On International Women’s Day Tuesday, Forrester reported that women represent just 24% of cybersecurity professionals worldwide.
The report, which offers eight best practices to help encourage diversity in the workforce, found that while the industry has made significant efforts to recruit women, security culture across many organizations remains hostile toward women, making it difficult not only to hire them but also to retain them.
“There’s an urgent need and enormous opportunity to become not just an ally, but an outspoken champion for women in tech and cybersecurity, especially when so many people tell women to solve workplace challenges by simply ‘leaning in,’” said Jinan Budge, principal analyst at Forrester. “While personal responsibility is important, there’s only so far that your confidence can take in an industry ingrained with systemic sexism and bias. Engage with people who experience the adversity, and advocate for women in your team by creating a space where they, alongside male allies, can champion real change.”
Forrester's new research identifies practical recommendations for addressing the systemic cultural issues affecting women and holding back security teams from succeeding. Leading findings include:
Companies need bias training and must focus on retaining women in leadership roles. Forrester analyzed the LinkedIn profiles of more than 380 Fortune 500 and 150 EMEA-headquartered companies and found that of those with a formal head of information security, women held only 13% and 8% of those roles, respectively.
Toxicity is rife in cybersecurity, and a toxic security team that lacks diversity will fail. According to Forrester, a lack of gender diversity was the “dirty secret” of toxicity, with many only highlighting it privately, causing stigma, shame and numerous resignations.
Businesses need to tackle gender bias head on. Today, 87% of CISOs at Fortune 500 companies are men and only 13% are women. For the majority of CISOs who are men, there’s an urgent need and enormous opportunity to become outspoken champions for women in tech and cybersecurity.
Jennifer Tisdale, CEO at GRIMM, said the industry clearly needs more diversity. Tisdale said if everyone in the industry looks the same, grew up the same, and received their education from the same universities, the industry will never achieve the ultimate goal: diversity of thought and problem-solving ability.
“We need to start talking to and encouraging our young ladies while they are children,” Tisdale said. “Middle school is the age most educators say they begin to lose girls from STEM programs. More encouragement, more representation in their lives, redefining what a career in a STEM field means and all the different interpretations of what this will mean in the future will be incredibly important.”
Saryu Nayyar, CEO at Gurucul, quoted Ruth Bader Ginsburg’s famous line: “Women belong in all places where decisions are being made.”
Nayyar said Judge Ginsburg’s comments apply across all industries, not just cybersecurity. However, Nayyar noted that it’s an unfortunate reality that women are sorely underrepresented in cybersecurity because of outdated and inaccurate sentiments about job fit and cultural bias.
“It’s time executive teams proactively address this issue with constructive measures and Forrester has done a fabulous job outlining eight initiatives to attract and retain women,” Nayyar said. “We need to lead the change and fight for increased female representation at all levels — as security analysts, data scientists, product managers, forensic investigators, SOC engineers, and CISOs. The first step is acknowledging there is work to be done.”
Jamie Levy, director of R&D at Huntress, added that cybersecurity definitely still has a gender gap and other biases baked into it. While she agreed that having male allies can help influence change, Levy pointed out that women in positions of power can also help influence change.
“I’ve personally worked with other women who viewed female new hires as competition instead of colleagues,” Levy said. “A dark secret is that sometimes the source of negative experiences aren’t always from men alone.”
Levy also pointed out that cybersecurity conferences have definitely improved over the years, but still have a long way to go.
“It used to be the norm to have ‘booth babes’ and visits to strip clubs during Black Hat and DEFCON,” Levy said. “Attendees have pushed back on this behavior and you don’t see it nearly as much. I’ve also noticed that there are more and more women speaking, training at, and attending these events each year. While there are still incidents that happen here and there, I’ve personally been impressed with the responses on social media from male allies trying to right any wrongs.”
The two main challenges here are overcoming bias and increasing ally visibility, said Karen Walsh, founder and CEO at Allegro Solutions. Walsh said that, as any woman in the workplace knows, historic bias is difficult to overcome.
“Whether it’s being stuck on the ‘mommy-track’ that leaves you with gaps on a resume or the fact that women in STEM has only been a movement since the 1990s, we’ve still got a long way to go trying to remove ourselves from institutionalized issues,” Walsh said. “On the other hand, we do have a lot of men working at allyship. Several women-in-cyber organizations have awards for male-presenting allies. Visibility into allyship — and making it the norm rather than the exception — goes a long way to providing examples of how men can overcome their biases and work more purposefully.”