A SPECIAL EDITION BY
CYBER WORLD Women in Cyber Security Exerting Strength, Providing Leadership
Contents
Latest News
Newest Vulnerabilities
Michelle Finneran Dennedy, Cisco
Theresa Payton, Fortalice Solutions
Ian Glover, CREST
Jo Stewart-Rattray, BRM Holdich & ISACA
Laura Brent, NATO
Women in Cybersecurity: Hidden Cultural Challenges
Jennifer Sunshine Steffens, IOActive
Magda Lilia Chelly, Responsible Cyber Pte.
Jane Frankland, Cyber Security Capital
Upcoming Events
Hello. We are proud to announce the second Special Edition of Cyber World, focused exclusively on the important subject of ‘Women in Cyber Security’. Women continue to be under-represented in the cyber security industry – with only 11% of the global workforce made up by women – but the many successes and achievements of women in the field have contributed greatly to driving the success of the industry as a whole. Without the creativity, passion, transformational leadership and innovation that women bring to the profession and the teams around them, such growth would not have been possible.

Secgate is a keen advocate for celebrating and building on the power of diversity – especially for achieving the highest levels of professionalism and quality and for establishing powerful and lasting relationships. We are thus excited to announce this special edition of Cyber World to highlight the many achievements of women in cyber security, but also to address persistent questions such as why this gender gap continues to exist and what can be done about it.

We present articles and analyses by Michelle Finneran Dennedy, Vice President and Chief Privacy Officer, Cisco; Theresa Payton, President & CEO, Fortalice Solutions; Ian Glover, President of CREST and President of Bloodhoundssc 1k; Jo Stewart-Rattray, Director of Information Security & IT Assurance, BRM Holdich, and board member at ISACA; Laura Brent, Cyber Defence Officer, NATO; Jennifer Sunshine Steffens, Chief Executive Officer, IOActive; Magda Lilia Chelly, Managing Director of Responsible Cyber Pte.; and by Jane Frankland, Founder of Cyber Security Capital. We also have an analysis on ‘Women in Cybersecurity: Hidden Cultural Challenges’.

We would like to thank all our contributors for their analyses and insightful contributions, and our readers for their interest and support. We hope you enjoy this Special Edition and look forward to your comments and feedback, which we value greatly. Please also feel free to share our magazine with colleagues and friends.
Laith Gharib, Managing Director
October 2017
Latest News: Rounding up the news
APPLE SUFFERS MAJOR DATA BREACH
The details of upcoming Apple products were leaked in the largest data breach of its kind experienced by the firm. According to Apple blogger John Gruber, the details that surfaced on the websites 9to5Mac and MacRumors were likely to be a deliberate act rather than an accidental leak. Confirmed discoveries include details of a new iPhone X model, an Apple Watch, AirPod headphones, an alternative identification system using facial recognition technology, and the introduction of a new interactive emoji interface. Apple has yet to provide an official statement. Read more here.

BRITISH GOVERNMENT WEBSITE OF HMRC COMPROMISED
Two serious security flaws have recently been identified on the tax services website of HM Revenue & Customs (HMRC) in the United Kingdom. The vulnerabilities were identified and blogged by Zemnmez, a researcher who discovered them when using the site to check his taxes. Either vulnerability could be exploited by attackers to obtain confidential information by redirecting users to a malicious website, or to modify taxpayers’ tax records. HMRC has released a statement acknowledging the identification of the flaws. A joint effort with the UK National Cyber Security Centre (NCSC) was initiated to address the flaws and streamline vulnerability handling processes. Read more here.

MEDICAL PUMPS VULNERABLE TO EXPLOITATION
With the advent of the Internet of Things, more medical devices are utilising advanced communication technologies to achieve their functional objectives. However, the increased connectivity also exposes devices to malicious activity. The United States Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued advice on September 7 concerning a syringe infusion pump – used in acute care and operating room settings – that could be remotely compromised by hackers. Another discovery was made by an independent security researcher, who identified eight security vulnerabilities in the Medfusion 4000 Wireless Syringe Infusion Pump, manufactured by Smiths Medical in Minnesota. The more dangerous vulnerabilities can facilitate remote code execution or man-in-the-middle attacks, while the medium-severity flaws can be exploited to sabotage communication or operational modules in the device. Read more here.

VULNERABILITIES IDENTIFIED IN GERMAN ELECTION SOFTWARE
In the run-up to the recent elections in Germany that took place on 24th September, a team of researchers from the German hacking group Chaos Computer Club (CCC) identified several critical vulnerabilities in the voting software PC-Wahl. The software has historically been used to capture and coordinate voting data from local polling stations across the country in all parliamentary elections for decades. Despite the publication of a proof-of-concept, the manufacturer of PC-Wahl has denied all allegations about the software’s vulnerability. German Federal Election Director Dieter Sarreither has liaised with the relevant state officials to undertake the necessary steps to address CCC’s discoveries. Read more here.
EQUIFAX LEAK COMPROMISES 143 MILLION CUSTOMERS
Between mid-May and July, Equifax Inc., a provider of credit scores, suffered one of the largest data breaches in the United States. According to a public statement issued on September 7th, attackers managed to gain access to certain files including names, social security numbers and licence plate numbers of as many as 143 million consumers in the United States. Equifax is currently managing the situation with the Federal Bureau of Investigation (FBI) and has hired a cyber security firm to investigate the breach, which is expected to complete its work in the coming weeks. According to the vice chairman of the Senate Select Committee on Intelligence, U.S. Senator Mark Warner, this breach represents a real threat to the economic security of Americans given the wealth of confidential information stored by such companies. Read more here.

EUROPEAN […] TARGETED
Facilities in the American and European energy sectors have been targeted by a wave of cyberattacks from a group known as Dragonfly. After lying dormant since 2014, following its exposure by Symantec researchers, recent activity suggests that the group has re-emerged. Utilising sophisticated spear-phishing campaigns, the group distributes infected files that facilitate the extraction of confidential network credentials to an external server, which are later used in follow-up attacks. On September 6, Symantec published its findings on the emergence of Dragonfly 2.0, revealing a series of indicators connecting the tools used in recent network breaches to earlier Dragonfly campaigns between 2011 and 2014. Read more here.

CHINA ESPIONAGE GROUP UPDATES TOOLS
Palo Alto Networks security researchers have identified an increased appearance of KHRAT, a remote access tool associated with a China-linked cyber espionage group, DragonOK. Investigations concluded that KHRAT has received significant updates, which support new tactics, techniques and procedures (TTPs) employed by the group in 2017. These include new spear-phishing techniques and Command and Control (C2) infrastructure. The most recent recorded attack targeted Cambodian government servers earlier in June, masquerading as traffic from other applications. Read more here.
Newest Vulnerabilities: Latest Developments and Trends
STEALTHY LINUX MALWARE ON WINDOWS SYSTEMS
Check Point researchers claim that the new incoming Windows Subsystem for Linux (WSL) potentially exposes Windows computers to a host of new Linux malware. The researchers argue that anti-malware solutions currently available for Windows computers are not configured to identify and manage Linux-orientated threats, thus jeopardising users of the new Linux command-line shell. However, the concern relates to the capabilities of contemporary security software rather than to a specific vulnerability. According to SecurityWeek, anti-malware developer Kaspersky Lab is aware of the potential for specialised malware targeting the incoming WSL and is researching threat detection technologies configured for such scenarios. Read more here.

BLUEBORNE EXPLOITS TARGET BLUETOOTH VULNERABILITY
Researchers at security company Armis have identified a collection of eight exploits, designated BlueBorne, that enable attackers to gain access to mobile devices, computers, and other IoT-enabled devices via a vulnerability in Bluetooth. In a proof-of-concept video, Armis researchers demonstrated how they were able to identify, access, extract data from, and command a targeted device via its Bluetooth connection. While users of newer Windows and iOS versions might be protected from such attack vectors, devices using older software versions remain vulnerable; and while most major electronics developers will have addressed this problem, newer and lesser-known players joining the IoT market remain potentially vulnerable. Read more here.

