What can be done to encourage more women to look at cyber security as a career opportunity?
In search of the answer, we spoke to two successful cyber security professionals making a significant contribution in their field: Dani Michaux, KPMG's EMA region Cyber Security Practice Leader, and Olga Kulikova, Senior Manager of Digital Transformation and Cyber Security at KPMG in the Netherlands.
The two were in Bulgaria to participate in KPMG's Global Women in Cyber Summit, part of a two-day cyber security forum in September. The focus of the event, attended by representatives of 52 countries and territories, was the future of cyber security in Europe, the Middle East and Africa.
It was not by chance that Sofia was chosen to host the forum. KPMG IT Service Sofia is part of the global KPMG organization of independent member firms and aims to grow its activity as a cyber talent-development center as part of the KPMG Delivery Network (KDN), the third in the world after those in India and Mexico.
The center will actively work with universities and offer internship programs to aspiring students. KPMG firms are committed to providing these programs in addition to training to develop students further and help them secure professional development certificates and expertise.
Dani Michaux: Women can contribute with their creativity
Dani Michaux, KPMG's cyber security leader for Europe, the Middle East and Africa region, has been with the organization for 15 years, most of them in Asia. She graduated in computer technology from the Technical University in Varna, Bulgaria.
Why are so few women pursuing a career in cyber security?
This is a global problem and a social phenomenon, and, in my opinion, it doesn't start with organizations that don't want to empower women. It all begins at home.
There aren't many parents who, when asked: "What would you like your children to graduate in?" will respond: "Cyber security."
This new profession did not exist until recently compared to traditional and well-established disciplines such as accounting, legal or medicine. Even when I was studying computer technology, very few women wanted to study it. Parents often imagine young girls in more-traditional professions, such as doctors, teachers or nurses, not so much as engineers, a shipbuilders or astronauts.
In the region I work in - Europe, the Middle East and Africa - women are significantly underrepresented in senior cyber security roles. Unlike junior positions, where the number is much higher but still not where it should be. This is one of the reasons KPMG firms also continue to invest in programs such as this one, where we can provide support for women and encourage them to pursue careers in cyber security.
In many cases, there is also a perception that the profession will not exist in the future. My own opinion is that this is a profession of the future. Twenty years ago, we didn't have mobile phones widely available and part of our daily lives. Today, even our cars are connected to the Internet. What will we see in the next 20 years?
Technology is evolving quickly and becoming integral to our lifestyles. Trust in technology is a large factor influencing its adoption and we will need even more professionals in the future to enhance trust.
How can women contribute to the profession?
Apart from their technical skills, women can contribute to cyber security with their creativity. They have highly intuitive and creative thinking. We sometimes see things that others don't.
It's interesting to note that in Bulgaria, many women work in the field of consulting services to create strategies or implement software. But when it comes to cyber security, the resource pool gets very limited. There just aren't that many women who think they can work in cyber security or develop a career in this field.
We believe in diversity, and for KPMG, it is truly important to attract more-diverse professionals who think differently about how today's problems can be solved.
The big problem for many organizations is that cyber security is a kind of black box - once opened, you don't know what might happen. Issues that need to be dealt with are constantly evolving. And sometimes, we women worry a lot about getting it wrong. We are too demanding and think that everything must be perfect.
So, you should tell yourself: I'm going to train to be the best at every moment, but it's not a problem if I'm not absolutely sure about something because there's a system around me that can help me take the next step.
Is the profession reactive or proactive?
We do many simulations because humans create cyber-attacks and usually follow a certain logic of action. Again, for me, women have an intuitive vision that can help a lot.
The other interesting thing is that the more you look into the types of attacks, the better the methodologies they follow. Thousands of organizations are being attacked in the same way. KPMG firms have investigated cases in multiple jurisdictions around the world and seen the same attack go through different countries simultaneously. Unfortunately, most people think they're the only victim and don't share information that can help battle cybercrime.
Why did you choose a career in cyber security?
I have a degree in computer technology, and when I started working abroad, information security standards emerged. It became interesting to me - what was this, why was it so, why should it be done? When I started dealing with cyber security, the main thing for me was not to be afraid that it's something new and that there are no developed methodologies. What attracts me is the profession's future and the opportunity to create something that did not exist before.
Innovation can also help to save lives. I was involved in investigating an incident in which we helped save lives, potentially making the digital world safer. It is incredibly satisfying when you see the real essence of the profession. And perhaps what inspires me more now is helping the younger generation of talent understand all of this.
As part of our regional-development strategy, KPMG is establishing centers in Europe and around the world to develop cyber security talent. These centers support the KPMG Global Delivery Network, through which KPMG professionals work on various global projects. This level of collaboration gives us access to a more diverse and inclusive team who can contribute with different mindsets. I believe this center will create an opportunity to develop young talent here.
What is the role of both business and government in driving women's participation in cyber security?
In my opinion, a multi-level strategy is needed. To begin with, are we giving enough publicity to what these new professions mean in the digital world and the digital economy? This should also be part of government policies. In many countries, governments are creating funds to develop the next generation of talent to enter women into the field or to support their return to the workforce.
The next level is universities, schools and teachers. They should talk about the professions of the future. We see much focus on STEM topics in schools, which is inspiring. People need to know that in the future, many of the things we do will be technologically dependent.
Regarding organizations - it is good to have role models, to support young mothers with more-flexible conditions, so they feel comfortable. As we go through different career stages, flexibility at work is beneficial. We, as a company, do a lot to support our employees through their journeys. First, when they come to the company, they learn about their opportunities to grow and succeed. Second, when they start a family, they will have flexibility when returning to work to find the right work-life balance.
