Category Archives: Women in STEM

Women in STEM

Role Models and Trail Blazers: WISDOM Q&A with Celine Pypaert

Every month, WISDOM highlights the achievements and perspective of inspirational colleagues in the field as part of a Q and A series. Our November role model and trail blazer is Celine Pypaert, an Associate Security Solution Engineer and VMinclusion UK Communications chair at VMware, and part-time mature student finishing her Bachelor’s in Computer Science with Honours at University of Derby.

Celine entered the field after teaching herself cybersecurity skills, leading to a pentesting internship for a few months at a small British cryptography software firm, after which she joined VMware. Previously not being a technical person at all, Celine is also a public speaker and tries to inspire others to go after their dreams in infosec and learn the skills to get to where they want to be! She believes that security should be accessible to all and will continue contributing to initiatives and talks to help “non-techies” become more secure.

1. What do you think is the most challenging aspect of information security?

The most challenging aspect in information security, to me, is the constant challenge of having to stay up to date and learn as much as I can – as low-level as needed, too. Thankfully, I am so interested in it that keeping up to date on the latest hacks, malware, and technology, is no chore for me. Nonetheless, balancing all the self-learning on top of my other work duties, and my university studies (as I am finishing my BSc in Computer Science part-time) can be quite a time-consuming challenge. An additional challenge, of course is having to stay or try to stay one step ahead of the attackers. But I do love a fast-paced job and environment, and if you are a curious person, then staying on top of things and continuous learning can often be a passion and hobby, and not just a job or a chore.

2. What has been the proudest moment of your career to date?

I have a tie between my proudest moments: helping secure a small software company’s web app; giving security training to non-security colleagues in my company; and getting to do my first public talk at Women Driven Development 2020 – highlights in my life and career!

I am happy to help others become more secure, whether that is a client/customer, regular users or friends, companies, or my friends and family – as I believe security should be more accessible to all.

3. What are the most enjoyable parts of your work?

The most enjoyable moments so far have been testing and analysing Linux malware and non-malware attacks (yes, that exists! For Mac, too) and being given permission to “hack” a company or app. It is fun and enthralling trying to find ways in, find vulnerabilities and help secure those holes. I also enjoy talking to customers, learning what their challenges are and how we can help them. The nice thing about being a Solution/Systems Engineer is that it’s often a mixed role of technological focus and customer interaction. I am not just using command-line all day every workday (although I sure enjoy that, too).

4. What are the most challenging parts of your work?

The most challenging parts of working as a Solution Engineer in cybersecurity, is to balance between the technical priorities and the business requirements/ needs. It is trying to find what the business needs and how we can help them. It is also realising that sometimes, budgets can get in the way of what is technically and architecturally more secure. Echoing my answer in question one, another challenge having to continuously learn and keep up with all the latest in infosec and learn the latest tech. In my role, I will forever be learning even as I become an expert, but that is fine by me, as I am a firm believer in lifelong learning!

5. What lessons have you learnt as your progress through your career?

I’ve learned that being honest and saying “I don’t know” is better than trying to ‘BS’ my way around; for example when a customer (or colleague) asks me if I know something technically, but sometimes I don’t. This can sometimes can be hard to admit, especially as I still face impostor syndrome and fear fulfilling the stereotype that “women aren’t as good as men in engineering/cyber/tech.”. But now, I’ve learned that it doesn’t matter: no one comes out of the womb knowing everything, and it’s honest of me to tell the truth and say I will find out and get back to them, rather than try to get away with lying! Authenticity, integrity, and honesty are really important.

I have also learned that even in technical roles, improving communications and people skills, part of “soft skills”, is equally as valuable as technical skills. What use would it be for me to become the best technically if I cannot work in a team, or speak kindly to a customer or work well with?

I have also, technically, learnt a lot about systems administration, hacking attacks/techniques, command line, and networking as well as programming skills too. All things that really help in infosec – getting those strong IT, sysadmin, web development, and networking foundations which enable you to go further in infosec. I am still continuously learning and improving on these.

