The UK government founded the CyberFirst campaign back in 2016, which is a broad campaign aiming to introduce young people to the world of cyber security before the crucial age when they start dropping STEM subjects at school. It’s a campaign with noble aims but the most publicity it seems to have generated was when this advert briefly set Twitter on fire last Autumn before being hastily withdrawn by the government.
Teenagers are about as likely to take career advice from the government as they are fashion advice from their parents, so government sponsored campaigns are always going to have a limited impact. The cybersecurity industry is increasingly realising that the lack of diversity across much of the industry is a problem. Adenike Cosgrove, Director of International Product Marketing at Proofpoint explains why.
“The reason you need diversity is because criminals target people. They understand human psychology. They understand how to craft marketing messages to get somebody to click. They know how to socially engineer different types of people in different types of roles to get them to engage with their payloads, or with their malware. So, in our security teams we need to have diverse perspectives on solving that problem.”
Cosgrove provides a real-life example of why the diversity of cybersecurity vendors matters.
“We did an analysis on one organisation and established that the most targeted team was PR. PR managers hold a wealth of information. They have access to pre-release information that isn’t in the public domain yet and they’re working on campaigns. Criminals target PR people to steal that information and steal credentials. This PR team was made of a broad spectrum of men and women from different ethnicities, so security teams need to reflect the same spectrum of individuals too.”
It seems like a small issue but the imagery that is presently synonymous with cybersecurity doesn’t appeal to the broad section of society that it needs to. It’s probably more successful at recruiting criminals than those with more noble intent. Perhaps more importantly, cybersecurity organisations are increasingly going out into local communities and using recruiters to actively seek out more diverse candidates rather than relying on existing, predominantly pale male talent pools.
Leah Claireaux, Cyber Security Research Professional in BT’s Future Cyber Defence team is a stellar example of what technology employers stand to gain from looking outside the box when it comes to recruitment. Claireaux joined BT in 2015 as an apprentice straight from school, and whilst she began doing a degree in network engineering, she switched to computer software engineering because she found it so interesting.
Having mastered Java and Ruby languages, Claireaux finished her apprenticeship in 2019 and casting around for her next challenge, alighted on the burgeoning field of data science.
“Data science was growing, and I moved into a research team looking at Big Data. I was trying to find my field as a researcher and cybersecurity has always been something that interests me. I like the idea that you can see the end result – you’re actually trying to prevent bad things from happening. I did a six-month trial in cybersecurity, and because of the networks and the software, they blended so well so I had that foundation knowledge and cybersecurity aspect as well.”
Given the relatively short time that Claireaux has spent as a fully-fledged researcher, she has already chalked up some impressive achievements alongside studying for her master’s degree in data science.
“I created a novel algorithm to identify anomalies in network data which is currently being trialled on production data,” she says. If the trial goes well, it could be developed and used across BT data.”
Illustrating the importance of community connections, Claireaux also volunteers as a STEM ambassador.
“I go into different schools and share my story with them. I also ran a hothouse where we got all the latest apprentices and grads together to try and talk about how we could overcome this kind of stigma about technical roles. We need to relate the technology and break it down. We answer questions like – how does TV actually get to your TV and that kind of thing. We need to make technology more relatable.”
Claireaux also believes in the importance of starting early. Pre-pandemic she would run sessions in primary schools.
“We teach algorithms from the basics in terms of making a sandwich by breaking it down into steps. It shows them that an algorithm is just a set of instructions, not this big daunting thing. From that start it becomes more interesting and more relatable.”
Like Claireaux, Adenike Cosgrove is part of a growing awareness in cybersecurity vendors that the responsibility for increasing the range of voices and perspective within their organisations is that of the vendor. For her that begins with Proofpoint’s customers and trying to increase awareness of and interest in cyber security at end user level.
“I think it’s easy to just put up that job ad and sit back but I think we need to do the work. As part of Cybersecurity Awareness month last October, Proofpoint engaged with some of the end users within our customer accounts. We did a webinar which wasn’t super technical, but focused on how end user can protect themselves – what could they do as individuals? For most of them it was the first time they’ve ever engaged with security in this way. It was very interactive. We didn’t just talk at them we encouraged them to come to us with questions. The number of questions that we got was so inspiring. So many people fed back that they wanted to learn more and have follow up sessions.
Another example is a session we ran for a group of women in the IT team for one of our customers and it was a real mix of levels with some quite senior right down to recent graduates who had just joined. It was a completely open and frank conversation about their experiences, but more importantly what they can do to progress their careers within their organisations. And that too was really inspiring.
Cosgrove is acutely aware of the importance of the public image of cybersecurity and suggests that cybersecurity vendors need to make themselves more approachable and accessible.
“I think really what we need to do as cyber security organisations is to be out there, provide those opportunities for people to come to us engage. We need to let more people know about cyber security because it impacts us personally, but by doing that, we will identify opportunities for people that are interested in cybersecurity to potentially join the industry and help us solve these challenges.”
Both Cosgrave and Claireaux are brilliant ambassadors and role models for cybersecurity, and their careers illustrate the kind of paths available in the industry. Nonetheless, the industry is struggling to attract the diverse talent it needs to keep cyber criminals and hostile states at bay.3 Cybersecurity professionals within enterprise are working hard, and using the tools at their disposal to transform their image from being stern spoilsports who stop employees using their favourite apps into collaborators and enablers of productivity. If the cybersecurity industry is to recruit the skills it needs now and longer term, it will need to reflect these changes, and make sure that it reaches out rather than hiding in the shadows.