Joyce Hakmeh
Good evening, everyone, and welcome to Chatham House, to this event tonight about Expanding and Enhancing the Global Cyber Workforce. My name is Joyce Hakmeh. I’m the Deputy Director of the International Security Programme here at Chatham House and the Co-Editor of the Journal of Cyber Policy.
In today’s interconnected world, where information and communication technologies form the backbone of digital economies and have enormous potential to fast-forward progress on the Sustainable Development Goals and improve people’s lives in fundamental ways, cybersecurity takes an essential and crucial place. And when we talk about cybersecurity, we talk about normally the three pillars of cybersecurity, that is the people, processes and technology. People are essential to delivering cybersecurity, and to protecting against threats to national security, and to help harness the potential of information communication technologies, ICTs, and achieving the socioeconomic development and growth.
However, there are key challenges. The demand for cybersecurity professionals continues to outpace the supply for societies, businesses and governments globally, resulting in a cybersecurity workforce gap. Effectively recruiting, developing and retaining cyber talent are common challenges in many contexts, especially in government contexts, and it does not end here, there are also challenges around diversity of the cyber workforce and its inclusion.
So how can we address the cyber security workforce shortage and skills gap and how can we expand, enhance and diversify the global cyber workforce? Today’s event, supported by (ISC)2 and the UK Cyber Security Council, will try to answer these questions and will help us understand where progress has been made and which areas require the most attention going forward.
So, with us to answer these questions, we have a fantastic panel, and I’ll start with my immediate left here, Ruth Edwards, Member of Parliament for Rushcliffe and Parliamentary Private Secretary for the Chancellor of the Duchy of Lancaster, yes, and the other speaker…
Ruth Edwards MP
Speaking [inaudible – 05:26].
Joyce Hakmeh
The other speaker is Simon Hepburn, the CEO of the UK Cyber Security Council, and Clar Rosso at the end, the CEO of (ISC)2, and Julie Johnson, the First Attaché to the UK from the US Cybersecurity and Infrastructure Security Agency. Welcome to all of you.
So, before we start with the discussion and the questions, just a few housekeeping rules, so today’s event is on the record. If you are social media inclined, please do tweet and use the #CHEvents. We will be leaving some time towards the end of this for some questions, so if you want to ask questions, raise your hand and people will come with a mic. If you are online, then welcome to our online speakers, or, sorry, participants. Please do use the Q&A function. And lastly and very importantly, there will be a networking reception at the end of this, so please don’t leave and join us upstairs for that.
So that’s the introductions, and I’ll start with the actual substance, and I want to start with you, Clar, and at (ISC)2 you do quite a lot around trying to understand the global cyber workforce and where the gaps are, so can you tell us a little bit more about that? What does the current global cyber workforce look like and if you can tell us a little bit also how the pandemic has perhaps changed that landscape?
Clar Rosso
Okay, it’s a great question. So, I have some good news and I have some bad news. So – and the bad news is the good news, actually, so let me get to that. The pandemic just intensified the cybersecurity workforce and skills gap because with people working from home, the threat landscape simply exploded, and there was awareness of that. So when we were looking at the 2020 workforce numbers, we thought, “Can’t wait to see 2021 numbers, and we are going to see an explosion of demand for cybersecurity professionals.” Didn’t happen. It actually – the demand shrunk in 2021, and when we dug into that, we felt it shrunk because of a little bit of economic tightening and uncertainty and that people weren’t quite ready to grow their cyber workforce.
We’ve seen something – but the workforce itself grew quite a bit in 2021, so we’ve seen something different this year. We saw the workforce grow globally by just over 450,000 which was great news. However, we saw demand shoot up significantly, so the workforce is now 400 – 4.77 million cybersecurity professionals, but there’s unfilled demand for 3.2 million. So while the workforce grew about 8% this past year, demand grew over 26%, but that bad news is the good news, because I think what that shows is an increasing awareness among organisations of the need to have qualified professionals in place to help support their cyber defences.
So, we’ve also – and I know we’re going to talk about a lot of this, so I won’t go into a lot of this now, but in addition to kind of looking at the workforce number, we actually don’t think that’s the most important bit. We think what’s important is what are the strategies we collectively can engage in to attract more people into the profession. How do we retain the people we have, and how do we create that welcoming environment of belonging that’s going to want all sorts of people to be a part of the cybersecurity profession, and we can talk a little bit more about that later.
Joyce Hakmeh
So basically taking the long view, and even if the numbers are not so great now, let’s think more long-term and think about the strategies and the measures that we take now.
Simon, the Council has been established to help deliver the UK’s national cybersecurity strategy and specifically looking at the workforce and standards. Do you agree with the way Clar has described the situation? What are the, sort of, trends that you are seeing and how are you thinking about these trends in the context of your work?
Simon Hepburn
Thank you, thank you very much. Yeah, I do agree with a lot of what Clar’s basically said. I think the – you know, from a report that was developed by DCMS around the current, kind of, skills gap within the UK, which was launched back in May earlier this year, there is a – one, a skills gap and that seems to be increasing on a year-to-year basis. So – but it’s looking at really two areas. One is around what’s the, kind of, entry levels into the profession? What’s the, kind of, roles that really – where we need that technical knowledge and expertise, but also what, kind of, skills that we basically need to develop as part of drawing on that wider profession?
So, from our perspective as the Council, we’re really looking at how do we ensure we create a – kind of, a structure and a process where – as a, kind of, career route map into cybersecurity, and what’s the, kind of, key qualification certifications? And we’ve got those obviously members here today who are from obviously certification bodies, what’s the appropriate certifications who specialise in whether it’s security architecture, risk, etc.? But really being clear around what’s the specific need? And obviously my focus is obviously, you know, the UK, and I’m looking at international perspective, but really based on – very much on the UK. So what’s the specific skills that are required to deliver, not just for HMG, but also for all businesses? So that’s a lot of the work that we’re, kind of, focused on doing, and also looking at the – what’s the, kind of, core standards that we need to work towards throughout as part of our work as the organisation?
Joyce Hakmeh
So do you see the situation has improved in the last few years or is it, kind of, flag – it’s still a challenge, it’s getting bigger, we’re getting maybe smarter in addressing it, but, you know, the, sort of, situation is not getting much, much better?