SHADOW BROKERS LEAKS NEW NSA EXPLOIT
The notorious hacking group The Shadow Brokers has released another NSA exploit and announced changes to its subscription plans. Dubbed UNITEDRAKE, the tool was leaked as part of its ‘monthly dump service’. According to an unencrypted user manual, the tool contains five components that enable attackers to remotely control targeted Windows computers. The tool originally made its first appearance in 2014 alongside five other pieces of malware in the classified NSA documents leaked by former contractor Edward Snowden. In addition, the group has announced its transition to ZCash (ZEC) payments, and raised its rates to nearly $4 million for the stolen exploits. Read more here.
MOBILE DEVICES CRITICALLY VULNERABLE TO PERSISTENT THREATS
Nine security researchers from the University of California Santa Barbara developed an investigative tool called BootStomp, which identified several critical zero-day vulnerabilities in the mobile bootloaders of multiple different devices using the Android operating system. These included a known and already patched vulnerability (CVE-2014-9798) in older bootloader versions. The researchers postulated that these vulnerabilities allow attackers to obtain persistent root access to the device, which could be exploited for illicit data extraction or to initiate a denial-of-service attack. All vulnerabilities were reported to the affected vendors, and a series of mitigation strategies can be found in their research paper entitled ‘BootStomp: On the Security of Bootloaders in Mobile Devices’. Read more here.

WINDOWS FLAW LIMITS THREAT DETECTION
Researcher Omri Misgav from American endpoint security provider enSilo has identified an inherent flaw in the Microsoft Windows operating systems from Windows 2000 to Windows 10, which limits threat detection effectiveness. According to Misgav, the error stems from a mechanism called PsSetLoadImageNotifyRoutine, which delivers notifications during module loading and thereby supports the identification of malicious activity. Misgav postulated that the error could be exploited to make the mechanism ignore selected files. This would allow attackers to fool the mechanism and embed malware. However, upon review Microsoft engineers determined that the alleged error does not pose a security threat, and no security patch release was scheduled. Read more here.

CRITICAL FLAW IDENTIFIED IN APACHE STRUTS
Security researchers at lgtm have identified a critical vulnerability (CVE-2017-9805) in Apache Struts, a popular open-source framework for Java-based web application development, allowing an attacker to remotely execute malware on targeted servers. According to the researchers, the vulnerability resides deep within the Struts code, in how it handles data from untrusted sources. Exploitation can be easily accomplished by submitting malicious XML in a specific format to trigger the vulnerability. This would enable the attacker to gain remote access to and control over the targeted server, facilitating further penetration into neighbouring systems on the same network. Read more here.
When Women Happen to Things, Things Happen Michelle Finneran Dennedy
About the Author: Michelle Finneran Dennedy is Vice President and Chief Privacy Officer at Cisco. She is responsible for the development and implementation of global data privacy policies and practices, working across business groups to drive data privacy excellence across the security continuum. Before joining Cisco, Dennedy founded The iDennedy Project, a public service organization to address privacy needs in sensitive populations, such as children and the elderly, and emerging technology paradigms. Dennedy is also a founder and editor in chief of a new media site – TheIdentityProject.com – that was started as an advocacy and education site focused on the growing crime of Child ID theft. She is a co-author of The Privacy Engineer’s Manifesto: Getting from Policy to Code to QA to Value. Follow her on Twitter @mdennedy.
Accomplished people rarely sit back and let things happen to them. They go out and happen to things. And now is the time for women to make things […]

We’ve knitted together a digital world from millions of connected devices modelled after our own human brains. Every new technology opens the door for greater expansion and innovation but also breeds new challenges to solve, including security and privacy. Yet, we are not innovating fast enough to counter these challenges. We have a ton of work to do and a significant shortage of more than one million cybersecurity professionals in the industry. Even more staggering, women comprise only 11 percent of the cybersecurity workforce. I think women are one of the largest untapped reservoirs of talent in the world today and that they should seize the opportunity to contribute to a cybersecurity industry that is impacting how each of us lives and works.

My own career story began as an undergraduate student in psychology at the Ohio State University. I worked in the educational robotic department and documented the behavior of students as they manipulated robotic arms. As I watched nearly every one of my fellow students get a laugh out of their ability to hack into and reset the machines, I wondered what it would mean for the technology to make a positive difference in people’s lives. This early experience was the beginning of a lifelong fascination with self-efficacy and the way we might use technology to solve human and worldly challenges. More importantly, it set into motion a passion for bringing kindness and humanity to an industry traditionally governed by uniform thought.

[…] technologies and develop innovative ways to break down our security and privacy barriers, those of us in cybersecurity need to be creative and expand beyond traditional roles and technologies. We can fight for and win back trust in technology, communities, and ourselves. This must include growing the talent pool to include and embrace diverse perspectives.

Increasing the number of women in the cybersecurity profession broadens the spectrum of ideas brought to the table and strengthens every company’s position in combating the most sophisticated attack methods. But it doesn’t stop there. Retaining talented women is just as important as getting them through the door.

If every experienced professional in the industry selected one person to coach and inspired them to stretch beyond their limiting beliefs or surpass the barriers holding them back, it would take only half a generation to have enough competent people working in a respectful environment to develop an abundant, innovative workforce. At Cisco, we call that the Multiplier Effect.

With each new technology and subsequent attack method, the cybersecurity industry is growing at an exponential rate. We cannot afford to exclude major pools of job candidates, which is why it is crucial for companies and leaders to build inclusive and respectful work environments.

After all the bugs are patched, the gear is installed and the lights are blinking, the only thing left is the data and the human stories people remember about each one of us. We in the industry need to extend a helping hand to people on their journeys and build a more cohesive cybersecurity ecosystem. Let’s join together and “happen to things.” Humanity depends […]

This article was originally published on Cisco Blogs.

Michelle Finneran Dennedy
Vice President & Chief Privacy Officer
CREST is a not-for-profit accreditation and certification body that represents and supports the technical information security market. CREST provides internationally recognised accreditation for organisations and individuals providing penetration testing, cyber incident response and threat intelligence services. All CREST Member Companies undergo regular and stringent assessment, while CREST qualified individuals have to pass rigorous examinations to demonstrate knowledge, skill and competence. CREST is governed by an elected Executive of experienced security professionals who also promote and develop awareness, ethics and standards within the cyber security market. CREST also supports the industry by providing in-depth guidance material and commissioning detailed research projects. All CREST research is provided to the industry free of charge and is available from the CREST website. Visit our website for more information on CREST membership and examinations, to find an accredited service provider or to download our research: www.crest-approved.org. Follow us on Twitter: @crestadvocate
Company Membership Demonstrable level of assurance of processes and procedures of member organisations
Professional Qualifications Validate the knowledge, skill and competence of information security professionals
Knowledge Sharing Production of guidance and standards. Opportunity to share and enhance knowledge
Professional Development Encourage talent into the market. Provision of on-going personal development
No More Hoodies: Why We Need to Attract More Women to Cyber Theresa Payton
About the Author: Theresa Payton served as the first female chief information officer at the White House, overseeing IT operations for President George W. Bush and the 3,000+ members of the Executive Office of the President. Currently, Theresa is CEO of Fortalice Solutions, an industry-leading security consulting company, and cofounder of Dark Cubed, a cybersecurity product company.
What image flashes in your mind when you hear the word cybersecurity? Is it a room filled with happy, diverse, productive people making a difference in the world around them? Sadly no. More than likely, it’s a guy hunched over his computer wearing a dark hoodie with some ones and zeros floating above his head. Or maybe it’s a cold room in a basement filled with rows and rows of computer servers. If you’re a woman looking at the next 30-40 years of your life, would you pick a career that looks so ominous?

