The struggle to introduce more women into the field of cybersecurity is not a challenge that’s unique to the United States. And considering the global nature of recruitment, how various countries and regions contend with this gender disparity – how they may be contributing to it or actively taking measures to remedy the problem – has a direct impact on the state of talent for businesses here in the U.S.
Click here for complete coverage of SC Media’s 2020 Women in IT Security
SC Media took a trek around the globe, visiting four different cybersecurity markets – Israel, India, Russia and Brazil – and viewed each through the eyes of an accomplished female cyber pro to get a clearer picture of the state of diversity efforts around the world.
Israel: Superior military training, failure to engage
When Yael Ben Arie enrolled in a two-year Israeli Air Force pilot course, she was the only woman among 250 cadets. The experience left her well prepared to enter the world of cybersecurity, where males also vastly outnumber females.
But that doesn’t mean she wouldn’t like to see the numbers even out.
In Israel, “there are not enough women in technology positions in general, and less in cybersecurity,” says Ben Arie, the vice president of research and development at Tel Aviv-based SafeBreach, a company specializing in data breach and attack simulations.
Indeed, if it weren’t for Israel’s military, the number of Israeli women pursuing cybersecurity might be even lower. One of a handful of nations that conscripts women into the armed forces, Israel requires nearly all citizens to serve when they turn 18 – and it is in the military that many young adults get their first real taste of cybersecurity as a possible career.
“The army knows how to find talent very easily. They know how to [train] women – also men – that don’t have computers or a cyber background to bring them up to speed very fast,” says Ben Arie. “In the end, many women get to acquire a cyber education in the army… If it wasn't for the army, they would never get into this world.”
Ironically, the army had recommended that Ben Arie pursue a technology track. “But then I joined [the] flight course,” and went on “to serve as operations officer in an F-15 squadron,” she says. “Later on, I discovered that they knew better."
But there are downsides to teaching cyber largely through the military, says Ben Arie. For one, she says, there aren’t enough higher education institutions in Israel that offer strong cyber programs. Secondly, she finds the military gets cliquey, with many men gravitating toward cyber programs due in part to the competitive “video game” nature of many exercises and drills.
Culturally, some Israeli women tend to find cyber overly militaristic and hypermasculine for their tastes, says Ben Arie, who tries to communicate to women that cybersecurity is more than just digital cops-and-robbers. “It gets more complicated than that. You have to be prepared with all the arsenal of tools, because you don’t know what the hacker is going to do next. He’s the one controlling the game. And that makes it very interesting.”
That’s not to say Israel is lacking in professional cyber opportunities. Indeed, the country is a tiny powerhouse. In 2018, CB Insights reported that from 2013-2017, the country was responsible for the second most cybersecurity business deals in the world, right behind the US.
Still, the nation’s diminutive size creates a challenging dynamic for some female job-seekers: Everybody seems to know everyone, and as a result many people get hired through personal connections, Ben Arie says. This means some jobs are not truly available to the population at large, as men simply hire their male peers.
According to Ben Arie, there also isn’t much of a push among Israeli companies for inclusivity and diversity. In that regard, she thinks the U.S. is further along.
In Israel, “Many companies are small and are in survival mode” financially, she says. For them, diversity is a “luxury” when it comes to hiring. “Companies that fight for their life, they don’t deal with ‘Is it going to be a woman or a man?’ [They] just need someone to come in and help.”
Women in the Israeli cyber and programming communities can at least turn to a number of mentorship organizations such as “she codes” and “Shift” (previously known as CyberGirlz) for help and guidance. And there are companies that are showing progress: For instance, when Ben Arie led cybersecurity, data and machine learning at Trusteer, a computer security division of IBM, roughly half of her team of 45 employees were women.
Ultimately, however, if more Israeli women aspire to ascend to top cyber positions, they might just have to go out and create them. Israel is a huge hotbed for cyber and tech startups. In 2018, TechCrunch reported that 15 percent of newly established Israeli cybersecurity startups featured a female founder – a five percent increase over the previous year.
“It’s not a matter of opportunity. It's more a matter of women believing that they can do it,” says Ben Arie. “When there are more… good role models, people believe that it's possible.”
India: Empowering the spirit 'jugaad'
There is a Hindi word “jugaad” that roughly translates to using outside-the-box thinking to solve a problem. A hack, essentially.
In India, the women who pursue cybersecurity as a career epitomize the spirit of “jugaad,” says Vandana Verma, security solutions architect with Bangalore-based India Software Labs, an IBM company. They see that a future in this field is possible, and despite obstacles they are carving out their own path to get there.
In that sense, India has come a long way from when Verma, a SC Media Women in IT Security honoree, first joined the workforce as a developer at Wipro Limited around 2005. At the time, she knew little of cybersecurity, and few women there were active in the field.
