Outgoing GCHQ director Robert Hannigan has called on every UK organisation to do more to encourage women into the information security profession in the face of a growing skills shortage.
“If we are not tapping into women, we are depriving ourselves of a massive talent pool,” he told the CyberUK conference, taking place in Liverpool and convened by the National Cyber Security Centre (NCSC), which is the operational arm of GCHQ.
In the UK, the proportion of women in cyber security stands at just 8% and men earn an average of 15.5%, or around £11,000, more than women, according to the latest figures released from the Global information security workforce study (GISWS) published by the Center for Cyber Safety and Education, a charitable trust of information security certification consortium body (ISC)2.
The report calls for corporations to create more inclusive workplaces and to end gender pay inequity in the face of an expected global shortfall of 1.8 million cyber security professionals by 2022.
Hannigan said diversity of thought is key for innovation, which in turn is key to any organisation’s survival. “Getting people to think differently – throwing together different types – I am quite passionate about it for that business reason,” he said.
Hannigan said it is a myth that women are not interested in computer science. “If you look back in the history of computer science, if you go back to Bletchley and to the 50s when the UK was a world leader in computer science alongside the US until the early 60s – women were at the heart of that,” he said.
Since then, Hannigan said there has been a “fundamental shift” which some academics have blamed on poor government policy influenced by civil servants “who did not get technology” and a reversal of gender.
“As computer science jobs came to be seen as important and well-paid rather than clerical and menial they flipped from being jobs for women to being jobs for men,” said Hannigan.
“We have to put that right, but we can only put that right collectively so every company, institution and organisation needs to be working on this – it won’t right itself. The education market won’t do this quickly unless we help it.
“We all need to do everything we can to put right that skills problem, and I also think we will get a better innovative approach by fixing diversity,” he said.
Hannigan admitted that his push for diversity has been met by resistance, but he said most of it was not conscious or deliberate.
“Most people either think it is too difficult or they feel threatened by it, which isn’t new in diversity. I think it is normal in every institution and we all feel threatened by change, but it is absolutely critical to making progress,” he said.
According to Hannigan, GCHQ is pursuing various initiatives to encourage more women to work in computer science and cyber security, such as a competition exclusively for girls aged 13 to 15 that attracted around 8,000 participants competing in teams from more than 2,000 schools.
“We are also very supportive of the TechUK initiative to bring women back into the tech sector mid-career,” he said.
A lot of GCHQ recruitment is based on aptitude rather than science, technology, engineering and maths (Stem) qualifications, said Hannigan. “We are getting great people that way, as well as through apprenticeships for school-leavers.”
The Global information security workforce study reveals that UK employers inadvertently favour men and filter out women because they are less likely to study Stem subjects. However, 76% of female professionals in the UK have never studied a computing degree, while UCAS indicates 13,000 fewer women than men study computer science in Britain.
Adding to this, 93% of UK employers prioritise job candidates with previous experience and 35% in the UK look for a technical degree, while just 27% of female professionals in the UK have studied computer science degrees, compared with 41% of men.
Experts call for better security training
With the demand for people with cyber security skills set to increase even further as organisations realise the necessity of a strong foundation in cyber security, Raj Samani, CTO for Europe at Intel Security, said traditional education is not preparing individuals for cyber security jobs.
“In addition to re-directing the curriculum to focus further on cyber security, we need to look beyond higher education to train people for the profession. Whether through hands-on training or professional certifications, employees can access specific cyber skills without a certain degree course,” he said.
Employers can encourage staff to undertake training and certification courses to better prepare themselves and the business for the expanding attack surface, he said.
Beyond employer investment, Samani said Intel Security research also found that the majority of respondents do not believe governments are investing enough in programmes to help cultivate cyber security talent.
“With many companies unable to fill key cyber security roles, we will see an increase in businesses outsourcing security and making the most of technology automation. For example, companies can significantly reduce the number of events to investigate in person if intelligent automation processes are in place, thereby reducing the burden for staff,” he said.
According to Samani, organisations need to consider a blended approach: “Find the right combination of people, process and technology to effectively protect the organisation’s data, detect any threats and, when targeted, rapidly correct their systems.”