
Mind the gender gap

This podcast explores the importance of diversity in cyber teams.

The cyber security skills in the UK labour market 2023 report revealed that only 17% of the cyber sector workforce is female and just 14% of senior roles are filled by women. 

Cyber threats continue to evolve rapidly, and protecting against attacks requires creative thinking from people with different perspectives.

In this episode we discuss why there’s a gender gap in cyber security and explore ideas on how to get more women into cyber.

Mind the gender gap podcast transcript

Mike Fell, NHS England:
Hello and welcome to the first episode of The Cyber Sessions Podcast. I'm your host, Mike Fell, and I'm lucky enough to have one of the best jobs in security as the director of National Cyber Operations at NHS England. I’m an accidental cyber bod, having worked in and around risk and traditional security for a number of years before attempting to teach myself how computers work. And I'll leave it to you to decide how effective I've been at doing that, but either way, it's a great role with a really important mission.

In this podcast, we're going to be exploring current cyber security topics that affect health and care and the broader system and at a national level. I'm really pleased to say that today I'm joined by some great women, Lucy Pike, Deputy Director at HMRC. And from NHS England we've got Robyn Dennis, Cyber security Lead and Orlagh Zielinski, a Trainee Cyber security Advisor.

So why are we having this conversation? Reports show that less than one in five of us working in cyber security are women, and that drops to only one in seven for senior roles. That doesn't feel right. So today we're going to chat about the thoughts on the gender gap in cyber security, why it's important, and also some ideas on how we can get more women into cyber security. So, to kick us off. We talk about the profession a lot, this kind of nebulous beast of a grouping of people with different skills.

But actually, some of the diversity that we do have in a relatively un-diverse profession is all the different stories and reasons that we kind of got into security.

So opening up, can you tell me what your role is and how you got here? So, let's start with yourself Orlagh.

Orlagh Zielinski, NHS England:
Yeah, of course. So, I'm Orlagh Zielinski, I'm currently working in the threat intelligence team within the NHS England CSOC, and I'm actually a degree apprentice, so my route into cyber started straight out of sixth form where I entered this job in which I study at university and I work for NHS England simultaneously. And this is on a four year long course in which I'll get a degree in the end, and I'll be quite honest, I wasn't actually aware of what cyber security was before applying to my job. Instead, my interest actually stemmed from studying computer science in school.

And then you know, the various job applications and interviews, sifting through them all eventually led me to the Cabinet Office Cyber Apprentice programme, which is the one I'm on now. So I was lucky enough to land that and I got placed in NHS England and then since then, that's how I kind of fell in love with working in cyber security.

Mike Fell, NHS England:
Thank you very much and I know you are amongst a number of peers that have kind of evolved through that scheme that are making a real difference in, in the community, in the NHS, in a range of organisations as well, not least in HMRC where Lucy joins us from, so over to you, Lucy.

Lucy Pike, HMRC:
Yeah. Thanks, Mike. And I've worked with Mike for a number of years. So I'm really pleased to be part of this podcast today. But yeah, I am a Deputy Director in HMRC and I'm the Head of Enterprise Security Risk and Resilience. I'll try and keep it brief, but it's a really broad role. So I run essentially a GRC function - a governance risk and compliance function. So I manage the two departmental risks of security and technical health for HMRC. And underpinning those two risks is a cyber risk. So I have a really keen interest in the state of cyber risk at the moment.

I look after the security policies, technical standards, enterprise security controls, which we've recently aligned to NIST, so that's fantastic, that cyber framework we're using now to align all our security risks line to assurance departmental reporting around all those risks and then the resilience side of the house. So all the security incidents we have oversight of those, we've got the departmental operations centre. So that's a 24/7 function which supports operations like bridge operations but also incidents of any sort.

And also our business continuity strategy policy and our subject matter experts, so a really broad role and you'll I'm sure as we come to answer some of those questions, you'll find out why for me that's such an interest. But like Mike, I'm an accidental cyber, I suppose, supporter. I started life in what was the Inland Revenue on their graduate tax inspector scheme and I did tax around 14 years and the only reason I'm now working in security and have been for variations of this role for the last seven years was, I saw an SCS role that talked about security risk and yeah, it mentioned cyber. I knew nothing about cyber at that point, but I thought I could do risk, transferable skills. Let's give it a go. And here I am seven years later and have never looked back because I love it and the amount of knowledge I've got around cyber now allows me to talk to people in the organisation who had a background like me who don't understand cyber but absolutely have to run a very large department that brings in most of the money the UK uses to service its functions, including the NHS. So yeah, how I translate those technical cyber risks into business language.

