Women in cyber – diverse talents and the barriers to acceptance

Three women at BAE Systems Applied Intelligence, exemplify some of the various opportunities for women in cyber, with diverse backgrounds, skillsets and routes into the sector ranging from programmer to comms, or transitioning from social science to threat intel. Using their own experiences of progressing in a male-dominated sector, they explain their role, the challenges and consider what changes could redress the underrepresentation of women in cyber.

Mivy James, Head of Consulting at BAE Systems

Jo Massey leads IT and comms at the Foreign & Commonwealth Office

team within BAE Systems.

Saher Naumann, Threat Intelligence Analyst at BAE Systems

Mivy James is the most straightforwardly ‘techie’ of the three, starting her career in the industry 25 years ago after studying computer science and maths, then becoming a programmer in the security sector.  “I went from being a coder to system design, to enterprise architecture and now digital transformation at BAE Systems. Security came in immediately as I work in defence and security so understanding of cyber-security is essential, including security by design.” James adds, “If security is added on then you are not setting yourself up for success, Compared to when I started, QMS (quality management systems) and security architecture have now become a key element of what I do, an integrated part of the role. If you are working in the cloud you need to write security for the cloud so it intersects with security.”

James’ role has various responsibilities. She is head of consulting for an internal part of the business with 150 consultants, working on incidents and consulting on digital transformation. James explains: “I am passionate about digital transformation being cultural, not just tech.  So currently that’s a lot of work related to cloud, but it may be edge or quantum in the future. There is a need to constantly transform, to develop strategies and road maps, finding how top level decisions are made, with software teams working in an agile way. Otherwise they may not be delivering as they should because often people are working in a bubble and they need to apply their findings to the wider enterprise to have an impact.  As an organisation, we need to do what we are recommending to our clients, to overcome the pain points ourselves, not just the technology but all the cultural aspects.”

Saher Naumann told Guru how she was doing a Masters at Kings College London, where she had gone to study counterterrorism and was doing intelligence when she was introduced to war studies – both political and technical. “So from a Social Science background I went into the threat intel space, which was great for me. It is a technical field but with room for people with other skills.”

Within threat intelligence Naumann is as an analyst, taking the threat intelligence, understanding the political situation, and contextualising what is seen in cyber operations between states or criminals, tracking malicious actors, whether state not, for espionage or financial gain, profiling, understanding how they move, their signatures, techniques and understanding the adversary, knowing what customers should be worried about, who is attacking what  – and then providing actionable intelligence.

“Tech areas complement this with analysis of what attackers are doing. Network defence is an ongoing process and we are always working to get better; it’s never achieved, but we can put in technical defences to get better,” say Naumann She adds, “Understanding  motivation and intent does help contextualise the intelligence, including geopolitical overtones. A lot of cyber espionage by states reflects what’s happening in the real world, in specific regions or conflicts.  Cyber is just one part of a state’s strategy, and is not viewed in isolation, but as a component of wider efforts to achieve an objective for that country.”

Jo Massey immediately states: “I don’t have a STEM qualification; I have a Masters in literary translation.” Starting her career during the mid-90s she found she was able to write what technologists wanted to say in a way that would be more widely understood, writing documents supporting business development, writing competitive tender responses. “Making sure that we were communicating what we do and why.” It increased competitive tender wins and was used to develop training and mentoring programmes in ‘how to win’. In 2013 Massey joined BAE to run its  bidding and in 2019 became Account Director for its Foreign, Commonwealth and Development Office (FCDO). She explains: “I run a team of 160 people responsible for ensuring the technology and communications are maintained 24x7x365 across all 280 FCDO Posts (Embassies, High Commissions, Consulates) worldwide.”  It entails communicating really clearly, to explain to the customer what is being delivered and why it meets their needs, to ensure commitment to quality. “Mostly, my job is about effective team leadership, and I am committed to building diversity within the team, not just in gender but in ethnic and cognitive diversity, too,” adds Massey.

“It is not uncommon for men to underestimate my technical skills and experience”

When asked about the challenges for a woman progressing in the male-dominated cyber security sector, James says: “It’s probably true for women in any male dominated environment (that they will face barriers to success). Mostly it’s the daily grind of daily challenges more than anything overt.  25 years ago, some men said women just can’t write code – but that was easy to challenge as we were writing code. Now I don’t hear people saying that but there are more subtle challenges.  When meeting for the first time it is not uncommon for men to underestimate my technical skills and experience. I am a professional nerd and proud of being pro-nerd. They assume I may be a different type of consultant.”

