Meet the woman protecting your data and challenging ‘male and military’ stereotypes in cyber security

As Director for Security Strategy and Architecture at Bupa, Eleanor Sim is passionate about meeting the challenges of modern cybersecurity and creating opportunities for diverse talent to thrive in the industry.

Female, neurodiverse, LGBT+ and state school educated, she stands at key intersections that the sector must embrace if it is to be fit for purpose. The sector’s output is undermined by groupthink and urgently needs better problem solving from a more diverse talent pool, she says.

How did you move into cybersecurity and what about it appealed to you?

I went to a state school in Edinburgh, but I left school early and worked as an outdoor instructor before going to the University of Edinburgh to do a degree in Computer Science and Artificial Intelligence. Only 10% of the computer science undergrads in my year were women and I accepted it as ‘normal’ that I would always be in the one-in-ten as a female. After university, I joined the National Cyber Security Centre (NCSC), where I spent ten years, starting as a cryptographic consultant, eventually evolving into a cybersecurity expert through an internal development programme. Fundamentally, cybersecurity is about evaluating the risk to taking a business opportunity and designing appropriate controls to arrive at the best outcome. It’s an industry that forces you to keep growing your skills and knowledge and as someone who loves to learn and to problem solve it is a perfect fit for me.

What was it about the challenges of cybersecurity in healthcare that interested you?

I joined Bupa in 2021 because I was excited by the opportunity to work in healthcare. It’s a massively expanding industry with huge amounts of data, new technologies and important cyber security challenges. My team is relatively small at Bupa, but our working environment is a dynamic one that encourages collaborative working. This is essential as a security architect because it’s all about problem solving. Different people want different outcomes from a system; the business wants to thrive; the users want it to be easy to use; everybody needs it to be secure. Our job is to balance competing priorities to come up with a solution. As a leader, I invest my energy into my team, because they’re a force multiplier. I have 40 hours in the week that I can work — but if I have four great people in my team we then have 160. And for me, leadership is about helping them to use those hours well, be the best that they can be and in giving them the skills and drive to do the job and meet the challenges we face in healthcare cybersecurity.

How does security in particular suffer from a lack of diversity?

A lack of diversity and ‘groupthink’ bakes biases and problems into both AI and security systems. That will be a problem because an attacker is going to come up with a way of attacking something that you haven’t even thought about defending. You want as many different people as possible to have a voice in that process — to find and fight those biases and assumptions. I was proud to help deliver the first CyberFirst girls’ competitions in 2016, and the work that the NCSC has done continuing that initiative is great. However, there’s no single point of intervention that will suddenly fill the female pipeline in cybersecurity. We need to create support at all stages of school and careers to make sure that people can see this as a career pathway for them and other under-represented groups in cyber-security.

How has diversity in cybersecurity evolved over your career?

It has improved, mainly because we’re talking about it, but the industry still feels male-dominated. We reinforce biases by putting in barriers to entry that don’t need to be there, such as the need for a degree. This could stop someone with the right transferable skills or passion even applying. Yes, OK, there are many more women and ethnic minorities coming through the pipeline, but in 95% of the meetings I join I’m still the only woman.

Is there a perception issue for women around the industry as a career path?

We still have stereotypes about what cybersecurity professionals look like and what experiences and skillsets they need, and we still often talk in military and defensive models, but a lot of these are proving to be less effective in a modern security environment. The industry needs people who can communicate; can design content that brilliantly explains security concepts to people; who enjoy solving problems in different ways; who bring different perspectives. Ultimately, we have to evolve the way that we think about things — if you only ever go back to the same set of people to solve a problem, they’re just going to keep giving you the same solution.

What has been the biggest change in cybersecurity over the past 10 years?

Computing and cryptography are now ubiquitous; we’re surrounded by everyday tech, some of which can have more computing power than we used to send the first astronauts to the moon. The biggest change though is that everything is accessible on the internet now. Internet connectivity brings challenges that systems were never originally equipped to cope with — in terms of security, we used to think about creating ‘castles’ with high walls that were hard to get into. Nowadays, those walls are meaningless, and we have to think about what happens when someone’s entered the castle. How do we ensure that we can limit damage that might happen, or that we recover as fast as possible?

Where’s the human value in the age of AI and cybersecurity?

AI helps us process vast amounts of data — volumes that humans are not capable of dealing with — and find the anomaly we might not be able to spot ourselves. But AI doesn’t know what it’s found — it’s simply followed rules you’ve given it, so human intervention is essential for making sense of the data in order to understand how to respond. So, one way to look at AI is that it’s about helping humans be more effective in getting the right information to make decisions — and, of course, taking away repetitive work. As we move into more dynamic security strategies, we will see more and more of these techniques being used to help work out where we need to focus our attention.

How can neurodiversity bring an extra dimension to security?

I am dyslexic, and a high proportion of security architects in the NCSC are too. The benefit for the industry is that we approach problems differently. So, we have to create environments where we recognise the value of that diversity, and where people can thrive. The conversation has to move from ‘Do we have enough people who are different?’ to ‘Are these people able to give us everything they have the potential to give us?’. If you feel uncomfortable being yourself, you hinder your ability to perform at your best. When I wasn’t ‘out’ about being married to a woman, a part of my brain was always busy working out what pronouns I was going to use or how I was going to answer questions. When I’m in an environment where I can be me and talk openly about my wife then I can concentrate all my brainpower on the work problem in front of me. That’s why inclusive environments are the most effective ones.

What advice would you give people who aren’t from a ‘traditional security mould’ about going into cybersecurity as a career?

You don’t need to know what you want to do from day one. Cybersecurity is a huge industry that encompasses so many different skill sets, so don’t be afraid to take a role or an opportunity to learn more about what’s possible. It can be an amazing opportunity for people, especially young women and people from diverse backgrounds, and anyone who wants to solve problems and learn new things.