Sandra Peter, Kai Riemer and Meraiah Foley
Cybersecurity and women with Meraiah Foley
This week: on International Women’s Day why cybersecurity needs more women and what we can do about it with expert Dr Meraiah Foley.
Sandra Peter (Sydney Business Insights) and Kai Riemer (Digital Futures Research Group) meet once a week to put their own spin on news that is impacting the future of business in The Future, This Week.
Our guest this week
Meraiah’s article on cybersecurity and gender in the Sydney Morning Herald
The stories this week
00:43 – What the cyber war in Ukraine means for Australia
Other stories we bring up
Malware, Microsoft and Ukraine
Businesses and the cybercrime industry
Map of existing career pathways into cybersecurity
2021 report from the Aspen Institute into diversity, equity and inclusion in cybersecurity careers
Betsy Cooper’s 2016 article in New America on cybersecurity and diversity in education backgrounds
2017 literature review on women in cybersecurity co-authored by Meraiah
2011 journal article on gendered wording in job advertisements
(ISC)2 workforce report on women in cybersecurity
2017 journal article on practices for engaging adolescent girls in cybersecurity careers
A call for a feminist analysis in cybersecurity from academics at LSE
2021 UNIDIR report on gender approaches to cybersecurity
2015 article in New America on decrypting the cybersecurity gender gap
2018 poster from Nature on Cybersecurity and women
How to avoid gender bias in job postings
Why cybersecurity should be treated as a ESG issue
The national security issue no one is talking about, women in cybersecurity
World Economic Forum article on cybersecurity needing a more diverse and inclusive workforce
Follow the show on Apple Podcasts, Spotify, Overcast, Google Podcasts, Pocket Casts or wherever you get your podcasts. You can follow Sydney Business Insights on Flipboard, LinkedIn, Twitter and WeChat to keep updated with our latest insights.
Send us your news ideas to sbi@sydney.edu.au.
Music by Cinephonix.
Dr Sandra Peter is the Director of Sydney Executive Plus and Associate Professor at the University of Sydney Business School. Her research and practice focuses on engaging with the future in productive ways, and the impact of emerging technologies on business and society.
Kai Riemer is Professor of Information Technology and Organisation, and Director of Sydney Executive Plus at the University of Sydney Business School. Kai's research interest is in Disruptive Technologies, Enterprise Social Media, Virtual Work, Collaborative Technologies and the Philosophy of Technology.
Meraiah is a Senior Lecturer at the University of Sydney Business School and a member of the Australian Centre for Gender Equality and Inclusion at Work. Her research centres on gender, work, and organisations.
Share
We believe in open and honest access to knowledge. We use a Creative Commons Attribution NoDerivatives licence for our articles and podcasts, so you can republish them for free, online or in print.
Transcript
Disclaimer We'd like to advise that the following program may contain real news, occasional philosophy and ideas that may offend some listeners.
Kai So Sandra, we cannot not talk about the war in Ukraine.
Sandra But we should also talk about the International Women's Day that's coming up.
Kai This is traditionally where we have this as a topic. But weirdly, there might be a topic that brings the two together,
Sandra Cybersecurity.
Disclaimer From The University of Sydney Business School, this is Sydney Business Insights, an initiative that explores the future of business. And you're listening to The Future, This Week, where Sandra Peter and Kai Riemer sit down every week to rethink trends in technology and business.
Kai A lot has happened since our last episode.
Sandra Indeed, there's floods all across Australia, and a war in Europe, in Ukraine.
Kai Which obviously doesn't only have severe implications for the people living in Ukraine but is throwing wider shockwaves around the world.
Sandra And there's news coming out every day about how businesses are being impacted, not only from the financial sanctions imposed on Russia.
Kai But also sports events being cancelled, impact on the global stock market, even Russia being kicked out of, you know, beloved, Eurovision.
Sandra And we're seeing companies grapple with what's going on, some very publicly. Companies like Twitter and Facebook and Google having to take direct action that actually impacts both the people of Ukraine and the people of Russia, but also businesses in these countries and around the world. Even at the very start of the conflict we saw Microsoft warning companies and the government of Ukraine of a new type of malware that they had detected, called FoxBlade, which was set to erase or wipe data on computers in the networks that it managed to access.
