Jane Frankland – Managing Director at Cyber Security Capital
Jane Frankland is an award-winning entrepreneur, speaker, author, and business consultant. She is also an SC Awards Judge for Europe and the USA, and has been identified as one of the top 50 influencers in cybersecurity in the UK. Jane has 19 years of experience in the industry, has built and sold her own global penetration testing firm, Corsaire, and has advised boards and held senior executive positions at several large PLCs, including the NCC Group. Through Cyber Security Capital and her community IN Crowdd, she now helps cybersecurity professionals, CISOs, and entrepreneurs meet their performance objectives. As an ambassador for cybersecurity, she is passionate about strengthening cyber space by empowering and mobilizing a diverse and optimized cybersecurity workforce. Her book, In Security: Why a Failure to Attract and Retain Women in Cyber Security Is Making Us All Less Safe, is due for release in 2017.
[OnlineEducation.com] Jane, I think it’s fair to say that you have a rather eclectic and perhaps even unusual background for a cybersecurity professional, and I think that may be instructive/inspiring for others who may be considering a career in the field if you gave a clear description of Cyber Security Capital, info on Corsaire, and details about your involvement with organizations like the NCC Group, ClubCISO, and any other relevant professional groups and companies.
[Ms. Frankland] It’s interesting you say that I have a rather eclectic background but here’s the interesting thing: I know lots of people in the industry, in senior positions, that have a background as eclectic as mine. For example, I know people who were bricklayers, nurses, florists, hairdressers, actors, artists/painters, from musical theatre, sociologists, philosophers, lawyers, HR professionals etc…
Cyber Security Capital is a consultancy and has a mission to strengthen cyber space by empowering and mobilizing a diverse and optimized workforce. I founded it when I witnessed a changing workplace, a dire need for improved connection, and access to resources, particularly for women leaders and entrepreneurs. As a solution provider, it offers a variety of services from consulting and training to networking, mentoring and sponsorship. Through IN Crowdd, we’re bringing a community together and creating an environment that dictates remarkable performance.
My former consultancy was Corsaire, a market leader in information security consultancy and vulnerability research. Privately founded in 1997, it was one of the oldest penetration testing firms and provided a range of consulting and penetration testing services to help organizations measure their security posture and build a thorough compliant security program to support their business strategy. It operated on an international basis and had a presence in the UK, Europe, Africa, and the Asia-Pacific rim. Our clients included some of the world’s most famous, blue chip multinationals, many of whom were listed on the global stock indices, although we also had a selection of UK government agencies and mid-range organizations. Most were drawn from finance, telecommunications, insurance, legal, IT, and retail sectors. They were all mature buyers, operated at the highest end of security, and understood the differences between the ranges of suppliers in the market place. It was incredibly pioneering for its time considering how it operated, as we only employed Principal Level consultants, were one of the first companies to perform vulnerability research, and allow consultants to work remotely.
At NCC Group, I was an Associate Director of Operations, in charge of the SE division in the UK, Australia and US. I was responsible for one of the largest penetration testing teams in the world. My remit was operational, although I also had responsibilities within Marketing and Group. For example, I was instrumental in revising the corporate website, and merging the Group’s latest assurance acquisitions. I was also the SAP Group Business Process Owner, a £6.5M project, and responsible for an ISO9001 project.
I was invited to join ClubCISO as a Board Advisor and helped it grow its membership to 170. It was a voluntary organization that was led by CISOs for CISOs. We were working on one project only – metrics, which had an objective to provide a standardized means of reporting within our field and to the Board.
Over the years I’ve had strong links with the ISF, (ISC)2, ISSA, ISACA, BCS, OWASP, CESG, CREST and Cyber Essentials.
[OnlineEducation.com] But, you came out of school with a non-technical degree, and moved into a fairly technical field. How did you accomplish that? Did you take programing classes? Did you do certification training? Or, was this something that you were essentially able to learn on the job?
[Ms. Frankland] I created my own company and worked with my business partner, who was technical. He was also my boyfriend, so I lived and breathed the stuff. I surrounded myself with other smart, capable people (my employees), asked lots of questions, read, studied via blogs and white papers, and learned on the job. I didn’t certify in anything. There weren’t really any for those in penetration testing at that time. Nowadays there are a few, and depending on your objective they can be worth investing in.
[OnlineEducation.com] What drew you to cybersecurity and penetration testing when you were launching Corsaire?
[Ms. Frankland] James Bond drew me to cybersecurity, or as it was called then information security. I knew nothing about technology but had been drawn to it from an early age, playing computer games in the late 1970s. When it came to building a technology company there were only two things that really interested me – AI or information security. In 1997, when Corsaire began, AI was too new, whereas information security was feasible. I thought it sounded really cool. As I was starting my own company I was able to build the direction.
[OnlineEducation.com] When you began your career in IT security, was it your impression that it was an unusual career choice for women?
