‘Diversity In Security Is A Business Imperative’: EY Partner Shelley Westman

'TF7 Radio' Guest Pushes For More Women In Cyber Sec.

Add bookmark

Dan Gunderman

Diversity of thought in the cyber security space is a business imperative. That was the message on the Aug. 21 episode of “Task Force 7 Radio,” where host George Rettas was joined by Shelley Westman, Principal and Partner, Ernst & Young (EY) Cyber Security Practice.

Prior to moving into the enterprise security space, Shelley practiced law, and was later the Vice President of Operations and Strategic Integration Initiatives for IBM Security.

In explaining her background, Westman told Rettas that she did not enjoy practicing law, and felt more at home with a corporate role, where she became “someone who could get things done.” Ultimately, Westman migrated into cyber security after being promoted through the ranks.

She said that on pivoting between careers and industries, it’s a matter of using skillsets, learning quickly and applying your knowledge to the new role.

She said that the challenge on the cyber security side, however, was that she had to learn an entirely new “lingo.” She said: “I was one of those people that changed my password eight times in a row to get it back to the same password.”


While cyber security and the legal field appear quite different from one another, they actually share a number of traits (in those filling the ranks). That is: an analytical mind.

However, Westman said that the largest difference is that law, specifically litigation, is “very adversarial.”

“In court, you’re working toward a date. In cyber, while it’s adversarial against people trying to get into your systems, by its nature it is very much a team sport,” she said.

In cyber security, she added, “everyone’s in a boat, rowing together. It’s not adversarial, at least from one side of the house.”

Current Role

In her current position with EY, she leads advisory practices, assisting clients in all areas of cyber security, “to prepare for the inevitable.”

She told Rettas that involves using digital analytics, reviewing ops and strategy, teaching enterprises how to be resilient and taking them through numerous exercises.

See Related: Collaboration & Motivation: Cyber Security Exec Shares Helpful Tips

What Westman is finding, however, is that organizations using point products are likely at a disadvantage. She said that these products, “from 40-50 vendors, don’t talk to themselves; they’re not integrated.”

The “TF7 Radio” guest opined: “You really have to start from an organizational perspective, and look entirely across the board. You have to make sure the strategy is integrated.”

Women In Cyber Security

For the remainder of the show, Westman and Rettas discussed the underrepresentation of women in the field.

“I read a statistic,” Westman said, “that only 10% of cyber security professionals were women. I decided I needed to take action. It was the first time in my career that I felt like I had a responsibility to all those out there who could be a part of the field…”

From there, Westman formed an internal IBM group (comprised of 200 people, which has since grown to 800) dedicated to growing the female ranks in security. She’s also a member of a group at EY with the same objective.

She continued: “Men are four times more likely to hold C-Suite and executive positions than women. Why? There has been discussion and effort, and women have been speaking up for change.”

However, the “TF7 Radio” guest suggested change takes time and women cannot influence the wider industry alone.

“I can stand on every rooftop (and shout about it), but I’m still not going to really drive change,” she said. “We need men, or 90% of the cyber interest, to talk about this. Diversity is a business imperative. Diverse teams drive better results across the organization. Diverse teams are more innovative, objective and collaborative. That’s critical in cyber security.”



Are there specific reasons the space has not yet been totally transformed? Westman said a portion of that has to do with “connotation,” and the portrayal of a “hacker.”

“(The hacker stereotype) does not look like them (women),” Westman said. “There’s also the belief that cyber is a lonely job…”

She stated that women make up 50% of our college graduates, yet they comprise only 11% of the cyber security field. “That’s a lot of talent we’re not getting into our industry,” she said.

Retaining Women

Retaining talent: another challenge in the space.

“We can’t afford to have any of them leave,” Westman said. “There have been studies that showed that women face discrimination in the field. Twenty-eight percent said their opinions are not valued in the organization. Fifty-one percent said they experienced some form of discrimination. (They also face) up to 8% lower pay across every type of security job.”

See Related: 'Demonstrating Business Value': Communicating Cyber Security ROI

The featured guest said women need more support from the “very moment they decide to pick the path, and throughout their careers.”

What’s The Solution?

“There are so many reasons for optimism around this,” the “TF7 Radio” guest continued. “If you look back at history, women have made great strides in fields once dominated by men… It’s possible to solve, but the problem is that there’s not just one answer. It’s going to ‘take a village.’ We need a 360-degree effort to hit this from all fronts.”

Hiring Quotas?

In discussing some organizations embracing a “50% female hire” policy, Westman said the question comes down to “unconscious bias.”

“People tend to gravitate toward people like them. They’d prefer a candidate that has the same background as them,” she said. “If you place a ‘target’ out there, it forces you to look at (the situation) differently. Is 50% the right number, though? It’s hard to meet, but it’s a great goal to start with. We have to make sure we’re not losing candidates through the pipeline due to unconscious bias.”

Furthermore, in entering the field new, the EY partner said, “We can’t let a lack of knowledge or experience stand in the way. Getting more women and minorities in the field helps us as an overall industry.”

Parental Guidance

Rettas then asked the EY partner about parents’ roles in the growth process for cyber security and STEM applications in general.

“(The parents must) talk to them (their children) about what they can do, what they can be,” she said, before adding the young students cannot get caught in a “gender gap.”

Her advice to parents: “Understand what your child likes to do, and expose them to all different things.” That includes STEM camps, movies such as “Hidden Figures” and other mathematical applications.

Companies & Universities

For enterprises charged with hiring security roles, Westman suggested that they “think differently” to ensure the job appeals to a mass audience. That involves distilling the “hacker connotation” and emphasizing collaboration, analytics and more.

For universities, the EY partner stated that by the time students turn 16, they may’ve already turned against STEM fields. “Universities have to partner with middle schools and high schools.”

That could mean university programs, “capture the flag” events, and more efforts to boost the ranks.

“(Keep in mind), this is a very lucrative field. The starting salaries are extremely high, and there’s virtually no unemployment,” she continued. “It’s a great field to get into.”

Overall, however, Westman emphasized the male role in this transition. She called on them to “get on the bandwagon” so that real change can take hold, and now, instead of decades down the line.

The "Task Force 7 Radio" recap is a weekly feature on the Cyber Security Hub.

To listen to this and past episodes of "Task Force 7 Radio," click here.

Connect with Westman on LinkedIn, here.

Be Sure To Check Out: Industrial IoT Concerns Worsen As More Devices Connect To The Web