6. What are your reflections on diversity and inclusion within your field

Women in infosec are still largely underrepresented: I think the latest numbers I saw were around 11%, which is (in some statistics) less than the average of women in game development, also a field notorious for being male-dominant. But I can attest to the fact that, increasingly, large companies especially are making concrete efforts to hire more from underrepresented groups (more than just gender). VMware, for example, are improving in this, as are others. And at the same time, it isn’t based on quota or just for the sake of it. I mean, practically speaking and thinking of the “bottom line”, why would a company hire someone just for their “group” if they don’t have the experience or skill set needed? Overall, you will still get hired based on perceived merit, skills and/or experience. But more companies are trying to reach out to underrepresented groups and making efforts to train managers and talent acquisition teams, how to reduce unconscious bias. I believe we are making improvements and will continue to do so. But overall, it isn’t so much a hiring issue as it is more of a systemic societal problem: it comes down to the fact that most of us women and girls are not encouraged to pursue STEM fields. I can recall for myself, as an example, how I was even discouraged from pursuing university and a career in favour of marrying young and raising a family! These are still issues that plague our society in 2020, and will take significant effort to improve. And it is more than gender. Discrimination is taught. Unlearning it and discouraging it starts in the families and schools – parents/guardians and teachers, as well as media and social media. But we are making some progress.

7. In your view, how can we increase effective diversity and inclusion in information security?

I believe we can increase D&I in infosec by reducing some of the “gatekeeping” that I have seen in job posts: not asking for a CISSP for entry-level jobs in the UK; increasing apprenticeships and paid internships leading to permanent roles; and making infosec friendlier to all. I recall that the thing that scared me the most in the beginning was my lack of technical knowledge and fear of being ridiculed, as well as fear of fulfilling a stereotype: at my first infosec conference, Steelcon in Sheffield, I didn’t even know what those hexadecimal numbers meant (now I know, and I use them in x86 Assembly, doing reverse engineering of malware at CTFs and systems programming at uni). We can increase diversity and inclusion effectiveness by making the field more welcoming to “newbies” – being open to those who are honestly curious and willing and seeing the potential in people, even if they lack the degree, experience, or certification. To quote one of my role models, Heath Adams (@thecybermentor): “I’d hire motivation and passion over education every single time“, “Give me someone who hustles, loves what they do, and is motivated – I’ll educate them myself”.

My degree has helped me a lot, in terms of gaining an internship then a sandwich-year placement, but the cybersecurity and pentesting was almost all stuff I taught myself outside of university, which eventually landed me that first internship. I went from non-techie person to security engineer in two years. Infosec is a field where people who are hard workers, motivated, and passionate can thrive, and so things like class/poverty, gender, ethnic minority, etc., should not be allowed to hold someone back. Grit and determination are more important. I say, give people a chance, just as I was given a chance before even finishing my degree.

So I think making some exceptions and looking past conventions can really help increase effective D&I. We also need to make the field more enticing to entrants, letting girls at school know that tech and infosec is for them!!!

8. What advice would you give to someone just starting their career?

I would tell you: don’t ever give up and know that this can be for you too. I know how scary it is to start out, especially if you stand out as ‘different’ in any way to the average or norm. Do not let fear of fulfilling stereotypes hold you back and try to ignore the naysayers. Try to find mentors and sponsors who will help you and push you up. Keep working at it and you can get to where you want to be. Do not give up. Keep going!

9. What advice would you give to recruiters for your field?

I would tell recruiters to consider not only the degree, but the self-taught technical skills the candidate or potential candidate has taken the initiative to develop. Lots of people in infosec are autodidacts, like in tech in general, and having the passion or willingness and determination to teach oneself says a lot about that person – willingness to learn, improve, and building discipline. I would say do not only look at the current technical skills or experience the person has, but also their soft skills and their attitude. Be willing to make a few exceptions and give people a chance – you never know, you could get someone incredibly skilled and well-matched for the role and team!

