What do Girl Scout cookies and cybersecurity have in common? For one, they both have massive reach. No matter how hard you try, you really can’t avoid either.
They also both have Liz Joyce. She’s Hewlett Packard Enterprise’s chief information security officer (CISO), a post she’s held for two years after being at the company for six. This puts her in a very elite club of female cybersecurity professionals. Depending on whose numbers you believe, women only occupy between 11% and 14% of cybersecurity positions. Judging from this, as well as the limited number of women in c-suite roles, it’s a safe bet that the percentage of female CISOs and CSOs is even smaller.
“When you look at the STEM industry general, about 29% is female,” Joyce said. “In cyber, some say 14%, some as high as 20, some as low as 11% but either way it’s far too low.”
When Joyce and I talk, she’s surrounded by Girl Scout cookie boxes and planning sales — it’s that season, and her daughter is a Girl Scout. For the record: thin mints are her favorite.
In addition to being HPE’s security chief, Joyce also played a pivotal role in driving a cybersecurity curriculum that the company launched earlier this year in partnership with the Girl Scouts. It aims to educate girls ages 9 to 11 on cybersecurity skills. Girls who complete the curriculum will receive a patch to put on their uniforms, and as part of the new program HPE also debuted an online game called Cyber Squad.
Make Security Fun Again
“The important thing for us was making it fun,” Joyce said. “When it’s fun, and it teaches, it’s far more memorable. Maybe it sparks an interest in cybersecurity, and just igniting some of that passion in kids is really important.”
It’s important because it shows kids that security is a potential future career, and it gives them something to aspire to. But equally important is showing kids role models and leaders in the field who look like them.
The new Girl Scouts program and online game are just a couple of HPE’s attempts to bring more diverse applicants to an industry that not only suffers from a lack of diversity but also a massive shortage of skilled professionals. While the Girl Scouts program is specific to girls, Joyce stresses the importance of building relationships with all under-represented groups — the National Action Council for Minorities in Engineering, for example — and especially those that target youth, like HPE’s CodeWars coding competition.
“We talk about cybersecurity, and we know there’s a major talent shortage,” she said, referencing a Cybersecurity Ventures report. “The most recent numbers suggest 3.5 million vacancies by 2021. We literally cannot find enough people to fill these jobs. If you are excluding, or not including, a large portion of your population who might be able to contribute to this, that’s a pretty fundamental missed opportunity.”
In addition to simply increasing the potential candidate pool, diversifying the cybersecurity sector brings more ideas to the table about how to prevent attacks and secure environments — and that should matter to everyone.
“Cybersecurity is a big challenge,” Joyce said. “It’s not industry specific, it’s not regionally specific, and it touches everything that’s connected. So you want to take all of the best resources and innovation to solve that problem. Technology is constantly changing and evolving, and cybersecurity is no different. It has to constantly adjust to either keep up or get ahead of the attackers. If you don’t have that diversity, you’re going to keep coming up with the same answers.”
Changing the Programmatic Structure
To drive diversity in security, several things need to change.
First, “there has to be that programmatic structure around how we hire, develop, and retain an inclusive workforce,” she said. This includes doing outreach in diverse locations and schools so the pool of candidates doesn’t all look and think the same. “And for those that are driving the business and making those decisions, you have to have the same diversity,” Joyce said. “Making sure there are women in leadership roles who can help be part of that change and keep that focus is really important.”
HPE’s security team is 32% female, and the leadership team within security is 50% female, Joyce said. “However, there is more room for improvement, and that attests to the focus the company has in supporting that change and recognizing that we as a company and our customers are all going to be better off if we earnestly have a culture around this. Part of what we do, as Antonio would say, is bring together the brightest minds to drive innovation, and to do this you have to have diversity of thought.”
Antonio is Antonio Neri, HPE’s CEO who took the reins from Meg Whitman last year. And this points to another key requirement when it comes to driving diversity: the mandate has to come from the top. If the c-suite doesn’t buy in to its importance, it’s never going to become part of an organization’s culture. Joyce says hiring and retaining diverse employees is “a constant area of focus” at HPE, “from Antonio, to my own direct boss [ John Schultz, chief legal and administrative officer], it has always been an aspect of what we do at HPE. Meg [Whitman] was always a sponsor of women’s groups within our organization and that has not waned.”
This involves recognizing unconscious biases, having open discussions about them, and then also following up on the words with real actions, Joyce said. “Whether it’s about training, or how we go through our whole talent process, it’s about making sure we hold ourselves accountable and being transparent about that.”