Olga Kulikova: The demand for talent is big
Olga Kulikova, a senior manager in Digital Transformation and Cyber Security at KPMG in the Netherlands, has been with the firm for 10 years. She has a bachelor's degree in electrical engineering and a master's degree in technology management from the Delft University of Technology.
What is it like to be a woman in cyber security?
I love the subject and have always been involved with technology. On average, I see more men engaged in electrical engineering, security or digital transformation. The key difference for me is how men communicate and collaborate with each other compared to how women communicate and collaborate.
Being a woman in cyber security is a lot about experimenting and finding the right style of communication that suits your work environment. Women in cyber security typically do not have many female role models, so we test and discover how to communicate, build relationships, ask for support, and lead in this field. It can be tricky. But I like this challenge.
What are the pros and cons of a career in cyber security?The big plus is that cyber security offers a variety of job opportunities, not only hardcore tech. People often perceive cyber security as a classic hacking story about breaking into websites or bank accounts, but that's only one part of the puzzle.
So many other things are less technical and more social but equally important. Consider cyber security governance, end-user security awareness, incident response, and data privacy. In these domains, non-technical skills are essential. Establishing solid security processes, explaining complex things in simple terms, helping companies manage security incidents and communicating with the outside world - I believe women can genuinely like these activities and excel in them.
Many women do not consider a career in cyber security because they think they are not 'technical' enough, but there is much to do beyond the technical. That's a big plus.
I often hear from women that there are few female role models in the field to learn from and consult with. So, from a career-growth perspective, it can often feel lonely and self-driven. We are trying to create more role models to show that women can build successful careers in cyber and that there will be the proper support on their journey - both from male and female colleagues.
I try to stay optimistic - with time and more female leaders joining the field, we will have more great role models to provide inspiration. So, I hope that this minus will soon become a plus.
If women represent a fraction of cyber security experts worldwide, how can this be changed?I'm a firm believer that people should do what they like to do. And I know that based on social research studies (on average), men enjoy working with things, while women prefer work involving social and human relationships.
If we want to increase the number of women in cyber, we should create and advertise security job profiles that go beyond very technical aspects and also address social aspects of security. I've always been interested in team dynamics and how people behave, so I chose cyber security to help clients build better security teams and underlying security processes. Women can successfully fulfil many exciting jobs, even if they do not like hardcore technology.
Let's also not forget that we develop our interests and aspirations in our childhood and teenage years, so what we hear at school and home can influence our career choices. If you look at Eastern European countries, for example - I grew up in Kazakhstan and studied in Russia - on average, we see more women in technology compared to Western European countries.
There are multiple reasons for this, but I want to highlight the one we're discussing in the Netherlands. At Dutch schools, girls are not expected to study technical subjects. The situation is slowly changing. But for this reason, we cannot find women filling leadership roles and possessing years of experience. In the past, no women were entering the field.
We should discuss cyber security career possibilities at schools and universities to get more women interested. At KPMG, for example, we organize a global cyber-safe day at schools - to improve cyber security awareness and increase interest in the field among men and women.
It was worse ten years ago when I started my cyber security career and only had one other female colleague in our team of 40. So, I do see positive improvements with time. We haven't fixed everything, and we still have lots to improve, but I think the trend is good.
So, if you ask me whether to start a career in cyber security, my answer would be definitely. There are many challenges, but the demand for talent is big, and the community is very supportive.
What is the government's role in encouraging women's participation in cyber security?
Well, I had a chance to study this because I received a scholarship. Governments can definitely create and promote scholarships for talented women who wish to explore technology and security. And yes, the same scholarship opportunities should exist for men while we encourage women to study in this area.
Should businesses have a strategy to attract women in cyber security and technology?
I think businesses are already trying to attract cyber security talent, so we need to ensure that we can find and support women who naturally want to work and grow in this field.
As I mentioned earlier, some women might have doubts that they can excel in cyber security. Companies should start promoting the reality that cyber security offers an incredible mix of jobs in security risk, security awareness, processes and standards, privacy, security operations and more.
We see many women becoming scrum masters and product owners - likely because start-up culture advertised these types of jobs well. Businesses should start doing the same with security jobs and promote them better. And once companies find women who want to build careers in cyber, we need to pay equal attention to retention, helping women learn essential leadership skills and how to integrate work and personal life to achieve the right balance.
You are engaged in digital transformation. Where do digital transformation and cyber security cross?
KPMG firms often see companies modernizing with digital technology. As part of this modernization, they may migrate to public-cloud services or acquire another firm that uses its own IT. So, from a digital transformation angle, we are helping these companies establish a strategy and roadmap to execute migration to the cloud or integrate newly acquired IT capabilities and digital technology.
From a cyber security angle, we need to make sure that this transformation is secure, that we do not introduce any new security risks while migrating to the cloud, and that we approach any IT changes with a 'secure-by-design' mindset. So cyber security is an essential part of digital transformation. Both activities should go hand-in-hand.
Digital transformation is a serious challenge for cyber security. Can a balance be found between the two?
Yes, it's all about the balance. On the one hand, you need to enable the business to achieve its key business objectives - to innovate, to be agile, and to be fast to market. On the other hand, we want to ensure that all those agility and innovation changes do not result in security breaches, data losses or operational disruption.
So next to digital enablers, we should continuously think of the right safeguards to minimize risk. Every company will have a different risk appetite so the balance will vary per company. I often see in practice how certain companies sometimes get too risk-averse regarding today's innovative digital solutions. And this can backfire security-wise, as business users often find workarounds.
At the same time, completely ignoring the need to innovate and evolve in the digital economy is also not the right way forward.