In a 2020 joint report by the NCSC and KPMG UK, entitled ‘Decrypting Diversity’, out of the 1252 cyber professionals interviewed, only 13% identified themselves as part of a minority ethnic group (Black, Arab, Asian or Mixed ethnicity, also known as BAME). Further, “41% of black survey respondents said they had experienced an incident of discrimination in the last year,” as per the findings of the report.
These numbers are telling of the gross underrepresentation of minority communities that is still prevalent in the world of cybersecurity and the high levels of discrimination and exclusion that take place in the industry that we all like to think of as pretty inclusive, diverse and dynamic.
In cognizance of this fact, the UK government launched the Cyber Skills Immediate Impact Fund last year with the goal of encouraging more women, BAME, and neuro-diverse candidates to choose cybersecurity as a career. The idea was to enhance diversity in the industry and ensure that minority groups can compete on an equal footing. With this mission at its heart, the government pumped an additional £500,000 into the Fund this year.
Laudable as they are, are initiatives such as these adequate? Is funding a good enough impetus to infuse diversity and inclusion in an industry that is now at the very heart of business and government bodies in the UK and the world over?
Turning the spotlight on a BAME Success Story
To explore these questions and more, Cyber Management Alliance spoke with Mahbubul Islam, CSyP, a member of the BAME community himself who has managed to scale great heights in the world of cybersecurity.
This interview is part of our ongoing series called ‘Diversity in Security’ where we aim to unravel stories of those who have fought discrimination and bias to carve their own paths to success in the domain. The idea is simply to turn the spotlight on their impressive journeys so that they may inspire others to follow their passion and make a career for themselves in the world of cybersecurity.
Mahbubul Islam, CSyP, Chief Information Security Officer (CISO) at the HM Courts and Tribunals Service
Mahbubul began his long tryst with cyber in 2007 as an Information Assurance Manager with various government departments, before moving on to take up the role of Head of Information Assurance at the HM Passport Office. Here, he was leading a team of security consultants and gained valuable practical experience in directing a delivery team which he was also able to apply to his next role at DWP’s flagship programme Universal Credit. This led him to the role of Head of Government Transformational Security. Mahbubul now has the accountability of the Chief Information Security Officer (CISO) at the HM Courts and Tribunals Service, an executive agency of the Ministry of Justice.
Experiences as a BAME leader in cyber
Mahbubul believes that a lot remains to be done in the UK as far as diversity in cybersecurity is concerned. Yes, representation of women and members of the BAME community has improved over the years but it’s nowhere near where it should be. He adds that when he started his career, he would be the only BAME person in a security training course he attended. Today, if he were to attend a similar training programme, he’s 80% certain that he won’t be the only BAME person there. Yet there’s a good chance that he might be the only one and that’s precisely why he believes that representation in the industry is still far from satisfactory.
Talking of his experiences with bias and perhaps racial prejudice, Mahbubul feels that he has definitely experienced many instances of confirmation bias in his career. “Many times, things that I have said have been re-evaluated and re-interpreted by people who are not from the BAME background. Or maybe that’s how I felt,” he shares.
The impostor syndrome versus the confirmation bias has definitely caused challenges for Mahbubul over the years.
“I always felt that I had to prove myself more than others and I was always one step behind the role I was actually in and much of this had to do with bias. It’s only in my present organisation that my experience and knowledge has allowed me to build a team that supports me fully in delivery and security. The challenges, then, have gone from being the only BAME person in a training programme, to being the only BAME in the leadership team,” Mahbubul shares.
We always turn the conversation in the direction of the advantage that someone from a minority community, be it based on their gender, colour, faith or race, may have when entering into the world of cybersecurity and we asked Mahbubul for his opinion on the same. He was quick to add that if one can afford to make such a generalisation at all then he would think ‘resilience’ is the one fairly common quality that a lot of BAME persons have that helps them do well in the security industry.
“It is the environment that someone has been raised in and has grown in that makes their skillset. However, in my personal experience, those from the BAME community or those that have faced bias of some sort, are generally more resilient. And resilience is imperative in the world of cybersecurity because it helps you deal with incidents, handle excessive pressure, take a step back if required to evaluate a problem. It also gives you the confidence and wisdom to know that a step back doesn't mean that you’re stuck there.”
