could undo decades of advances in gender and racial equality. Equally important is a concerted effort to incorporate gender and racial balance in machine learning. It is crucial to prevent algorithms from perpetuating ideologies that disadvantage under-represented groups.


Disclaimer

Views expressed in this article are personal.

Empowering Marginalized Voices in a Digital World
https://cisomag.com/empowering-marginalized-voices-in-a-digital-world/
Tue, 30 Mar 2021 06:44:56 +0000
Over a century ago, the U.S. Congress sanctioned the 19th Amendment (Amendment XIX), which prohibits the states and federal governments from discriminating against U.S. citizens and denying them the right to vote on account of gender/sex. The success of the women’s suffrage movement is considered a milestone in western feminism. The beginning of the 20th century witnessed a turning point – women emerged from homebound duties to become wage-earning members of society. These women belonged to all strata – daughters of immigrants and diverse ethnicities. And this is where Cyber Collective (CyCo) steps in. CyCo smashes patriarchal stereotypes and makes a distinguished statement in the world of information technology and cybersecurity.

By Pooja Tikekar, Feature Writer, CISO MAG

Founded by Tazin Khan Norelius, Cyber Collective is the first and only women of color-owned data ethics, privacy, and cybersecurity research organization. CyCo’s strength lies in research, security awareness, privacy advocacy, and data ethics consulting. Given the advancement of tools and systems used for the convenience of end-users, the company firmly believes in engaging in an open dialogue on the modern-day cyber landscape. It explores and analyzes the mechanisms that influence human-technology interactions. Today, engineers, data scientists, and infosec leaders often find themselves in situations in which they use digital datasets that are collected or shared without informed consent, or those that are impacted by implicit biases. To address this inherent conflict between personal ethics and business goals, CyCo works directly with the community to educate and gather data transparently with an aim of creating a future where technology — though neutral — is overwhelmingly a force for good — for all.

CyCo uses the grounded theory approach in its creative, qualitative research, and then further uses the information to center marginalized folks — those who have historically been pushed to the margins by decision-makers in tech product and policy development — in conversations to impact the next generation of tech product and policy.

Integrating Pop Culture in Learning

Popular culture is an intrinsic element of our social and political lives. CyCo recognizes the value of pop culture in promoting digital literacy and building conversations around technical topics that impact our daily lives, including the impact of technology and how it shapes social dynamics. Using appealing memes, movie references, and unfiltered yet friendly language, the company educates the public and connects with a wider audience through virtual events on Zoom. Through creative and live audience research events, CyCo assesses their knowledge and gathers real-time insights to share workable findings that influence policy and industry. It also caters to its Instagram and Twitter following for social media outreach.

IFundWomen: By the People, For the People

The largest cybersecurity budgets belong mostly to Fortune 500 companies, further confirming that revenue generation or monetization strategies for startups around data privacy research are thinning. Through its IFundWomen Crowdfunding Campaign, CyCo intends to raise financial capital to foster research and bring awareness on the impact of technology on human lives.

Data Rights are Human Rights

Since the U.S. has no single federal law that regulates cybersecurity or data privacy, SMBs and marginalized communities encounter multiple challenges in the way data is consumed. Taking this concern into consideration, CyCo partnered with IT service provider Elroi and non-profit organization The Markup. Collectively, they launched a new petition to demand that the U.S. government start working on a new national privacy law to ensure the data protection of marginalized communities that big tech companies capitalize on. The company’s goal is to:

  • Create diverse and public subcommittees as part of the regulation drafting.
  • Seek an annual review of regulation compared to current technology advancements and interpretations.

To make its petition actionable, CyCo hosted a virtual event on January 28, 2021 – National Privacy Day. The event was graced by Rachel Cash, CEO and Founder of Elroi; Nabiha Syed, President of The Markup; and Brittany Kaiser, Co-Founder at Own Your Data Foundation and Cambridge Analytica whistleblower.

From February 1 to March 30, 2021, CyCo will continue to host webinars, workshops, and seminars to collect information that helps identify the gaps in our systems. It will also investigate tech’s impact on people who have historically been pushed to the margins by decision-makers in tech and policy.

“No industry, program, or topic can truly grow if it remains within the parameters of its comfort. It’s 2021, we should all know by now why we “need more women in cybersecurity,” if you don’t, well shame on you. But the women are here, and we’re making space for ourselves. The change is inevitable, it’s just up to us to make it. Be the change you want to see, or watch things stay the same. At Cyber Collective, we are the change and we’re bringing everyone with us,” says Founder & CEO Tazin Khan Norelius.

SNAPSHOT

Company: Cyber Collective

Founder & CEO: Tazin Khan Norelius
  • LinkedIn: https://www.linkedin.com/in/tazin-khan-norelius-49930740/
  • Twitter: https://twitter.com/techwithtaz

Website: www.cybercollective.org

Team Members:
  • Vanessa Miranda (Head of Engagement)
  • Caroline HSU (Head of Ethics)
  • Fara Islam (Manager, Creative Research & Development)
  • Rebecca Richard (Manager, Creative Research & Development)

Partners/Consulting Partners: UCLA Center for Critical Internet Inquiry (https://www.c2i2.ucla.edu/)

Social Media Handles:
  • LinkedIn: https://www.linkedin.com/company/cybercollectiveorg
  • Instagram: https://www.instagram.com/cybercollectiveorg/
  • Twitter: https://twitter.com/getcyco

Location(s): Remote organization but based in NYC

Core Strength: Qualitative Research

USP: Ethical technologists looking to build equitable tech need ethically-sourced data sets + focus groups to provide feedback and participate in beta testing.

