Women in IT Security

Hiring practices

Women are underrepresented in cybersecurity. But, despite bias and other disadvantages, advances are being made, reports Greg Masters.

It's hardly news that jobs are – and will continue to be – available in the cybersecurity marketplace.

More than half of the executives recently surveyed by ISACA, an association for IT and information systems professionals, noted that their companies are facing a shortfall in capable tech workers. But, the challenge is only compounded by the fact that only one in four technology positions is filled by women – despite the fact that nearly 87 percent of those queried for the study, "The Future Tech Workforce: Breaking Gender Barriers," responded that they were concerned or very concerned about the lack of women in the tech workforce.

Although women make up half the overall global workforce, within the tech sector males rule the roost – particularly at the executive level. "Only 21 percent of executives in tech are women – this despite evidence that more women lead to greater innovation and enhanced profitability," the ISACA study stated. Worse news: that number is declining.

A number of reasons are profferred for the scarcity of females in the tech workforce and the dim outlook for improvement. Females face a number of obstacles participating in the tech sector, not least of which is a bias that begins in grade school with a lack of encouragement for girls to embrace STEM fields. The percentage of women receiving computer science degrees has fallen by half in the last 30 years – from 37 percent in 1984 to 18 percent last year, according to Girls Who Code. And this drop comes at a time when more computer scientists are needed than ever before

And, once in the workforce, there's a lack of mentoring and role models. In fact, nearly half the women surveyed by ISACA responded that they experienced a lack of female mentors (48 percent), a lack of female role models (42 percent) and limited networking opportunities (27 percent).

And the pay that tech women receive, compared with male counterparts, stinks too. While females in the tech sector do earn more than women in other sectors, female tech workers earn 18 to 22 percent less than their male counterparts, according to a study from Payscale, an online compensation information company.

Bias against women can be insidious, the ISACA report explained. "It can take subtle forms – from being overlooked in meetings, to having ideas dismissed only to be usurped by male colleagues later, to inexplicably being passed over for promotions."

OUR EXPERTS

Domini Clark, principal, executive & technical recruitment, Blackmere Consulting
Maxine Holt, principal analyst, Information Security Forum (ISF)
Rinki Sethi, senior director, information security, Palo Alto Networks

The meager numbers of women in the tech sector disincentivizes other women from entering the field, the ISACA study found. At the same time, women who are in tech positions often feel disempowered to engage with female role models, find mentors or participate in networking.

But, there are solutions to turn the tide. Companies can pump up their efforts in encouraging more women to apply for tech jobs, as well as do more outreach in providing appropriate training, networking and mentoring for their female workers, ISACA suggested. As well, compensation packages that are fairer and incentives to evolve in the position must be offered, the study concluded.

Challenges women face

The problem begins with the fact that hiring managers often – but not always – hire people like themselves and/or like the previous job holder, says Maxine Holt, principal analyst at the Information Security Forum (ISF). "Cognitive biases mean that we gravitate toward people who are like us," she says. "Given that there is such a high proportion of men in information security – 89 percent according to the latest (ISC)2 survey – and that men are four times more likely to occupy senior positions than women in cybersecurity, the likelihood is that more men will be hired."

The (ISC)2 survey also pointed out a projected global cybersecurity workforce shortage of 1.8 million people by 2022 – surely the projected shortage could be addressed at least in part if the sector encouraged more women to join, she adds.

Rinki Sethi, senior director of information security at Palo Alto Networks, cites another survey, "The 2017 Global Information Security Workforce Study: Women in Cybersecurity," which found that women are globally underrepresented in the cybersecurity profession at 11 percent. "That in itself is the biggest challenge," she says. "Many women enter cybersecurity from backgrounds other than IT, computer science or engineering, yet most jobs require IT experience, computer science or an engineering degree."

This disconnect often makes candidates shy away from open positions because they don't feel they have the appropriate background, Sethi explains. The solution, she says, is companies hiring people from different backgrounds. "Not only will they attract more people from different disciplines, and perhaps attract more women, but they will be more successful in tackling the toughest challenges in the most innovative ways."

Domini Clark (left), principal, executive and technical recruitment at Blackmere Consulting, says she feels strongly that companies around the globe are genuinely looking to diversify their teams and most companies are struggling to fill security positions. "The math is simple: Women make up 50 percent of the population, but only 11 percent of the security workforce." 

Best strategies

The interview process is a step female candidates face in entering or advancing in the cybersecurity field. But, the purpose of the interview process is discovery for both parties, says Sethi. "On one hand, it's an opportunity for the company and the hiring manager to learn about the candidate and what she can bring to the position and the team. On the other hand, the candidate has a chance to get an insider's view of the organization – from team dynamics to company values to the spoken and unspoken culture traits."

