“I got in the industry because of James Bond!”
In our preparation for the Nordic IT Security conference on the 7th November, we sat down with Jane Frankland – an award-winning cybersecurity entrepreneur, speaker, consultant and author. As one of the market’s top influencers and a huge advocate for women in IT security, she also discussed with us her forthcoming book on women in security, the latest cyberattacks and her own experience of being a businesswoman in the tech world.
So Jane, let’s start by discussing the most topical issues of the last few months – the WannaCry and NotPetya cyberattacks. Could you share your point of view on why they happened and what impact they will have on the cybersecurity industry, and on businesses’ perception of the importance of cybersecurity?
Attacks like WannaCry or NotPetya are ransomware attacks, and we’ve been seeing much more sophistication in terms of these attacks recently. Although McAfee previously forecast that ransomware attacks would decline towards the second half of this year, obviously we’re still being affected. These particular forms of ransomware attacks could be state sponsored, or cybercriminal – at the moment we don’t know. What we do know is that the purpose of these attacks was different. NotPetya was there to wipe out data, whereas WannaCry was there to take money.
Aside from ransomware attacks, we’re also experiencing the types of attacks that have been around for years, and we’re subjected to them because so many vulnerabilities still exist. Hackers are getting in and penetrating environments, systems and applications, largely because security is still an afterthought. It’s not being built in at the design stage. We’re also not doing regular penetration testing, systems are not being patched (for various reasons) and users are still being given admin rights and permissions that, quite frankly, they should not have.
There is this continuous debate on how businesses do not view cybersecurity as an important investment. Obviously, with the latest reports coming in on the actual losses NotPetya and WannaCry caused some businesses, that might change, but do you think it can change in the long term how businesses view cybersecurity? Is there a way to influence their perception?
There are so many different types of businesses in the world, from one-man bands, who are heavily reliant on their owners, all the way through to SMEs and multinationals, so there’s no silver bullet in how we handle these issues. It really comes down to how a business views its risk, its appetite for it, and what budget it is prepared to spend in order to mitigate the risks it has identified. If we’re talking about big multinationals – they’d normally have CIOs, who’d have access to the board and, having influence, would be able to educate them on what was going on in terms of their threat environment and security posture. Smaller businesses don’t necessarily have that resource in-house and often they don’t understand what’s happening. It’s understandable, as there’s a multitude of threats to consider. Some are deliberate, from threat actors such as cybercriminals, cyberterrorists and state sponsored attackers, and others are unintentional, from employees who make mistakes. Additionally, there’s compliance to consider, and right now the main focus is the GDPR.
As technology becomes smarter and more interconnected, they’ve also got to look at security in the cloud and the IoT, plus any legacy systems that they have, as these are usually built on old operating systems, which are vulnerable and unsupported. And then there’s their ecosystem of suppliers and partners, which they have to assure, and the non-electronic systems, such as cold data storage.
Whether or not a business has a security team, many are choosing to outsource their security operations. This allows them to scale and become more agile. It also allows them to focus on educating their employees as to why security matters to them and ensuring that policies and procedures are adopted, and risks are managed.
As you can see, there’s an awful lot to consider, and it’s always got to be aligned to the business’s appetite for risk, because the job of a security professional is not to protect the whole environment – not to secure it – because that’s impossible, but rather it’s to do their best with the budget that’s been allocated to them. That means they’ve got to detect attacks, respond to them and recover from them fast and with minimal impact to the business. This makes it very challenging, as attackers are getting more sophisticated and creative in terms of how they’re getting into the systems, as well as going after businesses with old types of attacks.
The only way a business is going to get all of this and their perception to be changed is when you know what drives them and then you communicate the implications – threats and opportunities – in a language they understand. For a board this is usually best done by using monetary figures but for other key stakeholders it might be something different like time or speed.
Jane, you advocate for more women in the IT security industry. What’s your take on diversity in the industry right now?
With a bombardment of attacks and an increase in awareness from businesses wanting to protect their assets and mitigate their risk, according to reports we’ll have a 1.8 million skills deficit by 2022. However, from my research, I really question whether we have such a big issue.
One of the things I’ve noticed is a lack of meaningful data. For example, few reports or media articles specify what job roles we need, and in which countries. If we don’t have meaningful data on this we can’t do anything to resolve it. At the moment there’s a lot of hype and scaremongering. I know many security professionals, from CISOs to computer science or security graduates, who are available for work but who can’t find it. I also know people who have non-tech degrees or come from other careers who’d like to join our industry but are finding it difficult to get into. So, it’s little wonder I question whether we’ve really got a skills shortage if these people – who are capable – are not being employed.
In terms of the gender diversity issue, we do have low numbers of women in security. For the past 5 years we’ve seen a trend and a year-on-year decline. Right now we’re standing at 11% in terms of women in cybersecurity around the world. We also know that more women leave the industry than come into it, and that’s a huge problem. So for me, when I look at attracting more women into the industry, I think it’s important to focus on the hiring and retention processes. Many companies do a really good job of attracting an equal number of men and women but struggle as many women leave after about 2 or 3 years.
The reason why women in security are so needed is because of economics. Firstly, according to numerous reports, women in business are good for profits, as they ensure more innovations, more diversity in the workforce and stay on track with budgets more often than when compared to homogenous teams. From a security perspective though, women are vital as they see risk in a different way to men.
They also behave differently, too. There was a study done by a Nordic company, which looked at gender culture. Having studied more than 10,000 employees across five verticals in two countries within the Nordics, they found women to be complying with rules, and embracing organizational controls and technology, more than men. Additionally, whilst men rated their knowledge and awareness of IT security, controls and behaviours much more highly than women, men reported higher levels of risky behaviours, both on their own part and that of their colleagues.
