Why We Need More Women in Cybersecurity Capacity

https://unsplash.com/photos/bPVM4nOy0Rg?utm_source=unsplash&utm_medium=referral&utm_content=creditShareLink

On 20^th October 2021, I had the pleasure of attending the ITU’s Cyber Drill session as a speaker and as part of the audience. Our session was titled ‘Role Modelling,’ where Yomna Sheriff, a Software Developer at IBM, and I talked about the role of mentorship in bringing more women in the cybersecurity field. In this session, I also shared my experiences as an alumnus of the ITU Women in Cybersecurity (WiC) mentorship program. The program involved immersive mentorship activities that included talks from women in cybersecurity. Mentees were also paired up with other women in the field with similar cybersecurity roles. For example, as a communications and engagement officer at the Global Cyber Security Capacity Centre (GCSCC), I was paired up with Lessie Longstreet, Global Director and Partner Engagement at the Cyber Readiness Institute. So as a person whose background in public policy with experience in other topics of internet governance, I was able to take dive into cybersecurity engagement as a speciality.

Through this mentorship I have realised how my work at the GCSCC and at the Cybersecurity Capacity Centre for Southern Africa (C3SA) directly promotes inclusion and gender diversity in cybersecurity capacity building through regional capacity building programs and research. In this blog I will attempt to give some of the examples of how women can shape national cybersecurity capacity building.

The GCSCC works with C3SA as a regional constellation partner in South Africa to generate in-depth research and knowledge and build cybersecurity capacity in the region. We work with our flagship Cybersecurity Maturity Model for Nations (CMM) which is a tool that helps countries assess what works, what does not work and where they need to invest in order to develop their cybersecurity capacity. The CMM considers cybersecurity capacity to include 5 Dimensions, which together constitute a breadth of national capacity that a country requires in order to deliver an effective cybersecurity capacity. Dimension 1 is about developing national cybersecurity strategy. Dimension 2 is about cyber culture, the different societal elements at play in cybersecurity capacity. Dimension 3 checks the availability of awareness creation initiatives by different actors, an educational framework, and training offerings. Dimension 4 covers legal and regulatory frameworks to fight and discourage cybercrime; and Dimension 5 is concerned with the availability and access to protective technologies and standards.

National Cybersecurity Strategies

Cybersecurity strategies are essential in mainstreaming a cybersecurity agenda across different government agencies, the private sector, and the civil society as it coordinates and determines distinct roles and responsibilities of both government and non-governmental actors. Countries aim to have robust national cybersecurity strategies that can create safe cyber spaces for their citizens, provide a strong national defence and protect their critical infrastructure from any attacks. When developing national strategies, countries need to anticipate and understand possible attacks in order to prevent them in advance and prepare for them. This has become more complicated because today cybersecurity, like other global problems, has become so complex in nature. Criminals have multiple backgrounds, with different motivations, and from different cultural and geographic locations. Also, cybersecurity incidents have different effects on different types of population and hence they need different types of solutions and strategies for prevention. Diversity, and women involvement, in strategy development can help strategy development teams imagine a wide range of possible cybersecurity incidents and prepare for these attacks from different possible angles.

Another reason to involve more women in cybersecurity strategy is because cybercrimes and online harms tend to shape differently along the lines of gender. Women are most often the victims of online bullying and trolls. A recent survey by Plan International found that 58% of women using the internet have been trolled and a joint study by the World Wide Web Foundation and the Girl Guides and Scout found that 84% of women think that the problem is getting worse. These harms have driven women offline and, in the end, made them lose out on the economic and social benefits of online engagements. Because cybersecurity strategies present opportunities to develop new policies and allocate agencies responsible for their implementation, this is the best stage to mainstream online safety for vulnerable groups in government security agenda. Including women in the development task forces and bringing in their voices as part of the solution is therefore important. Public participation can be used to complement the diversity in such policy working groups as they also serve to include different country contexts, and policy awareness that is sometimes needed during implementation.

Trust in e-services

The second and third Dimensions of the CMM not only focus on the role of different actors, but also the ability of users to use digital technologies and protect themselves from harm. Today everyone depends on different technologies in their daily lives. Government services, private sector services and civil society initiatives have increasingly moved online, especially after the pandemic for efficiency and continuity. Services that were previously offered offline are now entirely online. However, increased digitization has also come with increased vulnerabilities. There were more cases and new forms of cybersecurity incidents during the pandemic. It then goes without saying that countries recovery from the pandemic is going to depend on the safety of their cyberspace and users' ability to access and trust in digital services and transactions.

A study by the GSMA that demonstrates patterns of patterns of gender gap in the use of mobile money services in Kenya, found out that 26% of women (compared to 20% men), are prevented from using mobile money services because they are worried that they might make mistakes. Gender disparities, especially in developing countries, also exist in the levels of digital literacy and cybersecurity awareness. In some cases, these gaps are widened by variations of access to digital technologies and levels of income. Solutions such as digital literacy and cybersecurity awareness drives and can have gendered perspectives at the ideation and planning stages to ensure their effectiveness.

Reporting Mechanisms

The ability to report cybercrime by users and the ability to deliver justice by government agencies are essential in discouraging cybercrimes and putting an end to the continued prevalence of online gender-based violence. It also promotes financial inclusion, as people are able trust financial services at macro levels. One driver for cybercrime is the little investments and high rewards for cybercriminals. One can carry out a cyber-attack at the comfort of their homes, sometimes with little technical expertise and easily available technologies in the market. Reporting mechanisms raise the risks of cybercrime industry. Authorities are also able to understand the nature of crimes so that they give better response to future attacks. Effective cybersecurity reporting mechanisms depend on several factors including; whether users are aware of them, whether they are easily accessible, their ease of use by different categories of the population. It is also important that these mechanisms allow for reporting of various kinds of harms targeted towards different types of users and the complexity of contexts around them.

Awareness Raising

When people are aware of possible cyber threats and are able to navigate through digital technologies, they are better placed to prevent cybersecurity incidents such as frauds, hacking and even the ones that are caused by users’ mistakes. Dimension 3 specifically looks at different initiatives by the government, private sector, and the government in conducting cybersecurity awareness initiatives in the countries. Further research by the GCSCC and C3SA have been conducted to look at the effectiveness of awareness initiatives in reducing cybersecurity risks and incidents. The studies found that these initiatives have been ineffective because of lack of or poor coordination between different actors. For example, some initiatives have failed to link their plans and objectives to their national strategies. Some have also failed to coordinate between different government agencies that are better linked with their respective target groups. The initiatives also lack involvement of communities at grassroot levels. Involving women at all these levels helps give more targeted messages that connect the agenda of cybersecurity to how women understand and use different technologies.

A study by the Oxford Internet Institute demonstrates how initiatives seeking to get more women into the computing field need to be carefully designed to deliver the right messages across boards. The key messages should help and inspire women to get involved in cybersecurity because they are part of the solution, and not because it is part of a trend or requirement. One of the successful approaches are mentorship programs, because they provide closer interactions between the mentees and the role models.

Authors: Liz Orembo, Carolin Weisser, Laban Bagui