Optics is one of the biggest hurdles we face as cybersecurity professionals, and the hurdle is even greater for women in security. Generally speaking, women are more drawn to careers where they can use their intellectual, emotional and interpersonal skills, and cybersecurity does a terrible job promoting itself in those areas. What if I told you that cyber can be an extremely emotionally charged field? Yes, it’s logical and yes, it’s technical – but the beauty is that we use those skills in conjunction with softer skills to truly help people.

As CEO of Fortalice Solutions, I work directly with the government, corporations and people to protect what’s most important to them, including intellectual property, financial assets and healthcare information. And perhaps the most rewarding of all, I work frequently with law enforcement to use innovative technology to combat human trafficking and childhood sexual exploitation. We need to demystify cybersecurity and talk plainly about how our field helps people, in real tangible ways. For example, I’ve often said that security is inherently flawed because it is not designed for the human psyche. Today security is not only an afterthought, security designs have zero empathy for the human. Do you know any non-technical professionals who profess a deep fondness for strong passwords? You don’t. Passwords are designed for the technology, and we ask the human to conform. According to cybersecurity best practices, people will share and forget passwords, and they will do unsafe things to get their jobs done, such as use free, unsecure WiFi. Haven’t you? Women’s natural intuition and emotional intelligence to see themselves in someone else’s shoes is exactly what we need to combat this problem.

To be more inclusive of women in cybersecurity, at least three things need to happen. First, hiring managers need to expand their criteria and qualifications. Many hiring managers are leaving women and minority candidates on the sidelines by chasing the same resumes, the same degrees and the same alphabet soup of certifications in future employees. While this might be one indicator of a successful hire, it is not the only indicator. The best cybersecurity professionals are insatiable learners and highly skilled problem solvers who think about the user while never underestimating the adversary. Take a chance on a different degree and background and invest in cross-training. Some of my best cybersecurity team members started out in a different field and are now some of the best, most well-rounded cybersecurity professionals we have on the front lines of fighting cybercrime.

Second, an April 2013 survey of Women in Technology found that 45% of respondents noted a “lack of female role models or [the encouragement to pursue a degree in a technology-related field].” It’s been proven that professional mentorship and development dramatically increase participation in any given field, so the lack of women in cybersecurity is really a compounding problem – we don’t have enough women in cyber because there aren’t enough women role models in cyber. While connecting with other women has had its challenges, there are wonderful women in cyber today – look at KT McFarland, Deputy National Security Advisor and Ambassador to Singapore, and Keren Elazari, a global speaker on cybersecurity and ethical hacker out of Israel.

I’ve been very lucky to work with wonderful, inspiring women in cyber, but I recognize that my exposure might be more than women starting their career. This brings me to my third point: I recommend all cyber practitioners, and especially women, take advantage of all the amazing free tools out there from RSA, TED Talks, and even YouTube. You can watch speeches from veteran cybersecurity professionals about their careers, hear their advice on how to succeed, and learn new skills to keep you competitive in the workplace. Consider free online courses in cybersecurity (a few possibilities are Codecademy, Coursera, Khan Academy, Udemy, MIT OpenCourseWare, and check locally for free bootcamps) or popular programming languages like Python. Ask your colleagues to show you their favorite geek gadget or ethical hack. There are some excellent security frameworks and guidance available for free online such as the NIST Framework, CIS Critical Security Controls, SSAE 16, and discussions on GDPR. Leverage social media to hear what’s on the minds of security experts. You must be a constant student of your profession in […]

It’s true that there is a shortage of women in cybersecurity, but there isn’t a lack of talented and strong women in this world. Cybersecurity requires a general shakeup, and perhaps women are the ones to do it. I’m grateful that I can talk about my industry, and I hope more women join this exciting field – they can even wear their favorite hoodie.

This article was originally published in Security.

Theresa Payton
CEO, Fortalice Solutions
Closing the Gender Gap in Cyber Security Ian Glover
About the Author: Ian Glover, President of CREST, has over 30 years’ experience working in the information technology industry. He was one of the founding partners of Insight Consulting and when the business was sold to Siemens Ian sat on the Board of Siemens Communications. Ian also established the CLAS Forum with CLAS as a partnership linking the Information Assurance knowledge of the UK Government with the expertise and resources of the private sector. Ian was the Chairman of the Forum until April 2012.
It is no secret that the cyber security industry suffers from a lack of gender diversity and it is estimated that only 10% of the global information security workforce are women. Increasing the number of women in cyber security is not simply for diversity’s sake, but for the sake of the industry. With the industry facing a skills shortage, recruiting more people into the cyber security sector is increasingly important across the globe and by consistently taking people from the same backgrounds, we’ll keep coming up with the same approaches and […]

The industry has begun actively addressing the issue, with major industry players coming together to discuss the main obstacles to gender diversity and, more importantly, what is needed to resolve them. Last year CREST, the not-for-profit accreditation and certification body representing the technical information security industry, released a report outlining the details and conclusions from its Diversity Workshop looking into closing the gender gap in cyber security. It analysed why diversity is an increasingly important issue, what is deterring women from entering the industry, how to make a difference, who to target and how to get the message out there.

The first step is to work out why women are not entering the industry. One of the major challenges we face is that despite cyber security being very welcoming to women, the impression from the outside is much the opposite. We have to correct the perception for women to want to come into it. There is a misconception that the industry is simply boring and just for techies, when it’s actually exciting, diverse, innovative and financially rewarding. But no-one hears about the good stuff. This can often be due to the language adopted when talking about cyber security and a lack of understanding around what the industry is, and what skills are required. It’s not just technical skills that drive the fight against cyber criminals.

Whilst it is important to address the current diversity challenges that the sector faces, we need to establish ways to facilitate change. This includes:

• Education - Industry should have stronger connections with schools, running initiatives to engage school children in workshops, classes and demonstrations to inspire them to strive for cyber security careers. Fighting for time in the curriculum is tough, so we need to target and incentivise head-teachers to lead from the top.

• Raise awareness - Overtly promoting cyber security careers and the opportunities available to women – and telling them it is a career that they can embrace and enjoy – is an essential first step.

• Industry perception - The marketing of the cyber security industry needs a lot of further consideration to ensure the sector is portrayed in an accurate, positive way. Ensuring all messaging is gender-neutral and attracts both sexes is essential. This of course also means attracting people from all different backgrounds and ethnicities.

• Support - Whilst it is imperative to recruit new women into the industry, it is also important to support and retain the women currently in the profession. Mentoring schemes and improved networking opportunities would improve the support network for women in cyber security. Offering support to women either returning to the sector or converting from elsewhere is also important, be it financially or emotionally.

• Promote role models and ambassadors - Raising the profile of successful females in cyber security would be really encouraging […] industry. There is a lack of female role models, and appointing ambassadors and promoting women would inspire the younger […]

• Removing barriers for entry - The cost of training can often act as a barrier to entry for people wanting to start or return to careers in cyber security, so supporting women financially through the availability of underwritten loans could act as one solution.

For any initiative to achieve short and long-term success, establishing who to target is vital. It is important to get the message across all ages, cultures and regions. Secondary school children are probably the most important group to target, followed by graduates. However, focusing on these groups alone will not solve the short-term problem. If the campaign was to only focus on schools, it would be eight years before any tangible changes became visible. Perhaps the most overlooked group is the returners and career migrators, but it’s certainly the category with the potential for the most quick wins. This group already has the skills, but just needs support, guidance and training tools to move into, or be welcomed back into, cyber security.