Simon Hepburn
I wouldn’t say the situation’s getting better. I think the – and especially in relation to attackers in a sense, I think there’s new technology and new approaches basically being developed, so we have to be responsive to that. So that’s one, around how do we then train up our workforce and our peoples and our departments and organisations, how do they basically protect themselves? So it’s really important that we’re agile as a sector and a profession and that we’re developing the appropriate, kind of, training and development programmes to skill people up to obviously protect both the organisations, of course.
Joyce Hakmeh
Thank you for that. I want to dwell a little bit more on the challenges before we get into that, what we need to do, and I want to bring you in, Julie, from the US perspective, to also share, sort of, your views as to how do you see the status quo today, what is the picture that you’d like to paint? Is it very similar to what they’re saying, is it – in the US, are there, sort of, like, specifics that are a bit maybe different from what the previous speakers have said?
Julie Johnson
And I do want to highlight something else we saw during COVID and thank you for bringing that up because, you know, we try – in public service, we get out to universities, we want to group, we’re seeing a drop also in higher education enrolment, right? So the pool of people we used to rely upon is shrinking.
I know I’ve seen this in my own family. During COVID, I had a niece and a nephew who did not like the online environment, online learning, they were both in cyber studies, they both left to join the military, right? And that’s a – so our pool of people is shrinking, that’s a very big challenge for the USG. You know, we need to remember that if we’re not going to get that pool of people from the outside, we have qualified public service inside. So our challenge is reskilling, retraining people we have inside, and that’s going to take a huge investment.
And if I may also touch upon what’s unique about public service, right, because I was here for the Security and Defence Conference at Chatham House and up came that usual question we’ve all heard before, it was posed to General Breedlove and Lockheed Martin, how do we compete with the private sector? We can’t, and we don’t need to try to compete with the private sector. What we need to emphasise and our challenge is to remind people in the States the value of public service, and that’s how we’re going to pull people into the process. That, of course, requires shifting our human resources, how we hire, and again, I mentioned this previously, I do not think we necessarily need to focus on retention because there’s constant changes in tech. Let’s be honest about government service and what we can offer people, get them in the door, thank you for your service, then send them on their way.
Joyce Hakmeh
But, I mean, some people might challenge this view and say, “Well, is messaging enough when the private sector’s offering, like, you know, six-figure salaries?” Is a, kind of, say, come and serve your country, you know, like, a good incentive on its own to, kind of, attract that talent, that the governments really need?
Julie Johnson
I think so. I’m here because of that, right? I have colleagues who have left the financial sector, great colleagues at State Department, Department of Energy and other places because of that mission set, because they know what is possible and what good they can do. So yes, I 100 – I’m 20 years in doing this, I wouldn’t be here if I didn’t believe that. I guarantee you I would leave if I did not believe in that mission, and that’s the messaging and the mentoring and the one-on-one, kind of, messaging we’re going to have to do.
Joyce Hakmeh
Brilliant, thank you. Ruth, you do quite a lot about, sort of, how can we change the culture, how can we change the mindset thing, and listening to, kind of, the experts describing what they’re saying, like, what resonates with you and how are you thinking about these problems, as you’re thinking about the solutions, that need to be in place?
Ruth Edwards MP
Sure, so, I mean, I think we’ve seen massive disruption to the global labour market since COVID, right? It’s affecting a lot of different industries, it’s been quite interesting to see that ‘cause obviously, as a former cybersecurity professional myself, I’ve known it’s been a problem in the cyber industry for a long time. We now have it in lots of different industries, as people reassess where they want to work, do they want to work overseas from their families, what kind of, sort of, lifestyle work balance that they want to create. And so we see, you know, shortages in one sector, we’ve put some stuff in place, we get more people in there, then those shortages crop up in another centre. So in government at the moment, it feels a bit like you’re playing, sort of, Whac-A-Mole, just desperately trying to plug gaps in places.
When it comes to cybersecurity, though, I think there are two key things that we need to be focused on. One is recognising that 80% of the 2030 workforce are already in the workforce, right? So we need to get people to switch into those sort of careers. Now, I actually think we have a great opportunity for doing that because so many parts of the – of any, sort of, tech industry are undergoing so much change. So, before I was elected, I worked in BT’s cybersecurity team. What is happening to networks at the moment? There is a huge shift away from physical networks to virtual networks, and with that far less requirement for the whole big teams of people we used to have, you know, putting those networks in, maintaining them, everything like that, and different skillsets involved.
So one of the things that BT did very successfully was look at how to reskill people who’d been involved in that side of the business and bring them over to growing areas of the business like cybersecurity. So the entire one of their stock teams, for example, was trained from an engineering team formerly, and worked very well, so I think we’ve got options like that.
In government, I think we need to look at how we can have flexible finance for people to retrain at any stage in their career, and we did a lot of work on that with the Post-16 Education bill, looking at the lifelong learning guarantee and the, sort of, bank account of training that – about four years’ training that everybody can get to take at any point in their lives. And I think that’s really key ‘cause I think the model that we’d worked on as a society, whereas you finish school, you do your training, and then you go and you do it, and that’s your career for the rest of your life. That’s not going to hold up because jobs change, jobs are going to go, jobs are going to change, new jobs are going to come, so I think that’s a key part of it, too, and then the other part I think is addressing the pipeline issue and getting people excited at school age about cybersecurity and the huge range of choices there are – there is there.
Joyce Hakmeh
Brilliant, thank you. Clar, I want to go back to you and to, kind of, talk about the, sort of, best practices and things that we need to do, and I’ve identified here a few from what you’ve been all saying. I think, Simon, you talked about we need to understand where the need is and, like, what skills do we need to develop, what are the qualifications for that? I think, Julie, you talked about the importance of messaging, looking inside and seeing how do we, kind of, retrain people, and then, Ruth, you’ve been talking about, sort of, importance of reskilling people, as well, so resonating some of what’s been said and, kind of, switching between careers and not, kind of, going to the classical way of university, job, etc., and think a little bit more in an agile way. And on that, kind of, point of agility, we all know that the cyber threat landscape is constantly changing, so how can we be agile in identifying the emergence – emerging areas of need and growth to respond appropriately in the cyber workforce and just then respond to the, kind of, threats that are emerging? As we think about all these measures, how do we take into account the constantly changing landscape? Clar.
