Bonnie Butlin: women in cybersecurity are often working without much recognition
The mismanagement of the pandemic has disproportionately affected women and may, in turn, reduce their voice in relation to cybersecurity, Bonnie Butlin, also known as Canada’s first lady of security, told CyberNews.
In 2020, Butlin was granted the Fellow of (ISC)2 award. (ISC)2 stands for The International Information System Security Certification Consortium - the largest non-profit organization of certified cybersecurity professionals.
“I am excited that this recognition is also a timely reinforcement of the importance of augmenting the inclusion of non-technical professionals within the cybersecurity landscape. I do not come from a technical background in cybersecurity; rather, a geostrategic background. Both technical and non-technical expertise is very much needed in cybersecurity and for our communities, and as such, this award is, I think, an indicator of progress being made in this direction,” Butlin told CyberNews.
She was recognized for establishing the Women in Security and Resilience Alliance (WISECRA), which engages a growing number of women in security and resilience associations and groups globally, and for her role as a World Economic Forum Expert Network Member.
It’s her 21st award related to security, resilience and leadership since 2013.
During the interview with CyberNews, she expressed concern about the worsening women’s situation in the labor market and the widening gap between the cybersecurity profession and non-technical people.
“I see women as the canary in the coal mine - by stabilizing and enhancing the sector for women, it will also stabilize it and improve it for everyone else as well,” she told CyberNews.
Could you tell me more about the ‘women in cybersecurity’ contests that you are involved in?
Over the past two years, WISECRA has partnered with Women in Security groups and professionals on the ground, with media partners, and local and regional panels of esteemed judges to identify, highlight and recognize top women in security and cybersecurity around the world. This initiative began in 2019 when I and WISECRA were invited to help facilitate the inaugural Top 50 Women in Cyber Europe awards. The project was highly successful. Shortly thereafter, we received interest from Africa in partnering to similarly highlight and recognize African women leaders in cybersecurity. This resulted in the Top 50 Women in Cybersecurity Africa. These initiatives were soon followed by similar awards initiatives for women in security and cybersecurity in Latin America, Canada, the Philippines, India, Singapore, Malaysia, and New Zealand.
That these initiatives were very successful, even during the management of a global pandemic, speaks to the importance and momentum behind these awards, and the appetite around the world to identify and showcase the talent and successes within security and cybersecurity among women, who often are working without much recognition, or external awareness of who they are and what they do.
Prior to our Top Women in Security and Cybersecurity awards, there was no vehicle to do so, let alone across regions and collectively, internationally. Being an international initiative, the award winners were recognized well beyond their regions and states, and in many cases have since connected with each other and with other women in security across the various regions and around the world.
Several of the award winners have since revealed how important these awards were to them, their careers, and businesses - which again speaks to the positive effect of showcasing talent and success among us. Particularly in cybersecurity, this has been a challenge, as those engaged in the sector often remain nameless and faceless. In tech and cybersecurity, we often hear about millions of positions needing to be filled, but attributing real people to real positions and real work is not so common. I believe that there is deep value in highlighting individual achievements among us, and in identifying successes and ways forward in the security and cybersecurity space.
Throughout your career, have you seen more and more women interested and involved in the cybersecurity field?
There are many areas that women are excelling in, but we need more women involved. We also need more women in cybersecurity from a broader cross-section within society and pulling from a growing range of disciplines - both traditional and non-traditional. Prior to the pandemic, women were already underrepresented as a whole, despite stronger representation in some security and cybersecurity disciplines, such as privacy, cyber law, and forensic accounting, for example.
It is more important than ever to include a diversity of perspectives and life experience into our technology use and cybersecurity, and this includes women. This is even more so the case as the pandemic’s management has disproportionately affected women and their employment (and with them, their families). This may in turn reduce their voice in relation to cybersecurity within their organizations and more generally. The further concentration of gains to big tech firms and large multinationals during the pandemic management may further limit competition in the tech and cybersecurity sector, and affect the abundance and availability of cybersecurity positions across organizations moving forward.
The pandemic management has also put significant financial and even existential pressures on many businesses, which appears to have already reduced resources for cybersecurity and related positions. Additionally, accelerated ‘work from home’ and ‘virtual board rooms’ have effectively limited the in-person visibility and interactions of women in the workplace, and may have set back women after many years of fighting for a ‘seat at the table’ - a table which no longer appears to be there. Reports of women being unable to simultaneously care for families and work effectively from home have resulted in a loss of highly skilled women from the workplace altogether, at least in the short-run. Work from home has already put downward pressure on salaries, which have traditionally been a large attractor to the tech and cybersecurity sector, and a key incentive for retention. Consideration of women’s perspectives will be important toward getting the balance right moving forward.
Why do some girls not even consider cybersecurity as a career? Is the trend changing?
Rather than the sector trying to change the behavior and preferences of girls and women, the sector itself may have to adapt to attract talent on a larger scale and from a larger talent pool, including more girls and women. The problem lies not so much in capturing the interest and confidence of girls and young women, or even women of any age toward the sector; rather, I think the problem lies more in the growing perception of a low-value proposition of embarking on a career in tech and cybersecurity under current conditions.
