Infosec still (mostly) a boys' club
Women who do join get paid and promoted less, leave faster. What can be done to stop that?
The infosec industry remains mostly a boys' club. And while there are some indications that it's becoming more diverse, bringing women into the room continues to move at a glacial pace.
Globally, women make up about 25 percent of the cybersecurity workforce, according to the International Information System Security Certification Consortium, or (ISC)², an organization that trains and certifies IT security professionals.
Granted, these 2021 numbers are an increase from 2017's findings that showed only 11 percent were women. But in an industry facing a worker shortage of about three million amid growing threats from nation states and criminal gangs alike, a mere 25 percent of the workforce is still pretty dismal.
"In some parts of the world, the percentages are much lower," (ISC)² CEO Clar Rosso told The Register. "And women leave the cyber profession at higher rates than men, so organizations must take steps to increase the retention of female infosec professionals."
Rosso suggests organizations do this by paying women the same as their male counterparts, and also providing them with equal career advancement opportunities — both of which should be no-brainers, but, sadly, aren't.
Other processes, such as developing an inclusive culture, implementing zero-tolerance policies on harassment and discrimination, and providing access to mentors and advocates play a role in retention, as well. But by first focusing on eliminating pay and advancement inequalities, "you can take a giant leap forward on the retention front," Rosso said.
Before organizations can work on retaining female infosec professionals, the industry needs to bring more women into cybersecurity jobs in the first place, she opined.
Where are the women?
Microsoft Security earlier this year commissioned a survey that looked at the gender gap in cybersecurity and how to increase the number of women in these positions. It found more than half (54 percent) of women believe the industry has a gender-bias problem that results in unequal pay and support.
Additionally, while 83 percent of respondents said they believe there is an opportunity for women in cybersecurity, only 44 percent of female respondents believe they're sufficiently represented.
"A lack of representation can perpetuate and reinforce the gender gap by dissuading women from entering the industry," Vasu Jakkal, a Microsoft Security corporate vice-president, told The Register.
According to the survey, women hold these beliefs even more strongly than men do: 71 percent of women (compared to 61 percent of men) think cybersecurity is "too complex" a career, and more women than men (27 percent and 21 percent, respectively) believe men are seen as a better fit for technology fields.
"These statistics break my heart," Jakkal said. "To bring more women into the field, we need to dispel these harmful myths about cybersecurity careers, provide the skill-building and mentoring to empower women and increase their confidence, and share real examples and stories of what female leaders are doing in the cybersecurity space."
This is something that Enterprise Strategy Group senior analyst Melinda Marks has been doing with her Women in Cybersecurity video series that features women in the field and asks them about challenges they've faced and overcome as well as resources and ways to increase diversity in the industry.
Case in point: Security conferences
"If you go to cybersecurity conferences, it's still male dominated, and unfortunately too many of us have stories about being the only woman on the team, underestimated, underpaid, or otherwise mistreated," Marks told The Register.
"I think sharing our stories and how we've overcome challenges helps so other women coming into the field have fewer challenges if we can address and fix some of these problems."
The problem, however, begins well before women enter the workforce. Katelyn Bailey, director of strategic intelligence and government at Google's Mandiant, says we need to look as far back as kindergarten and continue emphasizing science, technology, engineering and math (STEM) education for girls through high school.
"It's obviously more complicated than funding education, but it all starts there," Bailey told The Register.
"We cannot be dependent on home education to provide introduction to the STEM fields, as parents are more likely to expose boys to the foundational elements that lead to STEM fields."
Men, in turn, are more likely to enter STEM professions. In the US, women made up nearly half of the overall workforce in 2019 but only about 27 percent of STEM workers, leaving men to dominate that field.
Job listings can also attract or repel female candidates because of bias in their wording and in the algorithms that screen them. Even something as simple as changing hiring language may help, Gartner senior principal analyst Patrick Long said.