And for me, that's absolutely one of the benefits of having a bit of a more diverse background.

Mike Fell, NHS England:
Yeah. Thank you, Lucy. And I think there's huge parallels there with that kind of technical tax administration profession that you bring to the table within your role and similar challenges that we face and endeavour to tackle in bringing clinicians and the people who are delivering health and care into the kind of risk management conversations there. So thank you. And Robyn over to you.

Robyn Dennis, NHS England:
So my role, I am Tiger team lead within cyber ops at NHS England, I've been in post for just coming up to six months now. So I'm kind of a broad cyber generalist having worked in sort of cyber information security and data protection for around eight years. And so I'm really lucky to have a really varied role now where I get to call on my sort of wide-ranging knowledge and skills. It feels like a great fit and I get to work with loads of different professionals which is fantastic.

As for how I got to where I am. So when I was little I wanted to be an astronaut, but I'm actually scared of flying. So that really wasn't going to work out. So I kind of looked at my other options. I've always been a bit of a tech magpie. I've always been interested in sort of shiny computery stuff, tech gadgety type stuff. I studied computer science at college. Being honest, I didn't really know how to apply it when I finished, so I fell into some fairly unusual roles.

One of them picking flowers, one of them building hoovers, then kind of moved through a range of office roles. But the common theme amongst all of that was if there was a computer involved or anything kind of techie related, I would gravitate towards it. I eventually ended up in a bit of a sort of jack of all trades digital role for an education venture within a big sort of international group. That group had some really good definition around information and cyber security, and this was sort of shortly before GDPR came in.

So both those angles kind of got amalgamated into that jack of all trades position.

Which meant I was really busy, but I was incredibly lucky to have a great mentor and I quickly kind of determined that the security angle was the bit that really piqued my interest. It's an area where I could see an opportunity to help defend, protect others, which really helped me to find meaning in why I do what I do, and from there I've been lucky enough to get jobs that have allowed me to sort of apply focus in that area.

Develop and train and move up to my current level where I feel really kind of appreciative of how that's panned out.

Mike Fell, NHS England:
Thanks very much, Robyn. Thank you. And I'm going to take the opportunity of those kind of NASA astronaut based analogies jumping through that kind of Tiger team, which is a principle that was brought together by NASA, whereby when they had problems in space, they would put the best people together in a room with the kind of bits and bobs that were available to the astronauts with the problem and then try and work it out. And I know that's at the heart of your role as something you do kind of really well for us of using the available resources and the best people to do it and that kind of builds towards my next question about what do we think the examples of the best things that are happening already and I think the reason I ask, for asking that is the cyber security, and the security profession kind of does best when it shares intelligence, where it shares ideas about what's working well, what's going, what's going wrong. And I kind of see this through a security lens of a similar challenge really. When we look to those kind of rather depressing figures about the diversity. So yeah, open question as to whoever wants to kind of lead on it. What are the best examples of things that are working in practice to make it a more diverse profession?

Lucy Pike, HMRC:
I think for me there's a real strength and it's great to see Orlagh on this podcast. I think there's a real strength over the last few years in what we're doing to bring in apprentices, bring in industrial placements and give people that chance early in their career to, I suppose, get stuck in and learn and get the support they need. I think it's for me there's probably a perceived barrier, particularly for women, around getting into a cyber career mid-career because there is a lot of training. It is a technical expertise. You've got to try and balance that with often quite complicated personal lives. So I think by getting people in at the start of their career, getting that interest that Robyn has said she had from an early age actually there are careers that can support you if you're into techy things, if you're into shiny boxes with wires inside them or you're into, you know, the concept of how on earth do we take new technologies and things that are happening and apply them to what is often in our organisation, NHS might well be the same, these behemoths that are years and years old that just haven't changed and for me I think getting, dare I say in getting younger people in who've got some different ideas, seen some different things, understand all that new technology I think for us in HMRC, that's been a breath of fresh air and I think again it allows people from all backgrounds. We've got fast streams that we use across our teams, in HMRC security that have such diverse backgrounds, male, female, any background depending on you know where you grew up or where you currently live at the moment, it doesn't matter, it's not a barrier. So I think those apprenticeship schemes, those fast stream schemes, I think those are absolutely vital and I've seen them. I've got one guy working on our AI policy who's a fast streamer. I'm not, it's not my traditional policy team. He's working on it, he understands it and he will leave a legacy. 
He will write that policy and leave it for us when he moves on to his next placements. So for me, those things have been a real game changer in particularly in HMRC to get that diversity of thought and also the profiles of our workforce changed as well compared to what it was five or six years ago.

