GUEST BLOG: In this contributed blog post, Kris Lovejoy, global security and resilience practice leader at Kyndryl talks about the skillsets needed for a career in security.
As a business leader working in security and resilience, I spend a lot of my working time considering why smart people make mistakes. That might not match up with everyone’s mental image of cybersecurity as a profession, but my 25 years in the sector have never matched the stereotype of sitting in a dark room with flashing lights, furiously typing to fend off attackers.
The reality of our work involves a more subtle and diverse set of skills. It’s about spotting risks that others don’t see and understanding what their impact could be. It’s about designing training, processes, and policies which people can truly understand and apply. It’s about preparing people to respond and recover when things do go wrong, and then trace the root cause of incidents to prevent them from happening again.
It is, in short, as people-centred as it is technologically-inclined, and good security means guiding users towards safe behaviours as well as blocking dangerous ones.
My expertise in guiding behaviour makes it particularly frustrating when, working as a woman in a field which remains male-dominated, people misunderstand what causes that inequity. For example, it remains all too common to hear executives proclaim they have diversity on their teams – and then point to the token woman leader who all too frequently has a “nurturing” role. Another common experience is reviewing all male slates for high stress positions and hearing that NO diverse candidates responded to the opening. Or finally – and my personal “favourite” – is where a woman is asked during and interview by a male supervisor if she has good child care, because, “this job is going to be really hard – are you sure you have support at home?”.
I know from personal experience how such symbols, biases and omissions create an atmosphere in which you begin to question whether their cultural fit in an all-male team might represent a battle that you’re not ready to enter into, and send you down a different path. Or at the mid-career point, questioning whether you can both be a good parent and and take that next “big” job.
Career progression depends on how, or whether, many different factors and influences line up to support – or stop you. My first purely cybersecurity role was with TruSecure, one of the sector’s earliest start-ups. At the time I had, almost accidentally, acquired some security experience in another role as a network consultant. The combination of the opportunity to leverage that skill as well as reduce my commute time by over two hours a day (key to a single mom to two small children) – was a strong motivator.
Some of my early experiences in the field were horrific – bordering on comic. I was asked on a couple of occasions to date a customer to secure a deal; I was once asked to have lunch in a hotel in hopes we could spend a couple hours before a meeting upstairs; I had a customer once tell me he assumed I was a call girl set up by his friends because it was crazy to think a woman named Lovejoy would seriously be hired to deliver a “penetration test”.
At that time, I stayed in the career because I loved it, and sadly assumed that such behaviour was to be expected and laughed off. At some point I realized not working harder to change the behavior actively just made me complicit. So I started to use my voice. And while I can’t take credit for the improvements we have made over the past 30 years, I did my small part.
But If we want to really improve the diversity in this workforce, we can’t focus only on those most acute and shocking moments of discrimination. We need to consider, in a more holistic way, what a viable career path looks like for women in security, and challenge less explicit assumptions which discourage them from reaching the highest levels of the profession.
And we should want to improve diversity. Security is as much about our people as it is about our technology, and no single person can understand everything about how organisations behave and make decisions. Diverse teams create a more nuanced and empathetic picture of what businesses need across the full spectrum of business operations, financial management, IT teams, and everything else that goes into success.
My passion for driving change in diversity relates back to ethics, business outcomes, and opportunities for women all at the same time. Things have gotten better for women in tech since my career started, but it couldn’t be clearer to me that we’re not there yet. My hope is that people will really reflect on what they can do to smooth the path to better representation at every level in our sector, and make sure that careers aren’t being blocked by challenges we might not even notice.