Offerings:
  • Data Ethics Consulting
  • Security Awareness Workshops


About the Author

Pooja Tikekar is a Feature Writer and part of the editorial team at CISO MAG. She writes news reports and feature articles on cybersecurity technologies and trends.

“I personally believe girls are naturally blessed analysts and can make great research scholars”
https://cisomag.com/i-personally-believe-girls-are-naturally-blessed-analysts-and-can-make-great-research-scholars/
Mon, 29 Mar 2021 14:02:51 +0000
COVID-19 has changed the ways businesses operate today. Like health care and banking, cybersecurity was one of the most impacted industries with phishing and ransomware attacks at an all-time high. The pandemic also negatively influenced the workforce shortage trend, making it prominent and noticeable. One of the troubling elements of this shortage could be the underrepresentation of women in tech and cybersecurity. Women’s representation in cybersecurity has been less than a quarter (24%) and has remained that way for almost a decade, if not more. Lack of women role models in the industry roots from an unconscious bias in the society amongst all cultures that “tech is for men.” Pooja Tikekar, Feature Writer at CISO MAG, engaged in a conversation with Rajpreet Kaur, Senior Principal Analyst at Gartner, to discuss gender stereotypes and the need for more inclusive mentors in the industry.

Rajpreet helps IT leaders in resolving their network security issues across hybrid environments. Her research focuses on network security technologies such as Web application firewalls, DDoS mitigation services, advanced threat detection, deception platforms, and network security policy management tools. Rajpreet also discusses security gap analysis, DDoS threat mitigation, and ways to build cyber resiliency.

Edited excerpts of the interview follow:

A detailed assessment of security architecture from a technical standpoint helps identify and mitigate hidden risks that threat actors are likely to exploit. What are the most common and critical risks associated with network security that need remediation and improvement for building resiliency and improving an organization’s security posture?

Organizations must be aware of how the threat landscape and the business landscape shift. From 2020 onwards, there have been swift changes to threats with increased remote work and targeted malware campaigns that take advantage of worldwide events, such as COVID-19. The networks have evolved and hence network security must evolve to secure these hybrid networks. Phishing and other human-facing social engineering tactics remain the primary vectors of successful attacks; however, credential stuffing and scan-and-exploit tactics are also increasing. Digital business and edge computing have inverted access requirements, with more users, devices, applications, services, and data located outside of an enterprise than inside and users working from home.

Performing security gap analysis helps circumvent cybersecurity vulnerabilities. However, this evaluation may vary as compliance standards differ from one organization to another, depending on the scale of the business. And compliance doesn’t necessarily achieve security. How do we close the gaps between security and compliance?  

Compliance as a checklist approach can never help an enterprise to achieve continuous and adaptive security in an enterprise. Enterprises must use a continuous and adaptive risk and trust assessment strategic mindset to enable prediction and prevention, where feasible, and deploy detect and respond capabilities to adjust to changing threats. Enterprises must always remember that compliance is the baseline; our protection is business-risk-driven.

Most DDoS attacks rely on rented botnets. What other attack vectors do adversaries use to launch DDoS attacks? And how can CISOs adopt smarter ways to combat them?

DDoS attacks have become more intense and sophisticated in this pandemic world. Bots have been a primary source to generate these attacks. Security and risk management leaders must anticipate business interruptions by including DDoS preparedness in business continuity/disaster recovery procedures as well as incident response. Also, implement a layered DDoS defense by utilizing the best of cloud scrubbing center, cloud web application firewall, bot mitigation, DNS protection, internet service provider, and on-premises DDoS appliances consistent with your risk assessment.

You hold a master’s degree in Computing Systems and Infrastructure and your research focuses on network security, including technologies such as IPS, web application firewalls, and APT detection. However, gender stereotypes and cultural norms sometimes cause girls’ interest in STEM to falter. How can educators and industry experts foster a mindset that alters perceptions?

I am observing a strong interest in girls fighting beyond the cultural boundaries and showing great interest and adopting STEM subjects. Girls are making huge strides there. And these achievements of women in the industry have started to change the perception. Things are pretty different in different regions, though; in many emerging regions like Asia, we see parents encouraging girls to adopt STEM subjects as it leads to better jobs with good income. I personally believe girls are naturally blessed analysts and can make great research scholars, and that their contribution to the STEM industry is critical; the employees need to support that, along with society supporting them.

Women’s representation in cybersecurity has been less than a quarter (of the total workforce) and has remained that way for almost a decade, if not more. Do you think more inclusive mentors could change this?