Kai Yeah, so security researchers at Microsoft in Seattle noticed this suspicious activity and scrambled together a task force in the matter of hours to detect, describe and then disable this malware. And then they notified not only the Ukrainian government, but also the White House. So a really interesting incident where a global company becomes involved in a war that is also fought in the realm of the internet, online, the cyberspace.
Sandra Yeah, and it's interesting that a company like Microsoft these days would kind of play the role that a company like Ford would have back in the day, like moving from building cars to building tanks, but having an active role in some of these conflicts.
Kai And other companies, like, as you mentioned, Facebook, Twitter, grapple with how do you stop misinformation that immediately sprang up around the conflicts. Reporting false information, supposedly out of Ukraine showing pictures that were from other wars that were sometimes 10 years old. How do you stop this? How are you being a global citizen in a world where now all of a sudden you have a conflict, and you operate in both countries, Russia and Ukraine? So really interesting questions that are just emerging that we will keep an eye on.
Sandra In the meantime, the question of cybersecurity has come to Australia already as Australia's lead cybersecurity agency also issued a warning, urging Australian businesses to enhance their cybersecurity because of the risk of the Russian/Ukrainian conflict spilling over into Australia's cyber activity.
Kai But it is also the time of the year when we would normally do our episode on International Women's Day, which is shortly coming up. And as we were looking into this, we found out that coincidentally it's also Women in Cybersecurity month.
Sandra Which got us thinking, who could we talk to who would be pleased to talk about both issues of cybersecurity but also of women in these fields? And turns out Dr Meraiah Foley, who's the Deputy Director of the Women and Work Research Group at The University of Sydney Business School, focuses her research on issues of gender equality at work, and is currently studying these questions in the context of cybersecurity. So who better to talk to then?
Kai And what better moment in time to talk about these issues then now when cybersecurity is really at the forefront of attention in both the media and the business world? So, let's talk to her.
Sandra Let's do this. So welcome, Meraiah, thank you for joining us.
Kai Hello, Meraiah. Good to have you on what is an incredibly wet day here in Sydney.
Meraiah Foley Thank you for having me.
Kai You're joining us remotely because travel is really difficult today.
Meraiah Foley Yes, the roads are mess.
Sandra And so is the situation that we're discussing. And the story that we're gonna try to unpack a bit today has to do again with Russia's war against Ukraine, in this case, cyber war. And we've picked this article from The Conversation, "As Russia wages cyber war against Ukraine, here’s how Australia (and the rest of the world) could suffer collateral damage". But I'm also quite aware that fairly soon we've got International Women's Day.
Kai And we're aware that you're doing research into bringing those two topics together, cybersecurity as a profession, the under-representation of women. And so it's a really topical issue to discuss, given how cybersecurity, cyber war is in the media, and with Women's Day coming up.
Sandra So the idea here is that the Australian Cyber Security Centre is asking organisations and businesses in Australia to be on high alert due to Russia's cyber-attack against Ukraine. And this is mirrored in other places like the UK and the US, and even New Zealand. And the Australian Cyber Security Centre does not identify a specific threat, but rather the fact that there might be disruptions or uncontained malicious cyber activities due to the ongoing war. And this is a fairly significant problem for business, right? Cybercrime continues to increase every year, it's about a 15% increase annually. And it's a $10 trillion illegal industry, as projected over the next five years.
Kai So with the war in Ukraine shedding light on the importance of cybersecurity, not just for the world, but also for Australia, and the looming shortage in that field. Meraiah, one of your arguments is that the under representation of women presents a problem but also an opportunity. So how do you think about this and what does your research contribute to solving this problem?
Meraiah Foley Okay, so as you noted, cyber activity underpins every function of our government, businesses, education, health care, and emergency services. So cyber activity is absolutely crucial to everything we do, and the interconnected nature of the cyber landscape leaves us vulnerable to attacks, even at the best of times outside of what's happening between Russia and Ukraine. Of course, that situation merely exacerbates the existing problem. So the Australian cybersecurity threat report for last year found that there were over 67,000 cybercrime reports last year, self-reported losses from cybercrime total more than $33 billion. And that affects every aspect of the way we operate. Now, against this rising kind of backdrop of the risks to our cyber infrastructure, Australia and the rest of the world is facing a critical shortage in workers in this sector. And the lack of gender diversity in the sector is a significant contributor to this problem. So cybersecurity is a very male-dominated sector. Globally, men outnumber women in cybersecurity by three to one. And in Australia, women account for just 27% of the cyber workforce. And that is a substantially lower proportion than we find in other related industries like information media and telecommunications, which has about 39% women. So the Australian Government is predicting that even in a best-case scenario, by 2026 Australia could be facing a shortage of about 18,000 cybersecurity professionals just to meet business as usual demands. That is outside of extra security issues like the situation that we're seeing unfold in Russia. So it is really urgent that we bring more people into the cybersecurity profession. But there is a big question about how we do that. And my research, which is called Pathways to Cyber: Understanding Women's Participation in Cybersecurity Careers, looks specifically at how we increase women's participation in this crucial sector.
