The one place rarely I have to wait in line for the restroom is at tech events, and especially at cybersecurity ones. At the recent RSA Conference I found out that Microsoft UK’s Chief Security Adviser Sian John actually launched an initiative called "Queue for the Loo" aimed at getting more women into cybersecurity “so that it becomes like normal life and we have to #queuefortheloo.”
While the industry as a whole isn’t there yet, RSA Conference made some gender parity improvements this year boosting its female keynote speakers from just one in 2018, to 29 this year, or about 43 percent of all keynote speakers. These women are all highly qualified security executives, so it’s difficult to imagine that conference organizers had to work all that hard to find women keynotes — they simply had to ask.
The overall sector, however, looks much less diverse. Women occupy only 11 percent of the cybersecurity positions, according to Forrester Research. And — have you heard? — the industry’s got a massive skills shortage. As Microsoft CVP of Security Ann Johnson said in her keynote, filling this cyber skills gap is going to require also addressing the inclusivity gap. “These gaps threaten the delicate balance in favor of the attackers,” she said. “And if we do nothing to address these gaps it will impact every single one of us in our daily lives.”
This is where groups like Security Advisor Alliance, a group that among other things works with schools and teachers to encourage future cybersecurity professionals, and efforts like Black Hoodie, a women-only reverse engineering workshop, come into play. Diversifying recruitment and training goes beyond gender and race, and it also applies to abilities, education, social background, and beliefs. “We know that diverse teams make better decisions 87 percent of the time,” Johnson said. “Our teams must be as diverse as the problems we are trying to solve.”
But beyond recruitment and training, the industry needs to retain talent, and Johnson said something really interesting about retention that’s not discussed nearly as much as the need for greater diversity. We need to take care of our security professionals, and this includes their mental health.
“We absolutely must protect the mental health of our defenders,” she said. “We must provide them technology and community, and we must listen to the research that demonstrates that mounting stress on our defenders leads to more mistakes and oversight the longer an attack goes on.”
Work stress, she said, is causing 66 percent of IT professionals to look for work elsewhere, and 51 percent of those are willing to take a lower-paying job for less stress.
Of course, it’s easy to point to Microsoft’s potential financial gains. Products and services like its new cloud-native security information and event management (SIEM) tool Azure Sentinel and its managed threat hunting service Microsoft Threat Experts use automation and artificial intelligence (AI) to take some of the burden off of humans, which presumably will lead to less stressed and overworked security professionals.
But it’s still important, and mental health should be part of the retention discussion, especially when it comes to something as important as protecting against cyberattacks, which can result in real-world life and death situations. Johnson called on security professionals to focus on mental health “so it’s no longer a stigma in this industry.” I hope the industry rises to meet this challenge.