Cyber Skills Gap: can gender balance fill the void?

Speakers: Ballester Rodrigo, Merisio Silvia, Turley Lyndsay, Fox Jacky, Mohan-Satta Emma, van Lom Martijn
Moderator: Franklin Magnus

On the 7th of November, PubAffairs Bruxelles hosted a debate on the cyber skills gap and whether a more gender-balanced workforce could fill the substantial skills shortage affecting the cybersecurity field. Mr Rodrigo Ballester, Cabinet Member of Commissioner Navracsics, European Commission, Ms Silvia Merisio, Digital Economy and Skills, DG CONNECT, European Commission, Ms Lyndsay Turley, Head of Comms & Public Affairs EMEA, ISC2, Ms Jacky Fox, Director – Cyber Risk, Deloitte, and Ms Emma Mohan-Satta, Fraud Prevention Consultant, Kaspersky Lab were all present as speakers.

The debate was moderated by Magnus Franklin, Chief Correspondent, MLex.

Before the debate started, Mr Martijn van Lom gave an introductory speech in which he outlined how the cybersecurity industry is suffering from a massive skills shortage. He referred to the Global Information Security Workforce Study produced by Frost and Sullivan in partnership with ISC2 and emphasised that the gap is predicted to increase and is forecast to hit 1.8 million by 2022. The speaker explained that this raises several questions for increasingly digitally reliant societies, where WannaCry in May 2017 and ExPetya in July 2017 embodied two of the worst cases of cybercrime the world has ever experienced, ranging from the data theft of one billion mail users to the crippling of the United Kingdom’s National Health Service. In this regard, Mr van Lom stressed that public and private institutions need to invest in more cybersecurity, citizens with digital skills, and, especially, women with cyber skills. He provided some numerical evidence to highlight the cyber skills gap: women employed in cybersecurity account for only 11% of the sector's global workforce. The scarcity of female experts in the cybersecurity industry is partly due to the low number of female applicants for cybersecurity roles, a fact which has undermined gender balance in several sectors. Mr van Lom explained that nurturing a stronger talent pool and achieving gender balance can help prevent the dangers of cyber-attacks looming ahead. Furthermore, the speaker argued that the lack of women in the cybersecurity industry is also determined by the fact that young women are generally not attracted to such career pathways.
Indeed, the results of the Global Information Security Workforce Study, which examined the interests and traits of young people as well as their awareness of cybersecurity as a career option, showed that, on average, respondents have decided on their future career before their 16th birthday, while only a fifth of the respondents knew what a cybersecurity expert did, dropping to just 16% for women respondents. Among other reasons, Mr van Lom pointed out that young women experienced a lack of knowledge of computer coding (57%), did not have any interest in computing as a profession (52%), and were not aware of, or did not know enough about, cybersecurity careers (45%). The speaker concluded by stating that the way forward for the cybersecurity industry would be to guide young women, helping them develop the required skills, awareness, enthusiasm and aptitude to thrive in cybersecurity positions. According to the speaker, this exercise will reduce not only the cybersecurity gender divide, but also the overall skills shortage in the cyber skills industry.

Following the introductory speech, Magnus Franklin presented the speakers and, as a first point of discussion, asked what the lack of women in the sector means from the perspective of businesses.

Ms Mohan-Satta began her intervention by saying that the report gave visibility to the issue of the cyber skills gap. She stressed that in many instances the shortage of female applicants is determined by the fact that young women do not know what a career in cybersecurity entails and are unaware of the skills required to enter the industry. Research findings that cast new light on cybersecurity are therefore one strategy towards ensuring gender balance in the sector. For Ms Mohan-Satta, a successful business should represent a small portion of society at large, as businesses ought to be representative of the various social and demographic backgrounds, not only in terms of gender, but also in terms of cultural background. She argued that the gap in cybersecurity is increased by the lack of representation of different communities, a fact which makes understanding customers more difficult. She emphasised that going beyond the 50/50 gender split allows a company to champion diversity in the workforce and helps businesses to comprehend the psychology, as well as the modus operandi, of cyber criminals more efficiently.