I think the primary reason for fewer women in it is that cybersecurity careers don’t have fixed working hours and might require late-night meetings, traveling, etc., considering the criticality of the industry, and many find it difficult to manage with no support. Having good mentors can make a huge difference no matter what the gender is. Offering flexibility to help them find a work-life balance is very important. Work from home has provided many women a more flexible working schedule and is helping them to find a balance.

Women sometimes experience uncertainty at their workplace. What cohesive steps can men/businesses implement to make them feel confident and support them to ascend the corporate ladder?

I have been very lucky to have great managers who have hugely contributed to my career, and all of them were men. They strongly practiced gender equality, treating me equally, giving me equal opportunities, and making me a confident employee. Corporate policies implementing strong gender balance and equality can play a critical role to make their women team members feel motivated and equal.


About the Author

Pooja Tikekar is a Feature Writer and part of the editorial team at CISO MAG. She writes news reports and feature articles on cybersecurity technologies and trends.

For many roles, there are few, if any, women candidates https://cisomag.com/for-many-roles-there-are-few-if-any-women-candidates/ Thu, 25 Mar 2021 05:30:36 +0000 https://cisomag.com/?p=10996

It has been an age-old myth that women prioritize family over work. Women are under-represented in tech and leadership. According to an (ISC)² Cybersecurity Workforce Report, women working in cybersecurity account for about one quarter (24%) of the overall workforce. Though there’s a continuing inequity, things have begun to look brighter. Workforces – especially post-COVID-19 pandemic and lockdown – have been offering flexibility in timings, empowering women to lead, and showing support through digital mediums. Change happens with time, but it requires consistency. There is a need to go beyond the 24%.

Let’s hear what Heather Bentley, Senior Vice President – Customer Success and Support, Mimecast, has to say about Women in Cybersecurity:

On the gender gap: I think reaching out to young women is important to help them understand that they can have a great career in cybersecurity. As more and more of our lives rely on technology, this is a field that isn’t going to go away. I’m surprised that many young people are unaware of this opportunity. As a community, we need to do a better job of highlighting the different opportunities and roles that are available in the cybersecurity sector. You don’t have to be a programmer to hunt the bad guys! Also, we should show how exciting and how much fun the cybersecurity industry is to young people. There are not many industries that offer that many opportunities and new challenges to learn, develop new skills, and grow your career.

Better hiring practices for women: Businesses need to make sure they have a diverse pool of candidates. For many roles, there are few, if any, women candidates. I am a strong advocate of giving people opportunity. Not all roles require you to be a technical expert on day one. With the cybersecurity skills gap we see, there has never been a better time to invest in training academies and provide hard workers the ability to gain new skills. For women especially, businesses need to be flexible. As COVID-19 has shown us, it is possible to be successful and work from home. With the balance many women have between their families and their careers, moving away from a traditional 9 to 5 office environment is key. Let’s embrace this, provide flexibility, and get a more diverse workforce as a result.

Training and mentorship for women: Training and mentorship programs are the best opportunities we have to get more women into cybersecurity. It’s important for women to see other women being successful. I do a lot of outreach in schools and I’m surprised how many young female pupils will say “computers are for boys.” We must move beyond this thinking. There is so much opportunity now and in the future in this industry. We need to make sure young women are welcomed and supported. Many women in cybersecurity will tell you, they are often the only woman in a meeting. I am starting to see that change, but more needs to be done to continue to develop and support female leaders in this space.


Disclaimer

Views expressed in this article are personal.

“Introduce cybersecurity as a career path, and actively recruit” https://cisomag.com/cybersecurity-as-a-career/ Tue, 23 Mar 2021 05:41:07 +0000 https://cisomag.com/?p=10948

As the world celebrated womanhood and women’s contribution to society on International Women’s Day, we at CISO MAG decided to devote the month of March to all the women in cybersecurity. The purpose of this article is to highlight the role of women in the industry and address several issues they face. This was in the light of the revelation that women’s representation in cybersecurity has been less than a quarter and has remained that way for almost a decade, if not more. Most of the problems faced by women can be traced back to the earliest days of their education, where stereotypes begin.

Here’s what Carolyn Crandall, Chief Security Advocate and CMO, Attivo Networks, has to say about gender discrimination and career opportunities in cybersecurity:

Gender discrimination: Working in the tech industry as a woman is inherently difficult, even with a deep technical background or degree. Sadly, I’ve found that perceptions about women in the cybersecurity world are even harder to break. This can range from how people interact with me, to acceptance as a conference speaker, to being turned down as a volunteer contributed writer, despite being more qualified than many of their current male writers. I am not a person who typically points out unfairness, but sometimes it can be blatant. I have worked hard in my career to become a CMO that truly understands technology. I speak regularly at conferences, write technical bylines, regularly blog on technology, and create and deliver a significant amount of content on product and solution offerings. However, it is irritating when certain organizations automatically rule me out for opportunities simply because I am a female CMO.

I encourage all women to walk with swagger and believe that they do belong in cybersecurity. I find that doing this makes it easier to gain acceptance. I also love working at Attivo Networks as I have not once felt that people think twice about gender, race, or religious beliefs. Everything is all based on the impact you can make. It’s quite refreshing and appreciated.