You can read more about Celine’s story and motivation in ‘The Rise of the Cyber Women: Volume One: Inspirational Accounts From Women who are Taking the Cyber Security Industry by Storm’ available on Amazon

Do you have someone you’d like to nominate for our next WISDOM Role Model and Trailblazer? Contact amy.ertan.2017@live.rhul.ac.uk. For any questions related to wider diversity and inclusion within the STEM fields (within and beyond Royal Holloway) please contact the WISDOM committee

Role Models and Trail Blazers: Fatimah Adelodun – October 2020

Every month, WISDOM highlights the achievements and perspective of inspiratinoal colleagues in the field as part of a Q and A series. Our very first nominated role model and trail blazer is Fatimah Adelodun, the Cyber Security Engineer at Nigerian Bulk Electricity Trading Plc.

Fatimah has a bachelor’s degree in computer science from the University of Ilorin, Nigeria and graduated from Edhec Business School where she earned an MBA degree. Fatimah started her career as an intern in IT in the year 2012 and over the years she has worked and evolved to become a well-rounded IT professional with immense passion for cyber security. She has worked on numerous projects and applications and has acquired various certifications including CISA, CISM, CEH, ITIL. Fatimah is also well-versed in cloud computing and data analytics. She is a regular speaker at the annual “Girls in ICT Day” where she sensitizes young girls about IT security and careers in IT.

What do you think is the most challenging aspect of information security? 
Fatimah: Information Security is a constantly evolving ecosystem. Earlier security incidents were often contained to individual user’s systems, resulting in little downtimes. However, the complexity of security attacks have increased over the years. With the increasingly interconnected environment, information is exposed to a growing variety of risks such as computer hacking, malwares, denial of services, etc. and the resulting effects range from causing billions of dollars of damage to businesses and completely shutting down others. Even with the proliferation of security solutions in the market, threats have continued to grow in severity making remediation even more challenging. This makes implementing and maintaining information security arduous for any organization.

What has been the proudest moment of your career to date? 
Fatimah: That would be the moment I was confirmed as a full-time staff at my place of work. Having started as an intern with an organization in infancy, I was entrusted with a role to build the IT department from the ground up. I literally had to have a 360-degree understanding of running an IT department and as a fresh graduate then with mostly theoretical knowledge, I had a lot of challenging moments. Summarily, I enrolled in courses, broke a few things, built some, but mostly, I grew as an IT professional. I learnt and became even more passionate about IT. Getting retained as full-time staff (not a common practice in my office) based on my outstanding performance after the completion of my internship made all the hurdles even more worth it.

What are the most enjoyable parts of your work? 
Fatimah: As a firm believer in the advantages offered by technology and information security, I enjoy deploying robust digital protection (firewall, anti-virus, wireless security, etc.) against a cyber diverse range of issues. Ensuring that users can use computer systems and applications as and when needed while reducing the risks from potential threats to the barest minimum enhances productivity at work. I also enjoy a good challenge and working in cyber security ensures to keep me on my toes as protecting critical infrastructure is anything but boring.  Besides protecting systems and data, I love learning new things and because information security is constantly evolving and new technologies emerging, jobs in the domain evolve too and so do the required skills.

What are the most challenging parts of your work? 
Fatimah: Everyday comes with its own challenges. Some unique, others not. While security incidents are almost unavoidable, being proactive and putting necessary measures can help in reducing the risks to an organization. A rather challenging aspect of my work is convincing the management to view information security as an intrinsic part of the business.

What lessons have you learnt as your progress through your career?
Fatimah: 
* Enact a multi-layered defense strategy that covers the entire enterprise (endpoints, data, applications, mobile devices).
* Continuously back-up data to safeguard against incidents and attacks such as ransomware.
* Patch software regularly.
* Problems don’t finish, live a little.