To effectively get the message out there it’s important to harness a variety of methods. The media must play a significant role with more female coders and cyber security experts in TV shows and movies – younger girls need to feel validated. This is poignant, because the message absolutely needs to reach girls that this career is for them. TV and radio campaigns, print advertising, social media campaigns and online adverts are all useful to reach the masses, but direct marketing and more intimate networking events will also have a great impact in a smaller group. Graduate fairs and schools are obvious targets, but to make a significant impact, the activity should be continual, or periodical, as opposed to a one-off event. Schools have limited time and the competition for air-time is enormous. It is therefore imperative to collaborate with existing initiatives in order to make the biggest possible impact.

Regardless of the media used to distribute the messaging, momentum and positivity are absolutely key to success. Reinforcing the idea that women in cyber security are somehow strange or abnormal only continues to put women off, resulting in a self-fulfilling prophecy. We need to stop getting hung up on how few women there are and what the challenges may be, but instead focus on the success stories and talk about why cyber security is an amazing career. It’s about fighting cybercrime, it’s innovative, it’s interesting, and let’s not forget to point out that it’s well paid, and a career for everyone, technical or non-technical.

Read the full ‘Closing the Gender Gap in Cybersecurity’ […]
For more information on CREST, click here.

Ian Glover
President, CREST
Women in Cyber Security Must Not Be Made to Feel Alone Jo Stewart-Rattray
About the Author: Jo Stewart-Rattray is board director of ISACA, chair of ISACA’s Women’s Leadership Council and director of information security and IT assurance at BRM Holdich.
… technology workforce, and particularly in cyber security, is complex and multilayered, yet for some women, it may be as simple as the discomfort caused by walking into a room and being the only woman. Whether that occurs at a staff meeting, an appointment with clients, or at an industry conference, it can be an uncomfortable dynamic, and one that should not be underestimated when sizing up the many reasons for the gender gap – make that gender gulf – between men and women in technology-driven professions such as cyber security.
In my role as board director for global business technology association ISACA, I’ve had the pleasure of participating in several networking receptions aimed at elevating and empowering women in the tech workforce. These gatherings are invariably upbeat, well-attended and have facilitated many valuable connections for those participating. They also have shed insights on why many women are reluctant to enter, or remain in, the cyber security profession.
So, what can be done to overcome that ‘only-woman-in-the-room’ hurdle? The ultimate solution is for many more women to enter the cyber security field so that being surrounded by men is a much less likely scenario. That, however, is a longer-term proposition. In the meantime, women must realize that they have tremendous value to add to the profession, which will quickly become evident to their male counterparts. For their part, it is incumbent upon men to make women feel comfortable and respected in all settings. A friendly smile or moment of small talk can go a long way.
Another common thread from many of my conversations about why many women pass on cyber security is the stigma that the field is, for lack of a more elegant descriptor, too geeky. Stubbornly outmoded perceptions linger that cyber security practitioners are socially awkward, still-living-in-mom’s-basement types, when the reality is that cyber security has become a board-level business priority for all organizations in today’s digital economy. Cyber security professionals are coveted, well-compensated and often need excellent people skills to successfully collaborate with their business partners. Organizations should clearly convey that messaging in the way that they advertise job postings and reach out to prospective candidates.
All of these concerns tie in with recent research from ISACA on breaking down gender barriers in the tech workforce, in which a lack of mentors and role models, workplace gender bias, unequal growth opportunities compared to men, and unequal pay were identified by survey respondents as top barriers faced by women in technology. ISACA’s SheLeadsTech programme aims to address the underrepresentation of women in technology, taking many of these factors into account. Revealing conversations like the ones I have had at the programme’s networking events provide an excellent starting point to understanding the challenges ahead.
As daunting as the outlook may seem – Payscale notes that only 21% of executives in the tech industry are women – there are many ways we can make a positive impact, such as participating in mentorship programmes, creating scholarships, pushing HR departments to adopt best-in-class hiring and retention policies (including offering flexible working arrangements), and countless other efforts that can make the cyber security profession more hospitable for women.
Generations of women have faced hurdles in being valued and respected in the workplace, but by standing up to the status quo, meaningful change has and must continue to take place. If we are resolved to make progress, I have no doubt that the day will come when talented, tech-savvy women will regularly be surrounded by empowered, female colleagues in our classrooms, offices and boardrooms.
Jo Stewart-Rattray, Director of Information Security & IT Assurance, BRM Holdich
Why Are We Still Talking About ‘Women in Cyber Security’? Laura Brent About the Author: Laura Brent has held cyber policy roles in both the public and private sectors. Currently, she is a cyber defence officer on the NATO International Staff, where she helps develop and implement cyber policy on behalf of the Alliance. Previously, as a manager at EY, Laura conducted cybercrime investigations and assessed clients’ cyber security programmes and maturity. Prior to EY, Laura served at the U.S. Department of Homeland Security, working on a broad range of security issues including cyber security and critical infrastructure protection.
SHOULD WE STOP TALKING ABOUT WOMEN IN CYBER SECURITY?
It is easy to dismiss the discussion of ‘women in cyber security’ as a boring one – the story doesn’t ever seem to change. Blog after article upon study repeatedly demonstrate that women in technology generally and cyber security specifically continue to be underrepresented in an environment that favors men. In 2017, women represented 11% of the global cyber security workforce – the same low percentage as in 2013. Frankly, given that this state of affairs continues despite the attention it has gotten, it’s tempting to believe that female representation in cyber security isn’t changing because we, as a field, ultimately don’t care enough to fix the problem.
WE SHOULDN’T GIVE UP YET.
Before women accept permanent minority status, though, we should ask: Do we really understand the problem? Though it is clear women are underrepresented in technology, continuing research is giving individuals, educators, and employers a better understanding of why women are underrepresented in technology. While it is beyond the scope of this article to argue what ‘adequate’ or ‘good’ representation looks like, it’s hard not to agree that the situation is bad: In 2017 in the United States, only 14% of information security professionals were women, while women represented 48% of the workforce overall. Moreover, more, and more specific, data are now available on the significant hurdles women face at school, during the hiring process, and in the workplace.
Take schooling, for example. A recent study in Israel demonstrated that teachers, when grading math tests of their own 6th grade students, gave boys higher grades and girls lower grades as compared to a group of independent teachers grading the same tests with the names removed. Another study showed that though women earn approximately 37% of U.S. undergraduate degrees in Science, Technology, Engineering, and Mathematics (STEM) overall, they account for only 18% of computer science degrees. While these studies do not represent great news for women in technology, they point to real and specific areas to target for improvement. In other words, we are getting better at understanding the problem.
Though the general challenges of women in technology have been long known within the field, every year more is unquestionably being done to rectify the issues. Big companies are spending big amounts to make diversity a priority. Intel has allocated $300 million for diversity efforts; Apple has dedicated $50 million to get more women and minorities into the technology industry; and Google spends $150 million a year on its diversity initiatives. There are also organizations devoted to assisting companies to recruit and retain women: The Anita Borg Institute, for example, has created the data-driven Top Companies programme, which helps pinpoint specific indicators and tangible strategies that allow companies to ‘[build] workplaces where women technologists can thrive.’
WE ARE THUS DOING MORE... BUT THERE’S STILL MORE TO DO.
All hope is not lost: people continue to better understand the causes of under-representation as well as devote increased resources to addressing them. But, as we said at the beginning: female representation remains suboptimal. Thus, the real question is: have we actually done all we can to improve?