Diversity in Cybersecurity today
Today, Mahbubul feels that he’s finally in a place where he can afford to not care about what anyone might say. After long years of proving himself and accumulating extremely valuable knowledge and experience, he feels that he’s at that comfortable juncture in his career where if he sees bias of any sort, he is able to call it out and challenge it. And that, he shares, is how every member of the BAME community (or anyone for that matter) should really feel from the very onset of their professional journeys. That is the ultimate goal!
We asked him to share some advice for young BAME professionals who are ready to chart out their own paths in cybersecurity and Mahbubul is quick to point out that “building confidence is absolutely critical.” He adds, “Knowing what the impostor syndrome is and learning to deal with it effectively is also a crucial skill that everyone from the BAME community has to develop.”
Mahbubul eloquently turns the spotlight on the concept of privilege, even within the BAME community. The whole narrative of privilege must be explored according to Mahbubul and everyone should evaluate their own experiences and their current challenges in the light of privilege vis-à-vis their peers. Some BAME professionals may have more privilege than others - it could be thanks to something like having private education in Bangladesh, where state education is not normal, which means those who study have a financial advantage. It’s important to understand different types of privilege and to recognise that every level of privilege breaks one barrier of entry into any industry - not just cybersecurity. If you’ve had privilege, your struggle will be a few degrees less intense.
“Understand privilege in the context of your peers and then get rid of the impostor syndrome, build confidence and be motivated to get really good at what you do. That’s the only way to really challenge bias from the get go,” concludes Mahbubul.
We, at Cyber Management Alliance, will continue to reach out to all professionals in our vast network, including women, men and folks from the BAME community amongst others. In a nutshell, everyone in cybersecurity and privacy who has a story to tell and an interesting journey to share, will be featured on cm-alliance.com.
It’s our belief that their stories should be shared with the young and old alike. Their stories can inspire others to widen their horizons and take on challenges that they may not even have imagined confronting otherwise!
Senior Information Governance Officer, Tanya Fleming, shares her perspective on undergoing our NCSC-Certified cybersecurity training & how the trainer Amar Singh’s unique delivery style and rich experience helped her refresh her knowledge and prepare herself for a new role.
Cybersecurity is one of the fastest evolving and most complex sub-domains of Information Technology. Very few people can claim that they understand all of its many nuances and are well-equipped to optimise security infrastructure, implement just the right processes and always be ahead of compliance issues, let alone be prepared enough to beat any cyber-criminal in their tracks.
This is why, like many other similarly dynamic and challenging fields, training in cybersecurity is always essential and never enough. No matter how many years one may have spent managing compliance and data security, one can always learn more and benefit from a specialised course.
One of the recent participants from Cyber Management Alliance’s NCSC-Certified Cyber Incident Planning and Response Training is a paragon of the age-old adage that learning never stops. Tanya Fleming, Senior Information Governance Officer at VERITAU, has spent years implementing information assurance mechanisms, governance frameworks, creating policies to ensure compliance, providing consultancy on data protection and leading the Information Security and Incident Management team at her organisation.
Despite all this extensive experience, she was far-sighted enough to know that she would stand to gain tremendously with the world-renowned cybersecurity training delivered by Amar Singh.
Tanya was on the verge of making a career leap. She understood that a training course that would allow her to brush up her knowledge, enhance it with the shared insights of others like her and enrich it with the thought leadership of Amar Singh, would be just the kind of skill enrichment right for her at that crucial juncture.
Explaining her decision to sign up for the training, Tanya says, “I already handle security incidents and data breaches through my current role but I wanted to make sure that my understanding of processes was more aligned with what was happening in the corporate world rather than just within the public sector. By undergoing the training, I wanted to make sure that my methodology was correct, accurate and up to date as I start a new incident handling role.”
Tanya is happy to report that the training met her expectations to the letter. It reinforced the fact that she understood the processes and procedures she was most concerned with and it helped provide clarifications in areas she felt she was rusty in.
Corroborating her positive feedback for the trainer and the delivery style, she adds, “Amar was very informative while delivering the training and he explained things in a way that’s accessible to anyone who may not even have past experience, through to those who are well-experienced. The fact that he delivers the training gives it a lot of credibility. You can tell that he has had a lot of knowledge in the area.”
