IWD 2024: Active allyship: Making cyber a place for all
It's that time of the year again - organisations (in cybersecurity and beyond) showcase the incredible women working in their companies, they commit to change with flashy graphics and bold statements, they pull statistics that show how good they are or how bad the industry is and then, as the clock strikes midnight on the 9th of March, business as usual resumes with little follow through.
Therefore, this International Women's Day, I am proposing that organisations need to commit to being 'active' allies the whole year round. But what does that mean?
Performative vs. Active Allyship
With any big occasion comes a marketing opportunity to showcase how diverse an organisation is. This is 'performative allyship', where those with privilege claim solidarity with a cause but often disingenuously. It's a way to avoid scrutiny, look good, and appear forward-thinking, but studied closely, it's often the case that these bold statements and punchy comments don't translate into the ethos or make-up of the company itself. Last International Women's Day, for example, research found that only 21% of leadership roles in cybersecurity are held by women, with one in 10 companies listing no female leadership on their websites at all.
According to the Harvard Business Review, 'allyship' is defined as "a lifelong process of building and nurturing supportive relationships with underrepresented, marginalised, or discriminated individuals or groups with the aim of advancing inclusion." Allyship cannot be done effectively when only emphasised once or twice a year, and it certainly cannot be done in isolation. To make meaningful change, allyship cannot simply be performative or stagnant.
Stephanie Itimi, Founder and Chair of Seidea CIC, noted: "Active allyship demands we use our privilege and platform decisively to uplift and stand with marginalised communities, especially in fields like cybersecurity. It's action over words; we must actively open doors, dismantle barriers, and tackle systemic injustice. Championing diversity and inclusion isn't just talk; it requires our committed action to forge a fairer world."
Of course, some organisations are legitimately committing to real change, exhibiting 'active' allyship. The pillars of active allyship include displaying a deep curiosity, honest introspection and vulnerable interactions. Companies like Think Cyber Security Ltd., for example, offer part-time, flexible working to actively engage an often dismissed part of the workforce: mothers.
How Can We Make the Industry More Welcoming for Women?
Active allyship is about meeting people where they're at and fostering an environment that meets the needs of those within in, rather than shoehorning people into an environment not made for them. Whilst a lack of official research has been done on the matter, it is quietly known that women are expected to put their careers on hold to have children or put children on hold to have a career (that is, of course, if they want to have children at all, which comes with a whole other layer of workplace discrimination). The idea of having both is, for many, a utopia. Women are expected to compromise, whereas men can have both. The division of responsibility is unevenly weighted, and the security world suffers for it.
To fight threat actors from a variety of backgrounds, we need a diverse workforce with a wealth of experience. Drawing on that experience makes the industry stronger and safer. However, a 2021 survey showed that only 25% of the cybersecurity industry is made up of women, despite a 3.5 million worker gap, so how can we make cybersecurity a more appealing industry for women to enter? With a sizeable pay gap and a poor retention rate (50% of women who work in tech in the US are likely to quit before age 35), it's clear something has to change in order to make the industry better for women.
One thing the industry can do to make cybersecurity a viable career choice for all is to emphasise the very real possibility of upskilling and reskilling. Retraining is important and opens the doors to people with transferable skills who may not be graduates or young people. Tapping into work returners, veterans, and/or cross-industry talent can be invaluable.
However, to engage this audience, flexibility is key. Something I've noticed recently is the number of women talking about their 'squiggly careers'. There are times when people move up and down the career ladder; cybersecurity is not a linear career. Both should be celebrated and nurtured and not scorned. Making cyber a career that prioritises life/work balance is important for many. Giving people time and flexibility as well as fostering an environment that works for the individual also reduces burnout and boosts productivity, which is a win for all!
Also, business leaders should actively listen and seek feedback from women within their teams. Going back to basics – asking the women already on your team what they want/need – is a good place to start.
The Future's a Joint Effort
The future of the industry is reliant on allies who are actively striving for change. As women, we cannot discount the role men have to play in changing the future. Stepping up and stepping back, for male leaders, can be uncomfortable though and knowing when you should say something or let someone else speak is even harder.
Tim Ward, CEO of Think Cyber Security Ltd., explained it well when he said: "I think the first stage [of active allyship] is being willing and open to understanding and learning about the situation and then overcoming the concern that you will say the wrong thing or put a foot in it - of course, you will! But inaction and silence are worse, so you have to be willing to try anyway.
To conclude, going back to Poornima Luthra's words for the Harvard Business Review, "allyship is about progress, not perfection." Supporting women in cyber every day and not just International Women's Day/Month is key.