ETSI Security Conference 2023: Diversity and Careers in Cybersecurity with Helen L. and Jane Wright

ETSI’s annual flagship event on Cyber Security, the ETSI Security Conference, took place face-to-face from 16 to 19 October 2023, in ETSI, Sophia Antipolis, France and gathered more than 200 people. This year the event focused on Security Research and Global Security Standards in action The event also considered wider aspects such as Attracting the next generation of cybersecurity standardization professionals and supporting SMEs.

At the ETSI Security Conference 2023, we spoke to Helen L. And Jane Wright. Helen, from the National Cyber Security Centre, has worked in Security for over 20 years and is a mentor at the CyberFirst programme. CyberFirst intends to inspire and encourage students from all backgrounds to consider a career in cybersecurity. Jane Wright is a Cyber Security Engineer at QinetiQ and has been participating in the CyberFirst.

Can you share more about your experience with the CyberFirst programme and how it supports diversity?
Jane: The CyberFirst programme is very inclusive, and it encourages people from any background to apply. I didn’t study computer science, I am a mathematician by trade. We have had politicians, economists, and historians come and join the programme. The CyberFirst programme allows for a base level of training. So, if you have no knowledge of cybersecurity, they put you through an intensive, 8-week academy which, unfortunately, I did online. But it just means that everyone’s got that baseline of information when they’re applying to jobs or applying to internships. Something else they provide is a vast list of contacts and a portal to apply for these jobs. You kind of accelerate through the recruitment process, which you wouldn’t necessarily have without the programme. It is a very inclusive, very encouraging and certainly a positive, experience I’ve had.

In the CyberFirst programme, do you have mentors and what is their role?
Jane: I think it depends on what year you join. In my year, we were the first year to go through it virtually, so everyone made a real effort to reach out to other members of the community because we were all stuck at home, experiencing the same thing. But, I see it as what you put into the programme is what you get out. So, if you reach out to alumni or staff, they will give you their time, they will answer any questions you might have, and they will point you in the direction of the answer.

What are some of the strategies you found effective when promoting diversity?
Helen: From our perspective at CyberFirst, we have done a lot of work just to understand the state of things, to understand where we wanted diversity. What we had at that moment and understanding where the barriers were to inclusion, where things weren’t, perhaps, as accessible. We have young women who really don’t understand how they can add value to the cybersecurity industry. So we made sure that we really understood where we were targeting. We cannot do it all at once, but building those jigsaw pieces and building that pipeline that people can go through in order to actually be guided all the way through, from beginning to end, is what we were aiming for. It’s a waiting game though, so when we started, across the whole pipeline, we had around 22% of women. But, if you look at the last couple of years, it’s around 42%, which is probably the result of the work that we did a few years before, the girls competition that we had done. You have to have a bit of patience, it is not going to change overnight.

What are some of the challenges that you’ve faced?
Helen: I suppose it’s reaching people. We’re very good as a cybersecurity professional, being a community and talking about things and getting together. But it’s when we start to try and reach those other parts where we do need to bring that diversity of thought whether that’s through gender, neurodiversity, or differences in disciplines and specialism. So, one of the challenges is reaching outside of our community.

How can organisations and individuals work together to promote diversity?
Helen: I think one of the things that really works well is, what I’ve said earlier in my presentation; you can’t be what you can’t see. The little big thing that organisations can do is really consciously make an effort to have role models, take photos, and put them on panels. It takes a bit of conscious effort to make sure you’re thinking about that. If all of the organisations did that, and all of the organisations had a really good narrative about how diversity is really fruitful for what they’re trying to do: that collective effort would be really impactful. And we’re already seeing the benefits of that so far.

Can you share a success story from the CyberFirst programme?
Jane: I am at the start of my journey, so I cannot say “success” yet, but I am here. So, I suppose we’re on the road. But it’s valuable seeing, as you say, you can’t be what you can’t see. It was very nice to see the NCSC’s CEO, and I was like, yes, this is what I want to do, that is who I want to be. How can I get there, and have a discussion with those around me while also working in the field? A really good bit of feedback I got was; that you don’t necessarily need to be one person, but talk to others who are leaders in their field, whether that’s technical, or focusing on diversity, and take the best parts of each person to try and build this engineer or role model that you want to be for the next generations coming up.

Both of you have backgrounds in physics and mathematics, respectively. How did you end up in cybersecurity? Would you recommend someone with that background to go into cybersecurity?
Helen: Definitely. Cybersecurity is so broad, there’s so much. I think it’s a very immature profession as well in terms of, for example, the medical profession that’s been around for centuries. The cybersecurity profession, with all its different aspects, it’s not dissimilar, but we’re only 10, or 20 years old. So, the complex problems you’re up against and the lack of precedent in a lot of areas, and the massively changing backdrop of both threat and how technology is being used – I think that provides a really rich ground for someone with physics or maths or a lot of other disciplines to really think about, how do I go about this complex problem, how can I break this down. These sorts of traits and skills that you might build up if you’re doing scientific method or have maths logic; even though you’re not doing exactly maths, you are taking those skills and that mindset, and the way of thinking to these complex problems. There’s definitely a never-ending set of things to do and I think that’s great for anyone to get into.

Which skills are useful in cybersecurity?
Helen: Logic, curiosity, system thinking, ability to think holistically; break complex problems down into many steps. That’s a really great trait. And being able to tell stories and communicate effectively.

What would be your most important piece of advice or message to someone who is considering starting a career in cybersecurity?
Jane: Just go for it. As we’ve said, cybersecurity is in every domain, in every discipline. You can do cybersecurity of infrastructure and cybersecurity of the health sector, so it almost allows you to have dual interests, or combine your job and your hobby, if you like. We see cybersecurity, but it’s a bit of a buzzword because that could be legal, that could be coding, or legislation and standards. So, I think, just go for it, you never know where the path is going to take you. You could end up doing all sorts of things.
Helen: Likewise, putting yourself out there, out of your comfort zone is a great piece of advice, because you really discover the limits of what you can do and it usually opens doors for other things.