How do we create a diverse cybersecurity industry?
How do we foster greater diversity and inclusion to an industry with historic underrepresentation? And of what is the industry depriving itself when it doesn’t make space for diverse voices? These questions were at the heart of a panel discussion held October 28 by the Rogers Cybersecure Catalyst that brought together experts from some of Canada’s biggest brands to share their experiences and ideas. Matthew Tim (VP Cyber Technology Office at Royal Bank of Canada) and Sundeep Sandhu (Vice President, Cyber Security at Rogers Communications) joined moderator Momna Farooq (Cyber Security Consultant at Deloitte and an alumnus of the Accelerated Cybersecurity Training Program’s October 2020 cohort) to discuss the progress that has been made in creating an inclusive industry, and the deep-rooted systemic issues that still require work.
“Within the last decade we’ve seen significant change, and there’s diversity in leadership,” said Sandhu. “I think it’s really important that you never diminish what reflections of you look like in all roles. When you see yourself in those types of roles, it really can foster comfort and courage. If you can see it — you can be it.”
Sandhu noted that for many women, one barrier to cybersecurity has been how the industry has traditionally been branded. “When I came into the business, it was very much: if I didn’t have a black hoodie and I wasn’t a hacker, nobody knew what cyber security was,” she remembered. “Open conversations like this are changing that. Cybersecurity is much more of a multidisciplinary field. There are so many types of roles and an understanding that we need all types of skillsets.”
Cybersecurity is a vast industry with many different kinds of careers, and for Tim, promoting this idea will be key. “I think that excitement has to come with an understanding of the diverse roles that the cyber field offers,” he said. “We always talk about the cohort with the hackers and the data scientists or the ones doing all the intelligence work, but if you look at the makeup of the population of security, there are a handful of those who are really what we would call specialists. Are they really as important as the ones who operate some of the security controls? My answer is yes, everyone is just as important because security is made up of multi-faceted elements. We have to have a comprehensive defense approach, and it requires individuals with different skills and perspectives.”
The Accelerated Cybersecurity Training Program is an example of an initiative that seeks to train learners from diverse backgrounds. Core to the program’s philosophy is that a career background from outside cyber is an asset, not a hindrance. “I would be more interested in a well-rounded individual who can run a business, manage a team, manage finances, manage organizational change, and make sure the team is led with empathy,” said Tim. “The cyber part can be learned, but I would say that the other parts are developed over time and in some cases more difficult to learn.”
He added, “”I’ve had some conversations with candidates who will say, ‘I’ll be honest, it doesn’t seem that interesting,’ or, ‘I don’t have the technical background.’ I don’t think we should allow first impressions about the work to deter strong, diverse candidates from pursuing a career in security and cyber.”
How can the industry build on the progress achieved in recent years? Sandhu proposes that large organizations must continue to build internal programs to foster diverse talent. “We must continue to amplify and shine the spotlight on talented women and equity-deserving groups to show representation and build the future of cyber talent in Canada. Mentorship and sponsorship are critical to the path forward. When you complement high-performance with effective sponsorship, you build future leaders, innovation and results.”
Tim feels that further efforts need to be made in making STEM disciplines exciting and accessible to people as early as elementary school. “We want to generate that excitement about cyber, but also demystify that it’s not just about hacking, and it doesn’t mean you have to be a technical expert to be able to code. We need to generate excitement and extend knowledge so that diverse candidates, and especially women, understand that there is a career, an opportunity and a future in cyber and tech.”