Analysis
Attacks and Vulnerabilities
Critical infrastructure
Features
Industrial Cyber Attacks

As S4x23 takes off, need for greater representation of women in ICS cybersecurity remains in focus

February 12, 2023
As S4x23 takes off, need for greater representation of women in ICS cybersecurity remains in focus

It’s that time of the year when OT and ICS cybersecurity professionals are heading to the S4x23 event scheduled for Feb. 13 to 16 in Miami South Beach, Florida. The action-packed agenda will be spread across three stages centered around this year’s theme of ‘Explore.’ The three key activities at the event will be Worthy Cause, Women In ICS Security, and SBOM Challenge at S4x23.

Although women make up more than half of the global population, and a majority of those enrolled in college, only 12 percent of the cybersecurity community is made up of women, highlighting an urgent need to increase the representation of women in these fields. While it is often difficult for women to enter and thrive in the male-dominated and often intentionally and unintentionally discriminatory ICS security field. 

The S4 event works on changing this situation out of fairness, with an eye on benefiting women. Looking at it pragmatically, by sheer numbers, women may represent the best chance to deal with the shortage of ICS security professionals needed to create and secure the future.

While women are making impressive contributions to the ICS cybersecurity field, S4 hosted its initial ‘Women In ICS Security’ program at S4x22, where an S4 record of 164 women attended the event. This year’s event will host the ‘Women In ICS Security Career Building Panel and Social Event’ early Monday evening between 6:30 to 8:30. 

Industrial Cyber reached out to panelists on S4x23’s ‘Women In ICS Security Career Building Panel and Social Event.’ They address the challenges faced by women looking at ICS cybersecurity as a career, while also providing advice to overcome these challenges. 

Saltanat Mashirova, advanced cybersecurity architect_engineer at Honeywell OT Cybersecurity
Saltanat Mashirova, advanced cybersecurity architect/engineer at Honeywell OT Cybersecurity

“Currently for most women, IT is more appealing since in IT you can have a lot of options such as cloud security, remote working options, IT governance, etc. Getting into OT cybersecurity is not as easy, and growing even harder,” Saltanat Mashirova, advanced cybersecurity architect/engineer at Honeywell OT Cybersecurity, told Industrial Cyber. “You have to know everything that IT security requires plus other expertise such as safety, operational process knowledge, all different vendor-specific architectures, electrical and mechanical engineering basics, industry protocol knowledge, etc. Knowing all of these can be quite challenging if we take into account that OT has traditionally been mainly male-dominated.”

Mashirova added that the percentage of women in OT has only started growing recently so women are slowly catching up. She also pointed out that another challenge has been the long hours of traveling to remote field sites, so the work schedule can make it harder for women who are trying to balance a career with commitments at home.

“Despite these challenges, this field is growing and has different roles within OT cybersecurity. Companies are doing a better job of supporting and creating an inclusive work environment,” according to Mashirova. “In this field, you never stop learning and try to make this world a safer place to live. Moreover, ICS cybersecurity is a field full of brilliant and intelligent people, and when you become part of this field, no one cares as much about who you are but more about what you can do. Therefore, women should always seek mentors, ask for help, be confident, and keep learning. This field – as one of my mentors told me – requires motivation, patience, persistence, and dedication.”

Diane Golden, system security architect at Rockwell
Diane Golden, system security architect at Rockwell

Diane Golden, system security architect at Rockwell Automation said that the challenges faced by women looking at ICS Cybersecurity careers are very similar to the challenges they face in any engineering career. “It is very important to build up your support network of peers and advocates. They can help you navigate career stages and provide additional perspective. Cybersecurity in general can seem like an intimidating field to break into. It may seem like there are no entry-level positions in cybersecurity,” she added.  

“For ICS cybersecurity, my advice is to learn about cyber-physical systems and the differences between IT and OT systems,” Golden told Industrial Cyber. “The other main challenge is figuring out what type of role suits you. Talk to people working in ICS cybersecurity and ask them about their jobs. Be curious and seek out free training, podcasts, and capture the flags competitions to see what interests you.”