By happenstance, an opening became available in cybersecurity after her development work ended. “This project had the opportunities, and I just grabbed that,” she says. And she hasn’t let go since, taking on other security roles at companies like Accenture, Time, Inc. and IBM. She is also president of Infosecgirls, a global organization that promotes, supports, mentors and trains women in security.
Meanwhile, as Verma grew into the industry, India as a whole experienced a similar awakening.
“The country is getting to know more about cybersecurity,” Verma told SC Media, especially as the greater cyber community has flourished and grown, providing opportunities for mentorship that weren’t before possible.
Just last August, Indian Prime Minister Narendra Modi publicly announced that the country would be unveiling a new national cybersecurity program.
“The country’s prime minister is recognizing that cybersecurity is important for us. And we need more people in cybersecurity,” says Verma. “And everyone listened to that speech.”
The new program will surely introduce more opportunities for women interested in cybersecurity, yet some may not believe they are equipped with the right skills. Verma and the Infosecgirls organization want to dispel such misconceptions. The truth is that many skills apply toward cybersecurity.
“This is not just about coding security or hacking of applications," Verma said. "It's way more than that. You need to have knowledge about networks. You can learn about networks, if you have interest. If you are a developer, you can do secure code review. If you are a tester or a QA or functional tester, you can actually test the applications. So you can be anything in this field.”
Aside from a lack of knowledge or confidence, other circumstances preventing more Indian women from joining the cybersecurity community include the country’s average female literacy rate, which at the time of the 2011 Census of India stood at only 65.46 percent. Additionally, many villages and rural areas don’t have access to digital technology and the internet. (Modi also addressed this issue in his recent announcement, detailing efforts to connect more over 600,000 villages to a fiber-optic network within 1,000 days.)
“You need bandwidth, you need people, you need volunteers who can go there and who stay," Verma said. "We need to connect with someone who is assigned locally and help people. Infosecgirls is trying to do that.”
The organization then trains those local people to help get the communities connected. “It's like creating a chain of people. InfoSecGirls alone is nothing – it's all about people supporting each other. And they don't have just women as volunteers. There are men helping us as volunteers who are helping us with trainings.”
A lack of women leadership and pay equality also presents obstacles, but Varma says that India recognizes the problem. “A lot of organizations have starting bringing on more diverse candidates on the board,” says Varma, who is currently the only woman on the OWASP Foundation’s global board of directors.
Ultimately, “people understand that it's not about women or men; it's about getting equal participation, and getting different ideas from them,” says Verma. “People say that it's all about merit. But then if given an opportunity, people can prove themselves. My peers, my friends, my seniors, they have proven that they deserve to be in a C-level position.”
Russia: Hacking from a young age
With fears of Russian hacker interference flaring up again as the U.S. presidential election nears, the adversarial relationship between America and Russia is once again in the spotlight.
But just as both countries are alleged to engage in offensive hacking and cyber spying, they both also have plenty of good guys – and gals – trying to protect people’s data.
So, what is the Russian cyber industry like for women in security? At least according to one of those women, the challenges and opportunities are not too far off from what you’d find in America.
Tatyana Shishkova is a senior malware analyst at Kaspersky, where she has worked for the past seven years, starting out as a technical writer. Shishkova has specialized in Android threats such as the Black Rose Lucy malware-as-a-service operation, and actively takes part in the Coalition Against Stalkerware initiative, protecting her fellow women from domestic abuse and harassment enabled via mobile spyware. Just this month, she presented her latest research on the multiplatform GravityRAT trojan at the SASatHome conference.
Shishkova told SC Media that in Russia employers are open to hiring women with her abilities.
“I personally did not notice any discrimination during my studies and when applying for a job,” Shishkova says. “It’s important to say that women and men have equal opportunities when applying for jobs in Russia, and what’s important is their professional experience. And as our society is becoming more digital, there are more job opportunities in tech and more IT companies in Russia. There are various opportunities for internships in such companies and this is a great opportunity to start your career.”
While she is not aware of any gender quotas or official policies to promote hiring of women, Shishkova says that many big Russian companies “have internship programs for students available to all who pass a test.” For instance, Kaspersky has its Safeboard internship program, “and I see that every year there are more and more young women in internship positions at the R&D department and who then have opportunity to advance their careers in our company,” she says.
In fact, a fifth of Kaspersky’s research and development team is female and one in seven women are team leaders.
With that said, Russian men still tend to flock to cybersecurity in much larger numbers than Russian women. And that is apparently reflected in Russian education enrollment numbers.
“There’s a high percentage of young women in Russia who receive a university degree, including in tech. However, there are still fewer women in technical universities,” says Shishkova.