Clar Rosso
So, I would say this. You know, when I – it’s almost like an 80/20 rule. So as important as what are the emerging threats, when we ask cybersecurity professionals what’s at risk and they say they’re at risk if they don’t have enough staff. They tell us when we ask more specifically and dig in and say, “What isn’t happening in your organisation?” The things they’re telling us is we’re not doing enough risk assessment, threat hunting and management. We are not touching our critical systems in timely ways. We are failing to follow our processes and procedures, and we are not – we’re not having the time to invest in training our whole staff in the organisation, ‘cause it’s really not just about the cybersecurity staff, it’s also about raising the cyber literacy of the entire ecosystem, and then oversights, processes and procedures.
And so that information, to me, speaks to there is the threat hunting aspect of it and we need to think how can we do more of that? But that information speaks to me as that the basics are getting missed, more often than not. So never mind the new threats, we’re not doing the basics that can protect 80/90% of what we need to protect as an organisation. So focus on the basics. And what I’m seeing as best practice is talking to people around the globe because this is a collective shared problem around the globe, is that organisations are really starting to think a little differently about who they hire, and they’re starting to realise that if I can hire entry and junior level professionals and the kinds of work that they can do for us are the exact kinds of work that we’re not doing as a result of not having enough staff.
Those are all entry level jobs that – and so that’s helping, and then the second part there is they’re really starting to turn to hiring people with non-technical backgrounds, and the right personality attributes that actually lead to successful long-term careers in cybersecurity. So they’re looking for analytical thinkers, problem solvers, good communicators, critical thinkers, creative people, people who can work alone and in a team. And I am finding, talking to organisations, they are more and more willing to hire for that skillset, and you will be happy to know, through research, a passion for really public service, and whether that’s public services in public protection, those are all the attributes that lead to long, fruitful careers in cybersecurity, so people are starting to hire for them and then train the technical bit.
And so that’s actually, for us, is really encouraging because we know that the most ideal situation is to bring the technical, the I – steal people from IT and bring ‘em over to cybersecurity, but the need is so great, we don’t have enough of those people. As much as we talk about unfilled demand in the cybersecurity workforce, there’s another thing that I think is more important than that gap number. 95% of all businesses globally with 100 or fewer employees have no cybersecurity professionals at all.
Joyce Hakmeh
95%?
Clar Rosso
95% with 100 or fewer employees have nobody on staff at all, so they don’t even have that demand to call it unfilled. So the assumption is – so this is something new we uncovered and now we need to dig on it, so the assumption is they are using probably some level of third party service or there are some very, very fractional complete cyber professionals and they’re spending 25% of their time. It’s somebody on their team is spending less than 25% of their time attending to the organisation’s cyber hygiene or work defences.
Joyce Hakmeh
Thank you.
Clar Rosso
That’s hot news.
Julie Johnson
Hmmm, right there, but this is our audience, right? So critical infrastructure landscape across 16 sectors, healthcare, food and ag, energy, right, it’s massive, but exactly to your point, it’s not the emerging threat, it’s dealing with what we have now, right? So CISA, our policy, our training, our culture, comes out of DC but we have an army of people that march across the country door-to-door to offer tailored services to exactly those people in those smaller organisations, the largest Fortune 500 banks, that’s where we find the prob – where the problems are. That’s where we have discussions about physical cyber convergence. So those people that didn’t previously see themselves in a cyber career managing a wastewater treatment plant, now, with their industrial control system, connecting to the IoT, they are in a cyber career, right? So that messaging, those tailored tools, training and resources, that’s – if we can get to that lowest common denominator, not only in training and education, but also in interesting people into the cyber field. That’s where we pull most of our people in.
Joyce Hakmeh
How do we do that?
Julie Johnson
With an army of people that march across the country. CISA is broken into ten regions. I previously came from New York City, I covered New York, New Jersey, Puerto Rico and the US Virgin Islands, and I mean it. We marched around knocking door-to-door, and you eventually get to a tipping point of security if you knock on enough doors. That’s how we do it.
Joyce Hakmeh
Brilliant, thank you. Simon, can you please also share your thoughts on this issue and I’m interested if you can also comment on what Clar mentioned about it’s not just the technical people, we can – we should also be, you know, seeking non-technical people, which is sometimes hard to attract them into this industry because they think, “Oh, you know, it’s very technical, it’s not for me.” So how do we address that?
Simon Hepburn
Well, obviously, I think one of the key ways is really around demystifying the profession with – ‘cause there is a kind of – both a perception and a view that you have to be, you know, a Computer Programmer and very, kind of, technical to join the profession. So, exactly as Clar said, I think that it’s really important to really do the basics because that’s where a lot of the, kind of, challenges are currently.
So one way is around demystifying the profession where people understand that you can come from different skilled professions and especially around, kind of, people with, like, career changes, etc., can join a profession, but one of the things with that is really about understanding, but what are you going into? So, are you – you know, are you going into security testing, are you going into security architecture, are you going into penetration testing?
But it’s really about the entry level opportunities, understanding what skills you need to do that, making it – one of the – you know, the key things for us as an organisation is really about raising awareness of the profession to both the general public, but also to not just to profession of, kind of, experts but people in other occupations. Because when you do that and what then happens is that people see that they’re actually making a contribution to cyber or cybersecurity.
And when engaging with younger people, it’s not so much about talking about cybersecurity, it’s really about working with them where they are and what they understand. So that might be talking about TikTok or Snapchat, and then around digital security, and kind of taking them on that journey to then understand actually, I need to protect myself, my information, this is cyber, and then taking ‘em on the journey.
So, for me, it’s really around, kind of, taking people on the journey to flow into cybersecurity and really make it – you know, the work of the Council is really about focusing very much on this is a job and a profession and a career, the same as engineering, the same as law, accountancy, come and join us. There’s opportunities, loads of opportunities, not just nationally, but internationally, and you can, you know, be working from home, etc., but still be supporting some work around the country. And exactly as you said, there is a really important, kind of, mission piece, some people absolutely will join because they want to make a positive contribution to society and that’s realistic.
Joyce Hakmeh
I think that’s really great what you’re saying about demystifying the profession and trying to, kind of, raise more awareness that it’s not just about, like, one thing that you do, there are, like, different things that people with different skills can do and should be doing. But I also think that, you know, there is also some sort of awareness needed around the impact that these jobs will make, right? It’s not just about the big stuff, national security stuff, there’s also, you know, things that one can do to help, like, you know, your neighbour, like, you know, the community more gen – right? So there are different levels where this can help. Ruth.
