Progress towards achieving equal representation in tech is headed in the right direction. The representation of women in the Australian tech industry increased slightly, rising from 29% in 2021 to 31% in 2022. Additionally, the gender pay gap in the sector is half that of other highly paid sectors, such as finance or professional services. While this progress is a step in the right direction, there remains one area in tech where adequate representation is lacking - cybersecurity.
Australian women make up only 17% of the cybersecurity workforce. Research suggests that, in part, this is attributable to the highly technical nature of cybersecurity, with most roles in the industry typically demanding specialised skills acquired through STEM (Science, Technology, Engineering, and Math) education. However, given that females constitute only 37% of university STEM course enrolments, it is unsurprisingly that men outnumber women in cybersecurity jobs.
Must STEM really be the barrier that prevents women from pursuing a career in cybersecurity? Certainly not if you are looking to be a CISO.
The role of the CISO
The CISO, or chief information security officer, requires skills that go beyond STEM. The role requires a strong leader to guide the business through security initiatives, convince C-level executives or the board to invest in cybersecurity programs and steer the business on a path that aligns security with its overall business objectives and goals.
While CISOs were not mainstream in Australia and the Asia-Pacific region about a decade ago, today, they have become immensely important and are widely regarded as the key to protecting organisations.
The CISO often has the CEO’s ear and is considered a peer to the CIO and CTO rather than working under them in the depths of IT.
I have met many talented and exceptional CISOs, both male and female, who were accountants, lawyers, teachers, and even a botanist in their former careers. They may not have a deep level of technical knowledge, but they know how to ask the right questions, are tech savvy, translate cybersecurity threats into business implications, and guide teams into implementing effective strategies. Those are the skills that help successful CISOs drive the business forward while ensuring risks are balanced.
This is exactly why organisations can benefit by looking beyond traditional requirements to ensure they find the right mix of talent and skills–regardless of gender.
The six critical skills CISOs need:
To be a successful CISO, skills like communication, leadership, risk and incident management, empathy and emotional intelligence, as well as strategic thinking, are most crucial.
● Communication — the CISO must articulate cybersecurity threats and priorities to a wide range of stakeholders, as well as drive the security conversations. This includes both fast-paced activities during a major incident and more typical settings, such as board presentations. CISOs are also frequently the face of the business, internally and externally, for security matters.
● People and leadership — CISOs do not work in a bubble. People and leadership skills expand on communication proficiency to help the CISO foster relationships and influence peers and teams across multiple functions. This individual must also work with marketing, corporate communications, legal, operations, and other departments, and building relationships with them makes the CISO more effective when a crisis emerges.
● Risk management — cybersecurity is all about managing risks based on your highest priorities and biggest threats. As a risk expert, the CISO has the job of understanding how cyber risk connects to other risks across your business, including the financial implications—and then articulating this risk to your leadership team.
● Incident management — security incidents are all but guaranteed in any organisation, and the CISO needs to own the room. Exuding confidence and providing knowledgeable guidance is especially important when your incident response team is under pressure and working in a high-stress environment to contain a threat. You need to be the air traffic controller.
● Empathy and emotional intelligence — these skills are becoming more valuable for a CISO who must understand and empathise with people within and outside of the organisation. Striking the right tone in important conversations takes emotional intelligence and the ability to communicate in a relatable, non-technical way.
● Strategic — to protect data effectively, the CISO needs to not only understand the bigger picture but also have a roadmap for analysing and filling security gaps, whether you are outsourcing security activities or managing them in-house.
Besides these core skill sets, it is also important to think about additional needs based on the industry or company size. In a software company, for example, software development skills may be useful for understanding the core business operations, so that could be a secondary consideration. For a smaller company, tactical experience is more imperative. However, even in those circumstances, technical skills aren’t everything; soft skills should still be the primary consideration.
What does matter is that the CISO, male or female, should be a business-focused leader first and a technologist second. As long as they display a keen interest in cybersecurity, the right mentality, and the drive to succeed, taking this non-traditional recruitment path and considering them for the role of the CISO could very well pay great dividends for the business.