Kai So when you talk about cyber activity, we mean anything that we do online and digital which sort of permeates all aspects of our daily life right, which is also what makes a cybersecurity so important because it is no longer just protecting some niche aspect of an industry or of society, but it goes to the heart of everything we do. But there are two issues here that I hear you talk about. One is what we actually mean by cybersecurity and how we have to think about this. And then secondly, what can we do to increase women's participation in that. So maybe we start with the first part, because when I was at uni, when I studied, cybersecurity was very much thought about in terms of protecting networks, so very technical, very sort of base function of computer science, which I think is still the case and is still important, but we see a lot of threats now that go far beyond that, that tackle our social infrastructure that have to do with, you know, cybercrime that attack social activity in social networks. So how do you think about cybersecurity when you talk about this in your own research?
Meraiah Foley One of the real opportunities in cybersecurity, in terms of making the field more attractive to a wider, more diverse range of people, is to start thinking differently about the way that we frame it. And that cuts exactly to your point, which is that we can no longer afford to look at cybersecurity, just as a very narrow domain of Computer Science and Engineering, protecting data and systems. That is, of course, a very important part of cybersecurity. But we also now need to recognise that cybersecurity cuts across almost every function of our organisations, so risk management, legal compliance, ethics, policy, as well as the information security aspect of it and the very technical computer science engineering domain. And if we think broader about what cybersecurity is that opens up potential pathways into the profession, and once people are under the umbrella of the profession, they can, of course, be trained in the different dimensions of cyber security. But this will only happen at the scale that we need it to happen if we start to talk differently about what a cybersecurity career is, and what the pathways into a cybersecurity career look like.
Kai So when we say cybersecurity profession, is that actually well-defined? Because, given that there are now so many different aspects that are needed in order to you know, keep us, or keep businesses or keep government safe online, then no single person will have all those skills, right? So some people will have very specialist network, hacking type skills, so very core computer science skills. Others will be anthropologists, social scientists who have knowledge about what it means to keep users safe online. So is it one profession? Or is it sort of a field of collaboration? How do we think about this?
Meraiah Foley In any profession, we often have different subcategories. And what is interesting about cybersecurity is that it is very much emergent and being sort of actively redefined all the time. So as you said, information security has been around since the dawn of the internet, the need to protect data and systems has been an embedded part of computer science for a long time. But there is increasing recognition of these other dimensions of cybersecurity careers. So last year, for example, the Australian Bureau of Statistics introduced a number of new specific cybersecurity careers in its classification of occupations, recognising that governance and risk management is an important part of the cybersecurity profession. That policy is an important part of the cybersecurity profession. So these are increasingly being recognised as sub-domains of cybersecurity, but still very much in the popular discourse, cybersecurity is presented as being very much at the intersection of computer science, law enforcement and the military. And this is problematic because these are three areas where the barriers to the recruitment and retention of women are extremely well-documented. So if we want to draw more people into the profession, bring people under the umbrella of the profession so that they can then think about moving within the various occupations within the profession, we kind of need to change the way we talk about what a cybersecurity career is, and even what cybersecurity entails.
Sandra So what could cybersecurity entail?
Meraiah Foley Part of cybersecurity is not just about the protection of data and computer systems, the protection of critical infrastructure, although those things are of course, very important, and I don't discredit that, but it is also about education against misinformation and disinformation. It is about how we regulate some of the platforms that people use to share information to minimise the risk of misinformation and disinformation. So it is about risk management, it is about policy, it is about ethics and governance. So it's less about securing data and more about building resilience within an environment that is increasingly embedded in cyber activity.
Sandra So maybe it might be more useful to think about it as something along the lines of cyber resilience rather than just narrowly cybersecurity?
