The cybersecurity challenge is for all, women included

Fewer than 20% of all Fortune 500 chief information security officers are women, another example of the difficulty of achieving diverse talent in STEM fields.  Fierce Electronics asked an expert, Arqit’s Roberta Faux, US head of cryptography and US field CTO, about emerging cyber threats and the importance of diversity in cybersecurity.

What is the biggest reason there aren’t more women in the tech field? Many educators worry the problem starts with girls at middle school age or even younger, but how are policymakers to fix it? Is there a role for industry in education that addresses this problem so early on in a girl’s life? 

The lack of women in the STEM fields is a multifaceted issue that ranges over cultural, social, educational, and organizational factors. The dominance of males in the cybersecurity field is a global phenomenon. Importantly, diversity in STEM extends to disparity across race, ethnicity, age, gender, and sexual orientation, among others. The cybersecurity field, like many other sectors within STEM, has historically been dominated by males due to a variety of systemic factors.

The educational pipeline into cybersecurity often starts with an interest in STEM fields that is cultivated during early education. Societal biases and educational disparities have led to underrepresentation of minorities and women in these foundational courses, which ultimately affects the diversity of those who later enter cybersecurity careers. 

Like many tech fields, cybersecurity can be highly network-driven when it comes to finding job opportunities. With the existing network predominantly white and male in the Western world, it can be challenging for those who do not fit that demographic to break in. Additionally, the lack of diverse mentors can deter underrepresented groups from pursuing and advancing in this field.  

Addressing diversity in STEM fields is a multidimensional challenge that requires efforts from policymakers, educational institutions, the private sector, and the STEM community. Policymakers have legislative and regulatory options to foster environments conducive to diversity in STEM. This may include education policies that encourage STEM participation from an early age for underrepresented groups, STEM scholarships to reduce financial barriers to entry, creating initiatives that connect students with mentors from diverse backgrounds in STEM professions, enforcing anti-discrimination laws in educational institutions and workplaces, public awareness campaigns to promote the value of diversity in these fields, private sector partnerships, and incentives for organizations that demonstrate effective diversity hiring practices in STEM fields.

Given the scope of the challenges, it is probably worthwhile to fund research to better understand the barriers to entry and advancement for underrepresented groups in STEM fields. 

In your area of cybersecurity, is the problem getting women in the field worse than in other fields of tech like networking, embedded, and more?

The field of quantum-safe security is a relatively new and highly specialized field that is rapidly evolving within cybersecurity. Like many emerging technologies, it can present additional barriers to entry compared to more established areas of cybersecurity. This means there are fewer educational and professional development pathways established, making it more difficult for newcomers, especially women and other underrepresented groups, to find entry points and resources for learning.

The technical nature of quantum-safe security means the workforce must have a strong background in mathematics as well as other expertise such as basic quantum mechanics, networking, databases, internet protocols, and standards. Cultural and social barriers can become even more pronounced in cutting-edge fields like quantum-safe security where the “pioneer culture” may favor traits traditionally attributed to men. 

As an emerging field, quantum-safe security typically has more limited funding and resources for diversity initiatives compared to other areas of cybersecurity that are more established and have recognized the value of such programs. To lower these barriers, it is important for those in the industry and academia to foster an inclusive environment, provide targeted support and mentorship programs, and encourage more women and other underrepresented groups to pursue STEM careers with a focus on quantum-safe and advanced cryptography.  

Would a cybersecurity company make better products or provide better services with more women in high level roles?

There is an inherent value of diverse thought in decision-making processes. The benefit of having women in leadership is part of that diversity, which can contribute to better products and services. It is well-known that diverse perspectives are crucial for innovation, and diverse leadership teams are more likely to consider a wider range of strategies and solutions that ultimately lead to more innovation. 

The stereotypical traditional leaders have used their positions of power to tell others how to do things, which doesn’t foster community or collaboration. Next generation leaders must be listeners, must understand what drives people, must motivate people and most importantly, must lead by example. 

Collaborative environments that foster a team-oriented culture lead to better problem-solving. Diverse teams offer broader insights, ensuring products are designed to be user-friendly to a general audience, improving user experience and effectiveness. In any industry, effective communication is vital for both routine operations and crisis management.

Today, companies with inclusive leadership are more likely to attract top talent who increasingly value diversity and inclusion. This means such tech firms hire and retain the best employees, increasing job satisfaction and ultimately enhancing the company’s overall performance. 

Can you share your experiences that might help young women in high school or college better understand what they face in a tech career? Any tips or things to avoid? 

