There’s no GPS or roadmap to follow to get women in security to a place where they are on equal footing with men, but there are plenty of ways the industry can help them arrive at equality and parity. Teri Robinson reports.
If the longest journey begins with a single step, then women have made some strides in what can only be described as an expedition toward greater equality in the security industry and beyond. Consider all the milestones just in the past couple of years.
While the U.S. may have missed an opportunity to elect the first female president in 2016, the blue wave that swept in during the 2018 midterm elections was propelled mainly by women and, in fact, more women are seated in Congress than ever before. Former CIA spy Valerie Plame is running for a Senate seat in New Mexico. For the first time in National Guard history a state guard – in Maryland – is commanded by women. #MeToo has dragged harassment into the sunlight and taken some of the sting of reporting it out of the workplace. And, in security, the familiar 11 percent figure that has long marked the number of women in the information security workforce has, by some estimates, more than doubled.
But still, there’s work to be done.
Sure, badass high-profile women like Circadence cyber evangelist Keenan Skelly, The Santa Fe Group and Shared Assessments CEO Catherine Allen and DevCon founder Maggie Louie continue to break molds, blaze trails and make it all look easy. They’re not exactly the exceptions any longer but by no means are they the norm.
“The industry still has a long way to go to involve women in security more,” says Skelly. “As a cybersecurity community, we have to get better at messaging that cyber is everywhere. Cyber is in everything we do. Every job has some element of cyber.”
But if young people don’t “realize that a security track is available to them in these other professions, [it] means that we have a messaging problem,” she says, though the rising number of women in security offer some hope that the message is getting through.
After years of hovering at just over 10 percent, women now account for 24 percent of the overall global workforce, according to a recent cybersecurity survey by (ISC)2 may more accurately reflect women’s ranks, says Deshini Newman, managing director, EMEA, at the organization.
“It’s important to note that we used a different methodology in our most recent study,” Newman explains. “In the past we only surveyed traditional cybersecurity roles, but we’ve made the shift to poll people who apportion at least 25 percent of their job function to cybersecurity. We wanted to get a better sense of who was really doing the work, to match the evolution we’re seeing in IT departments.”
Newman adds that while men still outnumber women in cybersecurity by a three-to-one margin, more women are participating in the field – and they are gunning for leadership positions. She says the data shows that women pursue higher levels of education and more certifications than their male counterparts, and that’s why compared to men, higher percentages of women cybersecurity professionals are reaching positions such as chief technology officer (seven percent of women vs. two percent of men), vice president of IT (nine percent vs. five percent), IT director (18 percent vs. 14 percent) and C-level/ executive (28 percent vs. 19 percent).
“The figures show that women are forging a path to management,” Newman says. “And they are generally better educated and younger.”
For example, while 44 percent of men in cybersecurity hold a post-graduate degree, 52 percent of women hold advanced degrees. Nearly half of women cybersecurity professionals surveyed – 45 percent – are millennials, compared to 33 percent of men. By contrast, Generation X men make up a bigger percentage of the workforce (44 percent) than women (25 percent).
While the overall number of women in the industry has not increased dramatically, “women are making inroads into senior positions marked by the growing number of CISOs,” says Catherine Allen, chairman and CEO at the Santa Fe Group and the Shared Assessments program.
With the addition of McKesson Corporation Executive Vice President, CIO and CTO Kathy McElligott and Schneider Electric CIO Elizabeth Hackenson, Forescout’s board is now one-third female – and headed by a woman, Aspect Ventures Co-founder Theresia Gouw.
To show how far women have come, Tricia Phillips, senior vice president of product and strategy at Kount, recounts a conference call with a bank to discuss security issues while in a previous role. “There were five of us on the call, mostly vice president level, and all five were women,” she says. “That’s progress.”
Indeed, Forrester predicts that women CISOs at Fortune 500 companies will increase their ranks to 20 percent this year – that’s up from 13 percent in 2017 – which tracks with Boardroom Insiders research that finds women hold 20 percent of the Fortune 500 global CIO positions.
In addition to “seeing more women in key roles and at the executive table,” Shauntinez Jakab, director of product marketing at Virsec, says, “women are also being regarded as subject matter experts on specific security topics and as researchers.”