Ruth Edwards MP
Well, I think Simon is completely right about demystifying the profession and the different career paths you can have in it, because I think cybersecurity is quite – or a career in cybersecurity is quite a nebulous concept to a lot of people. I mean, probably not the people in this room, but if you were to go into your average coffeeshop and ask people to start naming different things you could do as a cybersecurity professional, I think people would struggle beyond hacker or spy, or maybe comms, obviously, you know, a big online anti-fraud presence.
So, I think that’s one of the key things and I was saying to Simon, actually, it’s really great to be sitting on the stage with him because before I was elected, we were working on the designs for the Cybersecurity Council with Tech UK, the – one of the trade bodies, and BT, and there was this big, sort of, organogram of what could it do? So it’s great to see it up and running and actually giving that shape and focus to the industry, so I think we are making good progress.
And then, I think the other thing is thinking about how, as Julie was saying, public sector organisations, private sector organisations who can’t afford to pay as well as some of the big tech companies, some of the big cyber companies, can attract people to work with them because it’s not just money. So, for example, BT, I mean, we don’t – they don’t pay the same rate as some of the other cybersecurity companies, but we were never short of penetration testers because they had this fantastic, huge global network to basically play about with, so there was that real area of interest.
We see GCHQ have made really great progress with Cyber First, which is this bursary programme that gets students through university on the basis that they then work, I think it’s may – might be two years, I can’t remember the exact number, but a couple of years for the security services after that, different – you know, in terms of alliances between countries overseas, why can’t we look at doing secondments, you know in certain areas? Maybe not the most sensitive ones, but there are lots of creative things you can do to offer people a fantastic career, which aren’t necessarily just focused on the highest figure salary.
Joyce Hakmeh
And, you know, as you said, like, also it’s just that the mission of working in the public sector, but also the access and the experience, the unique experience that you get that you won’t get anywhere else, right, especially when you work with big agencies like CISA and others.
Clar Rosso
But I’m not going to be quiet about the process, I know there’s security clearances and other things to go through, so I know there’s a lot of revamping of the process we have to do because it takes time. It takes time to come onboard, so how do we change that before people walk away?
Joyce Hakmeh
Right. I’d like to get now to talk a little bit about diversity and the workforce, we’ve been talking about the gaps, the challenges and what can we do, in terms of, like, trying – changing mindset, changing the messaging, demystifying the profession, etc.? And Simon, the Council does a lot of work around understanding the diversity in the workforce, and before we, you know, hear from you about what is the diversity looking like in the UK, I want to ask you a question about the importance of diversity in the workforce because some might say, “Well, I don’t care about, you know, my tech people’s gender or ethnicity or background, as long as they can do the job, they’re in,” right? What is the problem with that kind of thinking?
Simon Hepburn
Yeah, I think that the – there’s loads of business cases, anyone can go online and, kind of, see the business cases, not just for cybersecurity, but in any business. I think the more diverse your workforce is, the more profitable you will be as an organisation and company, and what you really need, especially in this sphere, is that you need people who are thinking from different perspectives based on different cultures, different understanding, different genders, sexualities, etc. Because ultimately, these are – when we’re looking at the kind of – the attackers, in a sense, they’re – that’s the perspective they’re coming from. So you can’t have just an homogenous group who’s constantly looking at cybersecurity, what you need is a diverse workforce who’s also on the defence side, so I – so for me, it’s around getting that balance right.
And there is a report that’s written by KPMG, commissioned by NCSC, called Decrypting Diversity, so that was – the last one was 2021 and then the baseline was in 2020, and that basically showed that within cybersecurity, the – there’s very – there’s more work to do, I think is the best way to describe it, but they – especially in relation to I think more women in cybersecurity and more ethnic minorities in cybersecurity.
And so really, within that report, there’s six recommendations, two of which is for the Council to really drive forward, and one of those is really around the – showing the kind of – showcasing some current role model. So, you know, we’ve got obviously Lindy Cameron, etc., who’s the CEO of NCSC, so really highlighting some successful women in the profession, their kind of journey into the profession, but also apprentices, and, you know, who’s – again, kind of, join the sector and their journey, and also career changes. So really showing the different routes into the profession, so people really get that understanding. So, for us, as an organisation, it’s about continuing to, kind of, drive that agenda forward.
A few weeks ago, we had an Ethnic Minority in Cyber symposium, and that was really to look at what are the current barriers or the perceived barriers, okay? So – and it is important that we have that open engagement, and last year and this year – next year, sorry, we’ll be having an internati – on International Women’s Day, an International Women’s, kind of, conference in relation to women in cyber event, again, which is really important. Last year, we had Lindy, again, who was part of that and also my Chair, Claudia Nathanson, and it’s really about how do we not just open the doors, but also support women who may be at a specific position within cybersecurity, how can we raise to be CISOs? So watch how you break the glass ceiling, etc., but talking to global CISOs on how to basically break that glass ceiling.
So, diversity from our perspective is, well, diversity, it’s inclusion, but set in the right culture in the organisation to include people, so they basically make a positive contribution. But the next Decrypting Diversity report will be out in 2023, so the datasets, the analysis, but that’s going to take place in 2023.
Joyce Hakmeh
Great, thank you. Julie, can I come to you next about why do you think diversity is important in the cyber workforce and what – how do you see diversity at the moment, maybe in a US context, if you want broader than that? Simon talked about the diversity of thoughts that is important, which can also lead to profitability. What are your views on this?
Julie Johnson
100%. I mean, we can’t be stuck in groupthink, that’s it, bottom line, and I was so glad to hear you mention Lindy. I mean, like, we’ve got Jen Easterly, I mean, talk about lead by example with these two great women, right, and look at this stage, I mean, this is amazing, right?
So it starts from the top, and you’re absolutely right, the recruiting, the outreach, the efforts, we – it’s all there. We’ve changed our internal culture, but I want to say it’s still going to take some time to turn that ship of internal culture around. We can hire in as many people as we want, diverse people, but until we completely change that internal culture, it’s not always a welcoming environment everywhere. And I don’t – you know, I’m just going to be blunt about that, I have colleagues in the private sector and across federal agencies who aren’t quite met with that welcoming culture yet. So that’s going to take some time, and until we get that right, we’re not going to retain the staff we need.
Joyce Hakmeh
But how do we change the culture, in your mind?