Tanya lists the following as the key aspects that made the training stand out in her opinion:
- Delivered at a great pace
- Trainer understood his audience really well
- Provision of breakout rooms which helped to intimately interact with others and get a flavour of their opinions/different approaches
We asked Tanya to share her biggest takeaway from the training. Interestingly, what she highlighted may be a seemingly simple point, but one that is most often overlooked by data security and crisis management teams – Don’t call an incident a “data breach” until you’re sure that data has indeed been breached.
“The highlight of the CIPR Training for me was that Amar kept a bit of humour through the dry bits and that really maintained everyone’s interest and made the training more effective,” quips Tanya.
More Information on the Certified Cyber Incident Planning & Response Course
The CIPR course is the perfect stepping stone for those who want to understand the basics of cybersecurity. It is also ideal for those at senior executive levels looking to enhance the cyber resilience at their organisations as well as developing their own competencies in planning, detecting and responding to a cyber-crime.
Not only is the course delivered by one of the most renowned cybersecurity trainers in the world, Amar Singh, it comes with a great reference material pack including worksheets, checklists, mind maps and free templates. It is the easiest and most effective way to enhance the efficiency and cyber-resiliency of your staff and make your business more compliant with data breach response regulations.
The world of cybersecurity and, to be honest, tech in general, continues to be beleaguered with issues related to gender diversity and underrepresentation. According to a recently released *report, women will represent 20% of the global cybersecurity workforce by the end of 2019. In the same period, Forrester predicts, 20% of CISOs at Fortune 500 companies will also be women.
This figure is far too low and is nowhere near a decent representation of women in the domain. However, the scales do seem to be gradually tipping towards a more balanced position, albeit very slowly. A lot of organisations are reimagining cybersecurity roles and are opening up to the idea of having a diverse pool of professionals with diverse approaches making up their infosec teams.
Interestingly, many of these professionals, who are new to the field and many of whom are women, come from a variety of different backgrounds that have nothing to do with tech. Organisations are realising that the threat actors they need protection from comprise a diverse demographic with different backgrounds and to suitably combat the threats they pose, they need to have teams that also represent such diversity.
Two Boss Ladies of Tech
We recently spoke to two power ladies who don’t just make up the handful of women in cyber, they also represent the changing composition of cybersecurity teams across the globe. Both come from non-technical backgrounds and both lead critical divisions in their roles at Metro Bank. Carole Embling is the Information Security Manager for Compliance while Katarina Puschmann is an IT Risk and Controls Specialist within the IT Governance team.
Their non-technical past, they believe, never comes in the way because cybersecurity today has to do with a lot more than just technical knowledge. Building a robust security posture involves many other aspects such as soft skills, communications, team-building skills, crisis management, all of which cannot be taught and some of which must be innate, putting women at a unique advantage within the industry.
Carole and her 20-year journey in cyber
Carole started her career in IT security at the Royal Mail Group. Having begun as a Post Office Counter Clerk, she started on the path into Information Security by being trained as a junior business consultant back in 1990. She quickly learned the ropes of Information Security as part of a special training initiative and then became part of an integral team providing security consultancy at the Royal Mail Group. She later became an Information Security Manager at RMG and after being part of multiple organisations in the capacity of Information Security Advisor/Manager, she took on her current role as the Information Security Manager - Compliance at Metro Bank.
Carole shares that when she went into the business consultancy role in the 90s, there was an awful lot of discrimination against women and especially a young working mother like her. Most of this discrimination had to do with perceptions and the fact that nobody was used to a woman poking around asking questions about IT security at that time. However, within Royal Mail itself, there was wide acceptance because as an organisation it was very progressive, and this really helped Carole gain confidence to continue doing what she had identified would be the role defining the rest of her career.
Outside of Royal Mail, however, whenever she went for conferences or similar events, she was one of the only women in the room for many years. Carole admits that she’s still an exception and while the number of women in cybersecurity may have gone up on a global level, in smaller pockets there are still only a handful of women that can be seen in such roles. Carole quips that she thinks that she often gets invited to a lot of events related to tech and cyber, not because of her mettle as a professional, but as a token woman.
