Preeti Kanwar is a veteran woman chief information security officer (CISO) and a leading icon in the Indian IT community. However, she refuses to be boxed in gender brackets and applies the same bracket-less approach to cyber security.
“I do not want to make what I do gender-specific,” says Kanwar, chief information officer and CISO at NEC India. “Yes, there are very few female CISOs and CIOs, but I do not want to be looked at from that lens only. Thankfully, the Indian fraternity has always accorded me that same treatment. They do not look at me as a female leader. They respect me for my role and what I am as a person.”
Indeed, Kanwar has had a stellar career spanning nearly three decades, delivering technology projects in areas such as virtualisation, cloud, supply chain and a range of enterprise applications. Her breadth of experience has enabled her to connect the dots and look at things from a ‘togetherness’ angle, a skill that has served her well in the dynamic field of cyber security.
Even as women cyber security professionals like Kanwar are rising through the ranks, there are not enough of them at all levels in the industry. According to a 2020 cyber security workforce study by the International Information System Security Certification Consortium (ISC)², just 30% of respondents in Asia-Pacific were women – though this figure was higher than that of North America (21%) and Europe (23%).
Part of the challenge in raising female representation in cyber security, says Sabna Sainudeen, president of Women in Cybersecurity (WiCyS) India, is the lack of undergraduate training. “In India, we don't have many universities with a cyber security curriculum. Out of hundreds of universities, maybe five or six universities provide that curriculum.”
Even for those that have made it through university, employers often hesitate to hire fresh graduates due to their inexperience in fending off cyber attackers, and the negative consequences should something go wrong. Sainudeen says this has led to a brain drain, where young people who want to pursue a career in cyber security end up going abroad.
One way to address the challenge is through internships, through which young graduates can pick up real-world experience in cyber security and progress in their careers. Some companies are already offering internships and running hiring programmes, but those that do so need to be aware of any unconscious bias during recruitment.
Sainudeen says she has seen some job descriptions which are written in a way that shows a preference for male candidates. “When we recruit with an unconscious bias, we end up having more men and less women, even in an internship programme.”
Companies also need to do more to promote gender diversity in their cyber security ranks. Rather than promote gender diversity for its own sake, Sainudeen says organisations need to see that diversity drives innovation and better decision making, and make an effort to groom employees by funding training and certification programmes, which can be costly.
“Companies can do a lot better, not just by saying they support gender diversity but also investing in their employees so they can bring more benefits to the community,” she says.
In Singapore, the Association of Information Security Professionals (AiSP) has been driving efforts to promote cyber security as a career, starting with students in secondary schools. To date, it has reached out to over 3,000 students across all levels.
The AiSP also has a pool of mentors who work in various aspects of cyber security such as product design and security operations, beyond penetration testing and digital forensics which are more commonly associated with cyber security roles.
Sherin Lee, who leads the AiSP’s Ladies in Cyber Charter, says these efforts are aimed at raising awareness of the profession, which many female students may not be familiar with.
“It confuses students because cyber security involves risk and compliance, and there’s also coding from a cyber security software perspective,” Lee says. “It’s about being able to communicate all of that and it takes time.”
AiSP’s mentorship programme is also open to tech professionals without a cyber security background but would like to enter the field. “Our team of women have different levels of seniority as well, and that’s how we formulate the various mentorship and coaching programmes.”
Women who are already working in cyber security – like their female and male counterparts in other technology domains – could face challenges in moving up the leadership rungs due to family or personal considerations.
Lee said AiSP recognises the need for mentorships for working professionals. To help more women cyber security professionals advance in their careers and take up leadership positions, Lee said AiSP plans to rope in women CISOs and C-suite executives as mentors.
Companies in Singapore are doing their part too. At Ensign Infosecurity, where Lee is marketing director, there’s a lot done in recent years to hire more female interns.
Later this year, Ensign is also jointly organising a symposium with AiSP to connect female students with industry professionals. “Female students will have the chance to interact with their role models and find mentors who match their areas of interest,” Lee says.
WiCyS India’s Sainudeen notes that having role models is key for women cyber security professionals to grow into leadership positions, especially at a time when not many women have the technical skills required of a CISO.
“Women are sometimes being put in non-technical jobs in cyber security,” Sainudeen says. “If you take governance, risk assessment and data privacy, you can see a lot of women in those areas in cyber security, but when it comes to who is leading the threat hunting team, you will rarely see a woman.”
Sainudeen urges companies to not only develop training programmes to nurture women cyber security leaders but also put extraordinary women leaders into the spotlight at events and conferences.
“Bring women leaders onto the front stage and make them a role model so that the next generation can look up to them and see that they can also be up there,” she says.
This article first appeared in ComputerWeekly on 8th September 2021.