Who Is

watching out for you?

In today's world you need to understand a few more things...

Who Is

knocking on your virtual front door?

It could be someone down the block or from the Bloc

How to increase the number of women in information security

Laura Payne, BMO

29 Sep 2016


Many people recognize the potential to increase the number of women in Information Security.

“When the ISC2 2015 Women in Security Study came out last year saying there’s been no growth; basically stagnation, in terms of including more women in this particular field, that’s of interest to me, being a woman who works in Information Security,” said Laura Payne, Senior Information Security Advisor, Bank of Montreal. “We have a huge shortage of qualified resources in this field, and by all means we should be finding and encouraging those women to join.”

Payne will be leading the keynote discussion at SecTor 2016. This keynote is a conversational presentation on what encouraged the female panelists to enter this field. The audience (expected to be about 90% male) will want to know, ‘What can we do?’  

“I think a stigma is you have to fit a certain kind of box,” she said. “The reality is there are many areas -- pen testing, governance policy writing, risk management, communications -- and all of those things require sold grasp of the technical parts of information security. But they’re a different kind of role. Opportunities are there that fit things women are interested in.”

It’s known that that interest in math in young children is the same for both genders. Later something happens around STEM topics that hasn’t been sorted out, which seems to close some doors. Someone who might be interested in security might never see information about it, or even have the chance to discover if they’re interested in it.

“Making sure there is opportunity and awareness is 50% of it; that doesn’t mean you have to wear a hoodie and be alone in your parents’ basement,” said Payne. “This is about helping people be protected. We’re protecting customers, and the livelihoods of people who work in industries that may be jeopardized. That resonates with women… the technical skill comes down to ‘what I can do with it’, rather than the fascination with the technology itself.”

That protection part is a bonus when talked about. Security professionals are doing it for people, and to make things better for our society. It’s not because they’re hoarders and don’t want to share… it’s because they want to provide safe and secure environments with which people can interact. We can live safely, securely, and comfortably using technology assets.

Which raises the stereotype of momma bear protecting cubs. Relating Payne’s original point back to people, two things got most women into information security…
1. Contributing in a meaningful way, not just to themselves, and
2. Someone had pointed out, ‘Hey you’re pretty good at X, and that’s a skill we can use. Would you consider a role or study that leads to a role in information security?’  

“In my case I was doing ITIL processes, and an opportunity opened to be information security officer for that team,” Payne said. “My manager at the time encouraged me. He said, ‘Look, you’re already doing business continuity, disaster recovery, and audit responses as part of your daily duties. Really all you need is a bit of knowledge and you’d be a great for this role.’ If he hadn’t said that I wouldn’t have even considered applying for it, and years later I’m still here.”

Her experience runs counter to another stereotype; that of men wanting to keep security as their own version of The He Man Women Haters Club.

“Fortunately I haven’t experienced that, altho I have heard things anecdotally,” said Payne. “More commonly I run into people who just don’t know what they can do. The people I’ve talked to are supportive. First thing that comes up is, ‘We don’t want to fill positions to hit a certain percentage.’ I’m not interested in having unqualified people in this profession any more than anybody else is.”  

So how do you find those with the qualities for information security?

“The way we write job descriptions – especially in technology – focuses on technical skills. Anybody technically apt can pick up those skills. It’s the critical thinking and soft skills that are important, and people with those can come from a wide variety of backgrounds.”

Also helpful is demystifying security for those who may not be aware, or who labor under misapprehensions about the field. Hence this SecTor keynote panel.

“It won’t be scripted; it’ll be fresh for the audience, and it’s not about ‘guys are terrible and we need more women,’” Payne said. “We’re a community. We want to bring this discussion to the human level of why each of us got into it, how those backgrounds are successful, and how to find people who might not be cookie cutter tech mold candidates, but who have other qualities that make them great IT security candidates.”

To attend the session register for SecTor 2016 here.