It's time to broaden the concept of what a career in information security looks like, particularly for women, reports Teri Robinson.
Amid all the hoopla of Hillary Clinton making history by snagging the Democratic nomination for president, it's important to remember it only took 44 years from the time that Shirley Chisholm, the first African-American woman elected to Congress, made her unsuccessful but groundbreaking run at the presidency for a woman to ascend to the top of a major party's ticket.
The climb has not been quite as long and slow for women in information security, although it sure seems that way. But women in the field have yet to reach anything approaching the equivalency of Clinton's milestone.
It's not that the plight of women hasn't been thoroughly deliberated. Repeatedly. On the political stage, the discussion has often been loud, thought-provoking and (sometimes) tinged with sexism – the topics ranging from qualifications to clothing choices to voice modulation to, well, other things that don't bear repeating. In security, the chatter about women has been both laudatory and critical (and even defensive), but by and large boosted the awareness that is the foundation for greater equality between the sexes.
“It's more a top of the mind issue now, more people are aware of it, there are more conversations about how to attract and retain women in security,” says Jewel Timpe, HPE Security Malware Research and Research Communications Manager. Timpe directs HP's Zero-Day Initiative (ZDI) program, which provides zero-day research to mitigate weaknesses in the world's most popular software.
Despite ratcheting up the chatter, women are still under-represented in information security, an industry that quite literally has a shortfall, depending on who you're talking to, of 300,000 to one million skilled workers, and frankly could benefit from a larger universe of qualified personnel.
Yet women remain untapped. The “2015 (ISC)2 Global Information Security Workforce Study” found that the number of women in security is holding steady at 10 percent of the workforce, though retention has dropped a tiny, but significant, bit.
No doubt luring more women into the profession “would lessen the workforce shortfall,” the (ISC)2 report contends.
Still, the incredible growth of the security industry itself means the sheer number of women has increased and they feel less like oddities. “I started practicing law 30 years ago and for years I was the only woman in the room,” says privacy attorney Mary Hildebrand, partner at Lowenstein, who found more of her gender as the privacy space grew.
Shari Steele, executive director of The Tor Project, has seen a similar shift among the ranks of those leading nonprofits in the freedom space where just a few years back most were men.
That women are still underrepresented in the broader arena of IT security, though, is not surprising. Tech companies, in general, despite their stated and often earnest efforts to the contrary, still aren't, by nearly any standard imaginable, diverse. A study from the EEOC noted that “the high-tech sector employed a larger share of whites,” compared to the private sector in general – 68.5 percent compared to 63.5 percent. Asian-Americans make up 5.8 percent of the tech workforce compared to 14 percent overall, and white men constitute 64 percent of tech compared to 52 percent in the private sector. African-Americans account for 7.4 percent (private sector: 14.4 percent) and Hispanics eight percent compared to 13.9 percent. Women weigh in at 7.4 percent of tech.
More troubling than their still smallish ranks is the fact that too few women hold leadership positions. “Women are, in general, underrepresented in senior leadership and information technology roles,” the (ISC)2 study notes. “In terms of senior leadership, in a 2015 global survey of senior executives, an estimated 22 percent of senior leadership roles are held by women.”
Those figures vary by region, though, with women leading at rates of 21 and 26 percent in North America and the E.U., respectively. Women fare much better in Eastern Europe where they hold down 35 percent of senior leadership roles, the (ISC)2 study says. But much of that leadership globally is “concentrated in support roles.” It seems that women are not pulling down CIO positions (four percent), but the 22 percent identified in leadership roles are more likely to have titles like human resource director (27 percent). Only nine percent are CEOs.
Nor do their voices boom as loudly in more public forums. Eyeballing the dais at most major security conferences easily bears that out – women behind the podium are still relatively sparse. With a few exceptions – U.S. Attorney General Loretta Lynch's keynote at the RSA Conference (RSAC) in San Francisco in March, for example – women leaders simply don't grace center stage as often as men.
Nor do they make as much money as their male colleagues. Salaries simply haven't kept pace with men's. Even in an information security subgroup, like governance, risk and compliance (GRC) where women clearly do very well, on average they make 4.7 percent less than men ($115,779 versus $121,513). The gap widens over $120,000 where men are represented in a higher percentage than women (47 percent versus 41 percent).