It was at a high-energy Women in Cybersecurity (WiCyS) conference in Cleveland on March 2022 when Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), excitedly told an audience of 1,700 female cybersecurity professionals that she wanted to see more opportunities to bring women into the field.
“We need to get to 50% of cybersecurity by the year 2030. Think we can do it?” Easterly challenged the audience; a question that was received by cheers and enthusiasm.
At the time, Easterly told press that she was used to setting unreasonable goals.
“Right now, we're at 36.4% women at CISA's workforce, but I think we can get to 50% before 2030. Actually, I'm hoping we can get there before 2025,” she said at the event.
A year and a half after that goal was announced, SC Magazine wanted to know: How’s it going?
According to Kiersten Todt, former chief of staff at CISA and still a senior advisor to the agency, they have seen progress, but the objective is not simply to hire for the sake of hiring women.
“What we don’t want is to set goals that are a ‘check-the-box’ exercise,” she told SC Media in an interview. “We’re trying to create organic growth and development that is meaningful for both the short term and long term.”
Todt said the agency currently has 38.5% of employees that identify as female. A year after the initial announcement was made in March, CISA signed a Memorandum of Understanding (MOU) with WiCyS that outlines opportunities for the two organizations to formally partner on bringing awareness and building a pipeline for the next generation of women in cybersecurity, something that has been difficult to do through other initiatives.
The Department of Homeland Security (DHS) received authority from Congress to create the Cybersecurity Talent Management System (CTMS), which allows the agency to bypass some of the more onerous aspects of the federal hiring process for cyber roles in 2014. It officially launched in November 2021, and after a slow start, the agency told Nextgov/FCW in August that is has brought on 67 employees through the program thus far.
The partnership between CISA and WiCyS is one of several initiatives in the agency that is part of a larger ongoing mission to recruit diverse cybersecurity talent, because gender diversity is only one part of the goal. In 2021, CISA awarded $2 million in grants to organizations that aim to develop cyber workforce training programs. The NPower and CyberWarrior organizations, are two organizations that received grants. Both are focused on unemployed, underemployed, and underserved communities in urban and rural areas, including women, racial minorities, and veterans.
According to CISA, to date, NPower and CyberWarrior have recruited, placed, and graduated 172 participants combined. Out of the 172 participants, 30 participants have been placed in apprenticeships and 42% of graduates have been placed in cyber jobs.
“There’s an interesting balance to strike,” said Todt. “When you set a goal, you don’t want a ruthless pursuit of that goal. You want to see a more diverse workforce that looks across all identifiers of diversity.”
“Someone here that looks like me”
Clar Rosso, CEO of (ISC)2, a member association for cybersecurity professionals, said that overall, women comprise about 25% of the workforce nationally in cybersecurity. But data pulled from the (ISC)2 2023 Workforce Study, which includes answers from 5,915 respondents in the industry, finds just 18% of women are working in cybersecurity roles in government.
The barriers for entry — and retention — appear steeper in public sector positions, said Rosso. One of those reasons is that there is a lack of women in leadership roles.
“I don’t think one woman at the tippy top is enough,” she said. “Women need people to talk to. We have information that says people think ‘If I don’t see someone here that looks like me, I am going to move on.’ People come to the conclusion there is not a place for them to be successful.”
Jennifer Lyn Walker, director of cyber defense for Gate 15, said she remembers well what it was like to be in the minority in her past roles both working in local government positions and dealing with government agencies while in other roles. But now, in her work with Gate 15 as a provider or cyber defense support and analysis capabilities to WaterISAC (Water Information Sharing and Analysis Center) and Tribal-ISAC, she sees things changing.
“CISA is putting more of a push on hiring women and I see it. I am dealing with more women at CISA and in other government agencies, like the EPA,” she said.
Critical factors to female recruitment
Walker thinks sending the message that many jobs in cybersecurity don’t actually require deep technical skills can help attract candidates who may not traditionally apply for cybersecurity roles, including women.
“Whether it’s a policy person, or a security awareness role, there are many opportunities in the career that go beyond technical skills,” she said.
Rosso thinks another critical piece of filling the ranks with more women is mentorship programs. A study from WiCyS earlier this year on exclusion in cybersecurity found that many times, it’s people in leadership positions who make women feel unwelcome, something that may speak to the lack of mentorship in the industry. Among the 300 respondents, 68% of said leadership is a source of exclusion, 61% said managers were, and 52% said peers.
“Maybe you can’t get a mentor in your current job, but can you find one in the cyber community that may help you in your career? Someone who can help you assess the job descriptions? Or provide feedback on ‘how should you be presenting yourself in an interview?’ Or how you can get exam ready when preparing to sit for a certification test? All those things will help with getting women in cyber.”
Dara Gibson, senior cyber insurance manager at Optiv and president of an Arizona-based chapter of WiCyS, says WiCyS is focused on providing opportunities for people to learn about cybersecurity as a means of getting more women interested.
“Our local affiliate in Arizona provides mentorship, professional networking to expand business opportunities and education through in-person and virtual training sessions,” says Gibson. “We also provide free opportunities to attend local conferences to learn more about cybersecurity and the people within the industry.”
And Todt also says the need to recruit a more diverse cyber workforce expands well beyond public sector walls. Ultimately, partnership between public and private sector efforts will be essential to filling out the cybersecurity workforce of tomorrow.
“You no longer go into a government job and stay 25 years,” she says. “The product CISA is building also has industry benefits because there is an important need for professionals to shift back and forth. After working in private sector jobs they can come into government, they can take lessons learned, and apply them.”