The simple answer is no. These are huge and complex challenges, encompassing everything from bias in the classroom to workplace cultures that drive away women; more data and more money are key, but they are insufficient without long-term, serious commitment to change from the top. Once problems are identified, organizations must transparently measure their progress and then hold management accountable – in real ways, including financially – for their success in hiring, retaining, and promoting women. Company leadership needs to buy in – and demonstrate loud and continuous commitment to declared policies. Studies have compellingly shown the tangible business value of more gender-balanced companies; such focus on diversity is thus not only the moral choice, but the smart business decision.
As companies do attempt change, it’s important to realize that first solutions might not be last solutions. Unconscious bias training, for example, has become one of the most popular Silicon Valley programmes: Individuals learn to recognize the ‘stereotypes, both negative and positive, that exist in [their] subconscious and affect [their] behavior.’ Recently, however, some research has contended that unconscious bias training can, in fact, worsen behavior – if everyone recognizes that all people are biased, there’s less incentive to change a behavior that’s now firmly the norm. Some are already taking on the challenge to improve, rather than discard, such training.
Finally, as the push for more women in technology continues, it is also critical to recognize that there are real strains of active opposition to change. In September 2017, the New York Times published an article, ‘Push for Gender Equality in Tech? Some Men Say It’s Gone Too Far’, detailing how some men have begun to assert that the relatively modest efforts to level the steeply unequal playing field have already been excessive. Sadly, for some, the current gender balance seems to be a feature, not a bug.
GETTING BETTER ISN’T OPTIONAL.
One has only to glance at the front page of a newspaper to understand the importance of cyber security. In 2017 alone, there have been global attacks that have affected industries from shipping to healthcare, costing hundreds of millions – if not billions – of dollars. The possibility of a devastating attack on critical infrastructure remains all too real. The Euro-Atlantic security community now definitively recognizes that a cyber attack can be just as harmful to a society as a conventional attack.
In the midst of this crisis, industry is depriving itself of an enormous potential talent pool. Ultimately, the organizations that take meaningful action to hire and retain women first will be better positioned than their peers for success.
Laura Brent, Cyber Defence Officer
Forest Tree
A pioneering solution that empowers your functional teams to safeguard your enterprise.
The big data solution to network and data discovery, event detection and generating knowledge from your network to support your operational, compliance and security needs. Forest Tree enables you to make decisions based on real data from your network, whether those decisions involve operational, security or compliance objectives.
This solution shows you a comprehensive analysis of network traffic to identify and catalogue events in your organisation in real time. Our solution uses ground-breaking machine learning capabilities to bring insights on system and user behaviours, enabling decisions to be made holistically. It risk-rates behaviours, enabling unusual activity to be flagged to your operational teams. This solution learns and alerts you.
Forest Tree provides dashboards for IT operations, security and compliance teams that show the risk-rated activity and highlight individual high-risk communications. It provides the capability for teams to interrogate the database to investigate suspicious or unusual activity. This solution answers all your questions.
With all network activity captured and tools for making queries, Forest Tree gives you the ability to demonstrate your compliance to policies and regulations and to prepare reports as required. This solution is your organisation’s “Black Box”.
Forest Tree gives transparency to your business teams, seeing the same picture of the real activity passing across your network, enabling appropriate business-level responses. This solution enables cross-functional understanding.
Forest Tree
A holistic solution designed to protect and serve your business needs
Forest Tree provides information about data and communications in your network, allowing full visibility of activity from your systems. Operations staff can extract data to create inventories of your entire estate and its behaviour dynamically. It can be used to identify end-user computing, data transfers to cloud providers and other third parties. Forest Tree can bring you visibility of services that are outside the control of your systems management solutions.
Security
Forest Tree produces risk-rated assessments of all network activity, facilitates inspection down to packet level for security operations teams and provides security dashboards for management. Connections and data transfers can be approved so that they aren’t continuously flagged for attention. We use machine learning to characterise user behaviour and can identify when a user deviates from the norms for their role or is inconsistent with their peers. Forest Tree works with unstructured data within emails and attachments as well as structured data, providing the widest coverage of data traversing your network.
Group Functions
Forest Tree supports Group functions, who can have the same visibility of dashboard information and thus have transparency between operations and policy and compliance departments. Some examples of use cases include:
• Is user behaviour changing, and which users are not complying with policies?
• Are you in compliance with policies and regulations?
• Is the total risk score reducing in line with your plan?
Forest Tree
Designed for humans; engineered for networks
Performance engineered. Our solution is built to meet the needs of even the most sophisticated networks. Everything from the detection of events through to the generation of reports has been developed by our engineers to ensure speed and scalability. Our Core engine has been implemented and tested on networks that operate at one terabit per second — processing the entire network traffic, with zero packet loss, all in real time. Our solution is linearly scalable; we maintain our high performance on networks of any size or complexity.
Delivers certainty. Business decisions require accuracy. Our entire product has been developed and tested to ensure that you know exactly what actions are happening within your network at a given point in time. Its ability to act as a “black box” on the network, recording network activity for later investigation, gives certainty to your forensic investigations and incident reports. We help ensure your leadership are informed on any incidents before regulators and reporters approach them.
Built for people. Every part of our solution has been designed in consultation with security analysts, incident responders, penetration testers and CISOs to ensure that it is as efficient and as effective as possible. The user experience has been carefully considered to ensure that analysts can get to the features they need quickly, and the dashboards have been designed to ensure that each analyst is presented with the data they need to be able to perform their job. We work continuously with industry professionals to ensure our product meets the operational needs of security teams.
A defence-grade cyber security product, Forest Tree is a patented advanced Cyber Security solution that allows organisations to monitor and understand the content and context of each electronic communication channel. Contact us for a demo at: Info@secgate.co.uk
Women in Cybersecurity: Hidden Cultural Challenges
In an international economy which is becoming increasingly dependent on technology (i.e. Smart Grids, Cryptocurrency, Biometrics), the increased demand for skilled professionals is rapidly exceeding supply. Amidst this general trend, the cybersecurity industry is also suffering a critical gender disparity problem. According to a recent GISWS (Global Information Security Workforce Study) analysis on Women in Cybersecurity, the number of female professionals in the industry has remained stagnant at 11%, despite the global expansion of the cybersecurity industry.
Realizing the value of attaining corporate diversity, achieving gender equality has been a major focus and discussion topic over the last several years. This has resulted in multiple initiatives designed to increase industry awareness and encourage women to join the cybersecurity profession. These initiatives range from sponsorship programmes (i.e. Raytheon Program; Rebecca Gurley Bace SWSIS Scholarship) seeking to cultivate the next generation of cyber-ninjas, specialised events (i.e. Ally’s Skill workshop) that raise awareness amongst mid-senior level professionals, expert-panel discussions (i.e. Palo Alto, Black Hat USA) guiding C-level executives, and even a Women in Cyber Security Steering Committee. Despite these initiatives and the abundance of research available, the statistical stagnation of 11% still comes as a discouraging blow, especially when viewed against a projected workforce gap of 1.8 million vacant positions by 2022 looming ever closer. Which begs the question: did we miss something?
RINSE AND REPEAT
The unhelpful yet simple answer is yes. Almost all available investigations take a ‘rinse and repeat’ approach when identifying the challenges associated with gender diversity in cybersecurity. Cross-examining different research articles ranging from cybersecurity to human resources, common challenges identified include:
• negative work environments (i.e. Chauvinistic …);
• discrimination (i.e. Tokenism);
• opaque and intimidating recruitment tactics;
• inconsistent or delayed career experiences (i.e. Pay Gap, Delayed Promotions); and …