One foot in front of the other
Progress may have come slowly to cybersecurity but it has come. Angela Dogan, director of vendor risk and compliance services at Lynx Technology Partners, sees that “strides have been made in bringing awareness to the fact that women are a minority in security.” She’s “seeing more women becoming interested in security” and answering that call to enter the workforce.
“The one thing the industry has done right is to bring awareness to the fact that there’s a great need for women in security and they are creating opportunities for skill development and mentoring,” says Dogan.
Outreach to women has improved as well. “Many organizations have specifically targeted getting more women and minorities into the field, as well as the professional associations like the International Consortium of Minority Cybersecurity Professionals (ICMCP), and the Executive Women’s Forum, founded by Joyce Brocaglia. Community colleges and universities have developed cyber programs,” says Allen. “The Shared Assessments Program has third-party risk management, which includes cybersecurity and certifications, and encourages women to attend. Girls Who Code and the Girl Scouts both have programs to encourage girls to get interested in coding, IT and cybersecurity.”
Organizations such as Girls Who Code and Cyber Patriot “and more recently Women’s Cyberjutsu have grown over the years and encouraged more young girls to get involved,” says Skelly, who commends the Girl Scouts for adding a cyber badge. “All of these organizations and their initiatives are great ways to introduce young girls to the industry and teach them why it’s important to stay safe online and contribute to this industry in the future.”
Perhaps a more significant shift is what Phillips pegs as a “growing understanding that security in a modern business context is both art and science. It is not just a compliance function; it is not just a technology function. Modern security is the foundation for business innovation and growth.”
The evolving roles of security leaders like CISOs have “opened doors for more women who may not have a computer science background, but who understand the technology landscape of threats and innovation, and who can understand, articulate, and advise about the appropriate balance of business risk and security risk,” she says. “This is an evolution in our understanding of the security function, which has led to a broader net being cast for the right leadership for today’s security leader. That net, more and more, is finding women who are the right leaders for the job.”
Many organizations like Microsoft “have taken a strong stance on diversity and are moving to make incremental changes strategically,” says Jakab, pointing to her own company’s conscious effort to seek out female candidates for engineering and sales positions. “I have also noticed that larger security companies are bringing on females to champion the product teams. Women do look at things differently, thus bringing a new perspective and way of doing business.”
Because companies must “think differently to stay ahead,” Jakab says, “we are seeing more females driving efforts to define, build and position security products. I think the industry may be slowly waking up to the notion that the best person for the job may be the woman over there.”
In addition to acknowledging the need for more diversity, which in return breeds creative problem solving and perspective, Allen sees support for programs and efforts “to encourage girls and women to enter the field” and more women CISOs turning out to be mentors, “bringing other women along.”
And training is more accessible than ever to candidates from all walks of life. “Today, we have many ways to learn cyber – from online classes, to in-person trainings and certifications and credits to support all kinds of professional development needed,” says Skelly. “In addition, I’m pleased to see more organizations turning to internships and apprenticeships to recruit women in cyber to their companies. Inviting young professionals into the field in these ways gives them the space they need to learn and grow and fail and advance.”
And the industry has proven itself “open to adopting new technologies like AI and machine learning to start automating and augmenting the workforce to scale defenses and reach an infinite number of operators (at a much lower cost),” she adds.
We’ve only just begun
As on any long – and sometimes difficult – journey, one question keeps popping up: Are we there yet? The resounding answer: No. “Women are still grossly underrepresented in the cybersecurity industry,” says Skelly. “There’s an air of uncertainty about the field and a misunderstanding that it is ‘too technical’ for women, which we know isn’t true.”
That message has been reinforced, whether deliberately or inadvertently, perhaps because cybersecurity traditionally has been male-dominated and has its roots in military and government organizations.
“The workplace is often hostile to women … especially if they have children. Long hours, lots of stress, 24/7 on call, sexual harassment, ‘boys club’ attitudes, etc.,” says Allen. “There are more women in risk, privacy, compliance and IT, but still not enough to fill the job opportunities in cyber.”
The industry has fallen short “in making security attractive to women and there’s still a significant gap in pay for women in security,” says Dogan, contending that it has failed to truly understand what skillsets employees need. “We are just beginning to become aware that those with all of the technical skill and background don’t necessarily make the best security professionals,” she says. “Soft skills are a major factor in security and we’re struggling with knowing how to teach that.”