Michelle Balderson, global security executive at OTORIO
Michelle Balderson, global security executive at OTORIO

Women face changes in developing careers in cybersecurity and then specifically ICS because they are not promoted as options from them when they are seeking education, Michelle Balderson, global security executive at OTORIO and Thought Leader in addressing risk in operational environments, told Industrial Cyber. “We must remember that Operations is an Engineering Discipline, and computer science is really a part of Science, Technology, Engineering, and Mathematics.”

“Girls are dissuaded from entering STEM careers from an early age because of Gender Stereotyping. I am a Transgendered individual who grew up a boy, then a man, transitioning to a woman later in life,” Balderson shared. “I always enjoyed STEM programs, and therefore naturally gravitated toward Cybersecurity & ICS because of being inquisitive about how IT & Operations interacts with the physical world.” 

Balderson added that her career developed towards this “because of a desire to help protect society and critical infrastructures that are truly transparent to us when they are readily available. If they are not, that is when society breaks down, and I do not want that future for myself or our world.”

In transition, “I mulled over going into traditional career roles for women, ended up concluding that I was reflecting Gender stereotypes upon myself, and I was fearful of transitioning in a male-dominated IT and Operations world. Self-reflection & Therapy allowed me to see and appreciate the skills I have, which meant that I had to calm my nerves about transitioning in this male-dominated career,” Balderson said. “Utilizing a ton of willpower, and help from others I was able to transition, and when re-entering the workforce I was welcomed with open arms. It was a very positive experience, with very little negative.”

Madison Horn, CEO and founder of Roserock Advisory Group
Madison Horn, CEO and founder of Roserock Advisory Group

Madison Horn, CEO and founder of Roserock Advisory Group and former US Senate nominee said that she “could sugarcoat my response to make it palpable to the faint of heart, but the reality is cybersecurity is still a male-dominated field, and in the world of ICS, it’s even more so.” 

“My perspective comes from being a salt-of-the-earth individual from Oklahoma, a state you could say defines the word ‘grit,’ with almost 15 years of experience in the industry, interacting with individuals across organizations and all levels of the corporate ladder, who would say they are the ‘Elite of the Elite or the ‘Change Makers in Cyber,’” Horn added.

Addressing the challenges faced by women in ICS cybersecurity, Horn highlighted that  misogyny is still very present, in the assumption that women who work in cybersecurity aren’t technical but work in ‘marketing, sales or as project managers.’ This stereotyping, coupled with the prevalence of inappropriate advancements and off-color comments, is seen as commonplace without any flinching. 

As far as advice for women in cyber, those looking to enter the field of cybersecurity, or even individuals in their first corporate role, Horn provided four things to remember. These include knowing one’s strengths, weaknesses, and blind spots and seeking feedback from those around, both within and outside one’s reporting structure, to understand growth areas and how to complement the team around. She also suggested, “speak out and create space for yourself; it’s essential to recognize the difference between entitlement and what you have earned as you pave a path for yourself while learning from trusted leaders who have your best interest in mind.”

Horn further advised “get comfortable in your skin. It’s natural to want to fit into your surroundings, but when you look around, and there are only men, you have to recognize that you don’t have to contort yourself to conform to what success looks like around you. Your feminine traits are your power!” She also pointed to the need to know one’s arena, understand an organization’s leadership structure, who the mentors are outside of one’s direct reporting structure, and who the people-leaders are within the organization, working to create a positive organizational culture.

Based on their experience, the experts assess the progress made by women in the field of ICS cybersecurity, and how this headway can be built upon.

“Currently, I see the traditionally male-dominated industrial environment undergoing a transformation as more and more women discover the rewards of a career in OT Cybersecurity,” Mashirova said. “Many big oil and gas companies have seen pioneering women joining as role models, and as more have followed, they have seen impressive contributions from them in this field. If everyone on a security team thinks the same way, the race has already been lost with attackers. Therefore, diverse teams bring a wider range of backgrounds and experience.”