While it is regrettable that such challenges persist, most investigations often neglect to explore associated factors outside of mainstream cybersecurity and business development. This limitation is actually indicated on page 6 of the widely referenced 2017 GISWS report as part of its introduction, questioning whether ‘cultural issues, discrimination, access to education, or a combination thereof are contributing factors’. It is important to stress at this point that it seems that various cultural traditions and outdated gender perspectives remain the greatest impediments to greater diversity and gender equality at the workplace.
CULTURE, GENDER AND TECHNOLOGY
According to a YouGov investigation in 2015, which examined the attitudes of 24 countries regarding gender progressiveness, several European countries displayed more progressive attitudes towards gender equality than their American, Asian, and Middle Eastern counterparts. One explanation for such an outcome is that contemporary gender perceptions simply evolved from attitudes historically engrained deep within … progressive attitudes towards gender equality. Recent discoveries at a Swedish burial site identified the potential existence of female Viking warriors, although the role of warrior was predominantly perceived as an exclusively male domain in ancient Viking communities that existed across the Fjords, or modern-day Scandinavia. According to Charlotte Hedenstierna-Jonson, the leader of the excavation, ‘the gender roles may have been more fluid…and that…women may have been regarded as socially male…able to assume positions of military leadership’. If her inferences are accurate, it corresponds with the contemporary development of gender-neutral schools and the general progressive views towards gender equality in Sweden and other Scandinavian countries such as Norway. Whilst gender issues still regrettably exist, the OECD (Organization for Economic Development) Education at a Glance research revealed greater empowerment of women in STEM (Science, Technology, Mathematics, and Engineering) degrees in these geographical regions. However, if we apply a similar investigatory framework to the Asia-Pacific, we see a slightly – if not vastly – different story.
In comparison to other developed regions, the Asia-Pacific is still suffering from an inherent gender imbalance, attributed to many of the traditional roots of the multiple ethnicities populating the region. According to a report by Channel News Asia, even in countries like Singapore, which possesses a highly international profile, women are still facing multiple challenges when climbing the corporate ladder in the technology industry. This could be a result of ‘sticky cultural factors’, a concept proposed by Dr. Astrid Tuminez, the Regional Affairs Director for South-East Asia at Microsoft, and Philip Brett, president of TBWA\Asia, in their article for The Drum commemorating International Women’s Day 2017. A similar argument can easily be identified in Mihoko Matsubara’s 2015 article for Palo Alto Networks on the limited number of Japanese women in the tech industry. Her investigations … regarding ‘confrontation’ can further discourage women from entering the tech industry, let alone undertaking leadership positions and becoming role models for future generations.
Regardless of how globalised an enterprise, regional leaders must learn to work within local cultural paradigms. Only after a degree of cultural intelligence is cultivated can regional leaders begin removing bias, improving attitudes and sustainably empowering local female talent.
CULTURAL INTELLIGENCE, DIVERSITY AND STRATEGIES
Cultural Intelligence or cultural quotient (CQ) is a theory in organizational psychology which posits that it is an essential skill to be able to interpret unfamiliar actions, behaviours and motivational elements in a similar way as a person’s immediate compatriots would. In business, academic and government research, the term is used to represent one’s … According to Livermore, understanding other cultures can underline workplace cohesiveness through shaping how potential diversity-related barriers are handled, and is especially important in the context of stressful situations. We are briefly reminded that the term ‘culture’ can also refer to a unified identity, such as an industry culture. In the context of diversity, where does CQ fit in within the gender discussion in cybersecurity?
The answer is: In its solutions. According to a Dark Reading article by Jodie Nel, it remains difficult for women to break into both the security or technology sectors. According to the research mentioned earlier, the inherent masculine representation of the field, and accompanying chauvinistic culture, is thought to be the main cause of discouragement amongst women. As such, most solutions and strategies suggested to executives tend to revolve around three main objectives:
• Encourage the incoming generation through education and exposure;
• Raise awareness amongst existing staff; and
• Empower existing female professionals to dispel existing misrepresentations.
Most of these solutions inform and have flourished in the various scholarship programmes, discussion panels and workshops mentioned earlier in this article. However, it remains the uncomfortable truth that not all organisations are as progressive, or have the equity for such initiatives. Ergo, they could begin their own path towards better workplace gender diversity through employing the BCIQ (Business Cultural Intelligence Quotient) developed by Ilan Alon, Michele Boulanger, Judith Meyers and Vasyl Taras at the University of North Carolina. The BCIQ framework enables the assessment and measurement of cultural appreciation within a workspace. The scalable nature of BCIQ allows workforce managers at all levels to measure gender diversity trends within their relevant industries. A key benefit of the BCIQ is that its data is generated from observation and direct measurement against a pre-established standard at the company level. Unlike the self-reporting nature of most CQ frameworks, this significantly increases the accuracy.
PROGRESS, NOT PERFECTION
Whilst the statistical stagnation of 11% is particularly discouraging in the light of the projected workforce gap of 1.8 million vacant positions by 2022, there have been positive developments in the pursuit for greater gender diversity in the field. In a recent report developed by cybersecurity veteran Caroline Wong titled ‘Women in Cybersecurity: A Progressive Movement’, women are actually thriving in the profession and are feeling valued at their workspace. Whilst her study mostly comprises female executives with over 5 years’ experience in the field, it still signifies a positive outcome.
Understanding the limited amount of perspectives from women at the entry level in the cybersecurity industry, a few small interviews were conducted with women aged 22-26 who have just joined the industry less than a year ago. Whilst the abundance of research has stressed the importance of technical demands, it still boils down to supply and demand. Once enough STEM professionals exist, coding and other technical skills might just become the next ‘Blue Collar Job’ – according to Wired. Therefore, one of the respondents believed that with the rapid expansion of the field: ‘there will be more opportunit[ies] for women in cyber if a wider range of backgrounds…[as most women] often come from backgrounds such as audit, intelligence, forensics, physical security, and ISMS experience. With the new GDPR legislation I believe the field will need lawyers with cyber competence too’. In the context of the negative landscape portrayed in much contemporary research, this is a very positive response coming from a young professional who feels that opportunities remain plenty.
CONCLUSION
In this article, the various elements of ‘culture’ were examined. We have explored the correlation between gender perceptions and traditions being passed through history. We examined how inherent ‘sticky cultural factors’ can undermine the effectiveness and confidence of women interested in the technology and cybersecurity sector. We have explored the importance of cultural intelligence and even proposed a highly scalable framework for organizations. Finally, we learned that it is not all negative, and that women in both senior and entry level positions in the industry are feeling optimistic about their place in the industry and the opportunities arising from its expansion.
The takeaway point here is literally ‘Progress, Not Perfection’. The road towards gender equality has been trodden, with many ups and downs and often far too slowly, by other communities, industries and even governments for many decades. In addition, the gender problem is part of a wider diversity issue plaguing the cybersecurity industry as a whole.
Change is happening, however slow it remains. It is with hope that by updating our current initiatives – by accounting for cultural influences at localised levels – that we can increase the efficiency of how solutions are executed. As one of the interviewees mentioned, the cybersecurity sector is rapidly expanding. With the advent of the GDPR and incoming Chinese Cybersecurity law, industries will require more talent from a much broader background to support its technical operations, which will hopefully provide further opportunities to narrow the gender gap.
Secgate Research & Development
Want a Diverse Workplace? Think Culture, Not Compliance Jennifer Steffens About the Author: Jennifer Steffens is Chief Executive Officer at IOActive, responsible for all aspects of the company’s global business and strategic vision. Steffens has a wealth of industry and business experience, including having been an early stage member of several successful startups. Previously in her career, Steffens was a Director at Sourcefire, where she helped build and grow the business from $250K to over $35M in run rate in just four years.
One of the core truths of cybersecurity is that regulatory compliance isn’t enough. I’ve emphasized this point before, and so have many others. The logic here is straightforward: Regulations – necessary as they may be – are too inflexible and too slow to address the full spectrum of potential threats.

