The figures speak for themselves: according to a study, the proportion of women in the industry is 11% and the shortage of skilled workers is dramatic. Now you have started a new award with Global Digital Women (GDW) – “Women in Cybersecurity.”
It really is these two topics/challenges that concern us. On the one hand, there is a shortage of skilled workers. According to a study, 3.5 million employees will be lacking in cybersecurity globally by 2021. We also have a lot of vacancies and are looking around worldwide – and of course, we are not alone. The demand for experts in this field is growing, and more and more companies are setting up their own cybersecurity units. Whether this always makes so much sense remains to be seen. At the same time, the issue of diversity is also extremely important to us. A proportion of women of 11% is indeed unbelievably low. At NTT Security we are around 24%. Significantly higher than the average, but still too low. We have therefore launched various initiatives, including the “Women in Cybersecurity” award, to make these women visible and reward them for their outstanding work. We hope to be able to win others over.
Okay, elevator pitch: what arguments do you use to get women excited about cybersecurity?
Cybersecurity is one of the most exciting industries ever. And all those who work in this field, especially in consulting in the security operations centres, are passionate about it. No matter whether men or women. And despite rumours to the contrary, it is not a playing field for nerds. Empathetic, emotional people are in demand. Women can bring their skills very well. Understanding and responding is very important for working well with customers. Cybersecurity is a people business. You have to have a certain feeling for people, to enjoy working with them. Our colleagues like that. I wish we had a lot more women on our team.
There is a study by the recruitment agency Hogan that has identified the ideal personality traits for professionals in cybersecurity: humility, selflessness, serenity, scientific ability, curiosity, scepticism, receptivity, curiosity. That sounds like Angela Merkel. Joking aside, it certainly sounds like women would be a real gain for this industry.
Yes, that’s true. Because our focus is not on being the star, it’s about the job at hand. For us, the customer is always the centre of attention and our task is to protect them in the best possible way. And that’s why diversity is so important to us. We simply notice that we are more successful when there are more women in the team. This pays off especially in crisis situations when an attack occurs despite all protective measures. It’s all about professionally assisting the customer and supporting them with incident response plans. Our mixed teams are optimally positioned for this.
What fascinates you about cybersecurity?
I’ve been working in security for twelve years. IT and the digital industry are exciting in themselves. In the cyber sector, the whole thing has a completely different dynamic, and it’s also dramatic. Ultimately, it’s all about the security of people, about fates and the well-being of entire nations. The spectrum ranges from cybercriminals who want to blackmail a few bitcoins to countries that are fighting each other. Our mission is to make the world a little safer. And everyone who works in this industry feels this responsibility. That’s something special.
So it’s not just about the economic component, cybersecurity also has a social and political dimension, for example when countries are attacked or elections manipulated.
Absolutely. And the technology continues to evolve. There is an arms race between cybercriminals on the one hand and the good on the other. As a company, our mission is to protect our customers. But this is also how we protect individuals. If, for example, we prevent a bank or an energy operator from being hacked, the citizen benefits indirectly as well. Seen in this light, we have an important social responsibility. We are therefore also very closely networked with other companies, associations, and organizations. We recently concluded a Memorandum of Understanding with Europol. As a result, we are combining our efforts to make cyberspace safer for individuals, companies, and countries and to prevent cybercrime. What we do, in this sense, goes far beyond pure B-to-B business or the protection of a company.
Are there any cases of defectors from hackers to the good guys? Or is that too Hollywood-like thinking?
There are few positive examples of someone reforming and switching to the good side (laughs). But the subject of hackers or hacking is not evil in itself. That started in the 80s, with the kids who taught themselves how to program and the Chaos Computer Club. They were then criminalized, but they’re not really bad people. It’s great to be able to convert such talented people to good. To tell them, “You’re great, you’re super skilled, but stop the mischief and come to us.” It happens. We also have so-called ethical hackers with us who are people who can hack anything but work with an official mandate. And they permanently do so-called penetration tests, which means that they hack companies on behalf of others and there are very few insiders. And the insight you gain is incredibly valuable. There are even companies that praise hacking competitions, like Tesla, for example. They say, “People, come hack us!”
