Women in CyberSecurity
This blog provides an overview of women in Cybersecurity and some of the misconceptions surrounding the claim. In addition, it will address deficiencies and recommendations on how to improved the number of girls in the field by incorporating early childhood activities that would increase the key component required for Engineering: Spatial Cognitive Skills.
In the past few years... we hear left and right that there aren't enough women in Cybersecurity, but there's a misconception as to what Cybersecurity is. While it is true... the number of women in the field is less than men, there has to be a more in-depth analysis to truly grasp the areas where women are lacking and where the lack thereof falls within the bigger picture as it pertains to the Risk Management Framework (RMF).
Not all roles fall under Cybersecurity and not all roles currently associated with Cybersecurity fall under Cybersecurity. In fact, there's a number of roles that don't fall within the spectrum of the frameworks (RMF, Cybersecurity) noted, for they fall under STEM fields, tied to the various group required to architect or engineer the environments that fall under the Information Technology (IT) Team .
Yes... it does sound confusing, but unless you have been in the field for many years and have an understanding of the process, it can be hard to comprehend. To grasp it, you must understand the roles. If the roles are not identified in the next section, they do not fall under Risk Management or Cybersecurity. The two key components that many are integrating as one under the "Cybersecurity" heading
Clarification of Encapsulation of Roles under the "CYBERSECURITY" headingThere are many roles under the various components associated with an Enterprise Level Risk Management Framework (RMF), one framework that is key for the Cybersecurity Framework to function properly. To understand what roles actually fall under the "CYBERSECURITY" heading vs. the "Risk Management" or "STEM" heading, they have been broken down on the table below.
|Cybersecurity Roles||There's two components to Cybersecurity: Defensive Security and Offensive Security. Each Component has a set of unique roles with different tasks. The roles for each component are noted as follows:
|Risk Management roles|| The Risk Management Framework has three (3) other components that fall under what is called Information Assurance/ Security. The roles under each component are noted as follows:
|STEM Roles|| STEM Roles are essential for the development of new technology; however, they do not fall within the key roles of Risk Management or Cybersecurity. They fall under two categories:
The roles under the "Cybersecurity" components, as it pertains to NIST guidance, take place after the Risk Management Roles have completed the Accreditation process.If the individual [regardless of gender] doesn't fall under the Cybersecurity roles above, they don't fall in the CyberSecurity category and cannot claim to be a Cybersecurity Expert. Personnel under the Cybersecurity components come into place once the systems has been Authorized to goLive and is in the Production Environment, those requiring Continuous Monitoring or validation that they were secured in accordance with the organization policies in a manner that limits and Internal or External threat from being successful. This isn't meant to be offensive, but rather a reality that must be understood.
Risk Management Roles
Next, are the roles that fall under the Risk Management Framework (RMF) Components. While they are key to limit cyber attacks, they must be in place prior to engaging the Cybersecurity Components. The steps taken by the teams that fall in this role will determine how successful the organization is on limiting cyber attacks. Personnel under this components are responsible for delineating, managing and/or enforcing the organization's IT Security Program.
The program has been known for years as the information Assurance/ Security Team and typically incorporates the Defense In-depth teams as one, but I prefer to separate the two due to the level of technical expertise required. While those under Governance/ Security Leadership and Information Assurance must be familiar with the high level technical aspects of a systems; many lack hands-on technical expertise [about 80% of the workforce has no hands-on technical expertise]. On the other hand, the Defense in-depth team must have hands-on technical expertise to perform in-depth audits or risk assessments of the technology being assess for security vulnerabilities.
STEM RolesRoles under STEM are tied to the technical personnel responsible for engineering and architecting the environments in accordance with the functional requirements of the client. Whether it is the Enterprise Network or an Application geared towards consumers, they depend on the guidance provided by those under the Risk Management roles. They are involved on the Systems Development Life Cycle (SDLC) process, as part of the organization's Information Technology (IT) Team. Those within this roles are hands-on technical individuals who not only dive into the system's configuration settings, but also maintain the systems in accordance with the organization's policies and procedures. Many are involved in the day-to-day security responsibilities tied to both, Risk Management and Cybersecurity Frameworks.
Now that the correct roles have been identified we can attain a better understanding on the areas lacking women presence.
Accuracy of Claim
To accurately identify the areas in which women are lacking as it pertains to the Risk Management Framework (RMF) and the Cybersecurity Framework, is important to reach out to all women claiming to be in "CYBERSECURITY" and have a clear breakdown of key areas related to women behavioral preferences, their expertise level and the various roles they have engaged on. Unfortunately, not all questionnaires reach out far enough to truly determine a more accurate breakdown. In fact, many of us were never part of the statistics used today and the statistics fail to clearly identify key information essential to better grasp the rationale for the imbalance, as it pertains to the areas noted in this article: Risk Management and Cybersecurity. An accurate analysis will help identify some of the key factors associated with women's behavioral preferences and a clear view of how spatial cognitive abilities play a role on selecting fields in the Engineering sector tied to Computer Science, Risk Management, and Cybersecurity.
To gather pertinent data, we have created a questionnaire that has a set of key questions that provide a better overview of the current wave of women in the field. All responses are anonymous and not tied to an individual. No PII information is required. The question are meant to understand the following:
- Roles within RMF and Cybersecurity with the highest and lowest percentage of women;
- Rationale for women joining the Cybersecurity field;
- Childhood Background and linkage to Spatial Cognitive Skills;
- Average Pay Per Role;
- Technical Expertise Level; and
- Mindset and Ideology differences as it ties to the rationale to enter the field and Spatial Cognitive Skills
The link is Women in Cybersecurity Questionnaire
Essential Skillsets Women Must HaveThere seems to be a high number of women in "Cybersecurity" claim that being technical is not necessary to enter the field, and I highly differ. You MUST be technical for most of the roles with the exception of two (2): (I) Security Trainer; (ii) Privacy Officer. Every other role requires you to grasp a high level of technical jargon tied to the technologies being secured. Being technical is key, as communication with technical personnel and implementation of security controls requires understanding on how the requirements must be map to the technology. Many of the failures today is tied to lack of clear communication and/or understanding of how controls must be mapped to the technology between the parties involved in the process.
That said,the roles within Risk Management and Cybersecurity aren't for anyone. There's a set of minimum requirements each women entering the field should have, and the level of understanding depends on the role of interest. This are some of the high level requirements women must have to enter the roles noted within this article:
- Understanding of Network Security and Application Security;
- Understanding of Environments and the security implications impacting each;
- Understanding of Technical Jargon and how it ties to the technology being secure;
- Love for Reading, as there's 19+ families with over 200 sub-topics that must be addressed by some of the roles
- Love for Writing Technical Jargon in a manner that can be understood by the general audience;
- Love for Analyzing hundreds, sometimes thousands of line items either manually or via scripting manipulation;
- Understanding that the field requires continuous learning that is never ending; and
- A high level of curiosity leading to a pro-active approach.