In a December 2020 BetaKit Live, Canadian cybersecurity leaders said the ecosystem needed community to grow. But what are you supposed to do if that community is gated, leaving at least 50 percent of the population on the outside looking in?
The current approach isn’t enough to foster the diversity – or scale – necessary to fill the estimated 3.5 million cybersecurity job openings globally in 2021.
In a recent BetaKit Live, Kirsten Turnbull, Security & Compliance Technical Specialist, Microsoft Canada; Lise Lapointe, CEO and Owner, Terranova Security; and Ikjot Saini, Cybersecurity Expert & Assistant Professor, University of Windsor discussed the necessary steps to build a more diverse and inclusive cybersecurity ecosystem in Canada, particularly by fixing issues in education and mentorship.
The only one in the room
Originally from Yellowknife, Northwest Territories, Turnbull grew up watching her dad – a satellite programmer for a telecom company – work with computers in the 1980s. She felt comfortable around computers from this experience, and decided to study engineering at university. But when she walked into her first-year course at the Southern Alberta Institute of Technology (SAIT), she noticed she was the only woman in the room her age. There was one other woman – a 50-year-old reinventing her career – but she was the only young person entering the field – a trend that has repeated multiple times throughout her career in IT and cybersecurity.
“It was setting me up for the rest of my career. ‘You’re going to be the only woman in the room.’”
Lapointe had a similar moment as an entrepreneur. She’d already built and sold a successful training company after a stint teaching IBM customers how to use mainframes in the 1980s. After her first company’s acquisition, she wanted to build a product-focused company to help educate people in the cybersecurity world, which she called Terranova. In 2015, Terranova was honoured as a world leader in cybersecurity on Gartner’s Magic Quadrant. During the selection process, the Gartner team told her she was the only woman they knew who was running a cybersecurity business.
Saini was a bit luckier. Originally from India, she completed her Master’s degree locally before coming to Canada for further research. After years in academia, Saini recalls that she wasn’t the only woman in the room – there was one other woman as well.
These experiences are not unique, and happen throughout the cybersecurity world. Women and other minority groups regularly find they are the only one of “them” in the room, which the panelists indicated can lead not only to imposter syndrome, but also feelings of isolation that can hinder career progression.
For Turnbull, noticing she was the only woman in the room was a harrowing foreshadow.
“It was setting me up for the rest of my career,” said Turnbull. “It was, ‘you’re going to be alone. You’re going to be the only woman in the room.’ And that was the case.”
The need for a Cybersecurity University (or at least great internships)
Like any career path, cybersecurity requires formal education and practical experience for success. However, both “pipelines” are choppy at best.
Saini explained that in the university system, there are few, if any, opportunities to engage in cybersecurity while in traditional university programs. A person interested in cybersecurity must first complete an engineering or computer science degree, then apply to take additional courses related to cybersecurity. As a result, people who might already face barriers to achieving a traditional university degree are heavily discouraged from pursuing even further education.
“Why are they going to spend extra time, extra effort, and extra money?” asked Saini, adding that if someone makes it through an engineering or comp sci program, they are often content to stop there and take a lucrative job as a developer or working engineer.
For those who make it through the challenges of academia, there are further challenges to gaining practical experience, since there are few clear co-op or work placements available for students. However, like any career path, hands-on learning is crucial for success in cybersecurity.
“I can’t stress how important it is to spend some time in the trenches,” said Turnbull.
Turnbull added that programming needs to be made available as early as possible in the educational process, something she likened to a medical residency. Without that robust experience, you might end up with a doctor who knows how to set a bone but not much else – the same problems exist in cybersecurity, but there’s no infrastructure to support hands-on learning.
The importance of mentorship and community
When you’re the only one like you in every room you enter, navigating any path can feel isolating. And when the opportunities are hard to find from the get-go, not having guidance makes it that much harder. The panelists each identified a need to foster mentorship and community to not only make the cybersecurity career path easier for everyone, but those people who might not feel welcome in the first place.
“We need to encourage women to go into cybersecurity – and it needs to start at a young age.”
The challenge with mentorship in cybersecurity is that the young industry is not yet fully defined. Many of today’s practitioners are creating the technologies and best practices of tomorrow. As a result, finding mentorship can be even more difficult in the cybersecurity world versus more mature industries such as finance or accounting.
Recalling her early career days, Turnbull noted that her mentor is one of the only reasons she was able to navigate the path she’s taken.
“I would honestly say I probably wouldn’t be doing this interview with you if I hadn’t had the guidance of my mentor,” said Turnbull. “I probably would have run away, intimidated and scared.”
Lapointe agreed, adding that mentorship shouldn’t only start when someone has already pushed through academia and hands-on learning.
“We need to encourage women to go into cybersecurity – and it needs to start at a young age,” said Lapointe.
Saini experienced these challenges herself and wanted to create her own change. As a result, she founded the Women in Cybersecurity chapter at the University of Windsor in 2019 to help bring more women into the program and provide a sense of belonging for women already present. So far, it’s working: the proportion of women in the program jumped from 11 percent to 25 percent in two years.
More than meets the eye
Encouraging women to go into cybersecurity, said Lapointe, is not about making an emphatic “diversity” point. Instead, it’s about the simple fact that people from different backgrounds or with different experiences see the world differently – and that is crucial in the cybersecurity world.
Modern cybercriminals think like startup founders and are increasingly creative in their approaches, so cybersecurity professionals need to match – and best – that creativity with their own. Managing the constantly evolving threats in cybersecurity, said Lapointe, requires “full inclusivity.”
But the traditional view of a cybersecurity professional is a nerd who codes, which Turnbull said “couldn’t be further from the truth.” There are many different types of roles in the industry, from sales and marketing, to coding and logistics. As a result, you don’t have to be an elite hacker to go into cybersecurity.
Each panelist agreed that the industry is more about puzzle-solving than writing code, which if promoted properly, could broaden its appeal to a larger audience. While few are interested in becoming an ‘elite hacker’, doesn’t choosing a career as ‘threat hunter’ sound pretty cool?