The issue of diversity, of course, isn’t limited to women. “While women are increasingly represented in the industry, our most visible ‘personas of impact’ are still lacking ethnic diversity,” says Jakab, who believes the problem runs deeper than matriculation or the inability to find women from diverse backgrounds. “There’s a problem in where we look for new hires. We still need to expand the pool from which we seek talent, to ensure a broader set of applicants that genuinely represent the world in which we live.”
What’s next?
If women in security were on a cross country car trip, they would have seen a few roadside attractions, gassed up and pulled back onto the highway by now with a lot of pavement ahead of them. Where do they – and the industry – go next? There’s no GPS or roadmap to follow to get women to a place where they are on equal footing with men, but there are some things that organizations, enterprises and women themselves can do to arrive at equality and parity.
Get out a broader message. “We need to do more to explain what security really is about. It isn’t just threat hunting or working in a SOC. Security is about anticipating the next threat and preparing for it – it is about having a broad understanding of business objectives and placing security in the appropriate context to both protect the business and enable new business opportunities,” says Phillips. “That is a very different picture than the traditional ‘security’ role and I think that it is more appealing to a broader set of women. By redefining and explaining what security is today and what it needs in the future, we demystify it and remove some of the psychological barriers that women have in pursuing these careers.”
Skelly notes that “as our digital footprint has widened, commercial and enterprise and consumers alike have realized that they too are impacted by the advancements in technology and how the interconnectedness of it all influences our daily lives and functions as professionals,” drawing in more women as technology evolves and integrates “into every bit and byte of our digital lives.”
On her appointment to Forescout’s board, Hackenson noted the reach of cybersecurity into every facet of business. “As a CIO of a digitally transformed company, cybersecurity is now a daily focus with the rapid proliferation of IoT within the enterprise and at the convergence of IT and OT in our factories,” she said in a release.
Recognize women’s accomplishments. Recognition can take many forms. “For example, when you save millions of euros and the case you resolved is shown on national TV. Also when a customer’s team appreciates your help and sends you a thankful letter,” says Ralitsa Miteva, business solutions manager, fraud detection and prevention, at OneSpan. “Or when after working really hard on a request for a proposal during a vendor selection process, you win and receive great feedback.”
Contending that men’s accomplishments are often promoted more prominently within organizations, Miteva says, women’s voices need to be heard and their contributions to a company’s success duly applauded. “We need to break the stereotypes,” she says. “We need to promote more female success stories.”
Just “getting women in the door in the first place” is a massive challenge, says Becca Stucky, senior director of demand generation and programs at Thycotic. Hiring women at tech companies is hard. “When women look at a company for their role models, for proof that the time and effort and self they pour into the company will be rewarded, they definitely don’t find resounding confidence.”
Broaden outreach. “Women are well-suited for, and extremely talented at technical fields such as information security, security engineering, and AI engineering; however, recruiting and retaining women in these fields is not where it needs to be,” says Skelly, urging the cybersecurity community to get the word out that cyber is part of everything.
Improve hiring practices. “The issue of gender representation in cybersecurity has gotten much more attention in recent years, which is leading to better outreach programs for women in college and high school, and a stronger focus on removing screening and hiring bias,” says Phillips.
Create a mom-friendly environment. “Part of the secret to hiring women is keeping the women you have and growing them up,” says Stucky. “Companies have to get women into leadership roles at every level and that means having an environment that promotes women and that helps them stay opted in.”
She takes issue with Facebook COO Sheryl Sandberg’s concept of leaning in, contending it doesn’t work for women with kids, aging parents or family members who require their care.
Plus, “it’s a recipe for burnout,” she says, explaining that while she answered this reporter’s questions she was nursing an eight-month-old baby and mentally running through dinner options. “Women still overwhelmingly take on the burden of managing a home and the invisible labor to remember everything.”
If companies are serious about attracting and retaining women cybersecurity pros, they “need to create an environment where they want to come back so they can rise to those higher levels, even if their parents are sick, even if they’ve had a child,” says Stucky. “That means creating teams where work life balance is encouraged and supported for the entire team.”
Stucky suggests companies offer new moms at least 12 weeks paid leave, ensure they have a private room to pump and give them a reduced schedule. “Babies often go to bed at 7:30. If a working mom is full time, that means she might get one to three hours tops with her new baby,” she says. “I know moms in all kinds of industries who leave their job because of this alone.”
