Seeking women in cyber security? Cast your net smaller!
Jenny Duffy – penetration tester and head of talent at Pentest People – describes the obstacles she overcame to get into cyber security and what drives her mad about employers saying they can’t find good cyber security people.
Writing in Computing on 16th November, ‘Your next security hire might not come from tech,' Tom Allen reported the comments on the cyber security skills crisis made by Simon Hepburn, the newly-appointed CEO of the UK Cyber Security Council, which was set up to address the shortage of cyber security professionals in the UK by mapping out clear career paths.
As a professional penetration tester and mentor to new recruits, I'm really happy to see that the Council has been founded and that it is opening up the pathways into the profession to a more diverse audience. Its Careers Route Map is a fantastic resource to guide aspiring cyber security professionals on the roles that suit their interests, the qualifications they'll need and, importantly, the salary ranges that they can expect.
Judging the book by the cover
During my own schooldays in the 1990s I knew that I wanted to study computer science and I took computing as a GCSE option. However, back then the teaching staff didn't understand the routes into computing careers, let alone cyber security. Despite telling numerous careers advisors that I wanted to work with computers and build computers, they kept steering me towards administration roles.
Even when I got to college, where I wanted to study computer science, I never really got the careers guidance I was looking for. Fortunately, one of my biggest motivators is being told that I can't do something; in fact, it's a trait that really helps me in my work as a penetration tester.
Overcoming obstacles
My own route into the profession wasn't straightforward. I started my family while I was still in my teens, then set up a scaffolding company with my partner before selling the business a few years later. However, I always planned to go to university. When my little girl was eight, I set myself a target to start my career in cyber security by the time she was in secondary school and enrolled on a computer science degree course. For the first two years of my course I combined my degree studies with working as a data researcher and bringing up my three children, and only became a full-time student in my final year.
After graduating with a first-class Honours in Computer Science, my initial plan had been to hone my skills and experience working on bug bounty schemes. However, I missed the structure and camaraderie of working within an organisation and began applying for pentesting roles with cyber security consultancies. After being interviewed by Pentest People, I was immediately offered a role as a security consultant and tester.
Finding the 'right' path into security
A key role of the UK Cyber Security Council is to raise awareness of the entry points into the cyber security profession and the recognised certifications and routes to career progression.
When I was looking at cyber security job adverts ten years ago, they all stipulated that candidates had to have a degree in computer science. Nowadays there are many more pathways into the profession, such as apprenticeships. Looking back, OSCP would have been cheaper than paying for a degree course, in combination with gaining a few CVEs and building my profile on LinkedIn and becoming known in the industry - but, personally, I wanted to go to university.
Holding the door open for other women
It's encouraging to see that it seems to be getting easier for girls to get into cyber security. When I was at school, as the only girl in my computing GCSE class, I got the feeling that I wasn't meant to be in the room. When you don't feel welcomed, it's hard to flourish.
As a fully-qualified and experienced pen tester, I'm keen to hold the door open for other women who want to get into the cyber security profession. I was recently appointed as the head of talent at Pentest People, which has given me the opportunity to write the induction programme for the new intake of graduates and apprentices. I currently have ten new appointees under my wing, three of whom are women. The programme draws on my own experiences as a pen tester and provides a solid foundation that provides consultants with the knowledge, understanding and confidence to undertake penetration tests and to communicate their findings to clients.
The answer is right under your nose
I whole-heartedly agree with Simon's comment that, "There's no reason you can't recruit your next security professionals from within." It drives me mad when I read about companies saying they want more women in technology, when they already employ hundreds of women. Why don't they offer those roles to the women already working within their organisations, who might have just fallen into a role in accounts, admin, compliance or marketing to support their families, but who have the desire and ability to be excellent technologists and/or cyber security professionals?
A lot of women tell me that they'd love to do what I do. A friend of mine works for the NHS and says she'd love to be a pen tester. She's great at problem-solving, has an innate curiosity, attention to detail and excellent communication skills. These are all qualities that we look for in cyber security professionals.
There must be thousands of women who had the same school experiences as me and were steered away from their true career. If organisations just asked their existing female employees if they'd be interested in training for an IT role, they'd gain the advantage of hiring women who already understand their business and who can bridge the traditional gap between IT and other departments. But they're not even asking them the question.
As Tom reported, a key part of the UK Cyber Security Council's role is to address the labour shortage in cyber security. The Council's CEO encourages employers to cast their nets more widely to encourage more people to enter the cyber security profession. In my view, they could achieve that goal more quickly if they cast their nets closer to home and brought in all the female employees who were steered off their true career paths when they were still in school."
