We need to change the way we think about and practice cyber security, and we need women and others from a more diverse professional background to help us do that.

The low number of women in cyber security, and ways that we might encourage more women into the field, has been receiving a lot of attention recently.  This led me to ponder why I think it is important that more women become cyber security professionals.

There is certainly little doubt that women are under-represented in cyber security. Research released in 2015 found that, globally, 10% of information security professionals are women. The 2017 version of this research indicates little change, with the current percentage at 11%. This latest research also notes that more of those women have advanced degrees but get paid less. Information from AISA puts the number of female members slightly higher at 12%. From the various industry events I attend and my networks of information security colleagues, these numbers are about right.

Upping the number of women in cyber security is often linked to the cyber security skills shortage. Presumably the idea is that more women will increase the total number of cyber security workers and reduce the so-called shortage. This seems to assume that the cyber security skills shortage is a simple problem of supply versus demand: if there were more people in ‘cyber security’ (and that would include women if we could just get more of them interested), they would all be employed because of the pervasive shortage of skilled staff. But is the cyber security skills shortage as simple as that? Recent research I did with AISA suggests that the problem is as much with demand, the way organisations recruit and develop cyber security specialists and the barriers to entry into the profession, as it is a problem of supply.

But bringing more women into cyber security is much more than simply a solution to the supply problem. Women and others from diverse professional backgrounds have an important role to play in re-positioning cyber security to make it fit-for-purpose for the 21st century. This is because the challenges faced are not confined to recruiting more people into the industry to strengthen our defences, but go to the heart of cyber security practice. The current framing of cyber security as a defensive war against aggressive, sophisticated enemies not only amounts to an exclusionist narrative which turns women and others away, it is also out of step with the modern world.

Women can introduce a much-needed change in thinking and new approaches to information security which will help our profession keep up with the changing needs of the community we serve. A new perspective and change in approach to cyber security will also make the profession attractive to a more diverse group of people, naturally opening it up beyond the domains currently inhabited by computer scientists, engineers, cryptographers and mathematicians. That brings broader skills and different knowledge to the profession, ultimately improving the quality of the solutions we can offer the community.

Moving away from negative security

My main issue with information security as most practitioners currently understand it is its positioning as a ‘negative security’, relying almost entirely on technological controls and operating on the basis of exclusion and inclusion. This positioning is reflected in the language and narratives we use when we talk about cyber security and in the way that we have developed the standards that shape our practice.

The current narrative of cyber security is centred on the need to protect organisational assets from sophisticated, well-resourced and determined adversaries. Military terminology has been appropriated by the cyber world, so we have offensive and defensive security, strong perimeters, defence in depth, ‘kill chain’ and advanced persistent threats. “Users” are regarded as inept at best and hopelessly incompetent at worst: people who need to be protected from their own stupidity and lack of care. This view of cyber security, as ensuring freedom from attack and protecting the assets and values of a particular group (usually organisational management), is a negative security (to borrow from national security theorists).

Current practice which relies on this negative role of security does not resonate with many women. Women largely do not want to go to war, they do not want to be involved in building or manning the barricades to repel attacks, nor do they want to be involved in taking offensive action. A technology company called Buffer used to advertise software developer positions as “hackers.” After noticing a dismal rate of female applicants – 2% – the company experimented with using “developer” instead. The company hired its first female engineer soon after making this change and shortly after had two full-time developers who were women. Other research has found that women don’t like jobs that require traits such as ‘independent’, ‘aggressive’ and ‘analytical’. Women were more attracted to descriptions containing ‘dedicated’, ‘responsible’, ‘conscientious’ and ‘sociable.’ Arguably, this may just be about the language used in information security. But language is important. And the language of information security, to the extent it supports a negative security, does not attract women.

Perhaps what is more important is that this narrative of negative security, where ensuring cyber security is an on-going and ever-escalating war and where distinctions are made between those who are inside the defences (who are included) and those who are outside (who are excluded), is ingrained in and underpins most accepted standards-based information security management practices.

