The number of women in security may have stagnated, but it need not continue to do so, reports Doug Olenick.
The ongoing attempts by the government, private industry and independent organizations to boost the number of women in the cybersecurity field has basically come to naught as the number of females remains stagnant.
Only 11 percent of the cybersecurity workforce is comprised of women, according to the 22-page "2017 Global Information Security Workforce Study: Women in Cybersecurity," by Frost & Sullivan. The report was put together in conjunction with the Center for Cyber Safety Education, (ISC)2, Alta Associates and the Executive Women's Forum. This employment level remains the same as reported in 2013 and is holding steady despite the fact that the industry is screaming for help with the gap of unfilled qualified professions in the field expected to hit 1.8 million by 2022.
“Attracting women to the profession across all regions has the potential to shrink the workforce gap, but only if they can be hired, trained and retained in sufficient numbers,” the report states.
The number of women cybersecurity pros is slightly higher in North America, at 14 percent, with Europe, the Middle East, Latin America, Africa and Asia-Pacific regions all falling between five and nine percent, the report found.
What is particularly shocking is that the female participation rate stayed steady in an industry that saw its membership increase almost 41 percent and that women now comprise the majority of the college graduates in the United States.
However, the number of women in security is not the only thing that is stagnant and causing women to either not enter or leave the industry. Outdated corporate employment practices that do not include women on the interview panel is one problem, but this is made worse by what can only be called Neanderthal-level behavior by some of the men that are already in the field who continue to treat their female counterparts improperly: The report cited that 51 percent of women interviewed said they had endured some form of discrimination in the cybersecurity workforce.
“The stagnation is not only caused by the lack of women entering the industry, but the real problem is women are not progressing into leadership roles and are opting out,” says Lynn Terwoerds, executive director of the Executive Women's Forum.
Many women – and the cybersecurity industry – face an uphill battle even before a woman lands a job, with many female students being pressured to find another career due to their parents' belief that a STEM career is not something a woman should pursue.
“First, there are still deep-seated stereotypes about the kinds of jobs that are appropriate for men versus women,” says Shelley Westman, senior vice president, alliances and field operations at Protegrity. "Many parents unconsciously may be steering girls away from difficult jobs in math and science. I have spoken with many young women who tell me they were discouraged by their parents and others from a career in STEM."
Others view the problem as arising well before a young women even contemplates sending out a résumé. Shamla Naidoo, IBM's global chief information security officer, said many women have the wrong idea about what a cybersecurity job truly entails.
“We need to start connecting with them early in their education to help them learn about the opportunities for them and help them understand that a job in cybersecurity is more than hacking and writing code,” she says.
Westman concurs, adding that events have to be held in middle and high schools that provide young people with an accurate portrayal of the field, dispelling the fiction that it's filled with guys wearing hoodies banging out code.
Limor Kessem (left), executive security adviser at IBM Security, believes that some of what Westman and Naidoo noted is already starting to take hold and this will lead to more women entering the field.
“I'm optimistic that this is going to advance gradually as Millennial women graduate and enter the workforce. According to the Center of Cyber Safety and Education, 52 percent of women under the age of 29 have an undergraduate degree in computer science – that's bound to make a difference right around the corner," she says.
Meanwhile, Terwoerds says she hopes this is true, pointing out that the massive labor shortfall that is now taking place has to be fixed quickly.
Other problems cited by execs in the cyber industry are lower pay for women, lack of promotion and poor hiring practices.
Joyce Brocaglia, CEO of executive search firm Alta Associates and founder of the Executive Women's Forum, says companies are not requiring diversity during the interviewing process putting the onus on hiring manager to take active steps to correct this problem.
“When a company makes an effort, it makes a difference,” Brocaglia says.
The lack of women within the hiring process and in managerial roles are other factors that have led to the stagnant number of women in the industry. “It's a fact of life that we tend to hire people who are like us, even if we do so unconsciously,” says Brocaglia. "So, if men are making most of the hiring decisions, they will end up hiring more men. If you have a woman in a leadership position, there is an increased chance that more women will end up in the organization."
The Frost & Sullivan report found that only one percent of women can be found at the C-suite level, another one percent are in executive management, two percent are directors or middle managers and two percent are managers. Men are between four and nine times more likely to hold similar positions.
The top to bottom lack of women not only limits the cybersecurity industry's ability to fill in its massive employment gap, but it also leaves a gaping hole in an IT security staff's ability to do its job properly. Terwoerds (right) says that successful cybersecurity teams not only need people who bring in a new perspective, but those who have something other than a cyber background.
“Cyber lends itself to someone with an interdisciplinary background, which is something many women have,” she says.
Westman agrees, saying that companies should not get into the position of hiring someone to simply “check off a box,” since there is concrete evidence that adding diversity to a team is a benefit.
“It has been shown time and time again that having diverse teams leads to better results,” she says. "Having diversity of skills and thought is not just nice to have, it's required to improve bottom-line business results."
Kessem points out the salient fact that having only a singular culture does not make for a flourishing environment. “Tech and cybersecurity are in many places a monoculture of sorts, and monocultures don't typically thrive. Diversity is a winning factor both in nature and in business, and just as we need different roles to make an organization excel, we need different types of people to make it work better."
Brocaglia notes that she sees many companies replacing technicians with those who can take a more holistic approach.
Reversing the trend is no simple task, but Naidoo (left) believes another avenue to take is to broaden the potential cybersecurity talent pool by being willing to consider people from outside the field.
“One thing I'm passionate about is searching for talent versus experience, she says. "There needs to be a balance here. Look at any job description. It often requires a laundry list of experience and skills and it can be daunting. These are often a combination of requirements and “nice to have” skills, but often many of the skills can be trained and learned on the job if they have the right attitude, aptitude and creativity."
Westman agrees, saying recruiters, managers and those people who are interested in cybersecurity may not have the traditional skill set, but can open their eyes to broaden their considerations and take a chance.
“We need people from every type of background to join the war on cyber," Westman says. "We need people with excellent communications skills, we need people with deep analytical skills, we need people who can talk with and work with clients. Of course, we also need people with excellent math and computer skills. The point is that we need to change how we sell young women on this industry so they realize the potential of taking a role in the field of cyber.”