Change can bring with it opportunity. However, too much change, uncertainty, and churn will disincentivize investment and engagement due to higher risk. This includes investment by people in their own education, careers, and futures. Before the pandemic, the tech and cybersecurity sector were already characterized by high uncertainty and risk, rapid change in the technology itself, and high education and retraining costs throughout the employment years - costs increasingly borne by the employee. During and post-pandemic, talent may be even more selective and strategic in their career choices and paths to secure their careers and financial stability and predictability in increasingly volatile economies.
The sector’s start-up culture is often higher-risk by nature, focused on investment value and with less attention placed on strategic and business risk, long-run strategic planning, and longer-run employee satisfaction and retention. Start-ups have traditionally operated on shorter timelines until reaching a high sell price, while employees need to look at longer time horizons. With downward pressure on salaries in tech and cybersecurity, including as a result of virtual work, and work from home, and given the increasingly complex and crowded landscape of regulations, standards and laws, choosing a career in tech and cybersecurity may come with more challenges, and fewer relative benefits than before. The rapid change in technology and need for continuous learning and upgrading, may also lead to higher rates of burnout over a career, and perhaps more so for women who are often already under pressure to perform at higher levels to achieve parity in the workplace.
Ageism is also on the rise, particularly for women, and is further exacerbating retention and recruitment issues. Mid-level entry and re-entry is a particularly difficult problem in Canada, the UK, and the United States. The failure to re-recruit female talent once a leave of absence has occurred has resulted in a significant outflow of talent and skills from the sector when it is badly needed. The pandemic’s disproportionate effect on women is adding to this pre-existing retention and re-recruitment issue, the long-run effects of which are not yet known.
Projections about the near-limitless potential of the tech and cybersecurity sector itself have also created a disconnect that may be negatively affecting recruitment and retention due to raised expectations not met by reality in the present. Despite great interest in tech and cybersecurity careers, employing talent into actual positions has been harder to achieve. Years of public claims and projections of millions of available jobs in tech and cybersecurity have occurred alongside equally formidable claims of unfillable employment and talent ‘gaps’, and this inconsistency has remained unresolved over time, and without clear solutions.
Several cohorts of graduates in some regions have been largely unable to find employment after graduation, let alone at the level, salary, or with the stability and permanence they anticipated and were encouraged to expect when entering programs. This disconnect may be even worse for mid-career professionals and professionals wishing to move into tech and cybersecurity from other fields. Over time, students and talent may move on to other opportunities, where expectations are more in line with achievable outcomes.
As tech and cybersecurity have mainstreamed into our lives, a commensurate larger workforce is required. While millions of positions may be available now and over time, talent in the millions, willing to take larger career risks and absorb higher career costs, likely will not be available to match the demand. This may require the sector to adapt to fill the demand from among a larger, medium-risk talent pool, beyond the current preferred talent pool with higher risk tolerances. This will help tap into a larger talent market for larger-scale hiring in tech and cybersecurity.
Instead of trying to get girls and women to become interested in the subject matter or trying to attract many more high risk-takers than would be available in a typical population, adapting the sector toward a broader pool of talent with lower risk-tolerances in relation to their careers and financial futures, may be needed to attract talent on the scale and with the breadth of experiences needed today. Opening up the pool by adding to the value proposition may include incentives like more training and resources availability, higher pay across positions throughout the organization, more job stability, and longer-run consideration of risk and strategic planning that will allow businesses to scale up and thereby develop and retain talent over time. With an increased value proposition for lower-risk tolerances, the pool of candidates may grow, and recruitment and retention issues ease, allowing us to better meet the demand for highly skilled and diverse talent on the scale we need.
Why do you think it is important to recognize women for their roles in the field of cybersecurity?
Recognizing women in cybersecurity is a great example of what I like to refer to as “the ordinary and the extraordinary.” It allows ordinary people to see other ordinary, relatable people doing inspiring and extraordinary things in such a way that they can envision themselves doing it as well. Whether it is celebrating a full career or a current success at an earlier stage of an in-progress career, recognizing women shows that it is possible to achieve in this sector and identifies opportunities and career pathways. Women are still in the minority in cybersecurity - connecting them has produced mentors and supports that are not always readily available in the workplace or locally, and which may be even more elusive but important when working virtually rather than in person.
Women provide a different, and additional, window into what is happening in security and cybersecurity in different regions around the world, while still being part of the larger security communities in those regions. Diversity of thought and perspectives and life experiences shape how we view problems and potential solutions to those problems, and how opportunities are identified and maximized. Highlighting women amplifies these unique perspectives and experiences, and may help enhance solutions both locally and beyond.
Highlighting women also identifies where there are entry points into and within the sector, and where new entry and mobility points may need to be created for others coming in and up.