By actively seeking out and engaging in a broad range of experiences, young people can gain insight into the tech industry, the roles available, and the strategies for success.  Pivotal opportunities for high school or college students can include technical coursework, hands-on internships, tech conferences, hackathons, tech clubs and/or bootcamps. These can be enlightening experiences and provide exposure to role models, an understanding of current trends, and offer insights into challenges. 

My journey into cybersecurity was not the typical one. With bachelor's and master’s degrees in liberal arts, my initial path was far from the digital frontlines. Yet, it was precisely my training in critical thinking, analytical research, and my interdisciplinary interests that proved invaluable when I pivoted to a technical career. My diverse academic background became a formidable asset that allowed me to bring a new dimension to my technical work. 

Take risks. Or as Geena Davis, actor, activist, author, said, “If you risk nothing, then you risk everything.”   Taking risks can be a formative step in fostering a successful career in technology—a field that thrives on innovation and continuous learning. When students step out of their comfort zones to join a coding bootcamp, lead a project team, or enter a hackathon, they're not just acquiring new technical skills, they're also cultivating a mindset of resilience and adaptability. These environments often simulate the real-world pressures and challenges of the tech industry, encouraging students to think critically and solve problems on their feet.  

Risk-taking in these formative years can lead to breakthroughs in personal confidence and professional competence, both of which are crucial in navigating the fast-paced and ever-changing landscape of technology. By embracing uncertainty and learning from failures without the high stakes of a post-graduation job, young adults prepare themselves to enter the tech workforce not only with a toolkit of skills but with the courage to innovate, the willingness to advocate for their ideas, and the ability to bounce back from setbacks—qualities that are invaluable in any career. 

Intentionally adopt a “grit” mindset – the combination of passion and perseverance to achieve long-term goals – even in the face of adversity. This persistence, resilience, and determination is incredibly valuable in STEM careers which often involve complex problem-solving that requires one to push through repeated obstacles. In research, experiments will likely fail multiple times before yielding any results, and in software development, code will need numerous iterations before it works correctly. A grit mindset enables individuals to view these not as insurmountable failures but as steps in the learning process.

The nature of STEM work demands continuous learning and adaptation; it is the gritty individual who will spend hours persevering to troubleshoot a problem, master a new programming language, and stay abreast of advancing technologies. This tenacity and unwavering commitment to seeing a task through to the end is what ultimately drives innovation and scientific discovery, making grit an indispensable trait for anyone aspiring to a successful career in STEM. 

People are born with various levels of grit, but it is also a trait that can be improved by shifting your mindset from a fixed to a growth orientation. Women and underrepresented groups with grit have the unyielding passion and perseverance to pursue long-term goals, despite challenges they may encounter. This steadfastness is crucial not only for personal career advancement but also for broader cultural change within STEM industries. 

Individuals with grit push the boundaries of what's possible, break through glass ceilings and build a path for those who follow – this can drive diversity and inclusion efforts that enrich the field writ large. Grit empowers us to persist in our studies and careers, champion innovation and demonstrate that competence and resilience are defining characteristics of successful scientists, technologists, engineers, and mathematicians. Fundamentally, grit is not just a personal attribute, but it becomes a catalyst for systemic change. 

At Fierce, we’ve covered the threats to national security from quantum, particularly if an enemy of the US masters quantum keys to break encryption. How serious is that threat now? Is the US doing enough?   

The advent of quantum computing represents a significant inflection point in the field of cybersecurity.  With the ability for large scale quantum computers to render traditional encryption methods obsolete, much is at stake. This capability poses a serious threat to the foundation of current cybersecurity protocols – the very mechanisms that safeguard financial transactions, protect personal information, and secure national secrets.  

The quantum threat may be a distant possibility or an impending reality. Beyond the quantum threat looms a host of other anticipated and unanticipated threats which require urgent and comprehensive action to modernize the security of our digital infrastructure and preserve the integrity of global communications and data security. The consequences of such a development are far-reaching and profound. For owners of data with long term value, it is an imperative act.

The U.S. government is facing an unprecedented type of problem that we’ve simply never faced. We are ill-equipped for the volume, velocity and variety of today’s security demands from cloud to mobile and Internet of Things (IoT) devices. The lack of agility for the US government bureaucracy is one of many enormous challenges. 

