Carving a path for women in security

How can we contribute to a better cybersecurity industry? Amie Dsouza and Audrey Jacquemart share their personal stories, and discuss how the sector can change for the better.


Both your backgrounds have similarities and you’ve ended up in similar industries, but you probably came through different pathways. What are some of the challenges you’ve experienced that need to be addressed?

Audrey: For me, it’s mainly been the accumulation of little things. But I’d say the most noticeable unconscious bias that I see is probably around women having children. It seems, in a way, that you can never win. You come back from maternity leave and sometimes your manager will ask, “How were your holidays?” But on the other hand, you feel like your colleagues are thinking, “Oh, you’re already back at work?” and you feel judged because you’ve put your kid in childcare. So it feels like you can never win.

When it comes to the pay gap, one of my friends realised that she was being paid about 30% less than her peers – and her peers were all men. There was no legitimate explanation about why her pay was so different.

Amie: I resonate with what Audrey is saying there. I have been lucky in that I’ve had good managers and worked at good organisations where they have been very mindful of how women are treated. The one thing I do recognise a weakness in myself is that I’m really bad at salary negotiations. I find it very awkward to talk about my salary, even though my career path has been quite linear – like engineering, management, business analysis. You can literally predict what I will do next and I can say that this should be my salary band, but even though I know what I should be getting I am hesitant to speak about it.

I know this is my weakness, so whenever I have to have that chat, I take help from my partner because he’s really good at it and he guides me with simple bullet points to help me negotiate my salary. I believe if there is a weakness or if you’re being discriminated against in any way, recognising it is one of the first steps to solving the problem.

In terms of bringing additional talent into a security business, should firms be looking to hire based on transferable skills – so they might not necessarily be cybersecurity skills, but there is talent there that could be applied and it may help solve some of the imbalances of certain skill sets?

Amie: Yes, absolutely. I do believe a lot is being done in attracting talent at the junior and entry-level jobs. A lot of students and graduates are now armed with cybersecurity degrees or cybersecurity education. So solving the problem at that level has become slightly easier.

The other part of the spectrum is the CISOs. In 2020, women accounted for 14% of Fortune 500 CISOs. In 2021, that number is 17% – a 3% jump in just one year. That means organisations are doing a lot at that level as well.

What I feel is missing is the middle management, where there are very few women in the cybersecurity space. If you look at my role, which is in middle management, I’m actually involved in recruitment, training and working directly with different teams. If there are more women in that space, we can be more mindful about how we recruit talent and look out for those transferable skills.

For example, there are skills such as governance, risk, compliance, business analysis, project management and DevOps. These skills come from various industries. They don’t have to be just from the cybersecurity industry. With training or even exposure to the cybersecurity team, they can catch up.

That’s true of even me. I did not have any cybersecurity experience. But then I caught up and within five years I’m able to have this discussion. So it’s absolutely possible. But the people who are recruiting for those jobs should be mindful and try to attract the right talent – even if they don’t have the traditional 10 out of 10 specific skills.

There are organisations and standards in place – things like B Corp – that help try and drive change within businesses, and also set expectations for the market that they can then develop strategies for. How much of an impact do you think they actually have?

Audrey: It depends on how it’s being used and why it’s being done. I think initiatives like B Corp are good, but we need to know what controls are in place to ensure a business is doing what they say they’re doing. It’s also not just about getting the certificate. You also need to identify the gaps when you go through a process like the certification, and decide what you’re going to do about it.

Businesses need to walk the talk. We do gap analysis every day in our jobs. Remediation plans for technology, product, support, every layer. We need to do the same when it comes to our social gaps and, most importantly, be transparent with our employees. Organisations shouldn’t be afraid to share those gaps – unless they don’t intend to do anything about them.

What steps or initiatives or policies do you think would help you – and women generally in similar positions within the cybersecurity sector?

Audrey: We can’t wait for the government to fix all the issues, so organisations need to take action to reduce those gaps. And one initiative is probably quotas.

