Beating the odds: A tale of women in cyber

It’s been a busy few years for those working in cyber. 2024 saw organisations north and south of the border hit by some of worst data breaches in decades, while ministers came up with policies to try and manage a digital world that kept developing at a pace faster than they could often handle.

And the new year shows no signs that the online safety crisis will soon stagnate, with statistics showing an alarming rise in online child abuse, and experts warning the Online Safety Act (OSA) will not live up to its promise.

It’s 10am on 16 January, less than two hours since Ofcom published its age checks to protect children online, when I log into a Teams call with cybersecurity leader Chelsea Jarvie. She is sat in a dimly-lit room at the University of Strathclyde, where she’s working towards her PhD on children’s online safety.

Jarvie has mastered the art of juggling multiple things at once. At her 32 years of age, she’s an entrepreneur, well-renowned cybersecurity speaker, student and author – all while being a mother of two.

However, the cybersecurity portfolio didn’t come naturally to her, she admits, recalling that during her time at high school in Perth she “couldn't have thought of anything worse” than going into computing. “I found it so boring – a stale and dusty subject”, she says.

I've had loads of amazing opportunities throughout my career but amongst that I've had some absolutely horrendous experiences and quite toxic working environments

But she quickly uses her experience to shine a light on the crux of the matter – the education system is flawed. “It’s so exciting," she says of her chosen field. "It's everything that we do now day-to-day, but the curriculum doesn’t help.

“Cybersecurity is now as important as English and maths because this is how we work, we communicate, we use our public services. It is all through digital channels, it can’t be extra.”

Now, more than a decade later and having held a string of leading roles in the sector, she has returned to the classroom – at least to an extent – to make the online world a safe place for kids to thrive. Driven by the “people element” of security, Jarvie is creating an age-verification tool to help detect those pretending to be over the minimum age required to create a social media profile or buy adults products online.

“It kind of feels like the horse has bolted with all the tech that's available for kids. The legal changes are coming along at a time when you're trying to ring fence something that's become an absolute monster”, she tells Holyrood. “I like the idea of being able to help people stay safe online and be able to protect them and their data.

“Kids don’t have that context or maturity to be able to have a bit of perspective on what they are seeing [and] social media can be really damaging for them, for their thoughts, for how they are formed as adults.

“And I don’t think the Online Safety Act goes far enough”, she insists.

The cyber expert is not the first to point out the bill could punch below its weight. Over the past year, campaigners have been calling on the government to “finish the job”, with research showing that tech companies are failing to comply with their duty to remove harmful content from their sites. And, earlier this month, the Internet Watch Foundation urged Prime Minister Keir Starmer to fix “gaping loopholes” in Ofcom’s codes for implementing the OSA that it says will allow for online abuse to continue.

Jarvie also points out the “shocking” amount of content parents share online featuringtheir kids – a topic on which she is about to publish a guidebook. The practice, known as 'sharenting', has become increasingly popular in an era dominated by retweets, likes and comments. Estimates suggest that the average parent will post their child’s image online almost 1000 times by the time they are five years old.

The framing of cybersecurity has to be moved out of IT into a business resilience issue

“Kids are our future leaders, our innovators – the future of our society. What if you are the future prime minister or you are the future chief executive of a big tech company and you've got 12 years of photos, videos, memories, data about you that your parents shared, how do you begin to comprehend the volume of data? Imagine how could that be used by other governments against you [or] by the media to paint you in a bad light?”

Having worked in the government herself, Jarvie acknowledges cybersecurity is a tough job. In 2017, she was recruited to build the security team at Social Security Scotland (SSS) and before that she was head of information security at Education Scotland. “I had a big security team when I left (SSS) and it was a great role helping ministers deliver the Scottish benefits system by the political deadlines that they had set," she says. "In the technical space, we had to make sure that everything was secure enough to be in the public domain for use by Scottish citizens, so it was very demanding”.

There is also a great misconception around who’s responsible for IT security, she explains. “The framing of cybersecurity has to be moved out of IT into a business resilience issue.

“Security is seen as an IT issue: ‘The IT team didn't do an update’. But actually if you trace it back, it's always a people issue and a business resilience issue. Cyber-attacks are something that could bring an entire business down. It's not just an IT thing. It needs to be dealt with and prioritised, it has to be funded right from the top and that has to filter right down.”

Jarvie’s journey to success has been an uphill battle, her progress hampered by a male-dominated industry laced with crippling misogynistic attitudes – the odds were not in her favour. “I've had loads of amazing opportunities throughout my career but amongst that I've had some absolutely horrendous experiences and quite toxic working environments.”

Fourteen years ago when she began her studies on ethical hacking at the University of Abertay, she was just one of two women in a class of 70. “I feel that I've had to become a lot bolder in my approach and be very forthright in defending myself or calling out poor behaviour, and it feels like I have to do it all the time.

“When I was coming through university there was so much support for women to get into cybersecurity and graduate opportunities and loads of [other] stuff. And then as you progress and you get into management, there's a kind of drop off to the support.”

Research has shown that more than a third of women in the tech industry leave it by the age 35, with maternity leave, gender-based double standards and family-life balance found to be key blockers for female progression. “I've tried to make this industry work for me, but it's really difficult”, Jarvie says, and eventually it was a key factor in her decision to start her own company in 2019. “I decided to start my own company cybersecurity consultancy, Neon Circle.

“It can be quite lonely anyway when you get into management. [And] you've then got your kids and you're thinking I would like flexibility; I'd like to work-part time, but there are hardly any part-time opportunities and how will working part-time impact my career? I've had questions and comments made for years about when I’ll want children, how long would I want to take off, then since having my kids, comments made about the things I can and can’t do in my career as a mum. So it’s really tricky to get the balance right navigating my career, while also still wanting to be a present mum, in an industry which doesn’t feel hugely supportive.”

So, what’s the next thing we should look out for? Cyber war has become a hot topic amongst political leaders. In November intergovernmental minister Pat McFadden warned Nato members of a looming Russian cyber-attack that could "turn the lights off for millions of people" by shutting down power grids.

“I think we're already there”, Jarvie argues. “Obviously, we've got the conflict in Ukraine, and we've got different conflicts happening physically right now. But that same conflict also has a digital element, but it's just not photographed because you can’t see the front lines, but taking down critical infrastructure is a massive issue, particularly when we rely on so much of it now in our daily life.

“Smart cities and progressions like that are amazing. But what happens if they are attacked. How do citizens access the essential services that they need? So, why wouldn't you attack digital infrastructure when it’s all online?”

Chelsea Jarvie will be chairing Holyrood events' Public Sector Cyber Security Scotland in Edinburgh on 4 February