Their research was interesting and along with my work highlights that one gender is not better than another, but that by working together we can use the skills that we have naturally to actually make the industry better. I think the message should be it’s OK to be different and whilst there’s a lot of emphasis on women in tech or security right now, I’d like to see an industry where people are recruited based on the ability of their thinking and communication.
The reason I’ve been doing so much work with women and have chosen to lead with them is because I’m obviously a woman, have been in the industry for over 19 years, and we’ve got data reference points on women in security. Yet many of the issues I write about in my book or speak about at conferences are applicable to anyone, irrespective of gender. I also believe that by tackling these issues we’ll perform to a higher standard as an industry.
You mentioned that a huge majority of women leave the workplace and don’t come back. Do you have any knowledge of why that’s the case?
Yes, and I go into detail in my book. I believe the main reason why so many leave is because of culture – and this comes down to the ideas, customs, and social behaviour of the business, plus where the business resides globally. This is a hugely complex issue and each organization is different but some common reasons come up time and time again, for example, a lack of flexibility in terms of remote working, travelling, or hours of work. This is a huge problem for women in India who are incredibly well educated when it comes to security, yet many have to leave when they get married or start a family. Many women also get tired of working in a male dominated environment because they’re subjected to sexism, harassment or discrimination. The really sad thing is that most of the time their male colleagues don’t even realize that what they’re doing is either penalizing women or making them extremely unhappy. But it is. The ‘2017 Global Information Security Workforce Study: Women in Cybersecurity’ revealed that 87% globally experienced unconscious discrimination, 53% experienced unexplained denial or a delay in their career advancement and 19% experienced overt discrimination.
You talked about the aging of the industry. There is a Twitter discussion going on about whether you need education to actually be a good cyber security professional or whether you need practice, because it’s really hard to teach such a specific subject. Do you think there is a connection between the two?
When I started in the industry nearly twenty years ago it was different. People grew into security. It was evolving and they were given a chance in security – to learn on the job. Lots of young people entered the profession, but now the industry has less than 10% who are under 30 years old. Back then security was less complex and it was mostly technical. Now, however, it’s much more complex, certifications are established, and it’s maturing. There’s also a very big part of the industry that actually concentrates on a less technical side. We call this the human side. This means we’re looking at psychology and behaviour now. Within our industry there are many professionals, especially the more senior ones, who’ve never been educated in technology or computer science. Take for example pen testers – most of them don’t have degrees, and if they do, some aren’t even technical. Most start out by playing or “tinkering” with technology. Because they’re interested, they network, learn from others, watch YouTube videos and build their skills by experimenting. There are certifications for them to take if they want to, but most of the time it comes down to whether or not they can do it, and if you’re a pen tester who’s hiring another, it’s easy to ascertain whether or not they’ve got the skills to get the job done. With other roles, it’s different. Take security awareness. One woman I know came from a PR and marketing background. She had no experience in cybersecurity, but she was interested to learn about it, knew how to communicate and how to market, and was able to bring employees up to speed from a cybersecurity perspective. Then there are other women who’ve made a transition from being a PA. They’ve got good relationships in the organization and are effective communicators.
Other successful women in the industry I know have degrees or backgrounds in law, tech, accounting, audit, history, physics, English, business, HR, astronomy, philosophy, psychology, drama, art, nursing, floristry, hairdressing, building and so on. Security is really very diverse.
I know you offer advice to women a lot, so after this discussion we’ve had, I was wondering if you could share the advice you give to women and to those looking into changing their profession to cyber security?
My biggest advice is to build your personal brand, and I teach many in security how to do this. This means knowing who you are, what you stand for, what your values are, what your mission is, and how you’re going to present yourself online and offline. Being visible is so important for women, as there are two types of work – visible work and invisible work. Women often do invisible work. They work hard, do a great job, and yet because they’re not visible they remain unnoticed and get bypassed for promotions. Building an effective personal brand enables them to avoid this. Furthermore, it enables a woman to know how to pitch herself, which is important if she wants to attract a mentor or sponsor and develop her career. Mentoring is all about training someone to do what you’ve done – it’s about imparting your knowledge to them – informing them how you’ve done it. Sponsoring is about helping someone whom you believe has got talent to get a job via your own network.
Once you’ve created your personal brand you should then start building your network. This means participating in conversations and discussions online and approaching others in cybersecurity whom you’d like in your network. If you focus on forming genuine relationships with people you’ll build a good network quickly.
After this, it’s really about building your knowledge. Look into what security area you want to specialize in – is it a technical area? If so, be as specific as you can, i.e. do you want to become a penetration tester or a subject matter expert in end point security, encryption or threat intelligence? Or do you want to go down a business route, for example strategy, operations, program management, or governance, risk and compliance (GRC)? Also consider if you want to be offensive or defensive. If you don’t know what route to take, that’s not a problem. Just approach the right people in your network and ask them for advice. If they don’t respond, try them again, but be polite and value their time. By doing this you’ll get an idea as to where you want to sit in the industry.
So why did you decide to go into security?
When I started my first tech company I knew nothing about technology. The only two things that interested me were artificial intelligence and security. I chose security as I thought it sounded interesting, cool, glamorous and a bit like James Bond. The work I do is nothing like Bond, however, for someone who likes people, psychology, transformation, continual learning and a dynamic environment it’s incredibly satisfying. It also fulfills three of my core beliefs – freedom, empowerment and entrepreneurship – for we secure the world’s operations, its state of being. We – in cybersecurity – are now fundamental to how our society operates, and the world relies on us to protect them.