The U.S. government should consider a broader range of quantum-safe cybersecurity solutions that are applicable to a wide range of use cases. It is imperative to figure out how to migrate more quickly without inadvertently introducing more vulnerabilities. USG could incentivize early adoption, piloting quantum-safe projects – especially non-public key solutions, engage in international collaborations, and prioritize the transition to PQC in critical infrastructure sectors.

President Biden has focused more on cyber threats lately, but it feels like only a start. Are you seeing more action and what still needs to be done by industry or government?  

Securing against cyber threats is an enormous and dynamic challenge requiring constant vigilance and evolution of strategies. Both industry and government recognize cybersecurity as an ever-evolving threat. Preemptive action, rather than reactive measures, will ultimately define the success of cybersecurity strategies in the future. 

Companies must update and fortify their cybersecurity protocols, employing advanced security measures like end-to-end encryption, secure authentication, and intrusion detection systems. This means ongoing budget allocations for cybersecurity need to reflect its critical importance, and a workplace culture, at all levels of the organization, that shares the cybersecurity responsibility, awareness and best practices.

The U.S. government introduces regulations that set minimum cybersecurity standards for critical infrastructure and industries and facilitates public-private collaboration to share threat intelligence. Additionally, government funding should be directed towards research and development of advanced cybersecurity technologies, including a robust suite of quantum-resistant encryption approaches, training a diverse cybersecurity workforce, and engaging with the international community.  Furthermore, the government can incentivize cybersecurity best practices and widespread adoption with tax breaks, grants, or other incentives to entities that meet or exceed cybersecurity standards.  

Both government and industry need to also develop crisis response plans to efficiently and effectively deal with all aspects of potential large-scale cyber incidents.  As entities move towards adopting zero trust security models, there is the potential to minimize internal and external threats.  In zero trust security models, no user or system or end point is trusted until authenticated. 

Industry and government need to take proactive and coordinated steps to bolster cybersecurity defenses. The Biden Administration has taken steps to secure cyberspace, including The National Security Strategy, Executive Order 14028, National Security Memorandum 5, M-22-09, and National Security Memorandum 10. Most recently, the Executive Branch released an order to establish new standards for AI safety and security so that America leads the way in managing the risks of AI.  These doctrines are both ambitious and noble, outlining formidable challenges to accomplish, yet establishing a vision for the necessary work ahead to secure our digital ecosystem. 

Aside from quantum, what are the biggest cybersecurity threats? 

Cybersecurity threats are constantly evolving and becoming more sophisticated. Today’s threat environment is complex, with state and non-state actors launching novel cyber campaigns. Next-generation technologies are accelerating, creating new ways for innovative attacks in the digital world. Ransomware, phishing scams, and advanced persistent threats (APTs) will grow more sophisticated, causing continued damage. Supply chain attacks and dependence on open source will pose increasing vulnerabilities. Insufficient cloud security practices will lead to more data breaches.

State-sponsored cyber-attacks, whether direct or indirect, will increase, including espionage and sabotage, to fulfill national objectives of foreign governments. Vulnerabilities in IoT devices will expand the attack surface for cybercriminals. Cyber threats against our AI-systems will evolve in unpredictable ways. Moreover, AI-enhanced attacks will provide the growing potential to create sophisticated cyber-attacks that can learn and adapt to security measures over time. Large-scale data breaches will continue to expose massive amounts of personal, corporate, and national security data, which can be used for various malicious purposes and will likely alter the global power struggle. 

A significant risk to cybersecurity is homogeneity of thinking in non-diverse teams, which leads to blind spots in identifying and mitigating threats. Cybersecurity thrives on the ability to foresee and counteract a wide range of attack vectors, and this requires a diversity of thought, experience, and expertise. Without varied perspectives, we fail to anticipate the myriad ways in which a system can be compromised. Diversity is not just a metric to be achieved; it is a strategic advantage. Diverse teams bring together individuals who can challenge each other's assumptions, leading to more robust and comprehensive defense strategies against the increasingly sophisticated and diverse nature of cyber threats. 

There is a lot of bad news and it’s getting worse. That's why it’s critical to inspire courageous people to embrace the challenge of joining the cybersecurity workforce! Cybersecurity needs sharp, dedicated individuals to fortify our digital front lines. Step up, skill up, and join the ranks of cybersecurity professionals building and safeguarding our digital universe. Consider a journey into this dynamic and rewarding field. Cybersecurity heroes needed! 

Roberta Faux is US Head of Cryptography and US Field CTO at Arqit,  a provider of a quantum safe encryption platform-as-a-service designed to protect any networked device or cloud machine from current and future forms of attacks, even from a quantum computer.