The cybersecurity world is working hard to attract a larger diversity of profiles into the domain. There are scholarships, mentorship opportunities, networking events, awareness programs, trainings, NGOs, and more. Still, there is a lot more work to be done as the proportion of women in the field, while slightly growing every year, is estimated between the range of 20 to 25%. A lot of the aforementioned initiatives are centered around the idea of representation: it is because women don’t have enough role models that they don’t think of joining cybersecurity, or possibly feel that the field isn’t suitable for them despite aspiring to join it.
The positive impact of representation is unquestionable, but it’s also fair to point out that it constitutes a long-term battle. Role models that emerge today will inspire the children of tomorrow, and these children will graduate yet another day after. In other words, if we do everything right starting now, we’ll begin reaping benefits maybe 20 years from now. This would be an excellent outcome and we should keep working towards this; at the same time there is an estimated shortage of 4 million cybersecurity professionals right now.
Some will undoubtedly (and correctly) point out that the various programs listed above also yield immediate results, through guiding women with professional reorientation, outreach in universities, and so on.
We’ve asked his point of view to Ivan Kwiatkowski, Lead Threat Researcher at HarfangLab, and according to him, such initiatives – which have his full support – can never produce the volumes of infosec professionals that are currently needed. But what if there was a way we could solve the problem in 5 years instead of 20?
Too few women are encouraged to go into scientific fields. What about cybersecurity?
Ivan Kwiatkowski: First things first, obviously as a white male, I’m exceptionally well positioned to share ideas on the subject of diversity so let’s dive in. A good place to start, in my opinion, consists in understanding where the bottlenecks in the global “cyber expert factory” are located. No matter where you live, the career path you should follow to work in cybersecurity probably looks a little like this:
The diminishing size of the boxes represents the decreasing number of people they contain
For me, in the French education system, it involved obtaining the scientific variant of our national high school exam (“baccalauréat”), then a lot more math, later receiving a broad education as a developer in an engineering school, and finally following security classes on the side. The very long term (20 years) goal of the STEM field is to move more women from box 1 to box 2, whereas the initiatives mentioned in the introduction focus on smoothing the transition from box 3 to box 4. The main issue with the latter, of course, is that at this advanced stage, cybersecurity is fighting over breadcrumbs with physicians, mathematicians, and so on. Most of the filtering has already taken place, and the available pool of women we can guide towards the light is already too small for our needs. This is a structural problem, and if we want to fix it, we’ll literally need to think outside the boxes.
It doesn’t seem like it’s in anybody’s power to change the education system though. What would alternate ways be?
Ivan Kwiatkowski: A funny thing I didn’t mention about my studies is that despite following a very mathematics-heavy curriculum (at which I was medium at best), my core skills were always linguistics and literature. So you can imagine my frustration when I eventually joined the IT world, only to find out I had learned to calculate integrals and studied the laws of thermodynamics for absolutely no reason. In my 15-year career, I can safely say I never found a single practical application for my scientific education.
Instead, I eventually reached a somewhat counterintuitive epiphany that never fails to raise eyebrows every time I bring it up: IT is in most aspects a linguistic discipline. Think about it. We use programming languages to communicate intent to computers. My daily work, as a reverse-engineer, involves reading very obtuse machine language to extract semantic data. I dare anyone to explain to me how this isn’t the most overpaid translator job in the universe – I feel orders of magnitudes closer to Jean-François Champollion than to Marie Curie. Then, looking at various campaigns, I put on my analyst hat and write reports about the whole thing. Sometimes, I also get to go on stage and use my definitely-not-school-taught public-speaking skills to present research. When I write C++ code, I can feel in my body that the active part of my brain is the one which produces English, not the one that used to know multiplication tables.
I’m perfectly willing to admit that some IT jobs (that focus on fundamental algorithmics, hardware, etc.) do require a strong scientific background. But they’re the minority, and after years of university teaching, I posit it might be a lot easier to teach English majors how DNS works than it is to teach Science majors how to write a report. Hence, I put forward my proposal for an alternative career path leading to cybersecurity:
Scientific minds are still more than welcome, of course. But you know what field is overflowing with women? Literature studies, applied linguistics, etc. Interestingly, I had a discussion with such an individual last year, who told me that she had to attend a light programming course (i.e., Python 101) as part of her studies. Assuming that it was just mandatory tech proselytism, everyone in her class had rejected the course material. She admitted that if it had been presented in the light of a linguistics skill, allowing people to express ideas in machine-tongue (so they can do our bidding), she would in fact have been extremely interested in the subject.
So, what’s that magic trick that would close that gender gap you were talking about earlier?
Ivan Kwiatkowski: The cybersecurity industry is well known for welcoming individuals with the wildest backgrounds. I can name a deputy CISO who came from political studies. A baker-turned-reverse-engineer. A vulnerability researcher with a degree in musicology. My theory is that it’s not because we’re more open than other fields (we are though), or more desperate for new talent (that too). But rather that the standard education path leading to infosec actually does a terrible job selecting the skills we are looking for, so instead suitable people get lost everywhere else and sometimes find us later. When we’re lucky.
There is a huge untapped potential there, one that we can develop in just a few years if we just find the courage to broadcast that we’re not really scientists and that other not-really-scientists could become excellent practitioners. I think they really want to be convinced.
In addition to gender diversity, we’d also get education diversity as a free bonus. Part of me believes we need this just as much.
And just as we need to get rid of misconceptions about the studies that can lead to a career in cybersecurity,
there are a number of misconceptions we need to get rid of about cyber itself. What are they?