Opportunities: New and diverse perspectives are the key to innovation, and it is critical for the advancement in the cybersecurity and technology spaces. I am a strong advocate both in my work environment as well as in volunteer activities to help educate and drive the advancement of women in technology. Attivo Networks has been aggressive in its college graduate hiring program and I have taken this opportunity to bring several millennial women on to the team. I often speak with undergrad and MBA students at Santa Clara University and I have spoken at When She Speaks, WITI, and most recently at the Silicon Valley TIE CMO Inflect event. This helps me build relationships, introduce cybersecurity as a career path, and actively recruit. For our newly hired recruits, we conduct weekly training on cybersecurity, our technology, and how to apply our technology to solve cybersecurity issues.

Beyond comfort zone: We also encourage the team to participate in external training forums like (ISC)², SANS, ISSA, and Cybrary. Notably, my team is ¾ women. I also encourage the women on the team to stretch beyond their comfort zone. I have found that many women want to master an area before they commit to advance. They sometimes tend to shy away from jobs or projects where they don’t have all the skills, whereas their male counterparts tend to be willing to go out on a limb and apply for jobs they are not fully qualified for. Throughout my career, I have always sought out jobs that had scared me in some way.


Carolyn holds the roles of Chief Security Advocate and CMO at Attivo Networks. She is a high-impact technology executive with over 30 years of experience in building new markets and successful enterprise infrastructure companies. She has a demonstrated track record of effectively taking companies from pre-IPO through to multi-billion-dollar sales and has held leadership positions at Cisco, Juniper Networks, Nimble Storage, Riverbed, and Seagate.

She is recognized as a global thought leader in technology trends and for building strategies that connect technology with customers to solve difficult operational, digitalization, and security challenges. Her current focus is on breach risk mitigation by teaching organizations how to shift to an active security defense that prevents, detects, and derails cyberattacks.

Disclaimer

Views expressed in this article are personal.

“In STEM fields broadly, the industry suffers from a lack of women, particularly women of color” https://cisomag.com/in-stem-fields-broadly-the-industry-suffers-from-a-lack-of-women-particularly-women-of-color/ Fri, 19 Mar 2021 05:45:21 +0000 https://cisomag.com/?p=10898

As the world celebrated womanhood and women’s contribution to society on International Women’s Day, we at CISO MAG decided to devote the month of March to all the women in cybersecurity. The purpose of this article is to highlight the role of women in the industry and address several issues they face. This was in the light of the revelation that women’s representation in cybersecurity has been less than a quarter and has remained that way for almost a decade, if not more. Most of the problems faced by women can be traced back to the earliest days of their education, where stereotypes begin.

Here’s what Jacquie Young, Sr. Director of Channels, APAC, Tenable, has to say about gender disparity, representation, and diversity in cybersecurity:

The representation of women in cybersecurity is just 24%. What are the reasons for this?

Not only in cybersecurity but in STEM fields broadly, the industry suffers from a lack of women, particularly women of color. This is because young girls are often discouraged from pursuing STEM fields at an early age for a variety of reasons – low expectations from teachers and parents, cultural perception of what’s considered a successful career, limited mentors, lack of exposure, and longstanding stereotypes that underestimate young women’s and minorities’ capabilities.

This leads to an unhealthy lack of self-belief when it comes to filling a role that’s traditionally male-dominated. We need to break through these stereotypes and encourage women to take on roles that excite them regardless and encourage young girls to pursue an education that will lead them to this path.

Do you think there is a dearth of women role models in technology and cybersecurity?

If you look at the Fortune 500 list, there are 37 women-led companies – that’s just 7.4% of the largest corporations. Twenty years ago there were only two women-led companies. While the numbers are heading in the right direction, companies today are nowhere near where they should be to experience the true benefits of diverse workforces and leadership teams.

It’s important for women to have role models in technology, and companies should do everything possible to encourage this because diversity breeds diversity. When women see other women in the industry it sends a powerful message that “you can do it, too.”

Do you think for areas like cybersecurity which often require certifications, scholarships for women are important?

While formal certifications in cybersecurity are useful, organizations also need to think about different career pathways into the security field. Employers should be looking to upskill their new and current workforce and provide them with accessible tools to acquire cybersecurity skill sets.

How can men support women in terms of climbing the corporate ladder?

Be an advocate for women. If you hear a woman being spoken over, call it out. If you see that a woman may need encouragement to put herself forward for a new or promoted role, help her. It takes everyone paying attention to create cultural change to make an organization more diverse and inclusive. In order to achieve progress in gender parity, mentorship programs, sponsorship opportunities, and the development of a positive office culture have to take place across all levels of the organization.


Jacquie Young is the Senior Director of Channels for the Asia-Pacific region at Tenable with over 20 years of experience specializing in Consumer Electronics, Networking, Channel Development, and Sales Strategy. She oversees channel strategy, market analysis, and target partner selection across APAC ensuring a robust collaboration between Tenable’s sales teams and its partners across countries.

She was previously at Cisco for seven years, including leading strategic planning with partners across APAC. In 2011, she established MBT Consultancy, a management consulting firm specializing in strategy & planning in the IT industry after obtaining her Masters in Business and Technology from the University of New South Wales in 2011. Prior to joining Tenable, Jacquie also led APAC Channels at Nokia.

