A report published by CREST highlights progress made in gender diversity across the cyber security industry in the past few years and points to the next steps needed to further address the gender gap. CREST – the not-for-profit body that represents the technical security industry including vulnerability assessment, penetration testing, incident response, threat intelligence and SOC (Security Operations Centre) – has found that while awareness around gender diversity has improved, there is still work to be done to make a significant practical difference.
In polls taken at CREST’s gender diversity workshop, only 14% of attendees argued that not enough work has been done to lessen the gender gap, but 86% believed that while progress has been made, it is not nearly enough. The study also found that 59% of participants classified their experience in the industry as mixed, having received support and enjoyed roles but pointing to obstacles and challenges that had to be overcome as a result of being female.
The workshops had the primary focus and objective of inspiring change and concluded that the main priorities for change are encouraging girls at school to study computer science; improving visibility of female role models; challenging the perception of industry and perceived gender-specific roles; and industry-wide female mentoring and coaching.
The report suggests that the primary reason for the underrepresentation of women in the cyber security industry is a lack of interest in the subject from school age. When considering ways to make change, the report recommends that industry leaders – including directors, CEOs and accreditation bodies – could and should be responsible for approaching schools to help educate and encourage students. Schools could also promote initiatives such as CyberFirst’s online Girls Competition, which aims to inspire the next generation of young women to consider computer science as an option with a view to a future career in cyber security.
Findings by CREST also point to issues with current recruitment practices, including the way job descriptions are written, the language used and arguably even candidate requirements. Female representatives at the workshops agreed that the inclusion of training options on the job advert would encourage more female applicants, as would flexible working hours, good maternity policies and back to work support. Another key finding is the demand for an industry-wide female mentoring and coaching scheme to create a stronger, closer female community whilst enabling women to grow and develop in their careers.
“It is encouraging that as an industry we are making progress but there is a lot more to do and improving the visibility of female role models will allow us to challenge the perception of the cyber security industry,” says Ian Glover, president of CREST. “Schools hold the key and we need to help them to encourage more girls into the industry. Furthermore, the mentoring scheme would give a platform on which role models can help to coach and guide others, which in turn will help to challenge the perception of gender as it relates to the industry,” adds Glover. “The actions are well-thought through, they are doable but just need the support of industry, education and recruiters.”
To download the full report, go to: https://crest-approved.org/wp-content/uploads/CREST-Gender-report_202004.pdf
The report was born out of research conducted among CREST members and an open Access to Cyber Day and is one of a series of diversity reports that can be found on the Knowledge Sharing area of the CREST website – www.crest-approved.org
CREST is a not-for-profit accreditation and certification body representing the technical information security industry. CREST provides internationally recognised accreditations for organisations providing technical security services and professional level certifications for individuals providing vulnerability assessment, penetration testing, cyber incident response, threat intelligence and security operations centre (SOC) services. CREST Member companies undergo regular and stringent assessment, whilst CREST certified individuals undertake rigorous examinations to demonstrate the highest levels of knowledge, skill and competence. To ensure currency of knowledge in fast changing technical security environments the certification process is repeated every three years.
CREST is governed by an elected Executive of experienced security professionals who also promote and develop awareness, ethics and standards within the cyber security industry. CREST supports its members and the wider information security industry by creating collaborative research material. This provides a strong voice for the industry, opportunities to share knowledge and delivers good practice guidance to the wider community.