There’s a curious disconnect here, as Russia is well known for exposing schoolchildren to computers and coding at a very early age and making such subject matter an integral part of the core national educational curriculum. Russia’s Federal Educational Standards (FES) makes the study of informatics and related technologies compulsory for schoolkids, and many cybersecurity experts have credited this approach for creating new generations of prolific Russian coders, hackers and, in some cases, even cybercriminals.
The lack of Russian women enrolled in their own country’s technical universities suggests some kind of impediment. One such hindrance may be traditional cultural values that still play out in certain pockets of Russia, Shishkova notes.
Shishkova also believes there is a pervasive “stereotype that programming and tech are for men.” To debunk such myths, Kaspersky and other Russian IT companies take part in an initiative called Data Lesson.
“Every year, we prepare our own digital lesson in a format of a game/test on the topic of cybersecurity,” Shishkova continues. “The main aim is to teach children the basics of online security and tell them more about future opportunities of working in IT.”
Brazil: A cybercrime hotbed
It’s been an eventful year for cybersecurity and privacy practitioners in Brazilt. In February, the world’s largest Latin American country issued a presidential decree announcing a comprehensive national cybersecurity strategy, and in August a new data protection and privacy law, Lei Geral de Proteção de Dados, LGPD, went into effect.
For a country that is notoriously plagued by banking malware and ransomware threats, this is progress. Where Denise Menoncello would like to see even more progress is bringing women into the fold.
Based in Sao Paulo, Menoncello is an information security management and business continuity consultant with CMS Brazil, a company specializing in information technology sales and infosec advisory services. In her role, she works with CMS Brazil’s clientele to ensure their security privacy and business continuity needs are met.
With 23 years of career experience in information security, Menoncello currently serves as vice coordinator of the Information Security, Cybersecurity and Privacy Protection Committee of the Brazilian Association of Technical Standards. She is also deputy leader of the Brazil chapter of WOMCY – LATAM Women in Cybersecurity, which has roughly 450 members.
Menoncello says that in order to forge their own path through a predominantly male industry, more women in Brazil “are studying harder, graduating and achieving more certifications” in the field of cybersecurity. But there are still significant impediments preventing even greater numbers of Brazilian and Latin American women from entering the market.
Among them are a “lack of knowledge about cyber” and an “absence of economic resources,” she told SC Media. “We have a lot of [educational] courses in information security, but the women don’t have money and don’t have the resources to enter into these courses.” The number of Brazilian women in cybersecurity leadership positions “is still very low,” and while women are around 55 percent of the workforce in Brazil, in cyber and technology, "we are not even half of this number.”
Culture is also an issue. Globally, the cybersecurity industry has had difficulty shaking free of the perception that it is a man’s game first and foremost. But Menoncello believes this attitude is particularly prevalent in Latin America, where some members of the population can’t let go of their old-fashioned concepts of gender roles.
“The parents say to the girls, ‘You are prepared to be a mother. You are prepared to be a teacher… but not to work with technology,” Menoncello said.
Menoncello thinks the new LGPD law, which will be enforced in 2021, will generate opportunities for women who may not feel entirely comfortable with technology to work instead in privacy. That ultimately is “closely linked to information security and also areas of cyber, because the law requires implementation of security controls, such as incident response.”
Moreover, Brazil and Latin America’s unique threat landscape also is opening up doors for women, as companies desperately seek help to stem the rising tide of financial cybercrime.
Trend Micro last year reported that Brazil in 2019 ranked second among all countries in terms of the total number of ransomware attackers. And banking malware such as Guildma, BasBanke and Metamorfo represent a significant scourge on the local population, which generally prefers doing their banking online. And it’s not just banks that are affected: “They are capturing logins and passwords for financial firms, or even for credit bureaus,” says Menoncello. “This thing is huge.”
These threats shape how companies in the region train their security teams and execute their cyber strategies. “We have, for instance, incident response, vulnerability management, and even anti-fraud teams who were created to combat these threats. So, many companies are opening up positions and these are opportunities for women,” Menoncello says.
But how to give more women the push they need to get involved? One answer is WOMCY, which offers, mentoring, networking, educational and job placement programs for women in cybersecurity across Latin America. Programs include WOMCY Girls, which shares STEM-related career experiences with girls ages 14-17, and WOMCY Jobs, which guides university-level cybersecurity students (men and women) through academic training and helps them develop a specialized career plan.
Additionally, “In Brazil we also have other NGOs working to include more women in the cyber and technology market, which promote mentoring and training,” says Menoncello. “Companies are also concerned and making programs to encourage diversity in teams and the inclusion of more women in areas of technology and security.”