Disclaimer

Views expressed in this article are personal.

Code Girls: The Bluestockings of Cybersecurity https://cisomag.com/code-girls-the-bluestockings-of-cybersecurity/ Tue, 16 Mar 2021 05:30:21 +0000 https://cisomag.com/?p=10742

The story dates to 1941, when mysterious letters appeared in the mailboxes of a few select students at Seven Sister colleges, seven liberal arts colleges in the Northeastern United States that are historically women’s colleges. These were students who had shown unparalleled skills in fields like Math, English, history, foreign languages, and Astronomy. Each student who received a letter was asked to meet with senior professors who asked them some rather peculiar questions — did they like crossword puzzles? Did they have wedding plans? All the selected students were women, and they did not have an inkling that they were being inducted into serving their country in a task that would stay secret for the next seventy years or more. These were the “Code Girls.”

By Augustin Kurian, Senior Feature Writer, CISO MAG

While history remembers the contributions of Alan Turing and his celebrated feat of breaking the Enigma code, helping Britain win World War II, the Code Girls were his western counterparts, who achieved a feat similar to that of the cryptographers at Bletchley Park. These women of prodigious intellect worked day in and day out translating documents and forming teams to solve the elaborate, ever-changing codes of the Japanese and German navies. Life wasn’t easy for them as they dealt with bureaucratic rivalries and administrative sexism. Liza Mundy in her book “Code Girls: The Untold Story of the American Women Code Breakers of World War II” tells the stories of these female cryptographers who cracked several diabolically difficult systems. In 1944, the code-breakers intercepted and decoded 30,000 water-transport messages a month. They were instrumental in enabling the U.S. Navy to pinpoint and sink several supply ships heading to the Philippines and South Pacific. They also created and spread false intel about Allied landing sites for the Germans to intercept.

The Code Girls were arguably America’s first ethical hackers, or rather the modern-day bluestockings — similar to the intellectual women of the 18th century.

Mundy’s book quotes a code-breaker named Ann Caracristi as saying, “It was generally believed that women were good at doing tedious work, and… the initial stages of cryptanalysis were very tedious, indeed.” She reflected “never in my life since have I felt as challenged as during that period… When the needs of society and the needs of an individual come together, we were fulfilled.”

But after the war was over, the women were expected to give up their jobs and jump right back on the baby-making bandwagon. Only a few were able to get high-level positions at the NSA, while for the rest, their tremendous achievements were buried deep in the classified pages of war secrets.

Cut to the present and women in cybersecurity have been a widely discussed topic. Women make up only 24% of the global cybersecurity workforce. “In the United States, I’ve observed that women consider the field to be too technical, preferring to work with people rather than technology. I don’t see that same reluctance among my international female students. I have to think it must be something tied to the culture—a meme that ‘girls don’t like this work,’” points out Barbara Endicott-Popovsky, Executive Director, Center for Information Assurance and Cybersecurity; Fellow, Aberystwyth University, Wales. “Some say that women don’t like the culture of cybersecurity organizations—they are too rough, too male, unfriendly—perhaps intimating bias. I’ve only had to address a couple of instances of clear female bias in my career; it may have been more prevalent, but my nature is goal-driven and curious, so I don’t allow myself to be distracted from my goals. In my experience, if you are passionate about what you are doing, distracting nonsense fades into the background. Find your passion, know how to prepare yourself, and then the rest of this resolves in the background.”

The first step towards solving any problem must be identifying that there is one. Several studies around women in cybersecurity point out how the disparity traces its roots back to school. “Lack of awareness among those advising students/girls of the many opportunities in high-paying cybersecurity careers is at the root of the problem. Colleagues who have held cybersecurity events specifically for young women have found a huge interest can be developed. The field is fun, exciting, ever-changing—like being a sleuth, tracking down adversaries, putting a puzzle together,” suggests Barbara. “This field wasn’t here 20 years ago when educators and advisors were getting prepared to teach and counsel. We need targeted programs to raise awareness among educators from K-12 through bachelor’s degree programs. We need a pipeline.”

In an online survey, Kaspersky Labs and Arlington Research pointed out that the average age at which young women decide on their future career is 15 years and 10 months, and those that haven’t decided by this time expect to have decided by the age of 21 and 9 months, making it very difficult for cybersecurity firms to influence their choices after this point. In 2010, even though 57% of undergraduate degree recipients were female, only 14% of them pursued majors in the same field.

Often, even when women do venture into the field, they struggle to make it into management positions. A global survey of nearly 22,000 firms revealed that “almost 60% of firms have no female board members, just over half have no female ‘C-suite’ executives, and roughly one-third of the sample has no women in either C-level or board positions. The results suggest that the presence of women on corporate boards and in C-suite positions may contribute to firm performance. The impact is greatest for female executive shares, followed by female board shares; the presence of female CEOs has no noticeable effect. This pattern underscores the importance of creating a pipeline of female managers and not simply getting women to the very top.”