Golden also said that she sees “more women in ICS cybersecurity than I do in the broader field of cybersecurity. At Rockwell Automation, about half of our product security managers and product security leaders are women. We also have diverse representation in product security test, research, and services teams.” 

“ICS cybersecurity is a growing industry, so it took a bit of time to create defined career paths,” Golden evaluates. “I only see the opportunities for career growth continuing to improve as we welcome more people into our industry, men and women alike.”

Balderson said that she works with a tremendous number of women in ICS cybersecurity, “I believe managers have realized the tremendous value women bring to this career choice. I have seen the number of women grow from little numbers when I started my career, to now where our numbers have grown dramatically over the years.” 

She added, “I am very impressed by the number of women’s groups that bring women together to help create a woman-to-woman connection where we are helping each other to propel our careers. This momentum will only continue to grow because it’s a positive experience for all involved. We need to invite women who sit on the sidelines looking in to join, and there are many strong women I know who are doing exactly that.” 

One area that Balderson does believe needs development is the lack of women within middle and executive management roles. “I believe this lack of women in these roles will change in the next 5 to 10 years as we see more women promoted within the ranks of our corporations because of their skills being recognized and rewarded. It’s a constant evolution, where I believe HR teams are assisting organizations to think diversely because the overall organization does understand the value women bring within their organizations.” 

“DEI programs do need to expand their concepts of what Diversity truly means,” according to Balderson. “Organizations I have worked for always try to develop women’s groups, but neglect to see that diversity is not only Gender. Corporations need to consider creating a dedicated Executive level, C Suite Leader whose position is to focus solely on DEI with the same level of responsibility as the other executives.”

Despite the existing challenges, Horn said that the cybersecurity industry has made significant progress in terms of inclusion and diversity as the industry recognizes its deficiencies. “More women in leadership roles appear on the main stage of conferences, and sparks of color are emerging, with flare in the halls among an ocean of navy suits and hoodies. However, with a positive trend showing more women are entering the field, a retention issue nearly cancels out this growth, showing the culture within cybersecurity still needs to be addressed.”

“One can derive that steps one and two have been completed – recognizing the problem and investing in solutions – and now we need to recalibrate to understand the underlying issues that make it less conducive for women in the cyber community,” Horn added. “From my perspective, it’s the culture. Cultural shifts are as tricky as driving societal changes and require in-depth reflection and hard conversations across society or an organization.”

The experts also looked into measures that they propose to get more women involved in ICS cybersecurity. Additionally, they also go into the roadmap that the industry needs to adopt to achieve this goal. 

“The main problem isn’t that there are too many male colleagues in the industry, but rather that there are not enough women in this industry. Most companies are already doing a great job supporting women by having several programs and plenty of vacancies available where women have not previously applied,” according to Mashirova. “In addition to that, there are a lot of communities and institutions who are giving scholarships to females to pursue careers in cybersecurity.” 

Mashirova pointed out that one barrier that is often pointed to is the lack of female role models in the field. “Therefore, female leaders and executives should be encouraged to act as role models and mentors for younger colleagues and students. I hope the day will come when companies don’t see gender inclusion as an obligation, and when they also can focus on skills.”

Golden said that the key is to get more women engaged and involved with ICS in general. “Manufacturing and other critical infrastructure sectors are so important to our world. In ICS cybersecurity, we focus on making those automated systems both safe and secure- to protect our environment, human health, and safety, as well as protect the equipment from damage.”  

This is a mission that resonates well with women; we just need to make sure we are making people aware of the opportunities ICS cybersecurity provides, Golden added.

“In efforts to get more women into ICS cybersecurity, we must first attract more women to STEM careers. To effectively have women enter cyber-physical systems security we must promote cross-functional, cross-domain education and training that focuses on the skills of women in these technology roles,” Balderson said. “We must develop programs that respect the Engineering aspects of ICS while training on the knowledge that encompasses skills that most women naturally possess that are beneficial to the business.” 