Women currently achieve higher-level degrees and certifications than their male counterparts, and place higher value on those certifications, he told The Register.
"Hiring organizations can also change their barriers of entry by using frameworks such as NIST's Workforce Framework for Cybersecurity, also known as the NICE Framework, to identify specific needs as opposed to position titles," he added. "Doing this can lead to non-cybersecurity experts transitioning toward cybersecurity roles."
The ladder's broken
Once they're in an infosec job, however, women often find a "broken rung" when they try to climb the corporate ladder: men are more likely to be promoted. This continues all the way up to the highest levels of leadership, and in cybersecurity it's especially pronounced because there are fewer women to begin with.
"It is human nature to support and champion those like you," Bailey said.
"If you see no one like you anywhere up your leadership chain, you may feel isolated and hopeless in terms of career progression, you may struggle more than your male counterparts to find a champion, and may struggle to feel a sense of belonging or support."
Plus, she added, "women also take on more unpromotable tasks than their male counterparts. If these things combine at once, it is the perfect storm for attrition."
Some industry-wide organizations, such as the Executive Women's Forum and Women in CyberSecurity (WiCyS), are taking on these issues, and industry trade groups have developed initiatives to increase diversity in hiring and retention across the sector.
(ISC)², under Rosso's leadership, established a Diversity, Equity, and Inclusion (DEI) program. And the Information Systems Security Association (ISSA), which was founded by two women 40 years ago, has its Women in Security Special Interest Group (WIS SIG) to develop leaders and build a stronger community for women in the industry.
"The vision is to enable women in cybersecurity to improve their brand, showcase their capabilities, and create new opportunities," ISSA International Board Member Betty Burke said.
Additionally, some private corporations have their own internal initiatives and training programs. That's not to say women are preferred over men in these processes; it's that women are given an equal crack when it comes to hiring, retention, compensation, and promotion.
For example, Secureworks CEO Wendy Thomas set a goal to have women make up 50 percent of the company's global workforce by 2030. Over the past year, the security firm's female employees increased from 26 percent to 34 percent.
Microsoft partners with Girl Security, which works to develop cybersecurity career paths for girls, women, and gender minorities. Similarly, Palo Alto Networks' Unit 42 created an associate program that trains recent college graduates as the next generation of incident responders.
"For this hands-on program, we ensure that at least 50 percent of the class is female," said Wendi Whitmore, SVP and head of Unit 42. "Our current group of associates is actually 55 percent female. Of course, it's not only about getting them into the pipeline of employees, it's really about keeping them there."
Equal pay … and flexible work
For this, Whitmore points to flexible work hours and locations. "Providing these options helps women stay in their careers and move up the ladder," she told The Register.
Because, as the global COVID-19 pandemic made painfully clear, working women still shoulder the bulk of the household and childcare responsibilities.
"Women do so much outside of their careers," Whitmore said. "They're often running their families and households. What we've seen is that the normal course of life tends to drive women out of the security industry."
And keeping women in the industry is good not only for the sector itself, but for society in general, which relies on infosec workers to keep IT systems running, keep personal and corporate data secure, and prevent cyber threats from bleeding into physical ones.
"The cyber threat landscape is complex and spreads like wildfire," Rosso said.
"To successfully solve the dynamic issues facing the cybersecurity profession and to close the skills gap, we need to lift new voices. We need to bring problem solvers, analytical and critical thinkers, and a diversity of other skill sets and backgrounds to the table to solve our challenges and secure information and systems globally."
This means targeted programs to bring more women and minorities to the profession are important because, as the adage goes, "you cannot be what you cannot see," she said. "People across the globe have told me they lack a sense of belonging when they are the only woman, Muslim, or person of color in the room."
Plus, "organizations with diverse teams are more successful at recruiting and retaining women," Rosso added. "We won't close the cybersecurity workforce gap or adequately secure our information and systems unless we cast a wider net and embrace more diversity, especially women, within the profession." ®