The best strategy, Sethi says, is for the candidate to ask questions that help shine a light on which of her past experiences and skills are most applicable and on how individuals can change the mix to inspire positive change and new ideas.

Blackmere's Clark has five tips for everyone interviewing for any position:

Do your homework. While the old adage is true that interviews should meet the needs of both sides, your job is to make sure they know you can meet their needs. Pull that position description apart and analyze what they're really looking for in this new hire. The details they've included will tell you how technical the role is, how realistic the manager is and will give you clues to what problem they're trying to solve with this hire. Then, find someone who works with the company, even if it is just a reach out through LinkedIn. Your recruiter can be a great resource too. Make sure you know your audience before you walk in the door so that you can…..

Project confidence. Go into that room with a clear understanding of what problem the interviewer is trying to solve. Your interviewer is not looking for solutions for how you get the best benefits possible or the perfect percentage in your next wage increase. They have a business problem to solve and they are looking for an expert to solve it. Are you that expert?

Tell your story. I don't mean tell your life story – leave out your personal details as much as possible. Tell the story about how you are the expert in solving that big problem they have. Don't just list the technologies you've used, paint a verbal picture of your accomplishments and your professional passions that will engage your interviewer. Provide examples of where you solved a similar problem for someone else. Don't leave out details like the size and scope of the monster you slayed and be certain to remain authentic as you craft your tale. Highlight the challenges as well as how you handled them. Challenges and mistakes can be an excellent way to present an authentic view of yourself, particularly if you can add a little humor, and make to sum up the example with your success.

Pat yourself on the back. This is something I see a great deal from male candidates. Most are not shy about talking themselves up, while female candidates tend to be a bit more reticent to “boast”. Instead of shying away or giving the credit to others, think of the top five things you've done in your recent career that you are extremely proud of and learn how to talk about it. Own it. 

Guard your pay. Don't talk about what you're making today or even in your last job. The fact is that women are generally paid less than their male counter parts and many HR teams base future compensation off current compensation. If you're getting a 10 percent bump to take this next job, that might sound great. However, if you were underpaid by 10 percent already, you are now up to where you should have been and you're still behind the curve. Talk about a “flexible target” based on market rates for your experience. Let them make an offer or reveal their compensation band before you show your hand. 

Female candidates preparing to interview for cyber positions, says Holt (left) is: Be yourself. "Know what job you have applied for and be clear about what benefits you will bring," she says. "Explain how you are competent to fill the position and be confident in your answers. Be an active listener – and ask questions as well as giving your answer. Over the longer term, candidates can take up opportunities for public speaking to build confidence."

Sethi suggests candidates be prepared to talk about skills, experiences and perspectives. "Share both the wins that you're most proud of and the situations in which you have been most challenged," she says. "These examples are key to showing how you think, how you lead and how you solve problems.

Sethi also stresses the importance of researching the company and the position. "This will help highlight specific critical skills and experiences that demonstrate how you are the best candidate for the job."

Finally, she suggests that candidates bring their passion and ideas to the table. "Throughout the interview process, don't be afraid to test how open the company is to thinking differently."

What are HR departments looking for?

But the question remains: What are HR departments looking for in a female candidate?

Holt says she believes that HR is looking for anything other than a person – male or female – who fits the job description. "Unfortunately, there are few HR functions that understand what is needed in an information security function, therefore HR tends to operate a scattergun approach, obtaining as many CVs/résumés as possible and hoping that one of them hits the mark."

Sethi reframes the question to: how can cybersecurity managers prepare their HR departments when recruiting? Cybersecurity managers, she advises, must partner closely with their HR department throughout the recruiting process. "Even before the job requisition is written, cybersecurity managers need to think about what technical skills the job requires. More importantly, however, cybersecurity managers can help the HR team understand the leadership skills and decision-making courage that the candidates need to have."

At the end of the day, Sethi says, the recipe for success in cybersecurity is a combination of strong technical skills paired with the high potential of leadership, team building and negotiation skills. "There is so much innovation and change within the cybersecurity industry today. Teams need to build the pipeline for thought diversity and welcome individuals who can solve the challenges of tomorrow."

Holt too believes HR personnel struggle when recruiting for cyber talent. Recruiters should be working with the information security function to help develop a workforce plan that identifies the skills needed both today and tomorrow, she says. "The terms cybersecurity and information security suffer from an image crisis, bringing out fears of ‘all things technical' in both men and women," says Holt. "Yes, technical subject matter experts are required in information security, but this is not where it ends."

