Why and how to build a career in (cyber security) policy

 Despina Spanou, a founding member of the Women4Cyber initiative, shared the inspiring story of her own career in cyber security policy, and explained why more women should enter the field. She is currently Chief of Staff for the Cabinet of Margaritis Schinas, Vice-President of the European Commission, overseeing the EU’s policies on security, amongst other topics.

Previously, Despina worked as Director for Digital Society, Trust and Cyber Security at the EU Commission, where her responsibilities included the implementation of the EU legislation on network and information system security (NIS Directive) and negotiations for the EU Cyber Security Act, which recently entered into force.

Accidental hero

Despina started her career as a policy lawyer before entering the field of cyber security. “I had no experience in or knowledge of cyber security, but I was very interested in the topic. Thanks to the opportunities I was given by my (male) mentors, I accidentally became a role model for many women in the sector. The first lesson I can teach you is to expand your interests by educating yourself. You need to understand what cyber security is about, have a basic technical understanding, and (perhaps most importantly) learn the extent of the threat landscape,” Despina advised the participants.

Since the Covid-19 pandemic and the start of the Russo-Ukrainian War, the geopolitical situation has changed the cyber scene tremendously. “Cyber security has become an economic problem, because it can bring down important systems. Cyber criminals target the healthcare sector now, because getting hold of their data and crashing their systems can destabilise our entire society. You cannot open a newspaper without reading about it. The news is a great tool to assess the threat landscape, and an easy way to upskill yourself daily.”

Quote: “Do not be intimidated by the field. Not every cyber security job is 24/7.”

Diversity yields results

In 2022, a regulation was proposed, which is changing the cyber security landscape. The Cyber Resilience Act (CRA) defines cyber security requirements for products with digital elements, to ensure more secure hardware and software products. Despina Spanou: “Essentially, everything must be secured by design. You can compare it with product safety controllers: we need cyber security experts at the end of the chain, who will control and guarantee the level of security.”

To meet this demand for new cyber security experts, the European Commission created the Cyber Security Skills Academy. “Men and women think differently, and we need every possible mind to deal with the economic impact. One thing I learned from Jane Frankland’s book INsecurity is that women have missed their chance in cyber by not seizing the opportunities with both hands. Cyber security is universal, and requires diversity to get the best results. We must fill the skills gap, not just reduce the gender gap, in the cyber security sector. So, women, upskill yourselves and don’t be intimidated by the job nor by the men working in it. And men, hire and attract women so they feel welcome, but also invest in your own re- and upskilling,” Despina encouraged.

Recent policy evolutions

The CRA will also impact new technologies and platforms such as ChatGPT. “Today, ChatGPT is being fed by the public as they use the tool. Once the CRA is completely deployed, these types of tools will only be able to enter the marketplace after being fully tested on cyber security compliance,” Despina explained.

Some people doubt the CRA will result in the intended effect. Despina Spanou: “When the GDPR was announced, there was also much disparagement against it, but now this data protection law is being embraced. The same will happen with the CRA – and for digital evolutions such as Artificial Intelligence and the cloud. AI should not be seen as a threat, but as a defence method and an opportunity. AI will generate new jobs in science. Children today are already learning to code, and it is also part of the upskilling course of the cyber professional.”

Hilde Vernaillen, CEO at P&V (where the event took place), was delighted to host an event for women in cyber, to highlight the importance of diversity in the sector. “You just have to do it, and not assume that something or someone stands in your way.”