People and Technology Gap…

We live in a time where technology is advancing ever faster, and it is almost impossible to keep up anymore. With this advancement of technology, also comes the security risks that we all must face. So, what is the future of cyber security going to be? We are already in the era of cyber wars, where every individual, all the way up to government level, will have to face cyber crime at some point. It's just a matter of time, so what are we going to do as a society? Buy the latest and greatest technology? But can we be sure that having the latest fancy technology will always protect us?

We see a lot of organisations heavily investing in new sophisticated technologies to manage their cyber risks, but a common mistake so many organisations make, is to almost completely ignore their people and processes by relying too much on this technology. Like the saying goes, “Your security is only as strong as your weakest link!” and time and time again, it seems the weakest link in the security chain are people. If we don’t create a security conscious culture that values people over processes over technology, your investment in technology could be rendered ineffectual. But if we prioritise investment in humans, encouraging the right security culture and know how, then the development of good policies and procedures, enable the best return on investment in technology. This is why I believe investing in people is the most important aspect of having a solid security system in any organisation. How can we expect advanced technologies like artificial intelligence to protect us if we don't have the right people and processes in place to help enable ethical business practices? 

Skills Gap

Do we have enough trained and skilled security people in the industry to cope with ever-advancing cyber-attacks? Unfortunately, the answer is a ‘no’. To support my claim and explain how dire the situation is, here I would like to share some statistics I received from the IISP, Institute of Information Security Professionals. According to a recent study by the IISP, it is obvious that the biggest challenge that we face in security is the number of trained security professionals.

(Source: https://www.iisp.org/iisp/About_Us/IISP_Media/iispv2/About_us/IISP.aspx?hkey=866b64e2-77f2-4159-9acd-134c01ae54cf)

By looking at these stats it is obvious the problem is scarier than one would imagine, and I ask, are we doing enough as individuals? 

Gender Gap

We have a huge skills gap and to make things worse, below you will notice we also have a massive gender gap where the female representation in the InfoSec industry is disgustingly low.

As a female IT and information security professional, I find it very frustrating and disappointing to see such slow growth in addressing the gender gap. I have been a techie for all my career and in every team I’ve worked, I was either the only female or one of very few. For years I have been talking about this and participating in many projects to promote IT and cybersecurity to many young females, but I always felt there is a lot of talk about it in the industry with people using this as more of an opportunity to promote themselves but when it comes to actions there is not much is happening.

I was born in Sri Lanka and grew up in a culture still heavily influenced by the historic effects of a master servant culture. Servants must follow the orders of the master without question. So naturally people expect to follow what the boss says without a question. I believe this has a major effect on creating future leaders. I know it affected me a lot until I managed to break out of that culture. When it comes to information security I believe it's very important to have people who are ethical, independent and confident so they are able to provide the right advice to top management to help enable business risks are managed properly and business functions are done securely. This also comes down to having trustworthy information security professionals with high integrity and credibility, which can be a really big challenge for many businesses. For example, how do you ensure your pen tester really is a white hat? (White hat is a term used for ethical hackers and black hat is a term used for unethical hackers) How do you ensure that they always disclose everything they find in your system or if they are even doing what they claim to do? 

Attitude Gap - What doesn’t kill you makes you stronger…

To make matters worse in this male dominated industry, there is an attitude of male entitlement and (I call it) ‘caveman syndrome’ where women are only seen as sex objects, baby machines and house servants. There have been times where some men thought it’s ok to manhandle me, pretending like it’s nothing and that they are entitled to it. Or this old gem, where some colleague asked me what I’m doing in IT, rather than making babies at home. One time I got bullied quite badly by a project manager that I almost went into depression if I had not reached out for help in time. If one does not have the right support, it’s difficult to come out of these kinds of unpleasant situations. People could naturally lose confidence in themselves or even go into depression. These are just to name a few of my bad experiences and there have been many times I have suffered embarrassment as well as anger and regret for not knowing how to deal with these situations. Luckily for me I managed to get that support and came through these experiences stronger than I ever was. I could probably write a book on this topic now, but the best thing is that the pros of working in this industry far outweigh the cons. I’ve worked with many talented professionals and most of my good friends are men, including my best friend, mentor, partner and now husband. To be frank, I have found men to be more supportive than some of the 'very few' females in this industry. We are supposed to be empowering each other not ignoring each other!