Meraiah Foley Exactly. And research from human resource management, which is an area that I teach and specialise in, clearly shows that the language that we use when we describe an occupation or an industry, the language that we use in job advertisements, the language that we use, when we describe tertiary programs, is very important in terms of its influence on who is attracted to those occupations, industries, jobs, or tertiary programs, who applies for those programs. And then also who is sort of deemed to be inappropriate hire in that context. We're at a crucial moment, I think, in cybersecurity, where we can begin to rethink some of these questions and reframe how we talk about what the industry is, if we're really serious about attracting more people into the industry.
Sandra
So let's look at some specifics, right. You were talking about how we talk about the industry and so on. A lot of that is also done through job adverts. What is some of the language that we currently use, and what could we do to kind of broaden the field or the attractiveness of the profession?
Meraiah Foley So as part of my research into this, we are doing an analysis of entry level job advertisements in cybersecurity. And preliminary findings are that words like threats, attacks, intrusions, incursions, defences, they're rife in these types of advertisements. Now, of course, protecting data and protecting systems does entail a certain amount of defending against attacks and incursions. But it also entails a high level of collaboration, teamwork, cooperation, building resilience, building strength. Now, this is important because research on gendered language in job advertisement clearly shows that when job advertisements contain a lot of stereotypically masculine language, women are less likely to see those jobs as being attractive, they're less likely to see those industries as places where they will experience belonging, and so therefore, they're less likely to apply. Now, this is significant in cybersecurity, because at the moment, the barriers to entry in cybersecurity careers relative to other professions are relatively low. And by that, I mean, there is still a lot of on-the-job training being provided in this area. So you could be potentially attracting people into the area and training them. But you won't do that if they don't apply in the first place. So by rethinking the way we talk about what these activities are, we can attract different people into these jobs.
Kai So do we bring in people into cybersecurity by thinking about it in broader terms? So having diverse interdisciplinary teams in terms of skills and gender? Or is it also about bringing women into the core STEM, computer science part of it? And how do we deal with both? So what are strategies for doing this, not just at the level of job-seeking, but also in terms of the education of it?
Meraiah Foley That is a really important point. And this is a very complex problem, and it cuts across multiple dimensions. So I think the answer to the question is we need to do both. We need to recognise the multi-disciplinary complex nature of cybersecurity, and potentially attract women into that profession via these multiple pathways: regulation, law, risk management policy, as well as the sort of quote unquote hard STEM subjects, engineering, computer science. I think some of the more promising pathways are training programs that begin very early. So that is about bringing cybersecurity education, for example, into primary schools. And that is not just about building those hard technical computer science skills, but also about building the wider community resilience that we need critical thinking skills, the ability to distinguish good information from bad information, sort of understanding the broad range of cybersecurity related issues from the earliest stages of our education. But there are many complexities around encouraging women into those STEM subjects. More recently, there has also been some studies showing that women who come into cybersecurity via these alternate pathways, say via an interest in regulation, or an interest in the ethics or an interest in the policy, then receive on-the-job training in the more technical aspects of it. And I think that is a creative way to break some of the known barriers that exist around bringing women into STEM subjects by more traditional pathways, tertiary education, and so forth.
Kai How do we think about role models in this field, female role models? Is it worth drawing on, you know, historical figures, because in the very early days of cryptography, for example, in the early days of computing, women were for a while even dominating some of those areas? We've seen recently in TV series that a lot of the traditional nerd roles are cast with female characters. How do we think about role models in this field that has still a predominantly male image?
Meraiah Foley Yes, so the role modelling is extremely important. And as you say, you know, women were cryptographers in World War II, both in 1000s of women worked in cryptography in the United States, and in the United Kingdom, women were essential to the you know, early kind of computing that happened during the space race in the 1950s in the 1960s. And in the early days of computer science, women were much better represented than they are today. And other scholars have attributed women's decline in computer science to the rise of the sort of very masculine stereotypes around computer use, gamers, and hackers and so forth, and that this is reflected in women's under-representation in cybersecurity today. The research tells us that role modelling is really important, this idea that you can't be what you can't see, or that patterns that we see in wider society reinforce our stereotypes about who belong. So I'm put in mind of decades of what are known as 'draw a scientist' studies, where researchers asked students of all ages to sit down and draw a scientist, and they overwhelmingly will draw a picture of a male figure, even as the proportion of women in science has increased over the last 20 years, this trend has remained relatively stable, Because what we see out in the wider world reinforces our stereotypes about who belongs in certain occupations and industries and who doesn't. So it is really important, I think that we're beginning to see these depictions of nerdy code breakers or hackers who are women, that we call attention to the fact that women have been well-represented in cryptography and computer science in the past, that there's not some inherent characteristics of the female brain that make them less inclined to these occupations and industries, but also that we provide a wide range of pathways in.