Mike Fell, NHS England:
Thanks, Lucy and I, kinda know personally from seeing the successes of people that 5-6 years ago joined straight out of school who are now, you know, middle and senior managers really making a difference on it. And it's absolutely the future. So yeah, what other things do we think are things that we see as helping?

Orlagh Zielinski, NHS England:
I think mine kind of just expands on what Lucy has said, but obviously it's from a first hand perspective, but definitely the expansion of more pathways into the career really helps. I know personally I was considering university. I was actually leaning towards more of an arts route, a graphic design route, but luckily apprenticeships were really strongly pushed in my sixth form. So this is what actually led me to discover the path and the career that I'm on right now. And I think you know, I would not have been aware of finding out that I could actually enter this role into cybersecurity and also at such an early age.

And just getting quite hands on experience, I think it's quite a nice thing to know. I'm definitely more of a practical person and things like full time university and sitting in lectures, I knew it wasn't quite right for me. So it's very nice and it's very satisfying to finally come across something that definitely suits your personality and suits you as a person. So I think the increase of these pathways has definitely helped to start to combat this.

Mike Fell, NHS England:
I think it's a really interesting point you make there about kind of making that decision straight out of school. One of the things that kind of always interests me in this space is that workplace problem or is it a societal problem? Or is it a school problem? I think the answer is probably all in a little bit of it, but I'm going to ask a slightly cheeky question of all of us here, if you had to choose between fixing the problem in school, and fixing it or investing, you know, in making the change at primary school level or in the workplace. What do you think would be kind of most effective?

Robyn Dennis, NHS England:
So I think from my perspective, thinking about the long term, we need to promote information security careers, cyber careers at a school level.

I never knew there were jobs in this field. I know things have moved on. It was a long time since I was at school, but it feels to me like the best way to ensure there's a mix of all types and characteristics and you know that full kind of spectrum of diversity is to ensure that everybody has visibility, that these kind of roles are an option at an early age before there's some of that, perhaps sort of learned view and bias that boys do that and girls do this, etcetera, that kind of thing. I think recruitment wise, you know there is a need for us to ensure that selection methods avoid any conscious or unconscious biases as well.

I've been really lucky as I've had a few roles in this area now. So I've been lucky that I haven't been weeded out for any kind of those kind of reasons, but I think overarching culture is probably more important than the selection process itself. I've been recruited by all male panels in previous roles, not here. When I've actually been in post, those same people haven't actually advocated and supported my position. And I wonder if some of that is because they're concerned about how that looks to their peers.

You know, talking about that kind of culture of do we have in some cases a sort of stagnation of opinion and type?

I think promoting it at the school level means that culture will ultimately change in the long term.

Mike Fell, NHS England:
Yeah, it's really, really good point there and it reminds me of a phrase that a former leader I used to work with used to say about the difference between diversity and inclusivity, and diversity being, I think what you've described there about having the right panels, and inclusivity being actually a way there and she, it was Jackie Wright who at the time was the Chief Digital Information Officer at HMRC and also kind of senior leader in Microsoft now, she used to say that diversity is being invited to the party. But inclusivity is being asked to dance, and I think that's absolutely something that kind of we run the risk of, I see if it's like a policy based approach and a kind of binary approach to thinking that you get the right outcomes by just putting you know the right people on the interview panel and that. Thank you, Robyn. Is there any other thoughts, on things that we can kind of see doing well elsewhere?

Lucy Pike, HMRC:
So I'll throw in a, I suppose a room for improvement, one I absolutely believe. Yeah, we have to get youngsters interested in careers in our area. But what I would love to see change and I see it in our organisation is, I think the requirement of our technical team. So my peer who runs the cyber technical services, they want fully fledged fully formed people. So when they write their job adverts, they write them written for a professional who's been in that organisation or been in that career for a long period of time. And I think we've got to be a little bit more, take a little bit more of a risk, I think on people, it's why I'm in my job. People who've got the right skills or the aptitude for it, and they need that extra bit of support. And yeah, they won't be fully formed on day one, but six months in they'll be better and 12 months in, they'll be an absolute superstar. So I think we've also got to try in the recruitment process to not put people off who maybe are interested but have not followed that path through school, who might have gone down a slightly different route but are saying, I realise now that I'm really interested in cyber. I'm interested in information security.

