When it comes to talent, the security industry and the business world are missing out on an under-tapped source.

Jeri Teller-Kanzler, Dr. Carrie Gates and Marsha Wilson are three highly educated, intelligent and thought-leading business leaders. And there are many more across the United States and throughout the world. But there aren’t enough.

A recent report by (ISC)² in partnership with Booz Allen Hamilton, titled “Women in Security: Wisely Positioned for the Future of InfoSec,” echoes the sentiment. According to the report, there is a lack of gender diversity in the information security workforce despite a cyber landscape that is rapidly growing and changing in complexity of threats.

“The information security field is expected to see a deficit of 1.5 million professionals by 2020 if we don’t take proactive measures to close the gap,” says (ISC)² CEO David Shearer. “Knowing this, it is rather frustrating to realize that we do not have more women working in the industry. Only 10 percent of information security professionals are women, and that needs to change.”

While women have represented approximately 10 percent of the information security workforce for the past few years, analysis from the last two (ISC)² information security workforce surveys shows that women are quickly converging on men in terms of academic focus, computer science and engineering, and, as a gender, have a higher concentration of advanced degrees. For example, women in information security are making their largest impact in governance, risk and compliance (GRC) – which the study identified as a growing role in information assurance and cybersecurity – as one out of five women identified GRC as their primary functional responsibility compared to one out of eight men holding similar positions.

“I find the results of the research heartening, in the sense that we are starting to see a full career progression for information security professionals,” says Allison Miller, product manager at Google and member of the (ISC)² Board of Directors. “We’ve moved past the stage where people say ‘you do what for a living?’ and have matured into an industry that needs and demands more diverse skillsets, and more sophisticated differentiation of roles. What the numbers say is that the industry needs more talent. Great! Yes! Let’s foster more talent and innovation, everywhere in information security. That means taking more risks and including more voices. Having hard data gives us the ability to assess industry gaps and shortages – and individual career objectives and expectations – in a more thoughtful and systematic way.”

The research also identified the unique differences between men and women in the industry, and found:

  • Women possess key character traits that enable them to succeed in GRC roles.
  • The percentage of women in the field with either a master’s or doctorate degree are strong, with 58 percent of women having advanced degrees versus 47 percent of men.
  • In the GRC subgroup of respondents, women’s average annual salary was 4.7 percent less than men. Interesting to point out is the difference men and women place on the importance of monetary compensation. Men value monetary compensation slightly over women who look for other incentives from their employers (i.e. flexible schedules).
  • Women are more progressive in their views on training methods. Offering increased accessibility and wider diversity of information security training opportunities may prove to be increasingly valuable in retention and in elevating professionals’ readiness to succeed in new roles.

 

Girl Power

Jeri Teller-Kanzler is director of cybersecurity for AVANGRID, Inc., a U.S.-based diversified energy and utility company and affiliate of the Spanish energy company Iberdrola. AVANGRID’s nearly 7,000 employees operate and manage approximately $30 billion in natural gas and electric generation, transmission, storage and distribution assets located in 25 states and Canada.

Kanzler says she grew up “in a mostly male-dominated bits and bytes Information Technology (IT) world where security meant firewalls, policy settings and datacenter protections. But, as our dependence on the Internet grew, and the networks and systems access points migrated out of the raised-floor data center, the need for an expanded approach to security became evident.”

“We realized we needed to incorporate people and process into the mix,” Kanzler explains. “And to do that, you need to go outside the traditional IT structure and tap into the training, education, risk, compliance and legal teams of an organization and get the business areas to participate. As our approach expanded, so did our talent needs, and the addition of more women was the natural result.

”Keri Glitch, our VP of Corporate Security, and I look at all facets of a business when approaching security; which is a philosophical difference to the traditional approaches.” (See the Keri Glitch interview in Security magazine in June 2014).