James continues, “That’s true when it comes to leadership as well. Leadership qualities are seen differently between men and women. Research shows its more about differences in perception than behaviours, and it can be double edged. And as there are not so many senior women in tech roles, I did feel I was a pioneer, and I shouldn’t have to be a pioneer. As a mother of a six year old, I also get ‘benevolent sexism’,  with men making decisions for you and that can be quite patronising – eg deciding that I won’t want to do something because it involves travel or working outside hours – but I would find a way of making it happen if it’s the right opportunity.”

James also challenges assumptions that women will have more empathy and soft skills, saying: “As the mother of a son I have not seen that. Women get given softer tasks, more communications roles are given to them, and while it is important that these are done, when they are given to a women because she is a women, even if her skill set is technical, it can detract from her tech skills. And the industry drop-out rate (of technical women) is faster than among male peers and she is likely to drift into other professions, driven away from the very tech focussed roles.  It happens incrementally over time so it’s hard to tackle. The engineer who finds herself working in HR needs to say, “No, I am going to focus on the technical roles.” This may be seen by others as being a bit difficult. It is harder for women to say no to things you don’t want to do – it’s harder to say “no I won’t do that thing that’ll help you out.”

This issue is a responsibility for the industry to rectify, not the women, says James. “Educate them on the systems and how to challenge those things.  Eg a woman returning from maternity might be given a less technical role. Would it happen to a man who was off for medical reasons?  Tech roles get dripped away. Industry needs to be alert to that. It should not be left to women to say ‘this is happening because of my gender.’

Another issue pointed out by James, is that however well meaning, many women in tech roles don’t want to be a poster girl for tech roles or they will start asking themselves, ‘have I been chosen as an example because I am a good coder or only because I am a woman?’  James says, “I’ve attended a lot of women in tech events and I often feel a scream building up when I hear it said that women can get into tech by telling them they don’t need to be technical,  and consultants can excel in tech. It reinforces the stereotype that women can’t’ or won’t do tech, programming etc – we actually need more women in machine learning and AI to overcome bias in the program.  Lots of this is well meaning and there are random routes into this industry, but we shouldn’t be telling girls what they can and can’t be interested in.”

Society also has to shoulder its share of the blame including popular culture.  “In the 80s and earlier there were more women in coding – it has become harder for women in tech. I would like to see more female nerds such as via programmes like the Belinda Parmar Little Miss Geek. Initially the rise of home computing was marketed at games and gaming. My family was adamant that we would not be stereotyped, and we would have access (to tech) regardless of gender. That’s not true for everyone. IT being marketed as a boy’s toy is a cliché, and so in higher education girls are disadvantaged, boys have had a head start, so girls feel they can’t do it. It has a snowball effect.

“Now technology is ubiquitous. There are as many female gamers as boys, though the way they interact is different. Back with the Zx810 you had to code to play. I thought it was a generational thing and engagement by women would increase and become more usual – but it’s not been true – though there is an increase again now. A lot of effort has been put into fixing that, and in a generation it may be normalised again.  It needs to be so successful as to make the schemes redundant. I do hope it picks up again. At BAE Systems we have done a lot on how we recruit at entry level – if we’re fishing from a small pool we miss out on a lot of talent – people who have a flair for the topic but  hadn’t had the opportunity before.”

James says we need to be disruptive to drive change, “So those lists (such as The Most Inspiring Women in Cyber on 28 October) are energising.  Otherwise you may think, Is it just me? – then see that, no, there are others, Here’s an awards list. The events themselves are great for networking, and there is a knock on effect of raising those women’s external profile, getting invited to speak on panels and make room for other women, opening up opportunities and taking other women with them. We want to be on an equal footing with male peers, but also recognise that I am different.  It is true that such lists can drive resentment. It doesn’t cancel out when gender has been a disadvantage.  It’s about equity and equality. It is not a level playing field to begin with. Any organisation can still do a lot in its workplace (to improve the participation of women) – it’s continuous, and there are always new people coming into a business so we need to instil those values. We should take progress where we can.”

“Seeking out other women in similar roles creates solidarity and support”

Naumann agrees, noting how: “Many women have experienced subtle discrimination of being in a male dominated industry – it’s often micro aggression, men talking over you in a meeting, not acknowledging your role or authority, assuming you are not technical. Often its unconscious things which will be encountered over and over. Women should not have to carry the burden of constantly having to navigate through this, it’s also up to men to change their behaviour. I have developed a bit of a thicker skin, but I have also become very self-aware of when it happens and relations with people.