More importantly, she points out, the function needs individuals and teams who can apply different ways of thinking, can understand the threats to the organization and how these threats might be mitigated, and who has an ability to explain the importance of information security to the rest of the organisation. These people, she says, do not need an undergraduate or masters degrees in information security.

"Women rarely apply for jobs for which they feel they are only partially qualified, whereas men apply for jobs for which they feel at least partially qualified," Holt says. "To encourage more women to apply, job advertisements should focus on fewer requirements to cast the net wider."

Important attributes

When it comes down to it, Holt says it's irrelevant whether a candidate is female or male. "Male and female candidates should be given the same opportunities, and we should not look for different attributes based on gender."

She backs up her assertion citing research studies which have found that teams with equal numbers of men and women achieve more. "They are more likely to experiment, be creative and share knowledge," she says. "Diverse teams deliver better outcomes. Hiring managers should focus the workforce plan on building teams comprising of these different skills, including a mix of men and women."

Meanwhile Sethi says that for any candidate to be qualified, regardless of gender, he or she needs to have the required certifications and technical skills to do the job well. "Nowadays, leadership skills and teamwork as well as clear communications skills are all must-haves."

When dealing with an incident where experts from various functions – including HR, legal and communications – need to work closely together, or when communicating relevant updates to executives, these skills are crucial for success and quick resolution, Sethi says.

"In addition to these foundational attributes, what sets candidates apart is when they share their perspectives and let their passion shine through," Sethi (right) emphasizes.

Clark agrees that the most important attributes for female candidates (and every other candidate, for that matter) is combining technical expertise with the ability to communicate. "This is the most troubling issue for many organizations," she says. "The technical expert with excellent communication skills is sort of like the rainbow Unicorn in the Fangorn forest [it's a Tolkien thing]. If you are that person, make sure your hiring team knows you have earned your technical chops and you can serve as the translator to the business side."

Skills, certifications and experience all have potential value, Clarks add, as long as they are relevant to the environment. "A candidate's résumé may include an impressive list of technology used or certifications achieved, but if the work was done five years ago, it may not apply today."

The rapidly changing nature of technology calls for less focus on specific tools or certs, she explains. "The most important skill to look for may be the ability to quickly learn and apply new knowledge. In addition to asking for an example demonstrating that skill, consider a question related to resiliency. Particularly in security, the tools we use today may not work on new threats. The most impressive candidates will be able to provide details about their ability to think around problems and leverage tools, past experience and creativity."

Personality qualities

Holt says there's an argument to suggest that for women to be successful they need to take on at least some male attributes – such as assertiveness – to get on. "The reality is that this may well be the only way forward at some organizations. However, organizations need diverse teams and diverse leaders to be increasingly successful. The only attribute that women should adopt, if they haven't got it already, is confidence."

Sethi believes that when there is no culture alignment between the candidate and the team, no amount of technical skills and certifications will make the situation positive and successful. "I would encourage all candidates to look for positions in companies where the culture thrives on personality qualities – such as assertiveness, bold thinking, courage – and not being afraid to work hard. These are important qualities for cybersecurity professionals to have."

Candidates will be expected to assess situations quickly, make bold decisions in a short amount of time, have the courage to be the one person in the room to ask the tough questions, and drive results, Sethi explains. "If you enjoy opportunities where these qualities are necessary to thrive and grow, we want you in the cybersecurity workforce!"

To that end, Holt has some words of advice for hiring managers: These recruiters should stop developing job descriptions for open information/cybersecurity vacancies that replicate what the previous holder of that position did, she says. "Instead, think about the minimum skills and qualifications that are really needed to fill that position, and try to limit this to a list of no more than six."

Then, advertise that position, she says. "Yes, you will get more CVs from potential candidates, but these CVs will be more diverse and it is highly likely that they will include more women than you have previously received applications from."

Further, she advises that hiring managers focus on "recruiting in" when sifting the CVs. "Look for reasons that an individual might be able to do the job," Holt says. "Filter the list down again with telephone interviews, followed up by face-to-face interviews for those passing the telephone interview."

This might take a little longer than the usual recruitment process, she says, but will build a more diverse team and likely include more women. 

[sidebar]

Transformation: Begins at home

Domini Clark of Blackmere Consulting offers some suggestions on how to better the situation for women in the IT security field:

  • Create environments where women feel valued.
  • Embolden women to share their ideas and perspectives on security – and really listen when they speak.
  • Encourage young girls to enter STEM fields and make sure they know security is a growing field that needs their help.
  • Transform our security team members into Security Ambassadors who spread the word to high schools, universities and associations.
  • Foster workplace flexibility for all workers, allowing for parenting or other caregiving to be a shared task within families.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.