Kanzler and Glitch share a unique working relationship, in part because of their approach, and in part because of AVANGRID’s structure where Corporate Security is responsible for both cyber and physical security. “Our back office operations follow a regular IT model,” Kanzler explains, “but control of our natural gas and electric distribution systems and wind turbines now has shifted to the Internet. In the past, people would go into a substation and physically operate a particular switch. Now, the ‘switch’ can be controlled through the Internet from hundreds (if not thousands) of miles away by a click of the mouse. It’s all very convenient but also vulnerable. We’ve had to create a new security model and implement new controls to protect our cyber assets.”

That new security model was born from Kanzler’s “quirky” Internet philosophy, as she calls it. “The Internet has opened a new world; it’s exciting, it’s enabling, but, and here’s where it gets interesting: most of us don’t know how it works. We can’t see it, we can’t touch it, and yet we entrust it with most of what’s near and dear to us. Which makes protecting it all the more important. It’s a double-edged sword, which requires a tricky balancing act between necessity, convenience, risk and cost.

“When I joined [the company] two years ago, Keri asked if we could build a cybersecurity program based on an integrated people, process and technology philosophy. We know computers don’t wake up in the morning and decide to do something bad. They only do what people tell them to do. How we monitor, track, mitigate and respond to areas of risk depends on process. Identifying and implementing the protective tools and techniques is dependent on technology. At AVANGRID, our program addresses all three aspects, using risk (or riskiness) and regulatory requirements to drive decisions and manage expectations.”

For example, Kanzler and Glitch both understand not all cyber breaches are the result of malicious activity. “Sometimes people just make mistakes that can create vulnerabilities,” Kanzler says. Raising awareness amongst the business user population was one of the first priorities of the nascent cybersecurity team. Tools used to increase employee awareness included, a “passport to security” containing security-related information and tips, participation in National Cyber Security Awareness Month (NCSAM), publishing a quarterly security newsletter, a simulated email phishing program and encouraging all managers to start their team meetings with a security “tip of the day.” One of the main keys to the success of the cybersecurity program at AVANGRID is its top-down, bottom-up approach – which led to the establishment of the Business Security Liaison (BSL) program. BSLs reside in the business units and act as advocates, coaches and teachers to promote and support cyber security at the team level. “We now have 30 BSLs,” says Kanzler. “And, we’re recruiting more every day.”

“In October, we held our first ever Cyber Security Conference,” says Kanzler. The Conference, the brainchild of Kanzler and her team, included the BSLs plus business leaders and cyber security executives from AVANGRID, Iberdrola Spain, Scottish Power, Iberdrola Mexico, Elektro, and Iberdrola Renewables.

“Our main objective in putting on the Conference was to continue to integrate cyber security into everyday business practice. Each of the 65 participants attended sessions led by AVANGRID cyber and physical security experts as well as a number of keynote speeches from external experts,” she says. “They also had a unique opportunity to schedule one-on-one sessions with those experts to discuss specific challenges.” BSLs followed their own customized learning track during the three-day conference to boost their security knowledge. The Conference raised awareness, grew commitment and generated a lot of momentum, adds Kanzler. “It exceeded all of our expectations, and we’re already planning the second one.”

Another shining example of a female thought-leading business leader is Dr. Carrie Gates, who is a Senior Distinguished Engineer and Chief Scientist in Dell Research. She is responsible for driving the long view of the Dell-wide security strategy with regard to software and hardware products and services, as well as developing and leading a research agenda that has the potential to impact the strategic direction of Dell in the security space. She is also responsible for establishing Dell as a thought leader in the security arena through customer presentations, academic publications and new innovations.

Prior to joining Dell in November 2013, Dr. Gates was a distinguished engineer and director of research for CA Labs, the research arm for CA Technologies. During her seven years with CA, she published 29 papers, gave 25 invited talks, served on 11 panels, filed 20 patent applications and was a principal investigator on more than $1 million in externally-funded research projects. She previously worked for CERT at Carnegie Mellon University as a member of the technical staff, where she did research on security analysis of large volumes of network traffic. Prior to starting her research career, she was the systems manager for the Faculty of Computer Science at Dalhousie University (Canada).