But these job adverts just put me off because they're basically asking for someone who's in their mid-career, who's been doing it for a long time. So I think we've got to get a bit braver in thinking about the skills we need and the aptitude we need for the roles, not just on paper. You've got the, you know, all the qualifications in your fully fledged cyber professional. So for me there's something we can absolutely make a change there.

Mike Fell, NHS England:
Yeah, I think that's right. And I think kind of Robyn was talking to this point as well about that breadth of experience and it doesn't have to be that you know the entire technology stack and these kind of unicorns that are being sold and for me personally that's why I quite often tell the story of me getting into this space through a geography degree that made me think about why people live on floodplains and then complain about the houses getting wet because actually that's just risk management, which is actually at the heart of a lot of this.

I know there's quite a lot of academic work around, kind of different approaches to the confidence levels of some people, to have a punt and apply for the job when they know that they haven't got everything versus kind of feeling the need to demonstrate everything. And certainly I think one way that the civil service and the NHS can address that is through looking really quite hard about essential criteria, a language that we all use, versus the desirable and for me like the essential criteria for. Yeah, there's the specific roles in this space where you don't want somebody that's like just going to have a go at it, but there's an awful lot where actually when you boil it down, the essential is really quite limited and the desirable is everything from, you know like yourself Lucy, knowing how the tax system works like clinicians that kind of interoperate with us like you know, Robyn, your kind of background within local government and kind of bringing all of that to it. So great. I'm going to rip the plaster off one a little bit here that you may want to answer or not, it shouldn't even need answering or asking some might argue, but do we actually need diversity in cyber and in security? I'm going to hide now.

Orlagh Zielinski, NHS England:
I'm gonna go ahead and just say yes. Yes, I definitely think we do. Having a team of cyber individuals all with the same background and the same experiences would definitely minimise the variety of their thought processes and just their perspectives that they come from.

I know that Forbes have said before I think they said that the threat landscape is you know it's ever intensifying and it's growing more and more complex.

And this just requires differing skills and cultures of viewpoints, and these perspectives, and that's what makes a security team stronger. And, you know, having a diverse range of threats definitely requires a diverse team to work to defend against them and to be able to understand them and to combat them.

Robyn Dennis, NHS England:
Yeah, I would totally agree with that. I think you know we have to kind of bear in mind that the threat actors are gonna be diverse, too, right? They're gonna be coming from different backgrounds, different sort of levels of education, skills, funding. They'll have different motives, and that's going to continue as the landscape evolves. And if our teams aren't diverse, we won't have the right match of skills and perspectives and thinking and ideas that means we can defend.

Lucy Pike, HMRC:
And yeah, while you're still hiding, Mike, I’ll join in too. So, coming back to my risk world. I suppose you could say provocative question, provocative answer. As long as we've got the right controls. It doesn't matter who's implementing them. But we've got to innovate. We've got to keep changing, particularly in the cyber world more than any other security domain. That world changes so fast and so quickly that if you are constantly doing the same things that way madness lies because you'll keep getting the same answer. So we do need to have those fresh ideas. We need to have someone who's got a different perspective. We need to have someone who looks at a problem in a different way because the bad guys move much, much faster than we do. And if we don't innovate, if we don't think differently about how we try and protect what we do, then we are going to stagnate and we are going to have huge problems.

Mike Fell, NHS England:
I'm very pleased that that was the answer for it, and I, and I think you know, part of the reason asking it is, is because I'm just, I'm intrigued that I still sometimes maybe not explicitly, but I do come across, as I'm sure all of us do sometimes, that just acceptance that it's OK, you know, next week I've been asked to speak on a panel that is an all-male panel and I just don't understand it personally because you're not going to get people wanting to listen to it. Hopefully an interesting thing and I think we've, you know, everybody's just said you get more interesting, effective kind of conversations, I think as well you know certainly well for all the organisations that we support, we support all of pretty much all of the population.

You know the NHS has 80 thousand suppliers, it has 2,000,000 staff. It has, you know millions and millions of people to support, and one can only hope that we don't make the mistakes in more innovative security that has happened certainly in the health sector. When you look at the kind of historic way that research problems have been approached. It has been reflecting the people that have been doing it. So yeah, I think we can all hopefully agree on that one and forgive me asking the question, but I think it is one that you know again it sometimes needs bringing to the floor again.

