During the upcoming Women in IT UK Summit, taking place on the 23rd June 2021, UK Cyber Security Council vice-chair Jessica Figueras will be participating in a panel discussion about The Cybersecurity Mesh. The session will cover how to analyse the increasingly digital world, the risk management successes and challenges of the pandemic, and how to address the skills gap in IT. You can register to attend the virtual event here.
In this Q&A, we discussed the biggest lessons that UK cyber security has learned over the past year, the work the UK Cyber Security Council has been doing to encourage the next generation of cyber security professionals, and how diversity in tech can be effectively promoted.
What would you say are the biggest lessons that the UK cyber security sector has learned over the past year, given how the landscape evolved during the pandemic?
I would say one of the biggest lessons has been the speed of change in the environment due to Covid, and the need to respond quickly. We had to start remote working in the space of a couple of days, and deal with the security implications that came with that. I do believe that this was quite transformative for a number of enterprises, in that they discovered they could cope with these changes, and that was a positive thing that people learned.
However, we also saw a big increase in cyber attacks, including in particular some troubling developments around ransomware, which is the other side of the same coin. I think senior leaders have learned that they can no longer ignore this risk, and whilst boards were aware of cyber security risks, I believe it was seen as quite a technical aspect of the business that they could delegate to technical teams. Now boards seem to understand the need to take a more active interest in cyber security.
Another aspect that’s emerged over the past year is worries around transparency in cyber security. Firstly, there’s less awareness of supply chain issues, the SolarWinds attacks being a notable example, and organisations have a critical reliance on their suppliers to keep them safe. This raises the issue of accountability at board level, in that organisations need to know whether suppliers are safe or not. In addition to this, there is an increasing interest in data-centric security which, given the use of predictive analytics and automation, brings its own questions around the transparency of the models.
Could you please talk me through the work that the UK Cyber Security Council has been doing to encourage a new generation of security talent?
We’re all about the people who work in cyber security: the people who are going to keep organisations safe. But what we need to consider about cyber security as a profession is that it’s probably the newest profession in existence. While professions such as law, medicine and finance have had hundreds of years to build up codes of conduct and standards for professionals working within organisations, these shared professional standards aren’t currently in place for cyber security. There are many qualifications and certifications available in the sector, yet senior managers typically lack knowledge about cyber security, which makes informed decision-making difficult.
The UK Cyber Security Council is there to strengthen the profession, and help it to mature. We’re looking to map all the qualifications that are out there into a skills framework, meaning that these qualifications can be compared more easily, and to establish career pathways. This way, people can get a clearer grasp of whether a given person is a junior, mid-level or senior level professional, and where they would fit into a team.
We also want to establish a code of ethics for the sector. As it happens, I do believe that cyber security professionals have a strong core of professional values in place already, and hopefully we’ll be able to codify standards of practice. We also hope this would help organisations to do the right thing, and ensure that professionals can work in environments that support these high standards of ethics.
As a female leader in cyber security, and indeed the wider tech industry, how have you gone about promoting workplace diversity?
One thing I’ve always enjoyed doing is going into schools to talk to pupils about working in tech. I think it’s important for the next generation to have diverse role models to inspire them.
The tech industry is a lot broader than people realise, and it amazes me that in this day and age, we still have this stereotype around technology that it’s only coding, which is bonkers. Tech professionals have such a wide range of skills, and I think it’s important to get across the breadth of the profession.
Also, there is the matter of the gender pay gap, which I’ve been encouraging organisations to pay more attention to. There is still a lot of inequity around pay in tech, and even if you discount occupational factors, it’s still common that women are paid less than men for the same job. We find that the companies that succeed in gender balance are also the ones that have the most transparent and objective frameworks around pay and career development.
Why do you think that a lack of diversity is still present within IT?
Interestingly, the tech industry used to be much more gender-balanced, and this was the case up until around the late 1980s. If you think about what the tech industry of the 1960s and 1970s looked like, we think about computers that took up whole rooms, and women were the first coders. These women were mathematicians, technicians, punch card machine operators. It was a very different industry, and there were lots of jobs for women. But then, the tech industry grew, and became more mainstream and glamorous, and fewer women entered the space.
I think that in society generally, we tend to find levels of prestige attached to professions that are usually dominated by men, and the opposite is the case for those taken up predominantly by women. You can see this in those professions that have changed their standing over the course of history, such as teaching; while the local schoolmaster was once an important, well-respected figure in the local community, the education sector now is dominated by women, and it isn’t seen that way anymore.
But there are a lot of practices that really do help, notably in hiring and recruitment. It’s well known that simple tweaks to how we recruit and hire staff can make a big difference to the number of women that enter the tech industry.
Could you please talk me through what you’ll be talking about at the upcoming WIT UK Summit?
I’ll be speaking on a panel about the cyber security mesh. We’ll be discussing the skills gaps that are still present in IT, training and diversity.
The discussion will also explore the idea that cyber security is too big to ignore, and like many other areas in tech, there’s a constant process of automating tasks where we can, which changes the role of cyber security professionals. For me, one of the most important skills gaps that exist is the ability of cyber security professionals to communicate with, and educate, the business. Those communication skills are really crucial, as that’s what will enable senior managers to make better informed business decisions.