Balderson added that programs must be built that demonstrate that ICS security isn’t simply a technically engineered solution but many aspects are intangible human interactions that need the power of women to bring people together in a common journey. “I am not saying that women are not technical, I am saying we will attract more women to the industries if there is a better understanding of the roles and responsibilities that are a great fit for women whether they are technical or not.” 

“We also need to build effective programs to demonstrate to women the skills that are needed within ICS Cyber-Physical Systems Security that are transferable skills from other careers that they are within today,” according to Balderson. “Women will become attracted to these roles if they understand how easy it is to transition to these roles.”

Horn said that given the positive trend of increasing representation of women in the cybersecurity industry, it’s crucial to double down on retention efforts. “This means leaning into the tough conversations and HR leading the charge by gathering honest and constructive feedback during exit interviews. It’s also essential for leaders to grasp the reasons behind women leaving the field and for allies to influence positive change amongst their coworkers beyond what’s outlined in a handbook.” 

To genuinely create an inclusive environment, leaders must rise above the current culture and work towards a more diverse and representative industry, Horn added.

The experts also weighed in on their expectations of the key takeaways from the ‘Women In ICS Security Career Building Panel and Social Event’ at the S4x23 event. 

Mashirova said that panel speakers will include women excelling in the industry with different roles, backgrounds, and experiences. 

“The main takeaways will likely include career tips from different aspects of ICS Cybersecurity,” according to Mashirova. “Speakers will share how they overcome challenges, what main skills are required, and how to build your career in this techie field. In addition to that, there will be 1-on-1 coaching sessions, where women can sign up and meet mentors/coaches at various times during S4. 1-on-1 coaching sessions will provide great opportunities to meet female leaders matched with your desired role and receive career guidance,” she added. 

“There are many paths to developing yourself as an ICS Cybersecurity professional and lots of opportunities,” Golden said. “Sometimes your next job has never existed before.  That’s great, you get to create it. Everyone working in ICS contributes to ICS Security, so you don’t have to be a security expert to get started.”

Balderson said that she believes that the Women in ICS Security Career building panel over the years it has been part of S4 has been evolving. “Success of this event would mean ongoing communication between the women who attend where they help each other to gain additional skills that benefit them and their employers.” 

“I believe this event will stimulate conversation between women, and we will also conclude that we must include men within the dialog so we bring an understanding of the issues faced by women in the ICS community, so we can build allies and empathy from men so we can drive true impactful change for all women, not only the ones who choose to work within ICS Security,” she added. “It’s an evolution over time, and we are on the right path for all women.”

Horn expects that the conversation will provide more transparency into the real challenges holding back the industry from being more inclusive, beyond corporate jargon that dominates the industry and promoting authentic discussions on creating a more inclusive environment for women in cybersecurity. “I expect to hear the importance and the benefits of diversity, innovative approaches for attracting skilled individuals, and an honest reflection of the current culture,” she concluded.

Anna Ribeiro

A complimentary guide to the who`s who in industrial cybersecurity tech & solutions

Free Download

Related

Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
Dragos reports decline in ransomware attacks on industrial sector amid law enforcement measures
MITRE's CREF Navigator aligns with DoD's CMMC to boost cyber resilience in defense industrial base
MITRE’s CREF Navigator aligns with DoD’s CMMC to boost cyber resilience in defense industrial base
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
UK’s NCSC debuts CAF v3.2 to address rising threats to critical national infrastructure, boosts cybersecurity readiness
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Cisco Talos details ArcaneDoor campaign found targeting perimeter network devices across critical infrastructure
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
Forescout report warns of growing security risks to critical infrastructure as OT/ICS exposed data escalates
ASIS Foundation reports on impact of autonomous vehicles on security and technology
ASIS Foundation reports on impact of autonomous vehicles on security and technology
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
MITRE unveils ATT&CK v15 with upgraded detections, analytic format, cross-domain adversary insights
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
Hackers target Tipton Municipal Utilities wastewater treatment plant, prompting federal investigation
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
New CGCYBER report warns of cybersecurity risks in marine environment due to network-connected OT systems
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities
Ukrainian CERT details malicious plan by Sandworm group to disrupt critical infrastructure facilities