Modern information security practice has its genesis in the military and defence (which focus on ‘protection from’ rather than the ‘freedom to’) and cryptography, the domain of engineers, scientists, mathematicians and technologists. These antecedents support the technological and process-based foundations of standard information security practice. They rely on the use of a largely command-and-control structure where security is a matter of policy and process, decided by management based on risk assessment outcomes, supported by largely technical controls and closely monitored as part of an on-going continuous improvement process. From this perspective, security is best achieved via technology rather than, for example, building social networks of solidarity, examining everyday practices or working on making people feel secure or empowering them to develop their own solutions. This command-and-control structure works for organisations that can directly control all of the people and technology that are ‘inside’. It is a model that suits government agencies, the military and the Catholic Church. It leaves little room for innovation, empowerment or individual goals and is unsuitable for most modern organisations.

In short, current information security practice and its supporting language, both based on a negative security, are not engaging to many women and are not appropriate in the borderless, complex, inter-connected, individualised world we live in.

Although broadly accepted and widely used, there is little evidence that the traditional negative and exclusionary constructs of cyber security are any more effective than others. There is no research that demonstrates that organisations that have adopted traditional standards-based approaches to information security are any better off than those that have not. In fact, we, the people who peddle this stuff, don’t believe in most of the commonly used standards ourselves. Few information security practitioners think that compliance with a standard makes an organisation secure.

So, what are we doing about it? Where are those challenging the standard view of information security as a negative concept, disputing the idea that security is a predominantly technological construct, insisting that the social context is relevant and important, and that security is a value-laden term that we need to understand and be able to contextualise? Where are the people looking to re-define what we mean by ‘information security’, when most of us acknowledge that traditional concepts like ‘confidentiality, integrity and availability’ are no longer of any use or relevance?

Diversity of thought and diversity of opinion are incredibly important for innovation. We need people with different backgrounds, interests and perspectives to be involved in our world and help pull together a new narrative that is more fitting for current security challenges. We need people who are interested in social solutions: in looking at ways that people can be made to feel safe and secure, in building human resilience, in working with people to see how security can help them do their jobs rather than get in the way.

There are glimpses that this new thinking is happening already. The Security Influence and Trust group adopted the theme ‘Ask Out Loud’ for Safer Internet Day 2017 (#AskOutLoud). Rather than technology, they adopted a social solution, promoting the idea of asking someone else if you’re not sure about an email or other message. Recent (ISC)2 research also notes that women in management positions in information security have a wide variety of educational backgrounds as contrasted with men who ‘overwhelmingly have engineering or computer science backgrounds.’ The research states ‘their wider variety of backgrounds reflects the different skillsets that women bring to their roles, and highlights the values of their interdisciplinary skills.’

We need to work out what matters

I’ve been working in cyber security for over 15 years but I often feel I’m not really accepted by many of my more technically credentialed colleagues. I firmly believe that it’s time for cyber security to mature and add a new ‘social’ dimension. I believe that women and others from a broad range of backgrounds can help re-formulate some of the fundamental principles of cyber security, so we can answer in a meaningful way some of the big questions such as ‘What is it that information security enables organisations and people to do?’; ‘What are the values we hold dear that information security supports?’; ‘What freedoms can we create through cyber security?’

Without this new thinking, we will continue to rely on the language of war, the fables of the strong attacker and the weak user. We will use outdated practices based on technical controls directed at asset protection, praying for a cyber event so catastrophic that it will make cyber security professionals important and relevant, while heading towards oblivion.

Bring in women and social scientists, creative designers, psychologists, philosophers, organisational and learning specialists and educators. Let us have a broad, inclusive, innovative conversation and see if we can agree on how information security can help us achieve what matters. If we do that, I am sure more women will see cyber security as something with which they want to be involved.

Dr Jodie Siganto
13 March 2017

With many thanks to my friend and colleague Dr Lizzie Coles-Kemp and the many conversations we've had over the last few years about negative and positive security, information security practice, the importance of diversity, the human experience and the future.