Gender diversity comes coupled with surprising benefits

“Let me start by explaining why I think having more women in cybersecurity makes us all safer. In cyber, you need diverse points of view or you’ll miss potential threats. You must be right 100 percent of the time. The flawed hypothesis methodology – with which I fully agree — ensures having a diversity of perspectives when you form a vulnerability assessment team. This diversity is critical because if your organization recruits people with similar backgrounds, you’ll end up seeing everything the same way; however, if you have a diversity of views, then your organization will benefit from a wider situational awareness of possible flaws in the system. What I would really recommend women do is set their sails and don’t look back,” Barbara stresses.

According to her, “There is something for everybody – pathways range from purely managerial to deeply technical. Go through the framework and find what you’re interested in. Think about your gaps and how to fill them with further education and training. I encourage women to do what they’re passionately interested in and be persistent in pursuing their goals.”

Women were in the vanguard of cybersecurity and played a pivotal role in World War II, but their potential has not been tapped in the digital war the world is currently fighting.

While CISO MAG has discussed Turing possibly being the first and the greatest ethical hacker who ever lived, the stories of these young women aren’t that different from his. They were among the first to work in cryptography and early ethical hacking, making huge advancements for their country in a time of war. In an industry that has been marred by the oft-reported lack of gender diversity, these women’s stories should remind us that the realm of information security wasn’t always dominated by men. Their stories should also highlight the fact that we have a long way to go, as the 1940s weren’t all that different from some women’s experiences today in some respects. As Mundy points out in her book, “It was not easy being a smart girl in the 1940s. People thought you were annoying.”


About the Author

Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.

 

“Never let anyone have you think that you cannot achieve something because you are a woman” https://cisomag.com/never-let-anyone-have-you-think-even-for-a-moment-that-you-cannot-achieve-something-because-you-are-a-woman/ Mon, 15 Mar 2021 05:00:10 +0000 https://cisomag.com/?p=10705

International Women’s Day is a time to reflect on the progress we’ve made to encourage women in all environments. It is also a day to celebrate all the men who have mentored and supported their female counterparts. And though men are helping in axing gender stereotypes, multiple surveys still suggest that women are underrepresented in the tech world. Businesses need to come forward and educate young women about the fact that cybersecurity is chic, and the jobs cover a vast and diverse number of positions. Achieving gender equity is as important as changing the negative stereotypes about the industry.

Today we’re fighting cyber wars and our adversaries know we’re understaffed. To discuss the shortage of talent pool, initiatives for women’s education in cybersecurity, and lack of industry awareness, Pooja Tikekar, Feature Writer at CISO MAG, had a conversation with Monica Verma, Chief Information Security Officer (CISO) at The Norwegian Directorate of Health. Monica has more than 13 years of experience in information and cybersecurity, and has previously held the CISO role and worked as Head of Security, Risk, and Business Continuity for the finance sector. After supporting the financial industry for more than a decade with security, privacy, risk management, digitalization, vendor management, and cloud security, she wanted to contribute to and promote the health sector with her passion and expertise in this area.

Monica is also a board member of Cloud Security Alliance Norway and Women in Cybersecurity Norway. As her contribution towards a safer and more secure society and business world, she leads initiatives such as MonicaTalksCyber.com and the We Talk Cyber podcast series. In 2019, she also won “The Outstanding Security Performance Awards” for Outstanding Security Adviser in Norway, which is awarded by The Norwegian Business and Industry Security Council.

Monica got interested in technology at the age of 10 when she was invited to see the inside of a cockpit for the first time. She started her career as a developer and an ethical hacker.

Edited excerpts of the interview follow:

The world continues to battle COVID-19, and most industries continue to suffer. Right from the time the pandemic hit, many organizations suffered ransomware and phishing attacks. How are CISOs collaborating in the use of technologies, tools, people, and processes in a smart way?

Over the last decades, we have talked about various technical controls that to date are an important part of basic cyber hygiene. CISOs understand the importance of getting the basics right, even as the digital landscape evolves and gets complex. A lot of the investment done today still goes into that basic hygiene, which in return can help reduce the odds, the impact, or both, when organizations are hit by ransomware or phishing attacks. These include, but are not limited to, backups including offline backups on tapes, (virtual) network segmentation, layered defense approach, multi-factor authentication, antivirus and spam filters, patching, zero-trust approach to identity and access management, etc.

However, time and again, we have realized that investing in people and protecting the human aspect of cybersecurity is equally critical. The human element and controls around it are an equally important part of basic hygiene. One can have the best technical controls in place but when a user unintentionally clicks a malicious link and these controls are bypassed, the overall consequences can be huge. In fact, we have seen various ransomware attacks and breaches happen as a result of simple but successful phishing attacks. We are seeing a gradual shift in the mindset, from “Humans are the weakest link” to “How can we better protect our users and the human aspect of cybersecurity.” This shift in mindset is critical and needs to continue and take precedence in every organization.

In addition to basic hygiene and preventive controls, it’s equally important to be prepared for when the worst comes. Things can and will go wrong. CISOs are deploying detection and response capabilities, incorporating failsafe and adaptive mechanisms, ensuring up-to-date business continuity plans, and conducting table-top exercises for timely and efficient incident and crisis management. We are also seeing higher collaboration with the national cybersecurity centers and law enforcement agencies in case of cyberattacks, like ransomware, to handle them efficiently and lawfully as well as to reduce the impact on the organizations, their employees, customers, and other actors in the supply chain.