Hiring Gap! 

I first came to the UK to do my BSc in computer science, where I found myself in the minority, starting from my degree to every single company I worked with over the last 15 years. Most of them were for fortune 500 companies who are supposedly actively promoting diversity and equality. As the statistics show, there simply aren’t enough females in IT and security. Should the approach to the hiring process be reviewed? I believe so, if I had it my way of course I would mandate it be changed to a 50:50 hiring policy, so for every male you hire you would also hire a female. What disappointed me the most recently was the one thirds ratio mandate by the UK government for appointing females as board members. In the UK we have a badass queen and a badass female prime minister, yet the attitude towards hiring female board members is still not what it should be. Where is the equality that everyone goes on about? There is more a tendency to hire a man over a woman for an IT job because of the hypocrisy and false perceptions in our society. For example, when a female applies for an IT / InfoSec engineering job, hiring managers naturally tend to be more tough on female applicants. Some even go to great lengths to ask harder questions or make them do extra technical tests to try find a reason not to hire them.

When it comes to graduates that apply for entry level jobs, the male graduates have a higher chance of getting the job, even with a lower set of skills, but female graduates often get told they don’t have enough work experience. I would like to ask what work experience are you expecting from a graduate? That’s why they are called graduates! They do not have a lot of work experience and companies should give that experience by hiring them and training them with the right skills. I know from my own experience, degrees don’t prepare you enough for real-world jobs, nor do they give the full skill set required for a specific job so this makes on the job experience absolutely critical for graduates. It’s up to the individual and the employer to identify their skills and make use of them like in any other job. I would almost always choose someone for their passion and attitude over qualifications.

Mind the gap - my gap issues ;)

• We have a people and technology gap

• We have a skills gap

• We have a gender gap

• We have an attitude gap

• We have a hiring gap

All these problems started to bug me too much that I had to become part of the solution.

Bridging the gap

 After months of research and self-study, this finally led me to create a program to help address these issues and help bridge that gap in building a talent pool of good information security leaders and also with focus on getting more females into the industry. Therefore, I’m so excited to announce “SHe CISO Exec.™”, with the help of my female empowerment and leadership partner Senela Jayasuriya-Abeynaike, we hope to address the challenges of a CISO (Chief Information Security Officer) when it comes to building a diverse security team. With this program we are planning to ask the industry to help build that talent pool by sharing their knowledge, skills and real-life experience to attract, train and mentor more females and new entrants into the InfoSec industry. This is what I hope to give back what I never had in my life.

What is SHe CISO Exec.™?

SHe CISO Exec.™ is designed to redefine Women in Technology but is not limited to only women. It’s designed to be a global program in information security and leadership training that builds and empowers the female and male information security talent pool. A comprehensive five-day training boot camp on information security, leadership and personal development, to help and equip entrants with the fundamental knowledge of information security and leadership skills. Thereby bridging the skills gap and encouraging more females to choose an information security career. This program provides delegates with knowledge of all the different security domains, industry best practices along with ethical leadership skills and self-development skills to bring out that inner strength, originality and confidence to enable participants to reach their fullest potential; Create an army of information security leaders that CISO’s in the industry need, to fight the ever-increasing cybercrime epidemic. This is not something I can do alone but it's a start and we already have many organisations offering to help us.

With my partner Senela, I would like to invite all of you to help by participating in;

1. Speaking / teaching / coaching at the series of events

2. Sponsoring a participant

3. Nominating a suitable participant

4. Or apply for the scholarship to be a participant and we will help you find suitable job opportunities with the help of our sponsors.

We will be running the pilot projects in October 2018 in Sri Lanka and then in the UK and if you are interested in participating, get in touch with me.