One of your most important areas is finance. According to the motto, “Follow the Money,” this industry is particularly affected by hacking. What else do you cover?
Finance is indeed very important, including insurance. In addition, there is the whole area of production with IT and IoT and the area of critical infrastructures such as energy suppliers and water suppliers. Nowadays everything is networked – cars, aeroplanes, ships, and trucks. And the more networked, the more susceptible to manipulation.
On the one hand, digitalization has opened up the field to cybercriminals. At the same time, however, technology is also becoming increasingly sophisticated; for example, facial recognition. In other words, can digitalization solve the problems it has created?
Yes, of course. Digitalization can simplify our lives, it can also make us safer. But the important thing is, and we keep preaching this to our customers, that security should be built in right from the start. Digitalization/digital transformation is one of the buzzwords of recent years. And many companies, including organizations, government agencies and entire cities, have handled it very carelessly. According to the motto, “We are now doing everything digitally, but it is not secure at all.” In some cases, there are already serious gaps, and that’s where we help. Our motto is, “Security by design.” That is, to think about security from the outset.
What about the risk awareness of companies? Is there still a need to catch up?
Yes, definitely. Cybersecurity means, first of all, an investment. You need experts. At the same time, there is a huge shortage of skilled workers. Many companies are overwhelmed, they do nothing or not enough and then an attack happens. There are authorities who prefer to pay ransoms when they are blackmailed rather than invest a million in security. That is certainly the wrong way to go.
Is this short-term thinking or does it also have to do with shame to admit that you have been hacked?
Both. By the way, there are big differences between Germany and the USA. In Germany, people are still very cautious when it comes to security. In the USA, people are much more open about who you work with and whether you’ve already been hacked – to protect and warn others. We in Germany have not yet reached that stage. We are trying to break this up a bit with our Cybersecurity Leader Award. Together with IDG Business Media GmbH, we wanted to encourage companies to submit their security projects and to receive public awards. For us, it is a great step forward that people say we have projects and we are proud of them. Something is moving.
Now the system can be as good as it is, but the human risk factor remains. In a guest article, your colleague Orlando Bryant writes that employees are the biggest single cyber threat to organizations. How do you motivate and sensitize people to take the issue seriously?
This is a very important component: the employee is the problem and at the same time the solution. Employees need to be sensitized, again and again. What helps is the fact that the whole thing also has a personal dimension and can affect us at home on our own computers. It goes without saying that you have to take a close look at the sender of an e-mail before clicking on a link or opening an attachment. Nevertheless, there is still a lot of catching up to do. There is still too much carelessness. People think, “Oh, I’ll open it, I’ll click on it now, nothing will happen.” Or it’s simply annoying to deal with it. That’s why security also has to be easy to operate – everything that is complicated is rejected.
Time is such a central factor. 50% of the clicks on a phishing mail happen within the first hour after receiving the mail, 30% even within the first ten minutes.
Yes, that’s true. As a company, you have to be prepared to invest in regular training. It has to be part of a company’s security strategy. It is not enough to do this once and then not for three years. Everything changes much too quickly for that, the methods become more and more sophisticated. And the workforce is also changing. New employees are starting. That’s why there have to be regular updates and we have implemented this as standard. Several times a year we conduct so-called Security Awareness Trainings, which are very extensive. We then receive a certificate for it, and that applies to everyone. From marketing to security consultants, for whom this is probably rather annoying because they advise the customer on this every day.
Apply for the ‘Women In Cybersecurity’ Award
NTT Security together with GDW initiated the “Women in Cybersecurity” award. The awards honour outstanding female experts in the field of cybersecurity. In addition, women should feel encouraged to choose a career in the industry. There are two categories for the application: “Newcomer” for women who have only been working in the area of cybersecurity for twelve, and “Professional” for women who have been working in this industry for more than five years. The deadline for applications is 16 August 2019, for the DACH region and 13 September 2019, for Northern Europe including BENELUX, Great Britain, and Scandinavia. The finalists will be selected by an independent jury. The winners will be announced at the Cybersecurity Information Security World conference in Vienna on 17 September and in London on 15 October 2019.