[Ms. Frankland] No. Gender didn’t factor into anything. I’d never been held back by anything, and quite frankly I never even noticed that there was a lack of women in the industry. My business partner and I set out from the offset to build a multi-million dollar company, which we could sell and exit. We had a 3- to 5-year plan, and wanted to get on and do the things we really loved. For me that was my art and design. For him it was his music. We worked mostly with European companies, although we had global tech and financial clients, which required us to work all over the world. We did see cultural differences.
[OnlineEducation.com] Clearly, at some point, it became apparent to you that women were underrepresented in cybersecurity fields. I know you’ve been working on that subject, and I’m wondering what you’ve found through your own experiences and through your work on the book?
[Ms. Frankland] Yes, women are highly underrepresented. (ISC)2 reported on this recently, in March. In Europe we only have 7% of women in cybersecurity. I’ve written 82,000 words on this subject and have nearly 200 reference points, so I’ll try my best to answer this question. The book is called IN Security: Why a Failure to Attract and Retain Women in Cyber Security Is Making Us All Less Safe.
It all began with a blog. I’d just read the (ISC)2 report on the state of women in the workforce. I was shocked at the low numbers of women, as I knew a lot of women in the industry. But what concerned me more was the fact that women were declining year to year. In fact, from 2008 they’d dropped from 19% to 10%. Now, I knew what it felt like to be a minority in cybersecurity so I got onto LinkedIn and started writing about my experience. Having served in the industry for 17 years (at that point) and having done something pretty unusual – building a 7-figure penetration testing business in my twenties – I wanted to put my view across. I was terrified of doing so, yet I found the courage somewhere deep inside of me to push that blog out.
I talked about how performance increased. Most people know that profits rise when women are in business and McKinsey & Co have reported that GGDP would rise by 26% or USD $28T if we were to achieve gender equality by 2025. When women are in business, productivity increases, budgets are maintained, and innovation improves. When women are politically and economically empowered, countries are more stable.
Those things excited me but there’s something that women bring to cybersecurity beyond these things. Women are different to men. We see things in different ways and that includes risk. Many believe that it’s because of the way that we’re wired – programed to give birth to children. Anyway, this excited me, as it meant that we had an opportunity to outperform our adversaries by thinking differently and working together.
Increasingly, cybersecurity is recruiting from the same pool – computer science, technology, and the armed forces or intelligence. While these professionals are needed and hugely valuable, having one type of profile in cybersecurity holds us back. It makes us miss things and be blindsided. If we’re all thinking the same thing, then you could argue that no one is really thinking. Winston Churchill knew this, and that’s why he implemented “Corkscrew Thinking” during the Second World War. He brought men and women together in Bletchley Park, and ensured they came from diverse backgrounds. He had authors, like Ian Fleming who wrote the James Bond books, Alan Turing, who was most likely autistic, and thousands of women who were mathematicians, linguists, chess champions, and good at crosswords. Some may have been fresh out of school, college, or university. Many believe it was this approach that led to the Allies winning the war, or at least shortening it by several years.
The book deals with issues around the attraction, identification (hiring), and retention of women in cybersecurity. There are standard issues across the world but there are also issues that are not standardized due to culture, both in terms of the company, and the country of work. For example, there’s much talk about getting more girls into IT or cybersecurity. However, this isn’t an issue for girls in India. They do an amazing job of that. Their issue is retention, as many highly skilled women leave the workforce prematurely when they get married or have children.
When it comes to identification, or hiring, many companies do a poor job. There are many issues with HR, and recruiters who tend to lack knowledge of what we do in cybersecurity, and look for keywords and certifications. Hiring managers usually lack interviewing skills. Some don’t have adequate hiring processes, which results in them hiring staff like themselves. They usually defend their actions by talking about “fitting into company culture,” yet this is often just code for hiring in their mirror image. Writing job descriptions each time someone leaves, thinking about the responsibilities of the role that’s needed, checking for gender-coded language can help when advertising for positions. Then, having well thought out, defined processes at the interview stage, along with technology that can strip out all references to a candidate’s gender, age, ethnicity, religion, etc… can further help.
Some companies do an incredible job of recruiting women into their workforces – equal numbers to men – but they have problems retaining them. The issues they have largely boil down to company culture. Flexible work settings, and managing gender discrimination policies, unconscious bias training, and understanding the subtle differences between men and women can help.
[OnlineEducation.com] It’s clear that gender wasn’t an issue for you when you launched your first cybersecurity venture. That’s in keeping with many of the successful women I’ve spoken to in the field. And yet, most, like you, readily admit that there are definite barriers that have led to women being underrepresented in the field. With that in mind, when did you begin to recognize that there were fewer women and, based on the data points you reference, do you feel that this is a fairly new development, or just something that has only recently surfaced as a major concern?