The nature of cyberattacks on health care related to COVID-19 varied greatly and affected the digital landscape. How has it affected the Norwegian Directorate of Health and what key measures have you focused on?

The pandemic changed our (digital) lives drastically and the way we interact, work, and collaborate. It made us more dependent on digital solutions that became even more tightly integrated into our everyday lives. At the same time, our digital life also makes us more vulnerable to loss of information and other consequences as a result of malicious actions, accidents, and mistakes. As a key player in COVID-19 management, the Norwegian Directorate of Health is exposed to an increased threat and risk profile. To support national crisis management, as we go through a challenging time, there has been an increased focus on robustness and our capabilities to better manage risks and cyber crises. Therefore, information security has been and continues to be a high priority within the organization and towards COVID-19 crisis management.

Additionally, there has been an increased focus on security awareness among the employees with regard to the changing digital landscape, increase in cyber risks, and measures to prevent falling prey to phishing and ransomware attacks. The key has been to train the users to educate them, not to trick them. The Norwegian Directorate of Health has worked in a structured way to ensure a strengthened security culture, secure work from home, and effective business continuity and crisis management towards increased cyber risk as a result of COVID-19.

On one hand, there has been continued focus to ensure basic cyber hygiene is in place, such as the principle of least privilege, network segmentation, patching, etc. On the other hand, there’s been a risk-based approach to include different aspects of people, processes, and technology as a part of the overall information security plan. To ensure that we understand our increased risks and that they are managed effectively, there has been an increased focus on the human aspect of cybersecurity and security awareness, in addition to vendor management, increased robustness, and effective crisis management. Information security is and continues to be an integral part of the overall work done by the Norwegian Directorate of Health.

Leveraging personal devices for working from home became the new normal. But BYODs have a real impact on cybersecurity if not properly accounted for. How are CISOs developing an overarching plan for the security of end-users and clients?

Securing the human element and the endpoints is an important part of the overall cybersecurity strategy and plan. We need a continuous shift in the mindset from “Humans are the weakest link” to “Mistakes will happen.” How can we protect, prevent, adapt and respond better? Additionally, as BYODs and work from home come into the picture, the cybersecurity strategy and plan also require addressing the cyber risks that this evolved digital landscape brings along. To ensure a safer and more secure working environment, the following are some of the key things to consider as a part of the overarching plan:

  • The line between the personal and the professional lives has blurred over time. It’s important to adapt your security policies to fit these integrated worlds.
  • Perimeter-based security is no longer effective. Apply a zero-trust approach to both your architecture, and identity and access management. Always verify.
  • Regular user awareness training is still key. Cybersecurity is about people, processes, and technology. The human aspect of cybersecurity is equally critical and must be addressed.
  • When conducting phishing training, keep in mind that the goal behind such training is to educate the users, not to trick them.
  • Define and implement your BYOD security policy to ensure acceptable use.
  • Keep your BYOD policy up to date and include secure practices such as restricting access to critical and sensitive information from non-managed devices, providing managed devices as alternatives when possible, and defining and implementing which apps are whitelisted.
  • Implement technical measures and controls such as Mobile Device Management (MDM), remote secure wipe, Data Loss Prevention (DLP) to safeguard company apps and data on BYOD.
  • Shadow-IT is a real concern and often difficult to manage. Deploy discovery tools, monitor your network regularly, and scan for unknown devices.

March 8 is celebrated as International Women’s Day, and women who rise to the position of a CISO are a rare sight. The low representation of women in cybersecurity is linked to a broader problem of their low representation in science and technology. What is the reason for this gap? Is it a business issue or a gender issue?

It’s a social issue. It’s an issue that has affected our society for decades. We as a society, including family, school, businesses, universities, etc. have a social responsibility towards closing the gender gap. Getting girls and women interested in STEM education at schools and in universities is good and important, but it starts way earlier. It starts at home. It starts in kindergarten. It starts with encouraging girls to dream and supporting them in pursuing their dreams.

There is a lot that can be done by everyone for girls and women at different ages and in different environments from home, school, and universities to the corporate world. There is still a huge gender gap because not enough is being done by everyone, and not always for the right reasons. Many, over the last decades, have fought for equal rights and equal opportunities for women. However, there are still many who don’t believe that the gender gap is a real issue that plagues our society. Others want to help but don’t really know what they can do to contribute, and then some do contribute but for the wrong reasons. Unless and until we understand and agree that this is a social issue that needs to be tackled at all levels in all environments, we won’t be able to close the gender gap in a sustainable way.

There’s a perception that information technology/cybersecurity is an occupation for men. Is it true that women are generally not presented with career opportunities in the industry, or is it because most women are unaware of them?

The key issues are (a) lack of inclusion and openness, (b) the stereotype that women aren’t best suited for these roles, (c) boys’ club culture, and (d) the “that’s how we have always done it” mindset. The perception is slowly changing. However, breaking the barrier and becoming a part of something that has mostly been a boys’ club with strong stereotypes isn’t easy and requires an active effort and openness from corporations, colleagues, and your network.