Her undergraduate and master’s degrees were on the analytics side, she says, but her Ph.D work gravitated towards security because she notes, “There’s an adversary with cybersecurity that you are chasing, and I love being challenged like that.”

She points to two specific situations during her undergraduate work that she credits to her career path.  “I was looking for a job after my undergraduate degree, when a female professor asked me why I wasn’t pursuing my master’s degree. I hadn’t considered doing it until she brought it up. The second situation took place during a biology lab presentation. After I presented, the instructor pulled me aside and told me that I spoke like a girl, in that I ended every statement with a question and raised my voice. It undermines what you say when you speak like that.”

Dell as a company is working to advance STEM education (Science, Technology, Engineering and Math) for females through its partnership with Girlstart. Founded in Austin, Texas, in 1997, Girlstart’s mission is to empower girls in STEM. Everything about Girlstart’s headquarters screams girl power: from the neon walls, computers stickered in flowers, even a specially compiled “girl power” playlist. According to Tamara Hudgins, Executive Director of Girlstart: “Girlstart is designed for every girl. We’re not for the geeks. Our programs are designed for all girls, especially those who don’t know they love STEM yet.”

According to Dell, 80 percent of the girls involved in Girlstart’s Project IT Girls program go on to a four-year university, and 80 percent pursue STEM majors.

As a child, Marsha Wilson says she wanted to become a teacher. As Solutions Team Lead at Chef Software, and with past positions in IT and cybersecurity with Booz Allen, BAE Systems, Sempra Energy and DualSpark, she says she is teaching in the sense that she’s helping clients address problems and solve them.

“It’s always been frustrating to be in information security as woman,” Wilson says. “I have had conversations with female colleagues who have been told they don’t have the right to be in information security because they don’t have the right degree. But I work with highly intelligent colleagues who have theater and liberal arts degrees and who have a passion for the industry. So I believe that we need to stop focusing on the majors, and instead, look for someone who has the passion and can relate to people. Maybe that’s what we have missing all along. I also believe that we need to connect with millennials – tag-team them as they enter high school. You only really need to spark someone once. That’s what happened to me. I wanted to study Chinese while I was in the military because of one teacher I had in high school.”

One change that’s coming, according to Frank Cilluffo, Associate VP/Director for Center for Cyber and Homeland Security at George Washington University, is that the role of the CISO is going to be very different tomorrow than it was yesterday. “Historically people treated the role as a computer science and cybersecurity role from a technical perspective alone. And while that component is important, it’s only part in which a CISO’s role should entail. A CISO should not only speak to their tribe, but also play a role in communicating with executives, as cybersecurity is no longer a backroom issue, but increasingly a board room priority,” he explains. “Cybersecurity leaders have to find ways to speak to stakeholders and customers in a way that goes far beyond the technical component of their job alone.”

“Yes, we do have a national challenge to get more women into the field, because the current situation is completely unacceptable,” Cilluffo notes. “My experience is that my female MBA students are just as strong, if not stronger, than their male counterparts. It’s part of the changing face of what the cybersecurity and CISO mission will entail. They will not only have a technical expertise, but also a solid grounding of business, law, compliance, policy and communications knowledge and capabilities.”

Cilluffo recently returned from Estonia, which he says is one of the most developed cyber countries in the world, particularly with the way it has attracted more women into the cybersecurity field. Coding is taught in elementary school along with the English language.

Estonia’s Foreign Minister Marina Kaljurand, Cilluffo says, has made it “cool” to be a cybersecurity professional. “She’s a mentor, and women look up to her,” he notes. “And we need mentors in this industry. The challenge is to get to the K-12 area to engage young children. Academia and education has a responsibility to ensure it happens.”

Education, Training and Career Sources

There are numerous resources available to women and minorities about education, training and careers in cybersecurity and IT.