Women bring new skill sets, but early encouragement, training in grade school and mentoring are all needed to succeed, reports James Hale.
How bad is the gender imbalance in the security industry? It sounds like the setup for a punchline, but although the question elicits a laugh from Kris Lovejoy, general manager of Marlton, N.J.-based IBM Security Services, it really is not a joke.“There's no balance whatsoever,” she says. “Systemically, we don't have enough people in security in general, but there are very few women.”
How few? Few enough that Lysa Myers, a security researcher for ESET, the Slovakian company with U.S. headquarters in San Diego, recalls a conference with so few females in attendance that the women's washroom was converted for male use.
“There's a pretty dramatic shortage of women,” she says. “Most women I meet outside the business are not even aware of security as a career choice.”
OUR EXPERTS: Fostering women
Michelle Dennedy, vice president and chief privacy officer, McAfee, an Intel company
Jamesha Fisher, DevOps system administrator, CloudPassage
Kris Lovejoy, general manager, IBM Security Services
Lysa Myers, security researcher, ESET
Karen Wensley, lecturer, University of Waterlooy
“It's so true,” adds Michelle Dennedy, vice president and chief privacy officer of McAfee, an Intel company, based in Santa Clara, Calif. “We can usually refer to other women in the industry by their first names and everyone knows who we're talking about.”
What is more, Dennedy says she has seen a distressing trend toward women dropping out of the privacy sector, too. “It's not a glass ceiling, it's more like a glass cliff. In many cases, there are enough women in the pipeline, but they are dropping off at engineering schools. It's exhausting to be the only woman in the room. The attitudes you sometimes have to face can be daunting.”
As an example, she tells a story about riding in an elevator in a Las Vegas hotel, on her way to give an early-morning keynote address at a conference. Focused on the task ahead, she paid little attention to the group of men trying to chat her up.
“You're coming to breakfast with us,” one cajoled her. When she walked off with only the merest of acknowledging smiles, he called after her: “Bitch!”
“Why is anyone surprised when women avoid male-dominated environments?” she says.
The numbers show that women largely avoid all aspects of the information and communications technology sector. Statistics from the National Science Foundation show that about 25 percent of those employed as computer scientists are female, while women make up about 17 percent of the engineering profession. While women comprise 47 percent of the U.S. workforce, only one in five software developers is female. Thirty years ago women earned 37 percent of all computer science bachelors degrees, today that number is just 12 percent. By 2020, the U.S. Department of Labor predicts that 1.4 million jobs will be created in computer-related fields, but American graduates are on pace to fill just 29 percent of them.
Among the high-profile technology companies that recently revealed the makeup of their employee base, Google admitted that less than a third of its employees were female, and only 17 percent were in technical jobs. Yahoo's workforce is 37 percent female, and less than a quarter of its senior managers are women.
Specific numbers on security-related functions are hard to come by, so anecdotal information must suffice. What is clear is that the numbers are low.
Karen Wensley, a former partner at Ernst & Young who now teaches business ethics at the University of Waterloo in Ontario, Canada, has studied gender diversity in the technology sector. She says more women are finding employment in non-technical jobs in the field, but change is slow to occur in jobs related to engineering and software.
“I can't say I'm optimistic for the next decade,” she says, “but the tide can turn fast once a tipping point is reached. I saw that happen in the accounting sector. In the 1970s, it was rare to find women there, but by the 1980s we made up half the field.”
Wensley, who conducted a landmark study of gender diversity on the boards of technology companies for the Information Technology Association of Canada, says one of the problems facing the security field is that too many young women perceive the jobs there to be focused on writing code in isolation.
“Women want more teamwork and collaboration than men, and if the security sector wants more diversity it needs to tell its story better. Let girls know what kinds of jobs really exist.”
Myers (left) agrees. “Too many young women think security workers spend all their time sitting in a dark room, breaking things,” she says. “Companies are not doing enough to get the word out on what they need. For example, the sector is starved for people who can communicate upwards well in non-technical terms. If they start to recruit people who are interested in communicating, women will be there.”
Lovejoy, who majored in English and political science, thinks companies should start to identify potential employees as early as middle school. “We need to find young people who are good at problem solving, managing risk and game theory,” she says. “Let's frame the security experience for them, and let them know that how you think and the life experiences you've had are as important as what you studied in school.”
Jamesha Fisher was the kind of student Lovejoy would like to find. “I definitely was not a math nerd,” says the DevOps system administrator at CloudPassage, the San Francisco-based manufacturer of Halo software, “but I got involved in things like Linux and other open-source systems. I liked networking with people and being involved in technically related organizations. That was fun.”
Eventually, her interests led to an internship at Google. Fisher (below) says technology companies need to provide more informal opportunities to young women and offer encouragement to join the industry. “Facebook conducts outreach to high school girls in Palo Alto, for example, but there could be a lot more mentorship.”
Wensley agrees, but says that young women need “focused mentoring” – finding good role models among established women who started out in engineering.
Dennedy believes it needs to go beyond young women finding more experienced women to coach and inspire them. “At this point, it's still really important for women to have male sponsors. You need to find a senior male executive who will say your name when you're not in the room.”
That outlook strikes Vanessa Dawson as outdated. The co-founder and CEO of a New York-based organization called Girls Raising, says: “The idea of having to win male approval is an outdated model. Things have changed, and women need to take advantage of their differences rather than trying to fit into a male world.”
Her organization stages workshops to bring together ambitious young female entrepreneurs and women who are in a position to fund startups, and is also working toward launching its own $10 million venture capital fund.
Dawson believes the stage may be set for the gender imbalance in security to shift. “Young women are gaining a lot of confidence, and an increasing number of businesses are realizing that more diversity – adding a broader range of approaches to problem-solving – can have a positive impact on their financial outlook. They're starting to look at hiring more women from an economic basis and not as a social cause.”
Wensley says her research supports that contention. “The more diverse group you get, the more creative you become,” she says, adding that hiring women – particularly at the highest levels of corporations – is quickly becoming a business imperative.
While she recognizes the importance of culture change within organizations, Lovejoy says ensuring there is a sufficient supply of qualified security workers should be a government imperative. “As we move closer to the Internet of Things becoming a reality, everything will be at risk. We're facing a critical shortage of skilled workers, and that's a problem that needs to be addressed at the nation-state level. We need to incentivize our education system to train more young people in the skills that we'll require.”
Myers says this training needs to start in grammar school. “More girls need to be introduced to the joy of creating things and solving problems. I think one thing that would turn girls on to security is the idea that you can do good in the world and really make a difference.”
She is encouraged by the advent of organizations like Girls Who Code, a national nonprofit that addresses the gender gap in technology through 19 summer immersion programs held in conjunction with companies like Amazon, Microsoft and Twitter.
But are companies doing enough, and does the pessimism for immediate change expressed by senior women like Myers, Wensley and Dennedy mean that organizations need to introduce programs to make hiring women a priority?
Dawson says the young women she deals with balk at the idea of affirmative action programs or hiring quotas.
“They don't want that,” she says. “We know our worth, and truly believe that we'll get there if companies simply look at it as hiring good people, not specifically women.”
Fisher, who says she has never seen many other women around her as she has moved through her first security jobs, agrees that affirmative action is not the solution. “It should be more about creating opportunities and finding the best person for the job. That said, if it comes down to two equal candidates, at this point I'd say companies should choose the female.”