Another important aspect that contributes to fewer women approaching or being interested in technology or cybersecurity, is the lack of diverse opinions within the organization and around the table. Women can bring different perspectives to the table, in their ways of thinking, approaching, and solving problems. Many women are not considered for a career opportunity within technology or cybersecurity because of stereotypes. Many others don’t get to know about those opportunities due to lack of inclusion or not being a part of the boys’ club. Many women feel the resistance or are shy to be a part of a world that is more often than not run by the “That’s how we have always done it” mentality. In addition, many corporations still don’t support a work-life balance. In fact, in many cultures, working extremely long hours is considered productive, whereas exactly the opposite might be true.

A sustainable change requires a leadership that is open, diverse, and inclusive. To build such a leadership, one needs a balanced representation. However, representation is not only about diversity in what we see but also diversity in what we hear. This inclusion of diverse opinions and varied representations of what we hear can help bring different perspectives and openness around the table, allowing more women to be interested in technology and cybersecurity.

Is it viable for governments or educational institutes to launch funding/incentive/scholarship programs for women’s education/training to create a pool of skilled IT professionals?

Many organizations, governments, and educational institutions have started to build initiatives and scholarship programs to attract more women to STEM education programs or to pursue a career in technology and cybersecurity. It’s not a level playing field yet. We still have a huge gender gap. We need more of these incentives and funding. However, it’s extremely important to ensure these programs are built for the right reasons. Gender equality, diversity, and inclusion are not about fulfilling a quota. They are not about giving scholarships or jobs to a less deserving woman instead of a more qualified man. Gender equality is about allowing equal access to rights, resources, and opportunities. Yes, we absolutely need such initiatives and programs, but they need to be done for the right reasons, with the underlying goals of closing the gender gap and building a diverse and inclusive society. It’s about encouraging more women to consider and get interested in fields that stereotypically have been male-dominated. It’s about providing these women the necessary tools to break those stereotypes with their qualifications, passion, and purpose. It’s about ensuring that our corporate world has a diverse workforce, including at the leadership level.

Gender stereotype is a common phenomenon everywhere. What recruitment efforts must SMBs adopt to welcome higher female enrollment?

Step one is awareness and acceptance of the issue at hand. Step two is changing the mindset at the leadership level. These are the prerequisites to ensure your practical next steps to build diversity are successful and sustainable. Companies can adopt various measures to recruit more women but even before that, it is important to have an open, inclusive, and diverse mindset and leadership.

Organizations can apply both a top-down and a bottom-up approach. Recruiting a diverse and inclusive leadership not only sets the right tone at the top but also provides a better platform for building a diverse and inclusive workforce within the entire organization. Organizations can have internship programs to attract more women in tech. Mentorship programs can be used as an effective tool to help them build skills, self-confidence, and network.

Many other efforts can be done. Encourage, mentor, and support more women within the organization to become a part of the leadership team. Many women don’t apply for jobs unless they fit 100% of the criteria. Advertise your tech or cybersecurity roles in a gender-neutral way and with realistic qualifications, so you are not already excluding a huge chunk of talented applicants from the process. Create maternity and paternity programs for your employees. Encourage and support work-life balance. Have equal pay grades for equally qualified candidates, independent of gender. Provide these benefits and equal opportunities as a part of your recruitment process. Build an inclusive and open environment within your organization to keep your employees motivated and productive. However, for any women’s initiative to be successful and sustainable, it has to be done for the right reasons.

Lastly, what is your advice to young women who wish to climb the upper echelons of security leadership?

There are two key elements to this. The first is understanding and implementing what it takes to be a great leader. The second is to learn to communicate security effectively and tailored to the audience.

1. Good leaders are self-confident but humble. They believe in their mission but also promote and enable others. Women have had to fight for decades for equal opportunities in a male-dominated industry. Knowing your worth is the first step. Knowing and believing that women can have it all, is the second. Women bring diversity and varied perspectives to the table that organizations can benefit from. There is a phrase that my dad used to tell me and my sister while we were growing up – “Never let anyone have you think, even for a moment, that you cannot do or achieve something because you are a woman.” Leadership starts from within.

2. Effective communication is yet another critical element to increase your odds of becoming a part of the security leadership. Independent of which role you have today, if you wish to be an effective security leader, you should train yourself to think and work like a security leader. Understanding, learning, and communicating security effectively and tailored to your audience is critical. To be an asset and a part of the leadership team within an organization, it’s critical that you understand your audience and their needs. Invest time in learning about their overall goals and challenges with security. Invest time in learning the business language. Invest time in conditioning your mind to think like a security leader. Keep an eye out for opportunities and focus on providing value to the leadership. There will be failures. When that happens, reflect on the actions you took, note down your learnings, go back to element one above, remind yourself of your worth, and start again.


About the Author

Pooja Tikekar is a Feature Writer and part of the editorial team at CISO MAG. She writes news reports and feature articles on cybersecurity technologies and trends.

The post “Never let anyone have you think that you cannot achieve something because you are a woman” appeared first on CISO MAG | Cyber Security Magazine.

]]>