If you’re looking for real security, you need to build it from the inside out, weaving it into every layer of your organizational culture. That way, smart security practices emerge naturally – no matter what happens. In a sector as fluid as ours, it’s the only way to play. This principle holds true for another swiftly evolving business challenge: How to help traditionally male industries recruit and retain a more diverse workforce, ultimately embracing every facet of diversity.

Here too, compliance box-checking won’t cut it. If you’re just looking to satisfy the regs, you’re essentially telling your team that diversity is a hassle to be managed with minimal effort. In many cases, this results in lowering the bar for hiring practices to achieve compliance – and not in the development of a thriving and diverse team.

Diversity should be seen as a must for cybersecurity firms – and a company’s failure to establish such a culture should be seen as a threat both to its own future viability and to its clients’ security. That’s a pretty strong statement, I know. But here’s why I say it: The cyber realm is ever-changing and ever-evolving, and the threats never sleep. The only way to keep up is to maintain a workplace culture that is totally open to new ideas and diverse voices. And by ‘totally open’, I don’t mean ‘kinda open’. I mean so open that you’re willing to accept the mistakes, bad ideas, and occasional outright failures that inevitably happen whenever you’re genuinely challenging the status quo. I mean so open that you’re actively destroying all barriers – both obvious and subtle – to the emergence of genuinely innovative thinking.

I know our sector mouths such nostrums all the time. But look around. How many companies are acting on the realization that one of the biggest barriers to innovation is the chronic underrepresentation of so many talented pools of potential innovators? (That would be all pools except the male one, in case you’re wondering.)

It’s quite likely that a lot of companies are avoiding this because it requires an awful lot of work. Well, I won’t lie to you – it does. But I can tell you from firsthand experience that the effort is totally worth it.

This became apparent to me early in my career. I got lucky. I spent my early days in cybersecurity marketing with some really solid – and entirely male – research teams that just didn’t care that I was a woman. They cared about whether I knew my stuff; it’s how they judged everyone around them. Once I met that bar, these colleagues invested generously in my professional development. It was all very empowering – and very illuminating.

Unfortunately, time and time again I have heard stories from other women of early-career experiences that shattered their trust, set back their progress, and in some cases chased them out of the tech sector entirely. These women are not incompetents or shrinking violets who deserved to be weeded out of a competitive marketplace. They are highly talented individuals with much to offer, and the ultimate losers are the companies that treated them so badly.

When I became CEO at IOActive nine years ago, I was determined to instill an inclusive, status-quo-challenging mentality throughout the team. For us, it’s an absolute imperative. We have offices (and clients) around the world, and literally cannot afford to allow any barriers to the open flow of information and ideas – from anyone and anywhere.

The approach we’ve taken is less about ‘diversity programmes’ per se, and more about a culture that abhors all blockages to the development and dissemination of good ideas, no matter the source. In such a culture, communication is of paramount importance. As an executive team, we try to talk to everybody as much as possible so that we are aware of any formal or informal practices that might make our company less hospitable to smart ideas – and smart people, regardless of gender identity. For instance, we often use meeting facilitators to make sure that good ideas aren’t getting suppressed or shoved aside just because the people who have them happen to be introverted, soft-spoken, or otherwise inclined toward a communication style that male business cultures traditionally disfavor. It’s just one way of ensuring that all participants – of all genders and backgrounds – can present ideas for broader consideration. This not only widens the aperture for worthwhile thinking; it signals our seriousness about maintaining an open, welcoming corporate culture.

As a female executive, I obviously have a personal interest in seeing the cybersecurity field become more open to women. And make no mistake: While I’ve seen vast improvements throughout my career, there is still plenty of room for improvement.

I’m reminded of this every time I go to a cybersecurity conference. As a woman, I am a minority in almost every room I step into. I’m also reminded of it when I go to a CEO roundtable and folks from other companies initially assume I’m one of the event planners. It has happened more times than I can shake a laser-pointer at. Are these experiences a bit frustrating? Sometimes more than a bit frustrating? Sure. But over time I’ve come to a resolution: My best response is to be myself; to own my identity without apology; and to know that my voice has purpose.

And that’s what I want for everyone in our company. It’s also what I want for everyone in the cybersecurity sector. We need wholly inclusive business cultures that sustain and propagate themselves, and that organically generate superb outcomes for the daunting task at hand. This matters, because our work matters. At a time when our skills and ideas are more urgently required than ever, we need to see all artificial barriers to talent for what they truly are – a threat to our companies, a drag on our sector, and a dangerous impediment to the attainment of security in cyberspace.

Jennifer Steffens, CEO, IOActive
Secret Diary of a CyberFeminist Hacker: How to Handle Challenges in Cyber
Magda Lilia Chelly

About the Author: Magda Lilia Chelly is the Managing Director of Responsible Cyber Pte. by day, and a cyber feminist hacker by night. Magda spends most of her time supporting chief information security officers in their cyber security strategy and roadmap. She reviews technical architectures, cloud migrations, and digital transformations. She is continuously raising cyber security awareness and diversity at a global scale.
When my father first encouraged me to go to an engineering school, I did not know the challenges that I would have to face over the course of my career. Coming from a multicultural background, with traditional and conservative views on the roles of women and men, I deviated from that pre-determined life path that was meant to be. I was, from the youngest age, a problem solver, passionate about mathematics as well as physics. When I had my first computer in 1995 I felt very comfortable navigating, and discovering a totally different universe. I then embarked on my new journey, and followed my tech-calling. What I did was not common, but it was not that uncommon either. What I did not see coming was that it was still not widely accepted in various cultures around the world for a woman to BE a female leader in tech, and especially in cyber security. That only 11% of the cyber workforce are women speaks for itself.

When I started my preparatory school to become an engineer, I had comments like: ‘But you don’t look like a “geek”’. And, I did not for many reasons. I did not fit the stereotype that the majority was expecting: I loved fashion, I loved fast cars, I loved partying, and I loved computers.

When I think about my experience, from my engineering studies to my PhD, and then during my professional journey, I realise that I have always been around mainly male colleagues. Women were the clear minority in my industry. At my very first important meeting, I was asked to bring coffee. I definitely felt uncomfortable: ‘Hmm, I am the one doing the demo about an indoor positioning system in complex environments.’ It was absolutely bizarre, and as I was at the beginning of my career, it was not so encouraging.

Over the years, I got used to representing the minority, and I discovered that there are many reasons why these situations happen, including unconscious biases; and not only negative intentions. We all have unconscious biases, and when you get used to meeting only men in a meeting room when addressing the subject of security, you tend to be surprised when it’s actually a woman leading the meeting.

Women all know this challenge. By the age of 15, girls tend to be less confident, and lose interest in mathematics, according to the statistics. I have talked to many young graduates in cyber security, and all are fabulous, smart, and motivated. You can definitely see the passion that is there. However, only a few of them continue their technological careers in general, and even fewer in cyber security. The previously mentioned percentage of 11% did not suddenly materialise over the past few years, and there are various reasons for it.

In fact, there are now more job openings in cyber security than there are cyber security professionals. The demand will only increase in line with the growing maturity of companies in the cyber space. The world needs skilled cyber security talent, including women — and that’s why I consider myself as having a mission: inspiring more women to get into cyber security, and follow in my footsteps.

Will that be easy? Maybe not. So, what? Life is not easy. But everyone can do it, and especially a motivated, talented woman.

Let’s be clear here what this statement means: You will get to face some of the below challenges:

• Your opinion will not be heard in meetings – So, what. Speak up. Find allies to support you.
• You will be refused contracts – So, what. You will find someone else who believes in you. The world is small, but big.
• You will be appraised differently – So, what. Believe in yourself and find ways to prove your knowledge.
• You will be challenged by everyone – So, what. No one is perfect and we all make mistakes. Get your act together and make something great.
• You will be told that you can’t make it – So, what. Of course, you can make it. You know it.

Earlier this year, I launched a new initiative, ‘Woman In Cyber’, to help inspire, educate and encourage more girls and women to start a career in cyber security. It does address the issue of diversity differently, and even thongs to address the topic in a fun and different way. With my company, I promote and raise awareness of these efforts around the world, through free mentoring and support.

I absolutely realise from my own experience how important it is to have ‘that person’ supporting your choices, no matter who they are. In my case, my father has always been supportive of my choices, even when not approving. He was my mentor. Everyone should have that opportunity, and have a mentor. That is what women and girls need nowadays in order to continue to pursue their interest in cyber security, but also to climb the career ladder, even if the doors are initially closed.