In some ways, I see women as the canary in the coal mine - by stabilizing and enhancing the sector for women, it will also stabilize it and improve it for everyone else as well. Doing so will support talent development and innovation, and by scaling out the talent pool, it may help scale-up businesses over the longer-run as well.
You are an influencer in the field of cybersecurity. What audience do you target? Do you want to reach the cybersecurity community, or also people who are not cybersecurity professionals?
While I remain focused on all things security, security and cybersecurity intersect with and affect our communities and our lives in so many ways. For those working and living outside of the professional security community, we are on their periphery. We are all interfacing with each other in increasing ways. During the pandemic, the public health orders surprised many in how non-security professionals could have such great influence on businesses and employees, and deeply affect security and cybersecurity considerations and practices. Some businesses had to alter even their strategic plans and cybersecurity strategies - risky under the best conditions and with longer planning timelines - as a result. The effects on security due to the public orders from non-security professionals have endured for much longer than foreseeable and may be permanent. Since 9/11, security has largely impacted the rest of society. During the pandemic, the rest of society has affected security in unprecedented ways. Achieving a new balance between the two will be the subject of important discussions in the future.
Prior to the pandemic, new security disciplines were emerging, and their development may be accelerated by the pandemic, for example, cybersecurity economics, organizational resilience, and security convergence (IT and physical security). Development of these disciplines, with their more sophisticated and nuanced approaches to security and cybersecurity, may help to provide a more balanced interconnection between security and non-security actors and functions in society, and provide better balance and stability in our responses moving forward. The development of these disciplines may also help attract more people into the sector in the interim and before a next event.
Do you think there’s a knowledge gap between the cybersec community and people in general? Being a journalist, I feel that there are many highly skilled professionals, but their knowledge and messages somehow do not get through to most people. Therefore they keep making the same mistakes, such as reusing passwords, etc. It feels like cybersecurity is designed for highly skilled and technical people, leaving others intimidated by the complicated language and procedures.
It is getting more complicated, in terms of threats and risks, the increasing complexity of systems and platforms, and our increased usage of them. The gap may unfortunately widen if not addressed in a considered and comprehensive way. It is complicated enough for professionals, let alone for the public who are understandably focused elsewhere on other areas and business lines, and their daily lives.
The IoT, AI, new standards, regulations, laws, and international legal and trade regimes, and geostrategic friction among states, to name a few, have greatly complicated the sector and how we operate within it. Attacks have become more sophisticated and threats are in some cases using psychology and data analysis to achieve a greater effect. Law enforcement is struggling to catch up, particularly during the pandemic, as people are spending more time online and changing what they do online, and from where. The cyber and human attack surfaces have greatly expanded as a result. This is making it increasingly difficult for people to navigate the landscape safely, and under significant rapid change, in what was already a challenging landscape full of threats and risks, with limited resources available to the public. Additional resources, supports, and training will be required for individuals, businesses, and governments. Cooperative international efforts are also underway to assist the public in purchasing and layering safer and trusted products and services, and toward building greater trust in the products and services available to them. There will be no easy or quick solution to this increasingly complex challenge, especially given variations across jurisdictions.
What are the main cybersecurity challenges that the world is facing today?
A higher-level, more sophisticated, and comprehensive treatment of security as a whole will be required. The traditional security disciplines are developing and maturing, often independently. New disciplines are also emerging, including those that are more strategic and cross- or interdisciplinary in nature. A comprehensive and more integrated approach to security may be required.
Linking subject matter experts all the way up through organizations and society to strategy and even grand-strategy at the state level may be required to compete with our strategic competitors globally - a competition that is currently beyond the purview of individual businesses and business lines, and in some ways, at the source of international geostrategic frictions today.
While the concepts have been around for some time, we may now need to meaningfully shift from a resilience posture (largely defensive in nature) toward an agile and anti-fragile posture (more flexible, active and proactive in nature) in security and cybersecurity. A comprehensive approach will be needed to make the transition.
The management of the pandemic has highlighted the need for security to mature as a profession and as a significant and trusted partner in our societies. Security professionals were largely side-lined during the pandemic, while politicians, public health officials, and selected experts from outside of the traditional security disciplines co-opted security terminology. A more balanced result, with less economic damage, might have been achieved had security professionals been brought in from the start. By contrast, China and Russia, for example, appear to be engaging traditional security disciplines and professionals more, and at higher strategic levels.
Such a treatment of security will involve more, not less, collaboration between the public, private, and not-for-profit sectors in relation to security. This will take some re-building following the largely public-sector driven pandemic responses, which largely left the private and not-for-profit sectors, including much of the security community, sidelined, including while cybersecurity was needed more than ever.
More collaboration, and more sophisticated collaboration at all levels of organizations as well as across the public, private and not-for-profit sectors, will be required to successfully address security and cybersecurity threats and risks, which have only grown and multiplied with the pandemic, and which will be further complicated with the economic volatility that will follow.
Attracting diverse talent to security and cybersecurity, from a widening range of backgrounds and expertise, and on the scale needed, will continue to be a priority moving forward.