Kai We're in a business school, all three of us. What is the role of business schools, business, school education, advocacy, you know, what can we do in order to strengthen pathways into cybersecurity more broadly, but also the role of women in cybersecurity?
Meraiah Foley I think it's really important to take cybersecurity out of this silo of security studies, sort of military studies and computer science, and recognise that cybersecurity is now deeply embedded in everything that we do. So the World Economic Forum, for example, has called cyber risk, quote, “the most immediate and financially material sustainability risk that organisations face today”. So cybersecurity in that way is integral to what businesses do and will continue to do into the future. I think business schools need to be thinking really strategically about how they educate students about cybersecurity risk, about cybersecurity ethics, about cyber security governance. And that potentially opens up yet another pathway for people into cybersecurity careers, both the technical and non-technical domains by embedding cybersecurity into everything we do, rather than looking at it as some sort of siloed computer security issue, or an insurance risk for organisations if their data gets stolen, for example. So if we go back to this idea that we need to broaden out strategically what we think of as a cybersecurity career, by exposing more people are male and female students to the broad range of cybersecurity issues that organisations face, that then widens the potential pool of people who are attracted to this industry, who may then go on and get the kind of technical skills that are required, and add new perspectives to the types of issues that are faced within cybersecurity. So there is some research showing that diverse teams have some advantage over more homogenous teams in their ability to kind of identify a wide range of threats or yield more innovative solutions by virtue of bringing a diversity of perspectives to bear on a complicated issue. So the question then arises, what issues have been missed in cybersecurity by not having more women? And if cybersecurity continues to be very male dominated, it's entirely possible that cyber criminals in the future may exploit some of the unconscious bias that might be inherent in the industry, you know, by circumventing the homogeneity of the method, right? So having more resilient cybersecurity teams, more diverse cybersecurity teams, is important to guarding against some of those possible threats.
Sandra And as we mentioned, it is Women in Cybersecurity month. It's also International Women's Day coming up. How do people actually get started with this? So if there's someone out there listening and thinking, 'maybe I should check out a career in cybersecurity', what can they do?
Meraiah Foley So there are a range of resources, there is government initiatives at the moment to try to map the variety of cybersecurity careers and the pathways into those cybersecurity careers. I would encourage people to go and investigate that. There is a lot of general information in the media looking at the range of options for cybersecurity careers. So I would encourage people to go and look at that. At the moment in the profession, relative to other professions like law or medicine where the barriers to entry are relatively high, the barriers to entry in cybersecurity careers are still relatively low. There are a lot of post-tertiary qualification programs that people can undertake in order to get the technical skills and training that they need to succeed in cybersecurity careers. And there's a lot of on-the-job training being provided because the skill shortage is so dire, right, this is a real growth area, it's a relatively high-paid profession. And I would encourage people to take a look at the opportunities available.
Sandra And there's never been a more important time to be doing this. We'll put all the links in the shownotes as well.
Kai Thanks Meraiah, this was great. And as Sandra said, there's ample material that we will provide. And I also want to say that the Business School will be launching offerings in cybersecurity shortly, developed by our colleague, Carol Hsu. So even here at the Business School, there will be pathways opening up to enter into this important and emerging field.
Sandra And we will be checking back with you next year to see how the research is going. But thank you so much for sharing your insights with us today.
Kai Thanks, Meraiah.
Meraiah Foley Pleasure.
Kai And that's all we have time for today.
Sandra Thanks for listening.
Kai Thanks for listening.
Outro You've been listening to The Future, This Week from The University of Sydney Business School. Sandra Peter is the Director of Sydney Business Insights and Kai Riemer is Professor of Information Technology and Organisation. Connect with us on LinkedIn, Twitter, and WeChat. And follow like or leave us a rating wherever you get your podcasts. If you have any weird or wonderful topics for us to discuss, send them to sbi@sydney.edu.au.
Close transcript