Conscious that as the white male in the room, kind of chairing this, that some might argue that I'm part of the problem of that asymmetric demographic curve in the profession as we might want to call it. This is your opportunity to give me the kind of one piece of advice that you think will make discussions and podcasts like this unnecessary in years to come. So yeah, what's that kind of one thing that you think we should do?

Robyn Dennis, NHS England:
For me it's about considering the diversity of the people around you, in all the areas, not just at recruitment, not within your sort of immediate team, aim to ensure that all discussions, decisions, collaboration, any activity includes that diverse range of people and through doing that, notice the positives of doing so that will then help to advocate to others that they do the same too and just kind of reinforce the changing culture through that recognising and kind of promoting the benefits that come through increased diversity. Thank you.

Lucy Pike, HMRC:
There’s something for me here about role modelling, true collaboration as well around, I mean these conversations will continue I think for a long time to come. I think this is a cultural shift we need to make to get more people interested in a cyber career and understand what cyber careers are there. But I think role modelling through collaboration, so not being a leader and I can be guilty of this sometimes too. So I do have to check myself where you go, I don't have all the answers. I'm going to collaborate and actually I'm going to show vulnerability in saying, yeah, what I thought wasn't right and yes, someone else has the best answer and someone else has helped shape that thinking. I think being open about the fact that you are using the views of others, so really demonstrating that diversity isn't just, coming back to the comment you made, we are asking people to dance. We're not just saying come into the room, I'm going to dance in front of you all and then you're going to nod like chickens and move on. I think we've got to absolutely show and give recognition for the fact that all those views have been taken on board and actually they've shaped where we've gone in the future. So I think, yeah, there is something for us as leaders just to sit and go, how do we role model that diversity? How do we role model using the teams around us to shape what we're doing rather than it's my idea and I'm just going to pretend that I'm talking to you all because I need to tick a box, so I'm sure we don't do that. But sometimes I have to check myself and just go, have I consulted, have I actually had that open discussion with other people? Who might have a different view and might have a different way of doing this because I don't have all the answers.

Mike Fell, NHS England:
Yeah. Thanks, Lucy. I think that kind of fits into the category that I sometimes use of surrounding yourself by people that are awesome at the things you're not, which I think is just great leadership and kind of advice around any of these challenges, isn't it?

Lucy Pike, HMRC:
Yeah, absolutely.

Orlagh Zielinski, NHS England:
I agree. What you guys have both said, I think it's also worth noting you know it's a big task. I think the numbers reflect this enough, like you said at the start, it's 17% of women make up the workforce in cybersecurity, 17% is so low. So it's definitely going to be a slower process, but it's something that has to remain consistent. I think it's something that we just have to kind of steadily work on in order to see the progress in the end.

Mike Fell, NHS England:
Great. Thank you and there is hope for me in this, and I say this as the son of a woman in medicine who, when she went into medicine in the 1960s, about 5% of people going to do medical degrees were women and I grew up in an environment where she championed to a point now where because of, you know, many people kind of championing and acting as allies, we're now in a world where more than 60% of people doing medical degrees are, are women. That said, that top level statistic isn't the full answer, because I think you've all kind of touched on that bit about the unconscious biases that can still be endemic even if the headline figure resolves. So what you know, personally for me, I don't want to get to a world where we can say we've got you know a lot less asymmetry in this if I know that all the technical roles are done by men and the system engagement ones and others are done by women because that's equally problematic I think for the reasons that we've spoken to that for it. So yeah as I say, I really do see there being hope. Not least because of the current section that we're talking to and the changes. But I think it was a reflection there of the ongoing need for it and the long term thing and you know I think hopefully by the insight that you brought, Orlagh, the future is absolutely a positive one with it and I just really appreciate all of those insights and the good work that is done to absolutely champion exactly why this is a better way of kind of delivering risk based secure outcomes for the population that I think we're all ultimately trying to achieve, whether it be by the hard work bringing in the money that pays for the public services or the hard work protecting those vital services. So I'm going to wrap up on that. So a huge thank you from me. I really hope we've done justice to a topic that is really close to my heart. A huge thank you for the insight and time from Lucy, from Robyn and Orlagh.

And all for listening to The Cyber Sessions podcast. I really hope that you enjoyed today's sessions. We've got an exciting series of these lined up as well. So look out for the next one. Thank you.


Last edited: 7 November 2024 2:27 pm