Close the pay gap. If that seems like a no-brainer, that’s because it is. Equal work demands equal pay. Do it already.
Use technologies like AI to level the playing field. “We have begun to use AI and machine learning to augment and automate our lives; how do we ensure we are teaching it the ‘right’ things? Are we teaching without bias? Are we training algorithms to take race, culture, sex and class into consideration? Are we building the every-person’s AI, or are we building something unintentionally prejudiced?,” says Skelly. “Human beings are innately biased; therefore, it stands to reason that if we are training and programming AI, then by nature we are transferring our personal biases. I think we’re going to get there, but right now the biggest thing we can do is make sure we’re hiring diverse teams, as we’re building the AI.”
Understand and meet the challenge of elevating women. “Try to understand what is keeping more women from choosing the field, getting promoted and/or leaving the field mid-career. Once understood, do something about it,” says Allen.
Start education and inspiration early. “We need to elevate women from the beginning, with earlier outreach regarding technology fields to women and girls in college, high school, and junior high,” says Phillips.
Dogan says her company goes “into the public school system and begins to have conversations about the need for more girls and minorities in the field. We show them that it’s not just STEM and STEAM students that have a chance to be in security. We’ve got to meet them where they’re at and show the students how it can be fun and lucrative.”
Allen recommends aiming “young to get girls interested in IT and math, show them career options with internships and mentoring when they are in middle and high school, then give scholarships, mentoring and internships in college.”
Keep it up. Active recruitment and mentoring programs in one’s early career as well as support mid-career can help companies attract and retain women. “All this has to be based on an understanding of the pivot points and attitudes at each stage,” says Allen.
“I always try to inspire young girls and women to pursue careers in cyber and technology,” says Skelly. “I try to be as active as I can in groups like Cyber Patriot, Girls Who Code, and more recently Women’s Cyberjutsu. I encourage other women in these positions to do the same. Always help your fellow woman whenever you can!”
She says “getting female students and young girls exposed to cybersecurity and AI early in their academic journey is crucial in ensuring we have more women join the industry in the future. Current women in technology need to keep mentoring young girls on the value and importance of cybersecurity and how it’ll impact their lives and the lives of the generations to come.
Share and give back. “We need more women in security and especially more women leaders to inspire young women and to show them that women can be successful in the industry,” says Miteva.
“Women-in-tech programs are a great start. One of the biggest impacts that I have seen is when women in security and technology stand up and instead of defending how they are traditionally qualified for their jobs, they share the diverse path that they have taken,” says Phillips. “They talk about how a large portion of their job is managing fear, sniffing out what is true and credible, and making complex decisions. They talk about the satisfaction of a job that makes a difference in the safety of our society. We need to be candid about what we enjoy and what we don’t enjoy and talk about how a diverse workforce in security leads to better security outcomes.”
Invest personal development. “Let’s show the world we can command this industry. Stay adept in security technologies. Pick an area in which you can develop expertise [that’s] pertinent to your role,” says Jakab. “If you are a technical person, then go deeper to know everything about a specific technology. It is vital with relationships as a woman in security to not only understand security concepts, but you [also] should know how to communicate those concepts to others. Practice.”
Since “unfortunately, some people measure your aptitude by how much you know technically,” she says, “we must show them our technical astuteness is high. You do not have to know everything, but be familiar with technologies for which your business or group is responsible. If you are in a more strategic role, play around with the product your organization offers so that you have a visual for what customers use. I feel this is vital if we are going to be more present in the security industry.”
More to come
As demand for cyber skill grows, so will demand for women to fill openings. “Some industries may be more conducive such as healthcare and financial services,” says Allen. “The career needs to be reframed in how it helps society, not as warfare or gaming. Also roles in privacy, risk and compliance will continue to grow...combining cyber with those careers will help.”
Skelly believes women have more opportunities than ever before to get involved in cyber. “We have entire organizations dedicated to getting more women and girls in the field and events like national cyber competitions that position ‘cyber as a sport’ is an attractive and appealing message to communicate to young professionals and career changers,” she says.
“The other silver lining to the skills gap we are facing today is that people are realizing that we can’t train our way out of the problem and we can’t hire more people the same way we did 5, 10 years ago,” says Skelly. “Threats are evolving and we can’t rely on static training and material to combat the adversary – we need new thinking and persistent problem-solving to address today’s cybercriminals.”
