June 26, 2018
There’s really no “typical” individual in cybersecurity, and Jane Frankland exemplifies that fact. Jane, who entered the field with a background in textile design, is now the Managing Director of Cyber Security Capital.
Jane is also the author of the Amazon best-seller INSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe. I recently spoke with Jane about her path into cybersecurity and the importance of diversity in the field. An edited version of the interview is below.
What prompted your interest in cybersecurity?
Well [laughing], I literally started a company. I had promised myself to never do sales, but I had ended up in a pretty hardcore sales job. When I met my boyfriend, who was a “techie,” he wanted to start a company together. At the time, I only knew about two areas of tech that interested me—AI and security—and since AI was too emerging in 1997, we went with cybersecurity. I thought it sounded really cool (kind of like James Bond), and in those days, we were mostly talking firewalls and intrusion detection systems; companies had just started using email, and most didn’t even have a website. Cybersecurity was much different than it is today. We specialized in ethical hacking, and within two years, we had a seven-figure business.
How have you seen the field evolve over the last twenty years?
I see both progress and stagnation. The language has certainly changed: it started as “IT security,” or “information security,” and now we’ve evolved to “cybersecurity.” My company began as a value-added reseller, selling high-availability servers and security solutions. Then, it became “penetration testing”; and now we largely refer to the practice as “ethical hacking.” There’s also a lot more emphasis on people—how they can be both your greatest vulnerability and your greatest asset. Since people are security, this is definitely a positive.
On the other hand, I see a huge leadership problem. It’s so easy to look and to say, “we’re making the same mistakes,” because we frequently are; we’re talking about the same things we were twenty years ago. This comes back to the fact that our job, as cybersecurity professionals, is not to secure. Our job is to reduce and mitigate risk in line with each organization’s risk appetite. In order to do that, we need to better communicate what our job is to the stakeholders we’re engaging with, like the CFOs or the CEOs or the board (if we even get to communicate with them). We also need to start with people and then move to processes, rather than neglecting overall strategy. Since CISOs are only in their position for an average of 22 months, they’re not in the job for long enough to effect necessary change. So the volume of cybersecurity roles has increased since I started, but there’s still a long way ahead.
What inspired you to write INSecurity?
When I first worked in security, I can remember so clearly that I had a female client—and it was so exciting to find another woman in the industry; it was so massively rare. So I had noticed this lack of women in the field for a while. Then, in 2015, I picked up a report on women in cybersecurity, and realized the problem was worse than I originally thought—and it was getting worse each year. I decided that it was time for me to write about it. There was no agenda. I just wanted to be a voice and add my perspective. So I did, and it was really well-received. A few months later, I thought it would be useful to turn my article into a report. I ended up contacting a publisher out of curiosity, and she told me I’d be crazy not to write a book.
How is the dearth of women in cybersecurity making us less safe?
Women see risk in a different way. There’s loads of data on it, and this is all covered in the book. Since our job in cybersecurity is to mitigate risk, we are inherently increasing our risk by not placing women in decision roles. Women also have a greater tendency to implement processes rather than just tech, meaning they’re more inclined to consider human behavior and design holistic solutions.
Cybersecurity seems to have a diversity problem that extends beyond just gender. Do you think that affects our safety as well?
Absolutely. We already know that when women are in leadership positions, other forms of diversity increase. And bringing in different types of people clearly has an impact on how we solve problems and mitigate risk. Professionals from different backgrounds with different experiences—if they’re younger, if they work in different areas, it doesn’t matter—have unique skill sets and abilities, which makes us more secure when addressing problems. So when it comes to diversity beyond gender, we need to let data drive the discussion.
If you were speaking directly to women looking at the field of cybersecurity, what would you tell them?
Depends on whom I’m talking to! When I’m speaking with young girls, I use my voice as a tool—I bring stories; I talk about skills; I try to present the true promise of diversity in our industry and the intellectual diversity that already exists. You don’t have to be a techie. You can be a business person. There are lots of different fields that all play an important role. When I’m talking to people who want to pivot—from auditing, from law, from teaching, from HR, or even from a PA role—I’ll speak to them about the industry and how easy a transition can be. Generally speaking, I try to normalize all forms of contribution to the cybersecurity field.
What about recruiters? How could they recruit more women into the field?
The (diverse) talent is there, but we have an inability to bring it in. There’s a problem both with HR and with hiring managers, but it’s also a larger issue of how recruitment actually occurs. Looking at CVs can indicate gender, age, ethnicity, and other factors that may implicitly influence how we select candidates. Panel interviews can make candidates uncomfortable and cause different people to converge on single opinions, which is not necessarily good. Because nobody comes into cybersecurity ready-made, we need to write the job from the ground up. We need to train people upon entry and ensure that diversity of thought keeps organizations more secure.