What are your reflections on diversity and inclusion within your field?
Fatimah: The STEM fields and particularly IT is male-dominated. There are moments of awkwardness when I walk into a meeting-room filled with men. Globally, women endure work environments where their contributions are not as valued as much as their male counterparts and so have more to prove. Some people are of the opinion that men are more built for technical roles than women and this type of reasoning discourages young girls and limits our opportunities in the workplace. It is refreshing to have discussions surrounding diversity and inclusion. Although many companies put their efforts towards both on their website, only few actually implement it.

In your view, how can we increase diversity and inclusion in information security? 
Fatimah: At the core of inclusion and diversity should be the deliberate creation of an enabling environment that supports all genders, religion and ethnicities. More importance should be placed on competence than gender, the color of our skin or religious beliefs.

What advice would you give to someone just starting their career? 
Fatimah: I would advise anyone starting their career to dare to dream. The tech industry is a huge one. Take your time in deciding your areas of interests/specialization. Also, invest in self-development; There are loads of useful resources that can help in guiding you to becoming more grounded. Finally, build a network of professionals in the industry. This is really important for future opportunities.

What advice would you give to recruiters for your field? 
Fatimah: I would advise recruiters to let candidates know their status in recruitment processes as soon as possible.

Do you know inspirational colleagues who could be our next WISDOM Trailblazer? If so, please get in touch with wisdom-owner@lists.rhul.ac.uk and/or amy.ertan.2017@rhul.ac.uk.

Author: Amy Ertan

Let’s Talk Inclusion

Gender equality is usually considered one of the major forms of ‘diversity and inclusion’. Universities have diversity and inclusion programmes, as do large corporations, governments, and pretty much any formal grouping of people that wishes to codify their approach to underrepresented groups within a particular environment. Diversity is often celebrated as a proxy for equality (for example, hiring an equal number of women to men, or having a STEM course represent an equal female-male split). This blog post argues that this approach is insufficient, and that without well-thought out and robust inclusion programmes, diversity by itself will achieve little. Placing colleagues from underrepresented groups into a non-welcoming, non-inclusive environment sets them up to fail and fails to achieve sustainable meaningful representation.

The failure of inclusion programmes currently is highlighted in a recent study of female scientists in academia. Examining gender inequality across countries and disciplines, a group of researchers found that drop-out rates significantly decrease women’s contributions to the field[1]. More specifically, female academics were found to be 19.5% more likely to leave academia every year compared to their male counterparts. This results in a major significant advantage for male researchers, as despite the number of women increasing over the last 60 years, and despite relative publishing volumes being comparable in number, ultimately females make less of an imprint in their respective fields, as males stay in the field, submitting more research as their careers continue to develop. The issue here is shown through this study to be largely a problem surrounding the retention of female academics. The authors summarise their research findings as follows:

Fig 1: From Huang et al, reference 1.

The challenges in retaining talent from underrepresented groups is not limited to academia. Non-profit organisation ISC2 surveyed over 9,000 information security colleagues, summarising their findings a 2018 report titled ‘Innovation Through Inclusion: The Multicultural Cybersecurity Workforce’[2]. They found significant barriers to entry and advancement in the workplace for underrepresented practitioners including disenfranchisement and discrimination. To quote the results through the following excerpt:

‘Across all races and ethnicities, women experience greater rates of discrimination in the workplace than men, reporting discrimination in much greater proportions than men when viewed as a total U.S. population. Women who identify as Black, Hispanic, Asian or of Native American descent, report the highest numbers of discrimination.’

Such discrimination, coupled with pay discrepancies also noted in the report, create an uncomfortable environment in which to work. LeClair, Shih and Abraham (2014) suggest ‘climate dissatisfaction, pay inequity, pressure from family issues, gender discrimination, lack of social change, lack of support from employers for advancement’ as contributing reasons that encourage women to leave[3]. While hiring practices might reflect diversity strategy targets, looking at retention over time can give a much stronger indicator of how an environment treats underrepresented groups. In the case of information security, ISACA reports a ‘dismal’ retention rate with 44% of women leaving the field mid-career[4].

