Not long after the pandemic began, Leigh Tynan was asked by a manager to move from her position as Telus’ director of business strategy development to a new post: Leading the team developing Telus Online Security, a software-as-a-service offering to consumers for protecting their internet-connected devices.
She said yes.
That three-letter word is important for women who want careers in IT — and especially cybersecuity — a number of women emphasized in interviews for International Women in Cyber Day, which is observed on September 1st.
“The answer is never, ‘No,’ when you get those taps on the shoulder,” Tynan said. Don’t turn down opportunities, she and other women said.
“Just put your hand up,” said Cheryl McGrath, country general manager and area vice-president of Optiv Canada, a major cybersecurity integrator. “Ask for roles. Work hard once you get them. Don’t shy away.”
“We’ll get there,” she said of overcoming the male domination of the profession. “It’s way better now than when I started doing this. And a lot of men are supporting women to move into careers in cyber. That’s a positive change.”
Women in Cyber Day, recognized in a number of countries and Canadian provinces, celebrates the work of women in the field, encourages young women to consider cybersecuity careers and pushes organizations to find ways to expand the number of women on their cyber teams.
In Canada, it will also be observed on September 20th with a day-long symposium with the theme of ‘Education, Safety, and Security of Women and Girls.’
Today is also a day to bring awareness of the challenges women face in this overwhelmingly male profession.
In Canada, it has been estimated that women make up only 10 per cent of the cybersecurity workforce, says Tynan. By comparison, ISC2 estimated in 2019 that women made up 24 per cent of the global cybersecurity workforce. Cybersecurity Ventures predicts women will represent 30 percent of the global cybersecurity workforce by 2025, and that will reach 35 percent by 2031.
Part of the problem is that cybersecurity — and IT in general — is seen as a profession requiring technical skills and certifications. Not necessarily, say the women we spoke to. There are many opportunities to learn on the job.
McGrath got a degree in political science and economics, but after joining Xerox Canada, learned IT and rose to become vice president of sales and client operations, including overseeing the 1,200-person delivery arm of the company’s data centre outsourcing division.
Tyan says when she began running Telus Online Security she realized how little she know about cybersecurity. So she learned.
Ashley Mataya, senior manager of cyber partnerships at Vancouver-based Lighthouse Labs, which offers many IT training courses, noted a number of Canadian universities — and Lighthouse — offer short cybersecurity bootcamps that women with little or no tech background can take for entry-level skills. Organizations should also encourage staff to take these courses so they can recruit cybersecurity talent in-house, she added.
Still, there can be obstacles.
“When I started in cybersecurity, I thought I would gain respect and recognition by working hard, being a good team player, and producing excellent results,” Sonali Shah, chief security strategist at Texas-based Invicti Security, said in an email. “Unfortunately, this was far from reality. I worked in establishments where male employers and board members have treated me differently from my male peers, sometimes consciously, and other times not, but never to my benefit. I was often the only female in the room, whether I worked in investment banking or a technology company.
“The most significant challenge for women in this space is they often don’t see other women in technical, high-power roles within organizations. Sure, you can apply for an entry-level position and work your way up, but the real challenge is often entering the organization at the managerial or director level,” she wrote.
That hasn’t stopped her. Over a 25-year career Shah has been a technology executive, investor, and advisor at numerous security firms. She’s helped launch startups, take high-growth companies into new markets and regions, and build and lead high-performing product and marketing teams.
There are arguable three tracks to getting more women into cybersecurity: Things the education system can do, things women can do in their careers, and things managers can do.
School boards should bring IT into middle- or even primary-school curriculums early, say many experts. McGrath notes many educators talk about STEM programs — science technology, engineering and math. She likes to talk about STEAM — adding A for arts. Why? Because, she argues, many girls shy away from STEM-related courses thinking they are too technical for them. A wide background can be an advantage for getting into IT, she said — an argument made by many of the women we interviewed.
McGrath said she’s “quite pleased” that Ontario is adding computer coding as early Grade 1.
There are a number of cybersecurity-related jobs that don’t involve technology, the women we spoke to emphasized. These include writing manuals, proposals and marketing material, pitching customers on the ways a company’s products can solve an organization’s products, legal work, and more.