Julie Johnson
Well, we’ve done it in – it’s CISA, it’s come from the top, again, leading by example, right? Who do you bring in? I mean, if you have Jen Easterly on top, I mean, that’s the best thing we can do. Putting down values like respect, people first, thinking about mental health, right? So we’re getting there, we’re getting there, but I just want people to recognize it is going to take time, that there’s no quick fix to this.
Joyce Hakmeh
Hmmm hmm, Clar.
Clar Rosso
Agree with everything that’s been said. Shall I focus on some thoughts I might have about how we drive change?
Joyce Hakmeh
Hmmm.
Clar Rosso
So, one of my favourite quotes of all time comes from the woman who was the first African-American woman Member of Congress in the United States, her name was Shirley Chisholm. There’s this beautiful quote that says, “If they don’t give you a seat at the table, bring a folding chair,” and I, kind of, live by that. But I understand that not everyone does, so what we need to really do is focus on that inclusion piece and how do we create inclusive workplaces. And yes, I think there’s some toxicity and bad practices within the profession, but I certainly find globally there’s more openness and willingness to change than one would imagine, and that that kind of old school thinking is going out. And we actually have data now that’s showing us for the Gen Z and the millennials moving into the profession, that the organisations they want to work for have to have diversity, equity and inclusion initiatives. And organisations – we captured this for the first time this year, the organisations that actually have DEI initiatives in place, their staffing shortages are smaller than those organisations who are working on building their DEI programmes or those organisations that have nothing at all, and that’s really compelling.
The other thing I would say, when thinking about, kind of, job satisfaction in creating inclusivity in the workplace, is don’t – okay, I’m going to just say this in a way that’s not super gentle and you’re – we’re all going to come on the journey with me.
Joyce Hakmeh
We’re a tough crowd, don’t worry.
Clar Rosso
Okay. The old white guys that caused the problem should not go into a room with all good intention and say, “This is what we think these young diverse professionals want,” and then walk out of that room and unveil their grand thinking. It’s beautiful when that comes from the heart, and that means a lot to me, but that’s not the way forward, and the way forward truly is you have to talk to the people that you’re trying to intract – attract and include in your organisations and find out what’s important from them directly.
So yes, things like pay equity are important, give me a mentor or some role model that I can talk and bounce ideas off of, show me a career pathway, but in addition to that, some of the big things that are coming up is, get rid of your gatekeeping culture within the organisation. That’s a huge one for job satisfaction. Job satisfaction goes through the roof when the gatekeeping culture in an organisation’s been eliminated, so work on things like that.
The other thing that’s really important and actually fits nicely into what I just suggested is people want to work – diverse people, newer people of professions, also want to work in organisations where leadership in an organisation actually listens to them. They care what they have to say, they ask their opinions, which fits back to your idea, Simon, of everybody should be at that table and that all opinions should be valued. Those are the organisations that people want to be in, and the people who find themselves in organisations where that’s not happening, they’re out the door. They got the private sector offering them jobs, they’re not going to sit around for a culture that they don’t deem acceptable. So it’s totally possible, but it has to be intentional, and that – can I do one more thing?
Joyce Hakmeh
Yeah, of course.
Clar Rosso
And I’ll just go for it. If there’s someone in your organisation that is creating that toxic part or the non-inclusive part, but they are this amazing high performer, I’m going to tell you, your organisation is not as good as the great culture words you have on the wall. You are only as good as that worst behaviour that you tolerate. So as long as you tolerate bad behaviour in your organisations, you’re not going to change anything.
Julie Johnson
I’m going to cry a little bit there.
Clar Rosso
Have my speech.
Joyce Hakmeh
Between the two of you and everyone on the panel, I think going to leave with some tears in our eyes, but I think – I just want to come to you, Ruth, because I’d like to hear your perspective on this. We heard from Clar about the importance of understanding your people, I think, and their needs, right, and getting rid of that gatekeeper culture, and bring a folding chair when there aren’t enough chairs around the table. What else would you like to add to that?
Ruth Edwards MP
Well, I – the first thing I want to say, actually, is that I do think things have got considerably better. So, I’ve been in and out of the cybersecurity industry since about, sort of, 2012, and I would never have been to a panel event where three of four panellists were women. We were actually quite lucky if we saw one woman on one panel in a whole day of panels at a conference. Usually the women were in, sort of, long evening gowns giving out the goodie bags on stands in the expo hall.
So I do think that things are a lot cheerier than they were, and I think it’s really important, I would really back up what everybody’s been saying about the importance of role models. Because if people look at an industry, doesn’t matter what it is, whether it’s cybersecurity, whether it’s politics, and they don’t see anybody that looks like them, then they don’t think that that’s going to be a good place for them to work, they don’t feel like they could potentially belong there.
And it was actually – that was actually really brought home to me how that happens at such a young age, and apologies to those who’ve heard this from me before at any Women in Tech events. But my friend was telling me about her little daughter, who’s about six years old, and when she had this conversation with her, her little girl had only ever really known Theresa May as Prime Minister. And my friend was having a conversation with her husband about David Cameron, and Olivia said, “Oh, mummy, who’s David Cameron?” and she said, “Oh, well, he used to be Prime Minister, darling.” She said, “Oh, being Prime Minister is a woman’s job.” And it’s really at such a young age, people get that idea that if they don’t see people, you know, they associate industries with what they see. So I do think it’s really important that we have, you know, female professionals front and centre, the people from, you know, diverse ethnic backgrounds front and centre, as well, I think that’s really important.
I think neurodiversity is something that a lot of cybersecurity companies are now exploring, and I think that’s a fantastic way to make use of the great skillsets that people have, but just needs some tweaks to the way, you know, that they’re managed and the – their working environment, as well. So I do think that we have a lot of opportunity there, provided that we’re open to that and pushing it, but I do think it’s – although we still have a considerable way to go, I do think it’s a lot better than it used to be.
Joyce Hakmeh
And thank you for mentioning the, kind of, neurodiversity and the feedback, etc., because, you know, when we often talk about diversity, it’s always like, “Do we have enough women?” and it’s way broader than that. And I actually want to take it a step further and talk a little bit about the, sort of, importance of intersectionality in our, kind of, understanding of diversity because, as we know, identities are made of complex combination of characteristics, which overlap in ways that can have important consequences and often leading to multiple disadvantages for the same groups.