Fig2. Discriminating reporting by gender, see reference 2. ‘For the purposes of this study, discrimination can take the form of unfair treatment based on gender, age, ethnicity or an employee’s cultural group. The results of the survey reveal that discrimination is most prevalent along two intersecting axes, ethnicity and gender.’

Online discussions around the topic of diversity and inclusion have voiced concerns about how diversity is often seen as a ‘tokenism’ target, attracting and taking on women as an achievable and public-relations-friendly achievement, with less effort into actually ensuring the workplace culture and power dynamics are structured in a way that does not disadvantage women. Diversity is an essential objective, of course, and it is known that due to systemic issues in sexism and other forms of discrimination, initiatives including CodeFirst: Girls and  #WomenInStem, and Ada Lovelace Day can all do incredibly valuable work in engaging talent. That does not mean diversity is sufficient. Retention strategy should be a major consideration by academia and industry.  Equal opportunities should not mean getting a diverse number of candidates to a STEM degree, or graduate programme. It should be about making sure that all those who have the talent, ability and enthusiasm for a field should feel welcome there. It should be about making sure that discrimination of any form, in any environment should be managed swiftly, with a genuine culture that encourages talent to stay. Women should not be promoted into positions where they will fail, or made to feel like an outsider. Initiatives such as mentorship programmes[5], shared parental leave, and a consistent focus on an inclusive culture[6] (reiterated by senior colleagues) are just a few of the ways in which inclusion can be designed into a workplace.

This same argument – and proposal – may be made when speaking about any minority group, whether that is gender, ethnicity, class, sexual orientation, access needs – the list goes on. By showing that an environment is more than the physical presence of diversity, we can highlight the value of inclusion and draw attention to the sustainability of diversity as a women’s (or any minority’s) career progresses. Our research, work environments, and wellbeing will all be richer as a result.

[1] Huang, J., Gates, A.J., Sinatra, R. and Barabási, A.L., 2020. Historical comparison of gender inequality in scientific careers across countries and disciplines. Proceedings of the National Academy of Sciences. Available at: https://www.pnas.org/content/early/2020/02/14/1914221117

[2] ISC2 White Paper, (2018). Innovation Through Inclusion: The Multicultural Cybersecurity Workforce. [online] Available at: https://www.isc2.org/-/media/Files/Research/Innovation-Through-Inclusion-Report.ashx

[3] Peacock, D. and Irons, A., 2017. Gender inequality in cybersecurity: Exploring the gender gap in opportunities and progression. International Journal of Gender, Science and Technology, 9(1), pp.25-44.

[4] Reducing the Gender Disparity in Cyber Security. Available at: https://www.isaca.org/resources/news-and-trends/isaca-now-blog/2016/reducing-the-gender-disparity-in-cyber-security

[5] CSO Online: Women in security: Cultures, incentives that promote retention. Available at: https://www.csoonline.com/article/2992461/women-in-security-cultures-incentives-that-promote-retention.html

[6] DarkReading: Best Practices for Recruiting & Retaining Women in Security. Available at: https://www.darkreading.com/careers-and-people/best-practices-for-recruiting-and-retaining-women-in-security/d/d-id/1331114

Amy Ertan, PhD student

Some tips on the recruitment and selection process

Moss-Racusin et al (2012) carried out an experiment in 2012 designed to tease out biases held by academic staff in science faculties. Findings clearly demonstrated that predispositions and preconceptions exist, and that they constitute the precursor to gender disparity in science subjects.

Continue reading

Driving Innovation Through Diversity

Could becoming an entrepreneur be a route for more women to enter the cyber security sector? The WISDOM group, together with HutZero, an early stage accelerator programme, considered this issue and other strategies to promote women in tech at our recent co-hosted event ‘Driving Innovation through Diversity’ at Winton Group, London.

Continue reading