In 2020, the UK’s cybersecurity industry was 18% female, with men dominating STEM-related courses at universities; gender equity won’t happen overnight. But according to Jane Chappell, Operations Director at Arcanum, cybersecurity can be a liberating sector for women where what you know is more important than who you are.
“I think part of the apprehension (for women) is that it’s going to be terribly geeky and highly technical, but it’s actually very broad, and no one person can know everything,” says Chappell.
“There are lots of part-time and free online courses which didn’t exist 20 years ago. The Open University, for example, has good cybersecurity courses. As long as you’ve got access to the internet, you have various means to understand what the career is about. So alongside your job, you can do some self-study which is what many people do. I still do that as there’s so much that’s changing all the time.”
Chappell believes the industry is doing a lot to attract women and cites the work of multinational BAE Systems and their public commitments to hire, retain and support women in the sector, and the fact the National Cyber Security Centre has initiatives for school girls from 12 years old onwards.
However, she maintains that “self-motivation” is essential: “There are lots of initiatives out there, but I think the first thing is finding out they’re there in the first place.
“I think part of it is just having the confidence to do something. Once you’re in the know about something, you suddenly see lots of information about it. So it’s about making that first step.”
Cybersecurity is not known as a diverse industry, at least not yet. Still, Chappell says the possibilities are good for neurodiverse candidates as well as women: “Some of the specialisations in cybersecurity are a good fit with people on the autistic spectrum.
“Some of these really skilled people might not have the best interpersonal skills, but they have some incredible skills that are really sought after by organisations, and it’s about finding the right niche for them.”
Knowledge is the first prize
The conversation turns to being a female leader in cybersecurity, and from what Chappell says, it seems less imbued in the politics of representation that defines minority leadership in other sectors: “As long as you know what you’re talking about and you know your subject, that’s the key thing,” she says.
She goes on to say that cybersecurity’s constant focus on skills building and innovation means the sector is more of a meritocracy where progression is based predominately on what you know:
“As long as your skill sets are there and you’re able to justify your knowledge, gender is immaterial. The sector operates at a very high tempo, there are new technologies, new software, and new hardware coming out all the time. The skills that you’re required to have changes all the time in legislation and also in requirements and international standards; you have to keep up and meet those requirements.”
The workplace culture at Arcanum
Chappell speaks about the culture at Arcanum, the UK cybersecurity firm where she’s worked for over a decade and where they have achieved near equal representation for men and women:
“We have a fairly open management style, and we’re a virtual company with one small HQ in the West Midlands,” she says. “However, the majority of people work from Scotland all the way down to South Coast, and to everyone in the business, we say as long as work is delivered, you manage your own hours.
“So they work around their own commitments as well as personal ones too. We don’t do micromanagement. I think it’s the openness of the organisation, its transparency, and a very collaborative, supportive working environment that works for us.
“I don’t want any employee to feel that needing to go and do something else is seen as a weakness; in other organisational settings, they may feel they’re letting themselves or their colleagues down. I would say that leaders need to be as open as possible about the fact there are private things that people have to attend to, and keep up that openness about staff being able to manage their own workload and time.”
But is lack of transparency from staff an issue? From Chappell’s response, it seems that the nature of work within cybersecurity firms decreases presenteeism in favour of simply getting the job done:
“For us, it’s not a matter of ‘oh, I’ve got to be online’. We know that when some of our work is on client sites, people can’t communicate, sometimes for a day or two. We’re not looking into what everyone’s doing all the time. We have a weekly meeting, where they say publicly for whatever reasons that they’ll be away. And sometimes I can have half a dozen conversations a day with people online, but then I might not speak to someone for 10 days because we’re busy doing other things. There’s a balance with it all.”
So how can other cyber firms emulate Arcanum’s culture of openness and flexibility? Chappell says it’s down to making it “very clear” on the type of organisation you’re running. This, she adds, takes “a lot of confidence” as a leader to allow for employee autonomy over micromanagement.
“For the most part, we employ people referred to us or who have been known to somebody in the business. So we work very much on a trust model. But we have taken on some people we have never met before, but it’s just building that trust for the most part. So that’s the key message, but let them know what the boundaries are and what they can and can’t do, just be very clear from the start.”
Considering the flexible culture at Arcanum, it’s no wonder the firm employs a number of working mothers who Chappell says have pivoted into cybersecurity from other sectors. But she doesn’t see gender as the important factor and cites her male employees who are also working with young children:
“The gender of the person joining the company is, like I said earlier, immaterial. Of course, it just so happens that we seem to have been quite attractive to a number of women from their early 20s right the way to more experienced, mature women.”
For those women who joined Arcanum from different disciplines, Chappell says there are plenty of opportunities to learn on the job: “We’ve got two people running through part-time master’s degrees at the moment,” she says. “We’ve also got other people taking courses as it’s required as part of the job.”
Being a pioneer
So what does she think about recruitment drives where companies make an effort to hire from underrepresented groups? “I think sometimes it can have a negative effect. For example, there’s been so much publicity about bringing women into STEM and cybersecurity that we’ve forgotten that we should be here for our skill sets, not just because of the colour of our skin or our gender.”
Once women enter the sector, from Chappell’s experience, people, and by which she means the male majority, accept and support them as if they were any other employee. However, she doesn’t deny that women are still very much frontierswomen in cybersecurity and need to be proactive to break in.
“In my experience, people are very willing to help mentor and support anyone where cybersecurity is a new environment for them. I have always found it very welcoming. But it helps to be open about joining as many sorts of forums and organisations as possible as it might not always come through your company.”