“I have realised that seeking out other women in similar roles creates solidarity and support and you get to see what the experience of other women is.  I’ve also sought to excel in my role, be ambitious and pursue as many opportunities as possible.  Sometimes we can internalise it and find it difficult to be seen on the same level as there are a lot of men around (in tech) but I seek to thrive as best I can.  Women who love IT should still be able to pursue what they are passionate about and are interested in.  But many women (find they cannot) and people leave the industry. I would advise them seek out support and solidarity from other women and male allies.”

The challenges don’t stop outside the directly technical sphere as stereotypes and assumptions in relation to power, authority and career remain the norm.  Massey says how throughout her career she has faced such challenges.  “When I had my first baby, the company found someone to cover my maternity leave, and then he did not want to give my job back and I ended up working for him as the attitude was, “You’re likely to have another anyway”. Such attitudes were deeply entrenched habits in industry.  Looking back, I probably should have made more of a fuss, but I sought to remain gracious and worked harder. It has worked out well for me, but in retrospect I should have spoken out for those who might in future be less resilient than I was. Many times I would confront the issue by making a joke about being the only woman in the room, but I never imagined any complaint would be taken seriously if I had decided to actually escalate it.”

Being a working mum also introduces challenges in terms of the expectations of others. Massey says: “I recall a time relatively recently when I was the only woman in a meeting at the end of the day that was over-running. I was aware that if I missed my next train I would not get home in time to see my children. It really mattered to me that I should get away, but I was crippled with embarrassment at having to interrupt the meeting and leave, so some of that challenge still exists.”

However, for Massey, the biggest challenge is that there is no female role model above her in the organisation chart to aspire to. “Right now, there are no females on the board, either. It’s not for want of great candidates.  Some young women in the organisation tell me they look up to me as a role model, which is great, but it would be nice to see women further up the chain, too. Women who are looking at what they are going to do next may feel they have to move on to get ahead.”

“Diverse teams perform better – not just different genders”

Massey says that while she does believe in meritocracy, “…that doesn’t push people to think more carefully, beyond the ‘best person for the job’.  I would never want positive discrimination, but the reality is that if you measure and report on something then you are more likely to do it, so we should be setting ourselves targets to increase diversity and reporting on those. What we need to focus on is enabling equity, not just equality. People do not all have the same starting point in life. We need to employ different ways to make roles available to a variety of people, to open them up to the same chances of success. Sometimes this means investment in certain types of individuals more than others, to level up the starting point.

She concludes: “I genuinely believe that diverse teams perform better – not just different genders, but different lifestyles, beliefs, ethnic backgrounds, etc. There’s plenty of research that proves that diverse teams generate incredible results through avoidance of ‘group think’. If not having a diverse team can be seen as a risk, this would change a lot. If a team within organisation looked at a team of 10 people all the same and thought “well this represents a risk to the project’ then we might see decisions made to drive more diversity into our teams.”

Looking at actions that might bring about the changes sought, Naumann says:

“One of biggest things women can do is to do as much as they can as individuals, but also with industry and companies helping shoulder the burden, is to hire diverse candidates and make the working environment more inclusive.  It’s about who gets to be in the room and who gets to have influence.

“It’s great to hear Cyber First has had a 60 percent increase in female entrants this year and women in tech should be encouraged.  We should also let potential candidates know it’s not always about the tech, it’s also critical skills and analyst skills which are as important a part of the team – (but the perception of cyber security) often deters women who see it as tech only. Women should pursue tech if that’s what they are interested in and other areas if they are interested in other areas.  We need to examine every part – recruitment, working practices, diversity and inclusivity, who are you working with, who is hiring, eg its often white men hiring white men, also impacting retention and attrition. Women leave because of policies that discriminate, such as childcare policies, and we need to design policies that benefit everyone.  The gender pay gap, and other Issues that are not gendered such as transparent salaries and roles and promotions. There isn’t much transparency around companies and it’s not beneficial for equity, and while not inherently a gender issue, resolving them could help the push forward in equality.”

“The genders are different and we tend to express ourselves differently”

Massey pointed out that BAE Systems is doing a lot of the traditional things that get results, starting with youngsters: BAE encourages staff to be STEM ambassadors (which Massey does) and hold events for local schools where they talk to teenage girls about careers in cyber and tech.  She also notes: “We see a great number of women coming into the organisation at the graduate level which is great, but these numbers just aren’t reflected further up the career ladder. Is it a maternity thing? I know a lot of women choose not to come back after having a baby, but not so many that there should be this chasm at the top. I am not sure of what the answer is. I have never had a female mentor, and although all my mentors have been genuinely great, I feel I have missed out as a result.”