Ms Turley started her intervention by stating that a critical insight into the profile of the workforce highlights that the first generation of workers, now working at senior levels in cybersecurity, comes from an ICT background. However, in Ms Turley’s view, this specific workforce might not be best positioned to lead how the cybersecurity industry is evolving or should evolve. She clarified that the current workforce is not necessarily optimal in understanding, hiring, developing, and creating a new generation of experts, which is also a reason behind the lack of gender balance in the workplace. Ms Turley stressed that women are working in an environment that has been defined by men, while the majority of management roles are occupied by men who have the power to set the tone and decide how a business should put its choices into practice.

According to Ms Fox’s experience, employing more women has been difficult because the cybersecurity sector is not an obvious career choice for women. Research conducted by Deloitte in Northern Ireland showed that the percentage of young women who selected science, technology, engineering and mathematics related subjects could be as low as 25%, although some variations occur within the different domains. In Ms Fox’s opinion, these low numbers can be explained by examining national education systems' curricula and their implementation in single-sex middle school subjects. According to Ms Fox, this setting resulted in young women distancing themselves from certain career trajectories.

Ms Merisio began her initial speech by stating that the gender gap does not only affect the cybersecurity industry, but is also common to all ICT jobs. In order to address these shortages, which are notably affecting most EU member states, the European Commission launched the Digital Skills and Jobs Coalition in December 2016. Within this Coalition, which currently counts more than 300 members, 80 actors have also committed to take concrete action to increase the level of digital skills in Europe. Ms Merisio specified that the European Commission supports grassroots initiatives which aim at increasing public understanding of digital skills at all levels. The EU Code Week, which gathered over a million people in 2016 and allowed users to engage with coding, is one such example, the speaker added. Ms Merisio also stated that the Commission is intervening through European funds to address skills shortages in the ICT sector. The speaker concluded by remarking that in December 2017, at the annual conference of the Digital Skills and Jobs Coalition, the EU executive body will launch the digital opportunity scheme, a pilot project to provide traineeships for students and recent graduates in order to give them the chance to develop digital skills in specific fields such as cybersecurity, artificial intelligence and big data.

Mr Ballester replied to the question by expressing the opinion that social systems and cultural backgrounds in certain societies did not necessarily explain the lack (or presence) of gender balance. According to the 2017 EU gender equality index, the proportion of male graduates to female graduates in STEM subjects is 75% to 25% in the Netherlands and 70% to 30% in Belgium, whereas it was 50% to 48% in Turkey and 49% to 51% in Bulgaria. In Mr Ballester’s view, these unexpected results show that the cyber skills gap is a multifaceted topic that goes beyond the boundaries of gender or culture. As a result, the speaker concluded, although a more gender-balanced workforce is necessary, it is an incomplete answer to filling the void in the EU, as well as the global, cyber skills gap.

A second point of discussion concerned national education systems and their impacts on the career steps for women entering the cybersecurity sector.

On this matter, Ms Mohan-Satta said that in the case of Northern Ireland, as an example, young women and men have already decided, by the age of 16, on the subjects in which they could develop a career path. According to Ms Mohan-Satta, the problem lies in the distinction between so-called “girl subjects” and “boy subjects”, which prompts young women to choose studies and career trajectories that they perceive to be more suitable to them.

Ms Merisio replied to this question by recalling that the EU does not have direct competences to reshape national education systems. However, the speaker also pointed out that the European Commission has set up several collaborative projects with national institutions, the industry and the civil society sector in order to galvanise EU member states into adopting structural reforms of the education system. Ms Merisio also explained that the rationale behind the implementation of subjects such as media literacy, cybersecurity, and privacy in primary schools is to allow students to familiarise themselves with digital subjects at a very young age, also with a view to offering future career opportunities.

Ms Fox contributed to this perspective by stressing that, with the appropriate government regulations, national education systems could provide the means to help and motivate young girls to pursue a career in the cybersecurity sector. She also mentioned that statistics from the achievement levels in Ireland show that 50% of girls who studied mathematics at a higher educational level outperformed their male counterparts in their final results.