So, in your work, Simon, I’m trying to understand the diversity in the workforce, to which extent do you go trying to, kind of, map out the, kind of, this intersectionality that is very important to really get an accurate picture?
Simon Hepburn
If I – based on the work that we’ve obviously been looking at is – one, it’s around looking at that wider, kind of – the wider diversity piece. So if we’re focused on let’s say young people in schools and ed – especially education, who’s taken up either computer technology kind of courses, like GCSE, etc., and who’s not, and if young ladies are not then why not? And really looking at organisations, there are specific organisations that focus very much on obviously neurodiversity, and our, kind of, perspective on it is that we – as an organisation, we can’t focus on every special, kind of, characteristics in relation to intent. And so really, it’s about working with organisations and help both organisations and businesses to develop really good models of work and programmes, that are really getting – are creating a positive impact. So it’s about engaging with them and amplifying that work.
The – because our focus is very much on how do we get more people into the profession and a lot of our current work and content were, kind of, written by professionals and maturer people. And so based on that, some of the – our current narrative, and I own this, some of that current narrative is – wouldn’t be accessible for younger people or for the general public to access. So it’s a really important piece of work to, kind of, make that change of some of our current, kind of, comments and narrative.
But also – you know, I’ve got a mature Board, I hope you’re listening, my Board of Trustees, but also to engage with young people around what should this look like and that’s basically a co-production model. So how do we work and engage with the future talent pipeline, so that they then understand we’re creating that information, so that they then understand, you know, how – one, how to join the profession, but what the profession actually is. So whether that’s, you know, one of the specialisms or how to get chartered, etc., and they see that kind of route, but all of the areas in relation to [inaudible – 44:25].
Joyce Hakmeh
Right, and giving the – also agency for the – you know, the other voices, right, as you said, Clar, and, kind of, moving away a little bit from the old models.
Alright, so, now we have 20 minutes left and I’d like to turn to all of you in the room, but also people, and I see some questions coming in, in the chat, and so I – perhaps what I will do is, I’ll take three questions at a time, if I have them, and then give you a chance to respond to the questions that you would like. So, who would like to ask questions? Right, okay, so let’s start with you, sir, and then you and then break.
Member
Thank you, it’s great listening to you. I just have a question, I know it seems a bit unrelated, but it’s a bit like the other side of the coin, in terms of cybersecurity and hackers. Availability to cyberweapons and access to them, for instance on a USB like this or hardware, is one of the most, kind of, unregulated things today, and in the UK, we don’t have that with firearms, for instance, possessing one can be an offence. However, with cy – with weapons, we see possessing one is not offence and using one is, and I wonder your thoughts on whether cyberweaponry is access to a good thing, with ethical hacking and such, or is it a bad thing? I was just very interested in your professional opinions.
Joyce Hakmeh
Thank you.
Member
[Pause] Hi, good evening, thank you. I’ve got a question for Julie Johnson, actually, and then I’d be interested to hear Ruth Edwards’ thoughts on this, as well. So, to Julie, how much of your army of cybersecurity professionals that knocked door-to-door was made up of veterans and do you have government programmes to encourage service leader – leavers into cybersecurity? And then to Ruth, does the UK have such programmes? How do you think we leverage the network of thousands of general risk management professionals that leave the armed forces each year?
Joyce Hakmeh
Thank you. Okay.
Craig Edwards
Thank you very much. Hello, Craig Edwards, Hakluyt. You’ve spoken extensively about bringing people into the industry and how we need to attract new people, different types of people, etc. I’ve spent a lot of time speaking to senior cyber leaders, and particularly those who have got high levels of accountability, and one of the things which keeps coming up is the enormous pressure that they’re under relentlessly. Increasingly, as I speak to people like CISOs, it’s remarkable how many of them are actually thinking about leaving the industry. So I’d like to ask the panel how important is retention, as well as attracting people, and what are some of the steps that can be taken to increase retention levels amongst the most experienced cybersecurity practitioners?
Joyce Hakmeh
Thank you very much. Plenty of questions for you, so why don’t I start with you, Ruth, and then can go like this? Pick up whatever, we had cyber weapons, veterans, retention, take your pick.
Ruth Edwards MP
Sure, so when it comes to veterans, so the UK does have a number of programmes that links veterans up with employers. I’m not aware that they are, like, cybersecurity specific in that way, I think it’s broader than that. Obviously, you do have a number of cybersecurity companies coming forward to take part in those programmes, for the very obvious reasons that you listed in your question, you’ve got a great potential workforce there. I think that’s a really good idea, and possibly something that we should actually explore. So I think I’ll go away and find out actually if we are doing anything that’s specific on cybersecurity ‘cause we’ve already got the format and the setup there that works very well with lots of other different industries, so I think that would be good.
On cyberweaponry, you’re quite right, a lot of it is dual use, right? So, something that could be a cyber tool to be used in perfectly good faith to test your organisation’s defences can also be deployed for various purposes, and that’s why we have the Computer Misuse Act, which is going to be undergoing the overhaul. Quite where we are with that, in terms of the legislative programme, it’s been, I think, somewhat delayed, the announcement of that, and that’s something I’d like to see brought forward because it was designed in the 1990s, and I think we can all agree that things have moved on a bit since then. So yeah, we do need to look at that again.
Joyce Hakmeh
Thank you. Simon.
Simon Hepburn
I’ll answer your question, if that’s okay. So, I think the – it’s a real interesting one, especially around – you know, especially CISOs, global CISOs, is, kind of, top of the profession and who fundamentally you’re looking to leave the profession. And one of – you know, I have quite a lot of conversations, which I always find super fascinating, is that the – very often, you know, it’s – and also cybersecurity professionals are in the, kind of, IT stack and not in the, kind of, business stack. So they’re not having the conversations with, you know, the Directors or the Chief Execs or they’re at the – basically the top table. So when you’re in that position, so a lot of responsibility or accountability is – kind of sits with you, but you can’t drive anything forward, that is very, very, very frustrating.
And so a lot of the blame, ultimately, would be put on yourself, and so really, for me, it’s about making sure you have the right people around the top table, and CISOs is definitely one because it is – it’s not just an – it’s not an IT issue, it’s a business issue. It’s about business continuity, you see. So it’s really – and so it’s really important to have the right people around the table having a conversation, developing a business continuity plan and response plan, etc., and to make sure the work, kind of, support mechanisms are put in place.