“Of course the genders are different and we tend to express ourselves differently.  Women are usually seen as softer, with a gentler approach.  For example, this week I am embarking on some tough negotiations with my customer. They’re a great customer and I feel comfortable with handling the negotiations, but I worry that not everyone trusts me to do it well. I feel there may be nervousness about me negotiating because I am a smiley, happy person and some may think I will just roll over – they equate positivity and niceness with naivety.”

As an example of her own different approach, Massey notes how: “For the 16 months that I have been in my current role as account director, I have written a weekly blog about what’s going on, about specific roles, about things I have observed and learned. This is sent out to the whole team every Friday morning. Not a week goes by without me having a response from someone about the topic of the week, sharing their views or personal experiences. Touch points of communication like this keep people motivated and engaged; while we’re all working at home they may not be seeing me around the office but they read the blogs and can see that I’m still here.  Many might think, “What a fluffy waste of time” but there are different ways to lead. “

Broadening the discussion out to challenges facing the industry, James says: “One of things accelerated by Covid 19 is digital collaboration so we recently ran our first face to face workshop for six months as its been running digital. There are advantages and disadvantages.  There has been a proliferation of new stuff.  Before (lockdown) the organisation had control over what was used and where, now with other suppliers and others involved they don’t have control over the platform.  So how do we allow business to continue to operate without opening ourselves up to all sorts of horrors we didn’t previously have to contend with?  We can use the right tools, but here are the rules for use, and no one talked on company proprietary stuff, or about espionage. Content for digital collaboration is a useful tool but we talk around it.”

James also agreed it’s not a temporary phenomena. “There’s increased remote working and digital collaboration is her to stay so we may have initially tolerated lesser security. But we need to manage the risks. There’s a proliferation of tools including from other organisations, eg we may need firewalls. Something that has seen a surge in demand, though it’s always been a challenge.  Plus there’s ‘business as usual’ stuff to contend with. Collaboration at scale. Remote working threats. More flexible working hours, different time zones.  It’s all here to stay – we’ve all got an appetite for it. So we’ve got a meeting and can’t work this system, and it needs to be secured. There is a mindset shift as part of this digital transformation. We‘ve all got a lot to do, from rules based command and control, how to plan work and get it funded – cultural transformation – the genie is out of the bottle and there is no going back – we have to do what’s needed to make it work.

“If you don’t see it you think it doesn’t exist. They (women) get less screen time.”

Naumann describes how, when putting on an event comprising only women speakers, “It took me a couple of days to round up the women.  It’s not an equal balance however there are plenty of women out there but they’re often not recognised in the public space – and if you don’t see it you think it doesn’t exist. They get less screen time.  Who is quoted in articles? Who are they (the media) using for their sources and quotes? You can see who is getting coverage. We need to get people to think. (Understandably, journalists) ..go to who you trust – but doing so you will never get new blood.

“Often it’s not gendered, but why not apply a more open approach; people are looking at experienced people (to hire) but you can also invest in a new person and train them.  Many came from university and employers spend time investing in teaching people. But most posts are not for entry level people and employers want so much that it deters people from applying. Training is how you get more people, we need to train. I would not be here if someone didn’t think “she has skills and intelligence – we can train her.”

Naumann also describes role models and mentors in the company as useful, asking, “Are they accessible, do you see women in more senior positions? If you do it gives a sense of something to aspire to.  I am a bit torn about lists – the recognition is great and you get to see talent and expertise out there, though sometimes it’s over-correcting for the imbalance. I would prefer a more balanced approach. Women and men quoted equally rather than women-only lists. I would like to see the recognition of women in the jobs incorporated in everything else – see them as sources of expertise. They will be sought out by some – who make the extra effort.  Others will simply trust me as an analyst. Lists can be seen as identifying people as women first rather than their role. Why not be included in a list of achievers rather than a women only list?”

Massey notes that there is a high level of demand right now during Covid and a lack of people with the right security clearance, skills etc. “It’s an interesting challenge as there are more opportunities than we anticipated, particularly in the government space where there is extra demand. An issue is attracting and keeping young people. The next generation, 21 to 27 year olds want to be doing something meaningful, and for them it’s often more important than money. They want to see the context and the point of what they are doing, eg a business analyst in support of what? (For BAE Systems) it’s about using the context of what we are doing to attract more people in, and we need to do more of that.  They want to move into jobs where they can feel really proud of what they do.

The post Women in cyber – diverse talents and the barriers to acceptance appeared first on IT Security Guru.