I changed my mind recently about quotas while I was listening to Christine Lagarde, the former leader of the IMF. She was talking on International Women’s Day about her experience in a very male-dominated environment. And yes, as they are currently used, quotas are inefficient, because they don’t address the problem properly. Like Amie touched on, you can’t expect to have 50 per cent of women in leadership positions when there wasn’t women in 50 per cent of the roles from the start of their career. It just doesn’t make sense. So the strategy around quotas must be applied across all levels of the business, and it’s a process that may take 10, 15 years. We need to understand that it’s not something that you can fix in a two-year transformation plan.

So there’s a timeline to reaching an equitable position in terms of representation across our industry. But in the short term, we have to implement strategies to set that in motion. What can be done?

Amie: The long-term view is about setting us up for success by encouraging kids, especially girls at uni or even at an earlier age, and then giving them great exposure to different areas of technology and why it could be a good career choice for them.

My daughter is in Grade 3 and when I talk to her about what I do, she finds it very boring. So I try to make it interesting by saying that because I was so agnostic to industries, I was able to travel to four countries and work in seven cities. That’s the line I give her: that if you look at technology or cybersecurity, you can work from anywhere and be a global nomad. That’s the only thing that has stuck with her.

But she’s nine. I think as they grow older – when they’re 14, 15 – there’s a different kind of messaging that surrounds cybersecurity professionals. They are not just the hackers and the people in hoodies; those ideas will not attract girls at that age. It’s more about explaining that they would really be giving back to society by being a cybersecurity consultant or an expert in that area. They can help organisations, but they can also help individuals. They can help their grandparents. They can offer support to a lot of different kinds of people and protect them, protect their data, protect their bank accounts.

Amie, we met you through the Australian Women’s Security Network (AWSN). How did you get involved with the organisation and what impact has it had on you?

Amie: I came across AWSN when I was on maternity leave a few years ago, and looking for ways to keep in touch with the community and industry.

I believe AWSN – and other networking communities – are very beneficial no matter where you are in your career. For me, being mid-career, it’s about a couple of things. Networking – building that network – and paying it forward. So I’m involved in a lot of initiatives where I can mentor younger women, or women who are coming from different industries trying to get into cybersecurity.

How important is mentorship?

Amie: It’s really valuable for helping women find roles in cybersecurity. I’m working with three or four different women right now, getting to know them, understanding what their skill set is, and I’ll look out for them when any roles become available. I’ll be able to advocate for them through my network and that’s how mentorship helps people who are new.

It also helps me as a mentor to understand how I can be better and help other people. Ninety per cent of my managers have been male. They were really good, but I did miss having female role models throughout my career.

What do you wish you’d known when you first started out on your journey?

Amie: I’ve been lucky. I’ve had a great career. I got to travel the world, work with different organisations. I was really very bold when I was young. I used to just demand what I wanted and I would change projects every six to eight months.

My suggestion would be to my slightly younger self, not when I started. Once I had kids, I slowed down quite a bit because I thought I wouldn’t be able to manage. But these days, the flexibility that is offered at most organisations can actually help you, so even if you’ve had kids and lots of responsibilities, you can keep going on your career path – you don’t need to stop. Yes, you might take a few breaks, but you can also go full steam ahead.

That’s my message to anyone who is feeling the same as I did a few years ago. For example, during lockdown when both of the kids were at home, I used to take breaks in the morning and the evening to be with my kids, and then I’d come back if I had to complete any work. My team was absolutely fine with that. I never felt left out. I think people should continue making those bold decisions.

And while I have never done it in my career, if you think you are not on the right path then it’s okay to make a complete U-turn and find another path, especially if it will give you more success or satisfaction. For example, I’m mentoring someone who has been in the travel industry for 20 years and now she is looking at the cybersecurity space. She actually got a role after doing some studying and networking and talking to people, so that is very inspiring. If one person can do it, a lot more can.

Audrey: I’ve also been very lucky so far in my career. What I really like doing is learning about everything. And I need to be able to keep learning every day. That’s what I’ve been doing all along. Whether it’s about technical or business skills, or culture and moving from country to country.

I would probably say don’t insist on trying to do everything perfectly at all times. It’s not possible. Once you realise that, you can enjoy your journey even more.



Want more insight into the world of security, identity access management, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.