Fortunately, however, Carole does opine that the trend is changing even if it’s at a sluggish pace. This is in part because women are geared to break stereotypes of the career paths they are expected to take and in part because everyone is realising that cybersecurity is a lot more than just IT security. People are also seeing that given the right training, skills can easily be transferred from one field to another quite seamlessly.
From admin to cyber: Katarina’s interesting career transition
Katarina moved to London about 12 years ago and started working in the hospitality industry and then in the real estate space. She then worked in the HR team of a small IT company and later she took on an executive assistant role. She, in fact, joined Metro Bank, as an executive assistant but she always knew that she wanted to do something more than what this role allowed or had scope for.
It was around this time, when Katarina was deciding her next career move, that somebody in Metro Bank who headed the testing team approached her to work for him, to coordinate the environments team. This was her first IT role which wasn’t particularly technical. Her job was to understand the requests coming through for the environments team for testing. She also had to gauge her teammates’ skill sets to see which requests should go to which team member.
About two years into this role, another colleague at Metro Bank reached out to Katarina to implement certain sets of controls to ensure that the environments that were using certain kinds of data were monitored more closely and, in addition, to see which colleagues were accessing these environments. The implementation of the GDPR made such locational monitoring imperative and this was Katarina’s first exposure to implementing controls and monitoring the access management space. Thanks to this experience, she was asked by the said colleague to take up his job in the IT Governance team, which is the role she is in now.
Katarina now plays a critical role in IT controls management for the bank, providing assurance on control performance. After a recent round of restructuring, she is now also assisting with IT risk management for the bank.
Not technical knowledge, but technical understanding, says Katarina, is crucial to success in the infosec business today. She admits that her journey has been a lot different and a lot easier compared to Carole’s because she had the good fortune of entering the industry after it had already opened up. Katarina leaves no opportunity to reiterate that it’s because of the support of her team, most of whom are men, that she has managed to make a foothold in this space.
Katarina is also part of the networking group – Ladies of London Hacking Society - which supports women in cybersecurity or anyone who wants to learn hacking. The group is growing month by month which obviously demonstrates that women, in the UK at least, no longer perceive cyber or hacking roles as a preserve of men!
Our Thoughts On Women & Cybersecurity Today
While the number of women in cybersecurity is increasing every day, the main position that Katarina and Carole hold is simple – There are tons of jobs waiting to be filled in cybersecurity divisions across the globe. It’s clear that the current picture, that of a male dominated field, is not working that well. The need for watertight security is so high today and the impact of any possible risk on a business’s bottom-line and reputation can be so adverse that businesses are simply looking at roping in able professionals who can add value.
It really doesn’t matter what your color, gender or creed is. As long as you speak a common language, love to learn, challenge yourself, know how to keep your calm when the storm hits and are a hard-working person, you should look at a career in cybersecurity with deep seriousness. It doesn’t matter where you come from and what academic background you hold, if you are dedicated enough to acquire technical knowledge through self-training and have a good team to support you, you can definitely don the hat of a cybersecurity professional. If this means that the needle starts ticking in favour of a more diverse workforce and more women in cyber, then that’s a wonderful bonus!
Our CEO, Amar Singh’s opinion:
Coming from a one-parent family, I witnessed my mother’s struggle to maintain an equal footing in our male-dominated world. When it comes to women, I make no qualms about it - no woman should ever be helpless or subservient to a male, now and in the future. However, I am also a firm believer in merit and meritocracy, regardless of gender or sex, and, currently, there seems to be an urgency to balance the scales in the domain of cybersecurity.
As much as building a strong foundation takes time, building a pipeline of talent and skilled resources takes time too and it has to start from the younger years.
All organisations interested in building a strong and vibrant cybersecurity team must encourage internal upskilling - as Metro Bank did with Katarina. In addition, they must allow talented professionals from diverse backgrounds, including ethnic minorities, to see that taking up a role in cyber isn’t all that complicated. Furthermore, they should encourage existing employees in IT and cyber to help and support others when they embark on a new journey with a new role. However, all of this encouragement and upskilling must be focussed on merit alone, in my opinion, and not on the gender, race, age or creed of the employee in question.
*Report by Cybersecurity Ventures