So if the CISO is basically talking to the Directors and the Chief Execs around some of the challenges in the organisation and this is what we need to do to mitigate, it’s about giving that support for that to take place, whether that’s, you know, software-based, IT-based, or staff-based or resource-based. If you’re not getting none of that, but you know a lot of the responsibility is and you’re going to get the blame, then who would want to be in that role?
Julie Johnson
Yeah, agree, knowledge transfer is just so difficult for us. We see people walk out the door and take everything with them. We do have programmes in various agencies at the government to bring people back, kind of, part-time, to transfer that knowledge to the next generation, but a very important point you bring up. Before I go here, what a great topic of conversation, and then if we look at misinfo and disinfo and this evolving world.
With CISA, not directly related to cyber tools as weaponry, right, we’re always having a – trying to walk a tightrope of regulation, no regulation, right? So what a great evolving landscape, but I would like to follow-up with you on that conversation, and add CISA falls under Homeland Security, which is equal to the Home Office. I am a minority there for not serving in the military. I think the last numbers were one third veterans, so this is a space we actively work in. Jen Easterly is a veteran herself, so 100%, yeah.
Clar Rosso
I’m not going to talk about the retention part ‘cause of course we have to retain people, we can’t afford to lose any there, except for those toxic ones, we can get rid of them. But I want to talk about that, kind of, accountability and responsibility at the CISO ‘cause I think this is a fundamental, problematic issue that we have. There’s a little bit of cyber insurance that would come in to thinking about this, as well.
I spent a lot of time in the accounting and finance industry before I entered my – the role that I’m now, and you all might remember the ear – some of you are probably not old enough to remember the early 2000s, but most of you look like you’ve been around the block awhile. And there became a time which, like, Arthur Andersen and Enron fell apart in the United States and really, globally, and all of a sudden, people woke up and said, “Wow, we might have a problem with our Corporate Boards of Directors, and most particularly Public Boards of Directors, actually don’t have the level of financial expertise that we need them to have.” I think we need to start having conversations about the level of cyber expertise or cyber literacy that especially Public Company Boards of Directors need to have.
I have the best Board of Directors in the world because they’re all cyber experts. I’m going to teach ‘em a little more about finances, but let’s not say anything about that. I’m kidding. But I really think – I think there’s something about that, I think the cyber literacy of Boards of Directors, I think of CEOs, we really need to work on how do we help them understand what the issues that are being dealt with are and what, as leaders of the organisation, as the CEO who says no to the CISO when they say, “I need you to urgently do this to shore up our cyber defences,” then there’s a breach and there’s a big problem and they want the CISO to take the fall and say, “Whoa, whoa, whoa.”
There has to be a way that those lines of accountability and responsibility become much more clarified than I think they are today, and I would love to believe that that is going to organically happen, but I’m pretty sure it’s not. I’m pretty sure that there’s going to be some action in maybe starting with certain sectors like critical national infrastructure and others where there are going to start to be some requirements put in place in the US. Our Securities and Exchange Commission has a proposal out to say that if you have a Public Company, you’d better have somebody with cyber expertise on your Board of Directors.
Joyce Hakmeh
I want to take some questions here online and then hopefully another round from the room. So I have two questions that are rel – quite similar, actually. So if someone wants to move from working in virology into cybersecurity, where do they start? And someone else wants to move from being an IT professional to shift into cybersecurity, what are the future prospects of that? So that’s, kind of, one question.
And then another one is about saying “Several CISOs increasingly saying that they hire for comms to be the ship and ability to learn about the industry sector rather than technical skillset to help ensure [inaudible – 54:38] and board can understand what is happening and what is needed. Do you agree with this and do HR departments recognise this? Seems somewhat different from the job adverts, which often seem to require many technical skills.” So these are two questions, who would like to answer them, or one of them?
Clar Rosso
What was the first job they were switching from, in that first question?
Joyce Hakmeh
I think virology, but I don’t know how you pronounce it.
Clar Rosso
Yeah, it’s all possible. I mean, you know, open the gates wide to everyone, right? And again, I don’t think we really talked on – about, you know, what is a cyber job? It’s the Security Officer at a building that’s now a smart building, right? It’s a Datahub Manager, it’s somebody in crisis management, in continuity planning, right? So open the doors wide.
I used to recruit for State Department and NSA and I’d have a French Teacher come up to me, “I just teach French, how can I possibly do anything else?” I said, “Think about the skillset you have to bring to a classroom,” right? So think broadly, look for people that are responsible, that exercise good judgment, right, and their ability to learn. We have opened the – like I said, the gates wide to everyone, it’s possible.
Joyce Hakmeh
As we’ve heard, we need many, many different kind of skills, right?
Clar Rosso
There’s so many.
Joyce Hakmeh
Many different kinds of skills.
Clar Rosso
And everything is cyber now.
Joyce Hakmeh
Exactly.
Clar Rosso
And you talk about leadership, right, understanding what is cyber, if they’re in finance, it’s – it hits upon cyber, if it’s energy, it’s cyber, right, and that’s what we have to think about.
Joyce Hakmeh
Thank you. Anyone else for the second question?
Simon Hepburn
Second question, so in relation to I think the – especially around HR, I think one of the challenges we are finding and exactly as the question, kind of, posed was around the, oh, HR Departments very often ask for, you know, a specific role with several certifications or qualifications, which normally you would find after you’ve got a certain amount of experience. So, for a lot of people, that actually creates a barrier before you even apply. So, one of the challenges we find is that, so it’s really around how do you not just simplify, but it is around working with HR Departments to understand what’s the specific job you’re – you know, in relation to job description and the person’s specification, what’s essential, what’s desirable, and being really clear about what the role is. So it’s not, you know, general cybersecurity, if it’s focused on a specific specialism or area, absolutely articulate that.
Joyce Hakmeh
Yeah, yeah, and I think that’s really, really very important ‘cause that’s your – kind of, your entry point, right, into – okay, more questions from the floor. Let’s see, thinking about diversity, I’d like some diverse with – okay, so there’s the lady over there, and then gentleman, and then there, so there, and then we can see how…
Member
Oh, thanks for the…
Joyce Hakmeh
…many more people…
Member
Oh, sorry.
Joyce Hakmeh
Yeah, please, go ahead.