And, if you’re passionate about promoting women in cyber to others, look at our articles on womanin-cyber.com and spend time inspiring other young women, helping them in their career. We can only make a difference together.

Mary Barra, Chairman and Chief Executive Officer at General Motors, said in one of her articles that ‘Diversity Will Crack the Code’. I believe that diversity will crack, not only the code but also cyber security.

Becoming an engineer, and a cyber security professional, has absolutely fulfilled me and made my career. It allowed me to become a recognized leader in the space. If you’re considering a career in cyber, I encourage you to go for it!

Magda Lilia Chelly, Managing Director, Responsible Cyber Pte
How to Use Men to Balance the Numbers of Women in Cyber Security
Jane Frankland

About the Author: Jane Frankland is the Founder of Cyber Security Capital and the IN Security movement. She is an award-winning entrepreneur, speaker, author, consultant and CISO advisor. She’s also one of the top 50 influencers in cybersecurity in the UK. Jane has over 19 years’ worth of experience in the industry, has built and sold her own global penetration testing firm, been an SC Awards judge for Europe and the USA, advised boards, and held senior executive positions at several large security consultancies. As an ambassador for cybersecurity she’s passionate about diversity in the workplace and her book, ‘IN Security: why a failure to attract and retain women in cybersecurity is making us all less safe’, is due for release in 2017.
I’ve got a bee in my bonnet and I feel compelled to write about this. This blog won’t be a long read, but hopefully it will add value and be insightful.

I’m not looking to score brownie points with anyone for writing it. Nor am I looking to antagonise anyone. But if I do the latter, I apologise in advance. I just need to draw your attention to something. Chances are you’ll know this already, but just in case you don’t.... Here goes. Deep breath. Feel the fear, and all that.

For almost a year I’ve been writing a book on women in cyber security, which comes from the premise of how a failure to attract and retain women in our field is making us all less safe. It’s nearing completion now, which I’m excited about, as are others. As you may also know, the topic of this book wasn’t something I planned on writing. It happened by chance, following a blog I wrote in November 2015 after reading an (ISC)2 report. And, it was the most non-strategic thing I’ve done in my life. How life’s laughing at me!

Yet, since then, I’ve found it’s become my whole world, and I’ve been championing women in cyber security daily – whether that’s been writing the book; interviewing women (and men) about the challenge; speaking at events about it; mentoring women (and men); sponsoring women (and men); connecting them to people in my network, who can help them more than me; or helping them to transition into our field.

In fact, last year I was invited to speak at 35 events – all over the world, largely about this issue, and this year I’m scheduled to speak at 30 events already, and [at the time of writing] we’re only half way through April. I was also nominated for five awards, shortlisted for four, and received two.

Anyway, I’ve enjoyed the work I’ve been doing immensely, as I’m passionate about increasing the numbers of women in cyber security. Yet, the reason why isn’t purely because I believe in treating all people fairly and because it’s just. It’s more to do with performance.

As research suggests that women think differently to men, I firmly believe that women must play a fundamental role in helping us in cyber security to perform to a higher standard. When cyber crime, cyber terrorism and cyber warfare are on the rise, and attacks are becoming more sophisticated, we need to do something differently. After all, businesses, economies and lives are at stake.

As people are the foundations of good security and one of the components of the golden triangle (people, processes and technology), I do wonder why so many are looking to exclude one group – men. Yet, ‘women-only’ groups, even when men are welcomed, are doing just that. The words signal that men aren’t welcome, or that this group isn’t for you if you’re a man.

Words are so important. They’re powerful, and change always begins with words, in language. A while ago I was honoured to keynote at JP Morgan, in London, as part of Women’s History Month. I spoke about my 19-year journey in cyber security, and how I transitioned from being nominated as a Young British designer in my twenties to one of the UK’s top cyber security influencers. I shared my failures, and ten important lessons I’d learnt along the way. I also spoke about how men ARE a big part of the answer to redressing the gender diversity balance in cyber security.

Although there’s a lot of talk about equality or better still equity, women are perceived as belonging to the outside of power. You can hear this in the words that are used – in shared metaphors like ‘knocking on the door’; ‘storming the citadel’, or ‘smashing the glass ceiling’, and so on. Sadly, phrases like these undermine women, as they imply that women have to break down barriers, or alternatively that they have to take something that doesn’t quite naturally belong to them.

Women can’t be fitted into the workplace and reap all of the opportunities that could be afforded to them until the system that was originally engineered by men for men evolves.

I don’t blame men for this. Until things change, women need to learn how to play the system (or game, as I like to call it), which is entirely possible, as it’s flawed. But, we also need to accept that we cannot hope to change things permanently without the backing of men, and that means educating them and including them. In cyber security men are 90% of our industry, and they are the key to helping us transform the balance. Men are the change makers. But, only if ‘women-in’ and the division ceases. It has to stop being about ‘them and us’ – men and women. When I entered the industry nearly twenty years ago it was never like this. No one actually cared if you were a man or a woman.

I believe if we’re going to change things and alter the balance, it has to be about performance, and as a result I believe men should NOT be excluded.

As a mother of two sons and a daughter, and someone who loves working with men and cool women, I know that good men – the majority of our industry – want to help. I know that many have daughters and wish them bright future careers where they’re able to fulfil their potential. I also know that many men are being inadvertently ostracised with some of these well-meaning initiatives and made to feel like they’re the problem. I even witnessed a man at an event recently apologising for this. So let’s be clear. Men are NOT the problem. They’re the SOLUTION. The problem is the SYSTEM. I know that men want to change the system for themselves too. They not only want more women in the industry, as it’s more fun and normal, but they want to improve their situation. They want more of a work-life balance, to be around for their children, and to stop being penalised for wanting to take paternity leave, or to take time off with their children or families.

To conclude, I firmly believe: That we’re ONE team in cyber security. That we’re stronger TOGETHER. That there’s no ‘them and us.’ No men versus women. And, that no one sex is better than another. However, I do believe that men and women are different. And, that’s a GOOD thing.

Jane Frankland’s upcoming book ‘IN Security: why a failure to attract and retain women in cybersecurity is making us all less safe’ will be published by RETHINK PRESS.

Jane Frankland, Managing Director, Cyber Security Capital
Cyber World: Missed an edition? Want to subscribe? Want a hardcopy? Want to contribute? Contact us on firstname.lastname@example.org

CSX NORTH AMERICA, hosted in Washington DC, USA, 2nd to 4th October 2017
INFOSECURITY NORTH AMERICA, hosted in Boston, USA, 4th to 5th October 2017
IP EXPO EUROPE 2017, hosted in London, UK, 4th to 5th October 2017
SIXTH ANNUAL FUTURE OF DATA PROTECTION FORUM, hosted in London, UK, 5th October 2017
ISSA INTERNATIONAL CONFERENCE, hosted in San Diego, USA, 9th to 11th October 2017
CSX EUROPE, hosted in London, UK, 30th October to 1st November 2017
About Secgate

Secgate is a specialist security advisory and technology innovation group made up of experienced and award-winning tier 1 professionals who deliver intelligent protection solutions that both strengthen and empower our clients’ IT security and resilience. Our in-house technology department builds, implements and manages next-generation IT security tools to help our clients analyse, correlate, identify and eliminate cyber security threats. With headquarters in the UK, Secgate Technologies is made up of industry experts and leading technologists who have built a suite of solutions with proven defensive capabilities that tackle IT threat detection, analytics and IT incident response. Our flagship product, Forest Tree, has been successfully deployed in a number of complex and uniquely demanding environments. Our combination of consultants and technologists allows us to deliver unique and innovative solutions that provide our clients with real, tangible value.
Berkeley Square House Berkeley Square Mayfair London W1 United Kingdom