Mr Ballester was of the opinion that the European Commission and, more generally, the European institutions have limited power and resources to provide support to all the initiatives needed. He continued by explaining that modern societies are already in the midst of a digital revolution, and it is actually difficult to assess or tackle any pragmatic answer to the cyber skills gap in the short term, whereas, in the long term, both EU educational systems and private actors might address this set of issues within a broader, more effective and adaptable perspective.

A third point of discussion concerned possible best practices to tackle the cyber skills gap, and prevent the numbers of female cybersecurity experts from dropping.

Ms Fox replied to this question by stressing the importance of role models who have expertise in the field and can act as a catalyst for other women to enter the cybersecurity job market. She elaborated on this point from her personal and professional experience and highlighted how societal change should be a progressive but constant path which both public and private actors should pursue.

Ms Mohan-Satta pointed out that it would be a good practice to establish mentoring programmes, whereby both men and women can act as mentors and help young girls to understand cybersecurity roles and, as a result, attract them to join the cybersecurity industry. The speaker also acknowledged that businesses in general do not give enough visibility to the core skills needed by a cybersecurity expert. Ms Mohan-Satta concluded by stating that creating a better balance between defining what a cybersecurity expert does and how private and public institutions can act to help is a first step towards bridging the gap between ensuring gender balance in the cybersecurity industry and solving the digital skills gap.

Ms Turley replied that, in her experience, women who receive formal support such as mentoring schemes or official programmes that encourage women's participation feel empowered and display more confidence. She added that a good practice would be to put in place leadership training programmes for women. She specified, however, that it is essential to demystify and broaden the perspective of the digital industry in order to make technology a more accessible subject. The speaker remarked in particular that cybersecurity experts should better clarify what they pursue and describe the impact of the industry as well as what day-to-day activities and duties consist of. She also pointed out that, unlike ICT, the cybersecurity industry poses many barriers to newcomers, as there is a strong reliance on previous experience. In Ms Turley’s opinion, workers who have a different educational or professional background can, however, bring a set of skills and perspectives that will enrich the cybersecurity sector. For Ms Turley, having a plan that describes in detail how an organisation is going to support its workforce is therefore a further good practice. Ms Turley finally praised the support of the Commission through the Digital Skills and Jobs Coalition initiative, whereby EU institutions targeted four categories of digital skills, namely digital skills for citizens, digital skills for ICT professionals, digital skills for the workforce, and digital skills for the public administration.

According to Ms Merisio, the main objective of the EU institutions' actions in ICT is that all citizens should have a degree of digital literacy. The speaker added that another issue which has come up in her experience is the very definition of ‘a cybersecurity expert’, as well as the identification of what is meant by cybersecurity jobs and cybersecurity positions: there is often a lack of understanding surrounding the cybersecurity industry, as it includes many different areas of specialisation.

The Q&A session also covered the following issues: gender equality; best practices not only to retain but also to develop the current workforce in the cybersecurity industry; how EU institutions, national governments and private companies can champion gender balance in the cybersecurity sector; what systems, programmes and schemes can be put in place to help address the disparity between men and women in the cybersecurity field; and how national education systems can support and educate young girls to motivate them to pursue a career in cybersecurity.

Do you want to go further into the issues discussed in our debate? Check our list of selected sources which we have provided for you!

The Digital Skills and Jobs Coalition, European Commission

The Digital Skills and Jobs Coalition, Members Charter, European Commission

Commissioner King’s speech at the EU Cybersecurity Conference “Digital Single Market, Common Digital Security 2017”, 15 September 2017

Global Information Security Workforce Study, Centre for Cyber Safety and Education

Beyond 11%. A study into why women are not entering cybersecurity, Kaspersky Lab

EU security chief: Europe faces a “cyber security skills gap”, Government Computing

European Institute for Gender Equality, ICT specialists by gender

Cyber security in the energy industry: a skills gap within a skills gap, European Network for Cyber Security

Launch of the European Digital Skills Awards 2017, European Commission

Commission announces pilot project to boost digital skills through internships, European Commission

‘Most women have decided against a career in cyber security before they’re 16’, Information Age