Member
Thanks for the opportunity. So, I have a question more on the, you know, industry practice right now ‘cause we have seen a lot of, you know, companies are undergoing this digital transformation, try to install a lot of, you know, emerging technologies like AI and, you know, software system into the workplace. So do you see this potentially could expose, you know, companies to, you know, bigger as, you know, cybersecurity risks, and how do companies currently address it? And also, as I’ve mentioned, there is a lot of new technologies involved in the workplace. Do we play a catchup game or, like, how is – what the current status, like, are we able to, you know, address those new challenges involved in – associated with, like, new technologies? Thank you.
Joyce Hakmeh
Thank you. Gentleman over there with the glasses.
Member
Thanks very much. I’m interested to know whether the panel would see what I’m about to describe as a risk or an opportunity or a bit of both, which is you described a significant gap between demand for skills and supply salaries that are increasing. And typically what you might see in those circumstances in other sectors would be some kind of wage arbitrage where people start to procure services or employ people in countries perhaps where the wages are a little bit lower or you might see an investment in automation or you might see both, where people are starting to remove humans from some certain parts of the process or the sector, and that investment, you know, will start flowing. So, does that create a risk for what we’ve described, or perhaps an opportunity, or a bit of both?
Joyce Hakmeh
Thank you.
Member
Hi, I know you wanted the E&I question, I haven’t got one for you, a diversity one.
Joyce Hakmeh
No, no, no.
Member
But I can think of one.
Joyce Hakmeh
A diversity of voices from the room, not about diversity.
Member
Right, just a quick – I was thinking about it just now. Do you think – somebody mentioned earlier about burnout, do you think there’s a need for specific therapy or a role to be created around therapy? We talked about mental healthism, it’s a big subject now, I think that’s – there should be a role specifically just around cyber, people who are coming into cyber, there’s a lot of work to do. I know the senior cyber people in senior levels have got a lot of work on, but people at all different levels have a lot of work to do, and people who are moving into the industry when they’ve got this massive workload just being thrown at them. Do you think possibly – you know, HRs have their own, sort of, mental health programme, but you think that we should be focusing on that and maybe even weave it into a syllabus where people who are coming into cyber, maybe there’s a section in there about managing the workload and managing your mental health?
And then just one diversity question. What would you think would be the biggest motivator for companies to actually invest in DE&I? You know, small companies, you know, we’ve talked about some companies even challenged with invested in cyber, then to put this on top of it, well, how we can motivate companies?
Joyce Hakmeh
Thank you very much. We have three minutes left, so I’m going to take, like, you know, quick answers from each one of you. Over to you, Clar.
Clar Rosso
Oh my gosh, I want to answer all – it’s security by design, the profession over and over and over again, and this is not self-preservation, says yes, technology can help supplement, but it will not ultimately replace people, the people have to stay. Mental health and mental wellbeing, data again, remote work, let them work from home and give them a choice in where they work. The people who work from home, we have data that shows they take better care of themselves and their mental and physical wellbeing than people who are being forced into offices.
Julie Johnson
Exactly right with the tech. There is a gap it can fill, but you’re not going to get rid of the human element, it does come with risk, 100%. The push for diversity, it’s that groupthink, right? We need diversity in thought, it will make your business succeed. Mental health has been a top priority from our – for our agency since day one. We have tools and resources and Jenna’s going to kill me, I can’t remember the system, Headspace, I think I have that correct. We have townhall meetings talking about mental health, it is almost part of our daily activity, so you’re absolutely correct.
Joyce Hakmeh
Thank you. Simon.
Simon Hepburn
Completely agree, I think we’ve – so technology, AI, etc., yes, at a baseline, but you always need humans. I’m being as sharp as possible in relation to mental health. It’s always interesting, especially if you’re looking at something like digital forensics, so what they’re looking at, what they’re reviewing. So I think the whole thing around making sure they’ve got the appropriate support is absolutely essential, not just digital forensics, but within core cyber. So that should really be part of the core, kind of, both staff benefits, but the construction to make sure you’ve got the right culture within the organisation. And the final one was?
Clar Rosso
Diversity, what’s the benefit of being diverse?
Joyce Hakmeh
The most – the incentive.
Clar Rosso
Yeah.
Simon Hepburn
And yeah, so – and yes, I think it’s what I started off saying before, it’s really – it’s the ultimate – the benefits to the organisation, but also to the individuals.
Ruth Edwards MP
Right, so, quickly, so on new technologies, yes, it does increase the risk, there’s an increased attack surface. How can you get out in front? Well, there’s two ways. There’s first concentrating on prevention, having much more secure design, so we’ve just had the – a bill go through parliament where we have put design standards on consumer technologies for the first time.
The other thing I think is thinking quite creatively about how scammers are going to exploit whatever it is you’re doing. So we saw over COVID, lots of – it wasn’t just working from home, though that was a big part of it, a lot of people immediately tried to exploit the COVID support that came from government. We had a lot of romance scam rises ‘cause lots of people were obviously dating online. And you’ve got to think about how – you know, this is what I’m doing, how might that be exploited, and get out there. And we’ve seen that done very effectively, actually, in terms of the disinformation from Russia over its invasion of Ukraine, and you’ve seen allied intelligence services putting out information that they would probably, in the past, not have done so about, you know, Russia will try a false flag operation here, and I do think that’s really helpful.
On the mental health support, I think one of the things I’ve seen, in recent years, was actually a much bigger awareness about the importance of mental health across all sectors, which I think is really important. I think particularly where people are dealing, as Simon was saying, with incredibly disturbing content. If you’re – you know, I know some of the Officers in NCA, for example, dealing with child sexual abuse content, I mean, that is horrendous, and obviously, you need specialist support for people in those organisations.
And in terms of what’s the, you know, business case for firms for diversity, apart from the issues about, you know, productivity and profitability, which we’ve heard about, there’s a cybersecurity workforce shortage. If you’re not appealing to women, ethnic minorities, the neurodiverse, etc., etc., that is a huge proportion of the population who aren’t going to come and work in your business, it’s over 50%. So that to me would be the key reason for doing so.
Joyce Hakmeh
Well, sorry for the pressure, and you all did wonderfully, and sorry for the audience for not getting to your questions. This has been extremely informative and I think, like, really very, very good advice and a very good, sort of, way of framing the issue, and I really enjoyed the conversation and I’m sure our audience have, as well, so thank you very much for joining us today. Thank you.