In a December 2020 BetaKit Live, Canadian cybersecurity leaders said the ecosystem needed community to grow. But what are you supposed to do if that community is gated, leaving at least 50 percent of the population on the outside looking in?
The current approach isnât enough to foster the diversity – or scale – necessary to fill the estimated 3.5 million cybersecurity job openings globally in 2021.
In a recent BetaKit Live, Kirsten Turnbull, Security & Compliance Technical Specialist, Microsoft Canada; Lise Lapointe, CEO and Owner, Terranova Security; and Ikjot Saini, Cybersecurity Expert & Assistant Professor, University of Windsor discussed the necessary steps to build a more diverse and inclusive cybersecurity ecosystem in Canada, particularly by fixing issues in education and mentorship.
The only one in the room
Originally from Yellowknife, Northwest Territories, Turnbull grew up watching her dad – a satellite programmer for a telecom company – work with computers in the 1980s. She felt comfortable around computers from this experience, and decided to study engineering at university. But when she walked into her first-year course at the Southern Alberta Institute of Technology (SAIT), she noticed she was the only woman in the room her age. There was one other woman – a 50-year-old reinventing her career – but she was the only young person entering the field – a trend that has repeated multiple times throughout her career in IT and cybersecurity.
âIt was setting me up for the rest of my career. ‘Youâre going to be the only woman in the room.’â
Lapointe had a similar moment as an entrepreneur. Sheâd already built and sold a successful training company after a stint teaching IBM customers how to use mainframes in the 1980s. After her first companyâs acquisition, she wanted to build a product-focused company to help educate people in the cybersecurity world, which she called Terranova. In 2015, Terranova was honoured as a world leader in cybersecurity on Gartnerâs Magic Quadrant. During the selection process, the Gartner team told her she was the only woman they knew who was running a cybersecurity business.
Saini was a bit luckier. Originally from India, she completed her Master’s degree locally before coming to Canada for further research. After years in academia, Saini recalls that she wasnât the only woman in the room – there was one other woman as well.
These experiences are not unique, and happen throughout the cybersecurity world. Women and other minority groups regularly find they are the only one of âthemâ in the room, which the panelists indicated can lead not only to imposter syndrome, but also feelings of isolation that can hinder career progression.
For Turnbull, noticing she was the only woman in the room was a harrowing foreshadow.
âIt was setting me up for the rest of my career,â said Turnbull. âIt was, âyouâre going to be alone. Youâre going to be the only woman in the room.’ And that was the case.â
The need for a Cybersecurity University (or at least great internships)
Like any career path, cybersecurity requires formal education and practical experience for success. However, both âpipelinesâ are choppy at best.
Saini explained that in the university system, there are few, if any, opportunities to engage in cybersecurity while in traditional university programs. A person interested in cybersecurity must first complete an engineering or computer science degree, then apply to take additional courses related to cybersecurity. As a result, people who might already face barriers to achieving a traditional university degree are heavily discouraged from pursuing even further education.
âWhy are they going to spend extra time, extra effort, and extra money?â asked Saini, adding that if someone makes it through an engineering or comp sci program, they are often content to stop there and take a lucrative job as a developer or working engineer.
For those who make it through the challenges of academia, there are further challenges to gaining practical experience, since there are few clear co-op or work placements available for students. However, like any career path, hands-on learning is crucial for success in cybersecurity.
âI canât stress how important it is to spend some time in the trenches,â said Turnbull.
Turnbull added that programming needs to be made available as early as possible in the educational process, something she likened to a medical residency. Without that robust experience, you might end up with a doctor who knows how to set a bone but not much else – the same problems exist in cybersecurity, but thereâs no infrastructure to support hands-on learning.
The importance of mentorship and community
When youâre the only one like you in every room you enter, navigating any path can feel isolating. And when the opportunities are hard to find from the get-go, not having guidance makes it that much harder. The panelists each identified a need to foster mentorship and community to not only make the cybersecurity career path easier for everyone, but those people who might not feel welcome in the first place.
âWe need to encourage women to go into cybersecurity â and it needs to start at a young age.â
The challenge with mentorship in cybersecurity is that the young industry is not yet fully defined. Many of todayâs practitioners are creating the technologies and best practices of tomorrow. As a result, finding mentorship can be even more difficult in the cybersecurity world versus more mature industries such as finance or accounting.
Recalling her early career days, Turnbull noted that her mentor is one of the only reasons she was able to navigate the path sheâs taken.
âI would honestly say I probably wouldnât be doing this interview with you if I hadnât had the guidance of my mentor,â said Turnbull. âI probably would have run away, intimidated and scared.â
Lapointe agreed, adding that mentorship shouldnât only start when someone has already pushed through academia and hands-on learning.
âWe need to encourage women to go into cybersecurity – and it needs to start at a young age,â said Lapointe.
Saini experienced these challenges herself and wanted to create her own change. As a result, she founded the Women in Cybersecurity chapter at the University of Windsor in 2019 to help bring more women into the program and provide a sense of belonging for women already present. So far, itâs working: the proportion of women in the program jumped from 11 percent to 25 percent in two years.
More than meets the eye
Encouraging women to go into cybersecurity, said Lapointe, is not about making an emphatic âdiversityâ point. Instead, itâs about the simple fact that people from different backgrounds or with different experiences see the world differently – and that is crucial in the cybersecurity world.
Modern cybercriminals think like startup founders and are increasingly creative in their approaches, so cybersecurity professionals need to match – and best – that creativity with their own. Managing the constantly evolving threats in cybersecurity, said Lapointe, requires âfull inclusivity.â
But the traditional view of a cybersecurity professional is a nerd who codes, which Turnbull said âcouldnât be further from the truth.â There are many different types of roles in the industry, from sales and marketing, to coding and logistics. As a result, you donât have to be an elite hacker to go into cybersecurity.
Each panelist agreed that the industry is more about puzzle-solving than writing code, which if promoted properly, could broaden its appeal to a larger audience. While few are interested in becoming an âelite hackerâ, doesnât choosing a career as âthreat hunterâ sound pretty cool?