Women thinking about a career in cybersecurity — either because they are in university, in IT or want to shift from an existing job to cybersecurity — need to do several things:
— join an association that represents women in cybersecurity. There’s no shortage of them. A short list includes Canada’s Women in CyberSecurity Society, Women in Cybersecurity (WiCyS) and the Women’s Security Alliance (WOMSA). Groups like ISC2 have women’s programs and a women’s scholarship program.
There’s a longer list here that includes Twitter and LinkedIn groups.
— take chances. “It’s a fast and furious world where women can excel,” McGrath said she tells women. “They just need to seize the opportunities — and ask for them. And be willing to learn. It is hard work. It changes more rapidly than any other IT role I’ve had because we have to try to stay one step ahead of the nation-state actors and bad guys.”
— speak up. “One of the biggest things is trusting your voice and speaking up,” said Tynan. “So often you think somebody else knows more than you do. But that’s not true. I have learned in my career to speak up and have a voice.”
— take control. “You have to own your career,” she added. “If you’re waiting for someone to do it for you, to tag along [with them], you might be lucky. But you also need to invest in your network, invest in areas you find interesting and learn more. If you’re waiting for something to happen, it may not. No one can control your career except you.”
As for organizations, the women we spoke to said leaders have to create and get behind diversity programs for all departments, including the IT and security teams.
One way, Shah said, is to build security champion programs for pulling talent from other areas of the organization. “The great thing about security champion programs is how they’ve evolved in recent years to include employees who aren’t necessarily experts and expand to those with a security interest,” she wrote. “These individuals help champion the security message wherever they are in your organization and can help ensure greater buy-in from the larger company, generate feedback and gain insight from people of different backgrounds and focus areas. Especially with the talent shortage in cybersecurity, this kind of program allows companies to bring in new skills and perspectives that can trickle throughout the organization and help educate and create awareness and interest in the cybersecurity function of the business.”
Telus, for example, has an internal program called “Connections” which focuses on driving gender equality, and providing networking and career development opportunities for women and those who identify as women. Tynan is part of the company’s global team.
Training new hires or upskilling staff doesn’t have to be expensive, says a recent study by the ISC2.
Forty-two per cent of cybersecurity hiring managers recently surveyed said training costs less than US$1,000 for entry-level hires (those with less than one year of experience) to handle assignments independently.
Nearly a third (30 per cent) of respondents said it takes less than US$1,000 in training costs for junior-level practitioners (one to three years of experience) to handle assignments independently.
HR leaders also have to change job descriptions to get a wider range of applicants, said Mataya. Usually they are written with what she called a male-centric viewpoint. In part that’s because men are more likely to apply for a job even if they don’t meet all the published requirements. Many women, however, will only apply if they meet all of a job’s published requirements. “It’s not for lack of confidence, but more for ‘I don’t want to waste anyone’s time.'” she said.
So HR needs to work with managers to make their list of job requirements less specific, particularly if some skills can be taught on the job.
“There are currently 3,700 open vacancies for cybersecurity positions in Canada,” said Mataya. “What companies need to do is figure out where that talent is coming from. There is an entire population of people who have not been looked at as a perfect pool of talent to draw from when it comes to roles in tech, especially in cybersecurity.”
There are “massive opportunities” in cybersecurity, said Tynan, “and I hope women and girls around the world take the time to learn more about cybersecurity and get interested in it, because no matter what your skill set there is room. We need diversity of thought and experience to help combat the cyber risks we face. Everyone is welcome.”
Stephanie Benoit-Kurtz, principal security consultant at Trace3, a U.S. consultancy with offices in 11 states, who is also and lead cybersecurity faculty for the college of business and information technology, University of Phoenix, said cybersecurity is “really is an amazing career … It’s never the same job two days in a row, there’s always something different … Every day you get to be involved in cutting edge technology that can transform the way the business works.
“My advice to every woman in technology is to make sure you take your seat at the table,” she added. “Don’t sit on the sidelines, don’t sit in the chair next to the wall. Let your opinions and your experience be heard.”