For someone who has excelled in a male dominated world, I’m surprised to hear that Cath Goulding, Head of Cyber Security at Nominet, has grappled with imposter syndrome throughout her career; something she admits to having tamed in recent years.
"Girls should be encouraged to take more risks," she says, as she references Reshma Saujani’s TED talk Teach girls bravery, not perfection, which particularly resonates with her.
She moved to Nominet in 2012, the official registry for all .UK domain names, where she finds herself increasingly being an ambassador for the industry by talking at events. It’s a role she is happy to undertake as she feels there is “a big problem with the gender gap and not enough women going into cyber”.
The gender imbalance
“I've realised one of the things I can do is to put myself out there and be a role model and say this isn't just a job for the boys,” Cath states. She feels passionately that this is not just a gender issue but a business one; we are critically short of cyber skills across the board.
She recalls a conference she recently spoke at which was to a room of 100 men and only 3 women. Ironically one of the themes of the event was “how we need to look at things differently because the pace of technology is moving so quickly,” she adds. She finds it “disappointing because it's not just an equality issue, it's about offering different perspectives.”
Cath works with NCSC on the CyberFirst initiative - free summer courses designed to drive young talent into cyber security. Whereas the places for boys are always oversubscribed, they struggle to attract girls. The onus, she feels, is upon teachers and parents to encourage girls to pursue STEM subjects if they're showing an aptitude for them. Cath sees this as a problem which is quite pertinent to the West. If we look to China, India, Turkey and Israel - girls gravitate to the STEM subjects which are seen as a path to success. “Females consider the cyber industry a privilege to work in,” she highlights.
Interestingly it’s men Cath owes much of her own drive to. Her grandfather, father and uncle had a high regard for education and always encouraged her to embrace and apply for opportunities along the way.
Also of interest: Diversity in cyber: why the man vs women debate is getting boring
Cyber before cyber
Cath’s earliest ambition was to be an architect, but instead chose to read maths at university, followed by a masters in human computer interaction. Unsurprisingly Cath loves to solve problems, describing herself as both logical and creative in the way she approaches them.
Whilst at university, a lecturer encouraged her to apply to GCHQ. Her application was successful and she spent 15 years there handling intelligence and information security for the British Government.
At a time when the word “cyber” didn’t even exist, she gained experience across the spectrum from IT support to data research, as well as taking on a role in a new area called “network defence”. There she essentially acted as the “gatekeeper”, to monitor and observe data and look for any patterns of anomalous activity that might give rise to cyber attacks.
Back then, at the turn of the millennium, there were two types of perpetrator. At one end of the spectrum there were hackers, not motivated by money but for “street cred from peers” who’d enjoy spreading viruses and causing damage to computer systems. The other type would be nation states; countries were beginning to get interested in how they could use cyber to gather intelligence and her role was to observe unusual activity on that front.
No such thing as a typical day
At Nominet, Cath sees herself as an adviser, rather than an inhibitor, to the business which entails being privy to projects at the outset “so you can build security into the design”.
“I try never to say no, but I'll stress the importance of security and open up some examples that we've had to discuss their impact or impact they potentially could have had.”
It’s a two way process, however, as she also asks staff for their help. “If you see a particular process or issue that is vulnerable then I ask employees to please come to me and we'll sort it out. I really believe it's about getting the culture right so that people think about security in their day to day job and are also proud of it because it is a business asset now.”
Also of interest: CSO of Bacs and Faster Payments, Craig Rice, on cyber resiliency
Getting the culture right
Cath says that security has to come from the top down and it has to be visible.
Coming from GCHQ, “an organisation that had security ingrained in its DNA from the moment you walked into the building" to Nominet - an academic and more open environment - was quite a contrast. Cath introduced fun ways of fitting security in their everyday lives, such as a competition with a trophy awarded every few months to the team with the tidiest desks.
“I had to come up with a way that didn't obstruct that free flow but also makes security a positive thing, rather than it being a punishment,” she explains. It’s a bit of fun, but “also there is a league table and nobody wants to be bottom; it comes back to that visibility.” It serves as a great way to make people think about security at least once in their day.
In the case of a security error, Cath leaves little stickers on desks saying “don’t forget about security” to remind them about their security hygiene. Good security action rewards them with points on the trophy board, whereas bad hygiene will knock points off. However, demonstrating that you’ve taken training will neutralise negative scores.
Cath finds that the point system works well. "I don't want to punish people. Phishing is a prime example where there are lots of tools to send out test phishing emails to all the staff and look to trick them. Everybody's going to click on a link nowadays if it's sophisticated enough, so I won't punish somebody for clicking on it,” she explains.
Greatest challenges in the industry: technology and the cyber skills gap
Keeping abreast with the rapidly evolving pace of technology is one of the greatest challenges of our time, for Cath. "The IT Department is no longer the gatekeeper so it's ensuring that people understand if they haven't read the policies at least they know to come and talk to me if there's a new software as a service, for example, to make sure that they implement the right controls."
She also thinks the skills gap is a massive problem. “There's not enough people in this industry and getting the “right people in is really hard”.
I ask Cath what are the key attributes she looks for in a cyber security professional.
Attitude is key. "Enthusiasm, teamed with raw ability - someone with the foundations but who can be taught." Another attribute is being a “translator”; they have to “ask questions of everybody in the business but also translate that into cyber risk," she says.
Also of interest: How will cyber threats evolve in 2019?
Down time: the French connection
Cath enjoys being outdoors, in the heart of nature, walking and cycling with her family. They visit France on an annual basis; the wine and food being of particular appeal.
“I'm lucky my husband's a good cook. I'm definitely the taster,” she admits. She also likes to read fiction; Kate Atkinson’s novels being among her favourite.
Unsurprisingly, she spends much of her time reading about cyber security. Currently, she’s got a couple of books on the go; Nudge: Improving Decisions about Health, Wealth, and Happiness by Richard H. Thaler and Cass R. Sunstein and How to Measure Anything in Cyber Security Risk by Douglas W. Hubbard and Richard Seiersen. With regards to the latter, Cath says a lot can be learnt from the financial sector who are adept at quantifying and translating financial risk as a business risk to the board, an area where the cyber security industry needs to improve in.
The greatest lesson she’s learnt over the years is: “There's no such thing as a stupid question”. Cath is an advocate of not holding back and asking questions that come to mind because, chances are, other people in the room have been thinking the same thing but have been too intimidated to ask.
As I am leaving I ask whether there is anything she learnt from her GCHQ days that she’s still mindful of in her role today as Head of Cyber Security. “Yes, they’re all at it - nation states, everyone is at it,” she says with an air of certainty in her voice. “You’re going to use that as your headline now aren’t you,” she adds. And she wasn’t wrong there.