[Ms. Frankland] I noticed the shortfall around 2002. One of my colleagues actually suggested I set up a women’s group and my reply was “there’s too few women, so it wouldn’t be worth it.” At that point I’d probably come across less than a handful. I gave it no more thought until I picked up the (ISC)2 report in November 2015. By that time I knew there to be many more in the field.
I do think this is a new development. Back when I started in 1997 no one really cared if you were a woman. No one cared if you were a man. All anyone cared about was getting the job done.
[OnlineEducation.com] You were attracted to the James Bond aspect of cybersecurity, which I can relate to. Is it possible that the 9% drop in women working in cybersecurity since 2008, and the difficulties you mention in terms of retaining women in cybersecurity jobs, might have something to do with the fact that in most cases the job is often less like being in a Bond novel and more like being in The IT Crowd?
[Ms. Frankland] Great question. I don’t. It’s such a diverse profession. It caters to multiple types. It really depends on whom you’re working for.
[OnlineEducation.com] Is there any specific advice you would offer to women who might be considering or preparing for a career in cybersecurity?
[Ms. Frankland] Women need to be qualified and accredited just to silence those who might perceive them to be defying their gender stereotypes, and working in a domain that’s not been built for women.
Networking can really help. It’s not a case of just being qualified or passionate about and interested in cybersecurity. You have to get a foot in the door. You have to look the part, be recognized for visible work (not invisible work, which typically women do), and communicate your value every step of the way. This is one of the reasons why I created a personal branding program just for women in cybersecurity – for those looking to get in, and for those navigating their way through it. This even applies to women at the top of their game. It’s also why I launched IN Crowdd, which offers networking, training, sponsoring and mentoring.
I don’t really think you have to be a certain type of person to work in cybersecurity, but being tenacious, thick-skinned, and able to adapt to change helps. You have to learn how to play a political game if you want to rise within a corporation. You have to accept that often you’ll need to be more mobile and hop from one job to another in order to receive promotions and pay increases. Sometimes, you’ll end up going back to the company you left but having climbed a few ladders.
The other thing I’d advise is to know whether you want to work for an end-user (for an organization), or for a researcher in government, or for a vendor/consultancy. All are very different. The better you can define your career aspirations the easier it becomes. And, try, if possible to define your area of specialism, but with the flexibility of knowing that you’re going to have to morph and transition as technology advances.
[OnlineEducation.com] Are there particular areas or specializations within cybersecurity, like information policy or governance, that appear to be more accommodating to women, or in which you see women making greater headway?
[Ms. Frankland] This is an interesting question. I don’t think there are any areas that are more accommodating to women than others, although many women do work more in GRC (governance, risk, and compliance). I believe the reason why is because it’s more relatable, business focused, and the barriers to entry may be lower.
The other thing I’d say relates to consultancy. Often, in some places of the world, HR deselects women from these positions. The presumption is that women, irrespective of whether they have families, won’t want to travel. I’ve heard multiple stories relating to this over the course of the year.
Additionally, it really does depend on where you live in the world. For example, I was speaking to some professionals in Dubai and I heard how cybersecurity consultancy offers more flexibility than many other jobs there. Many women, with families, are attracted to these positions as it means they can start their day early, at 7.30 a.m., and finish in time for when their children return from school, around 3.30 p.m. Also, if they complete a deliverable early, they can return home.
[OnlineEducation.com] You’ve written about what it was like to be a single mom raising three children while building an information security consultancy from the ground up. I’m curious how you balanced those two facets of your life while working in a business that can require round-the-clock attention. Is work/life balance an important consideration for women who are considering a career in cybersecurity, and what advice would you offer in that regard?
[Ms. Frankland] Firstly, the work-life balance thing is a myth. No man or woman can achieve this. It’s like believing in fairies or unicorns. We’re living, breathing, and human. Sometimes our priorities shift. Sometimes the children will demand more of you than work, and vice versa. Obviously both are important but I’ve found it easier parenting my children and building a business than working for someone else, as an employee. No one can have it all, and sacrifices always have to be made. It’s an individual’s prerogative which ones they make, and it will vary.
Secondly, no job can make you work 24-hours. It’s illegal, not to mention unproductive. Cybersecurity does demand round the clock attention, but that’s why you have teams working within it.
[OnlineEducation.com] Is there anything else you’d like to add that you feel would be helpful to women who are considering a career in cybersecurity?
[Ms. Frankland] Yes. Don’t give up. If you’ve got your heart set on working in cybersecurity seek out those who can help you. Keep asking for help. Be tenacious. During the course of your career you’ll have men and women who’ll stand in your way, so learn to play the game. Don’t give energy to those who oppose you. Instead, surround yourself with people who can lift you up and be strategic, tactical, and a giver.
Also, remember to keep educating yourself – on your hard skills (tech), and on your soft skills. Often women can be very bad at self-investment, but there’s an old saying isn’t there – the more you learn, the more you earn.