Whether you’re a cyberterrorist or a valiant defender of the virtual realm, things are about to pick up. The global ransomware cyber-attack this weekend, which affected over 200,000 companies in 150 countries (including the NHS), has served to highlight just how much of a threat hacking has become, with the situation predicted to escalate over the coming days. In recent years, headlines have abounded with cybersecurity debate, from TalkTalk’s data breach in 2015 through to the A-list hacking scandal. In 2016 the FBI ran into confrontation with Apple – backed up by other technology giants including Google, Facebook and Microsoft – about data protection, privacy and hacking. Such is the level of growth in this sector that even industry analysts are reluctant to forecast its global impact, although a report from Cybersecurity Ventures has predicted that worldwide spending will exceed $1 trillion between 2017 and 2021.
This formidable growth has resulted in increasing cybersecurity budgets amongst leading brands (and not a moment too soon, as government research has revealed that two-thirds of large businesses experienced a cyber breach in the last year), with J.P. Morgan Chase & Co. doubling their annual cybersecurity budget, Microsoft investing over $1 billion annually and Bank of America confirming an unlimited budget to mitigate against cyber criminals.
As need outpaces recruitment capability, McAfee’s Center for Strategic and International Studies has estimated there will be up to two million unfilled roles in cybersecurity in the next two years. According to McAfee’s ‘Hacking the Skills Shortage’ report, 82% of respondents are witnessing a cybersecurity skills shortage, with disciplines including intrusion detection, secure software development and attack mitigation highlighted as the most critical. 53% of those surveyed believe the talent dearth is worse than in other IT professions.
Thankfully, at the same time (if not the same rate) as cybersecurity is growing, interest in “ethical hacking” – synonymous with elite hacker groups such as Anonymous and Netflix creation Mr Robot – is also picking up. Specialist forums and online marketplaces including Hackajob have added significant weight behind the movement, whilst gamification-based assessment exercises and national hacking competitions are enabling candidates to demonstrate their hacking skills alongside their experience.
And yet, for all the siren-sounding about a skills shortage, there is one demographic that is seriously underrepresented. That hacking is historically seen as the pursuit of anti-establishment, socially inept teenage boys or the activity of James Bond-esque ‘Q’ characters is an issue in itself; however, with such a developing market, it’s deeply concerning that women make up only 11% of the world’s information security workforce. Faced with reports of sexual harassment at security and hacking conferences, marginalisation in online forums and misplaced campaigns such as IBM’s #HackAHairDryer campaign on Twitter, which targeted women with the aim (ironically) to ‘reengineer misperceptions about women in tech’, it’s unsurprising that cybersecurity can appear like an untouchable environment to women. According to the ‘2017 Global Information Security Workforce Study: Women in Cybersecurity’, a disturbing 51% of women have experienced discrimination in the cybersecurity industry and 28% of women felt that their opinion was not valued in the workplace.
To add insult to injury, despite the median cybersecurity salary reportedly being at least 2.7 times the average wage, the ‘Women in Cybersecurity’ report also highlights that in 2016 women in cybersecurity earned less than men at every level, and that men were nine times more likely to hold managerial positions. This is taking into consideration that 51% of women hold graduate level degrees compared to 45% of men in the sector.
And yet, women arguably could make a more valuable contribution to cybersecurity skills gaps than their male counterparts. Cybersecurity should look to active hackers for their skill shortages; hackers make strong cybersecurity professionals simply based on their understanding of how the other half thinks – their discovery of loopholes, shortcuts and system errors can help support infrastructure as much as undermine it. But how many tech companies want to invite a wolf into their den?
Sociologists have found that women are less likely to be “crackers” operating on the dark side of the law, and more likely to be hacktivists, hacking with a moral agenda – think Lisbeth Salander in The Girl with the Dragon Tattoo. Research has shown that women tend to have a stronger moral compass in business than men, and with regular commentary on the role of the male ego in hacking (see ‘Machismo and the Hacker Mentality’), it’s not too much of a leap to understand why women are drawn towards white hat activity. The vigilante tendency of female hackers should arguably make these communities easier to tap into. Whilst crackers are resigned to the shadows, ethical hackers can operate slightly more openly, with international groups such as Femhack, Women Hack For Non Profits and the Women in Cyber Security (WICS) Group providing a platform for women to further agendas and network.
To push the point further, although few, women have already made a considerable contribution to the hacking community, with celebrated white hat hackers including Ying Cracker, Natasha Grigori, and Adeanna Cooke, whilst their black hat counterpart, Xiao Tian, created one of the most renowned all-female hacking groups – the China Girl Security Team – in response to a lack of outlet for female hackers. In 2006, Joanna Rutkowska (our real-life Lisbeth Salander) caused a sensation when she publicly hacked into the Windows Vista beta at the Black Hat Briefing Conference. To date, she runs an international security firm alongside working with some of the largest information technology providers in the world, including Windows. Meanwhile, Raven Adler has become one of the most high-profile faces in the hacking industry. The first female to give a technical presentation at DefCon and a specialist senior security consultant to both public and private organisations, Adler has repeatedly underlined that she wants to be known for her work, not her gender.
In order to tackle the impending global skill shortage for cybersecurity professionals, it is therefore vital that we start to tap into these talent pools. That might mean addressing inequality in the workplace, finding new avenues and networks to explore or providing leadership development plans for women. Ultimately though, these actions start in one place: we must escape the cliché of the dominant, uber-intelligent, reclusive hacker and shift it to that of an intelligent, independent and ultimately moral individual. Only then can we start to appeal to a community which, if barely visible, is certainly there and certainly hungry for change. In short, it’s time to headhunt Lisbeth Salander.