Why we need more diversity in cybersecurity
What type of person works in cybersecurity? Popular culture would have you believe that it’s just men, usually wearing hooded sweatshirts. On the rare occasion where a woman appears, she’s either the awkward type wearing a woolly sweater, or she’s dressed head-to-toe in leather. Stereotypes about the ICT sector are rife, but they are particularly acute when it comes to cybersecurity. And this has an impact on our ability to effectively fend off attacks.
Cyber-attackers are endlessly inventive when it comes to how they break into IT systems. For our defensive capabilities to stay ahead, we need to be even more creative and diverse in our ways of thinking. That can be hard if everyone on the defensive side comes from the same cookie-cutter background.
But it’s not just about increasing the number of women in cybersecurity. I’d like to see a wider range of educational and linguistic backgrounds, greater neurodiversity, and greater ethnic diversity. Now that I’m in a senior position, I try to be a role model and show young women and girls what a career in cybersecurity looks like, to counterbalance some of the stereotypes. Microsoft’s own research has shown that role models can have a significant impact in boosting girls’ interest in science or technology, which might otherwise plummet.
I’ve been lucky in that I’ve always felt welcome and supported in my career, which has spanned almost three decades from my first steps in cybersecurity at the UK Houses of Parliament, through to my current role at Microsoft. But unfortunately, I’ve often also been the only woman in the room, and it would be nice to see that change.
The misconceptions about cybersecurity jobs aren’t just gender-related, though. People assume that it’s all very deep and technical, or that you spend all day simply analyzing and responding to events. But there’s a lot more variety and plenty of different roles within the sector: from risk-based work, to policy engagement, to studying the sociology or psychology of security. It’s a broad field and there’s certainly a lot more human interaction than the stereotypes would suggest!
I think the psychological and sociological side of cybersecurity is an exciting, emerging area. We’ve traditionally built security solutions by focusing on the technology, but a big gap relates to user behavior, since human error leads to over 90% of cyber breaches. So while we’re creating anti-phishing technologies, for instance, we also need to be looking at how we can encourage safer online behavior and discourage riskier activity.
This more people-centric approach to cybersecurity is central to the work that my team of Chief Security Advisors is doing across Europe, the Middle East, Africa and the Asia-Pacific region. The starting point is always engaging with senior security stakeholders within our customers to understand exactly what they are trying to do, what challenges they face in engaging with their organization’s leadership, and how Microsoft might be able to help.
Since that’s the reason many people get into cybersecurity, it’s for the most part a sector full of passionate, truly motivated people who are trying to be the best in their field. That’s even true of some of the people breaking into systems: many of them do it just to prove that there’s a problem that needs solving!
There isn’t one type of person who should consider a career in cybersecurity. There’s always a way in and there are always opportunities to retrain. To me, it’s really a case of “the more, the merrier”. This is the only way to make sure that we can face future threats head-on.