Where have all the women gone? And how do we get them back? And keep them? While a quick perusal of a cybersecurity conference or a company roster suggests that women's ranks are increasing, the numbers indicate something different.
Some experts, including Kathie Miley, chief operating officer (COO) of Cybrary, an online training firm, now claim that the widely reported 11 percent figure cited for women in cybersecurity jobs in 2016 may actually drop to single digits (nine percent) in 2018. And nearly half the women – 48 percent – are less than experienced, having spent three years or less in the field, according to a soon-to-be-released Cybrary survey.
That's not good for many reasons. Chief among them: gender imbalance in the cybersecurity industry poses a threat to our nation's security at a time when public and private sector organizations must fend off an ever-growing array of cyberattacks. Undoubtedly, attackers come from every conceivable race, religion, sexual orientation, and range of abilities. “If the only people defending us are overwhelmingly from a single demographic orientation, we will fail to protect against evolving attacks,” says Tina Williams-Koroma, founder and president of TCecure LLC and cybersecurity academic innovation officer at the University System of Maryland.
On May 30, the Departments of Commerce and Homeland Security proposed that the U.S. make immediate and sustained improvements to the cybersecurity workforce situation, citing that “other nations are paying greater attention to their cybersecurity workforce needs and the cybersecurity weaknesses of their adversaries.”
Organizations of all types, it contends, must figure out how to increase diversity, proposing “retraining those employed in non-cybersecurity fields and increasing the participation of women, minorities, and veterans as well as students in primary through secondary schools.”
To attract more women, it's important to strip conscious and unconscious bias from recruiting and hiring practices. Having a more diverse selection committee helps, as do specialized services and tools, such as Textio and Diverseo, that can help strip gender information from job candidate CV forms. The job board Workfountain also helps employers focus on job skills needed. Applicants may then fill in skills they possess. With no name or gender data, there's no feeding into unconscious bias when matching skills to needs.
Colleges must also do more to embrace women in science, technology, engineering and mathematics (STEM) especially early in their educational careers. “It's not uncommon for STEM-savvy young women to switch to other majors, often as early as freshman year, if they see no other females in their classes or get discouraged by a bad grade in an introductory class,” says Mark Ciampa, associate professor of information systems, Western Kentucky University.
The nation's K-12 education programs must also adapt to foster a greater focus on cybersecurity education from an early age. Following the massive cyberattack on Estonia in 2007, for example, the tiny nation “implemented broad protections and added cybersecurity training, alongside ABCs in elementary education, to help build a stronger, more protection-minded workforce,” says Maryam Rahmani, global partnership officer at the Global Cyber Alliance (GCA).
Estonia now ranks among the most secure nations in the world.
Lance Spitzner, director of SANS Security Awareness, sees the gender imbalance as less of an HR problem and more of an education challenge. “When I spoke recently at a junior high school, almost no one saw cybersecurity as a career path. We must do better to make this an option before students enter colleges,” he says.
Increasingly, industry observers maintain, organizations see the value of diversity to help them gain an upper hand in cybersecurity protection. “This is why organizations are starting to embrace diversity as a cultural value, and leveraging available tools and services to remove conscious and unconscious bias,” says Joyce Brocaglia, CEO at Alta Associates and founder of the Executive Women's Forum (EWF).
In the last decade, Harvey Mudd College in Claremont, Calif., has achieved success by recruiting more female professors and administrators, and by changing introductory programming classes to focus on practical uses for programming and team-based projects. The number of undergraduate women choosing to major in computer science has grown from 10 percent a decade ago to 55 percent today.
CompTIA, meanwhile, is focused on promoting STEM and cybersecurity opportunities for women. CompTIA's IT Futures Lab promotes cybersecurity training for teens in middle and high schools. “And we partner with TechGirls, which supports girls in IT, along with the Technology Student Association (TSA) which boasts 250,000 student members,” says Elizabeth Hyman, executive vice president of public advocacy for CompTIA.
Machine learning and artificial intelligence (AI) are expected to help reduce recruiting bias. But there's a caveat. “I take AI with a grain of salt in removing bias,” says Williams. That's because product testing and development typically do not include large numbers of diverse test subjects, so the AI algorithms used are often inherently gender-biased.
Williams, for example, has faced challenges re-entering the U.S. following foreign travel. “I never pass through AI-based passport recognition systems on the first try.”
Williams's research shows that's because the AI system's match rate for white males is 99 percent, but only about 42 percent for women of color.
Ciampa maintains greater education about the cybersecurity field is needed, along with more diverse role models to help girls to see potential career paths. “Coding is not a significant element, and most security professionals would argue that a lack of experience in coding should not be a barrier to entering this field, yet this perception causes many women to stay away,” he says.
CompTIA has achieved some success via internships, mentoring and even a ‘women-only’ IT Ready training course, recently run alongside typical co-ed training. Women liked the experience, felt free to ask questions and not worry about slowing class progression. “We are considering more women-only training as a result,” said CompTIA's Hyman.
Organizations, meanwhile, must take a more active role in valuing diversity. “That includes requiring hiring managers to interview a diverse slate of candidates, ensuring that women are included on interview panels and ensuring job descriptions are unbiased,” said Brocaglia.
More role models would also help. When girls see others who have achieved success, they will realize they too can be heroes, much like the social justice warrior and technologist who happen to be women of color, saving the planet in the movie, Black Panther. While it may take considerable effort to make programming more attractive to girls, when little girls believe they can, more will pursue careers in this field.
Top Ten Ways to Knock Bias from Hiring Processes
1. Go back to basics. Strip bias from recruiting processes by investing in tools or processes that can help disguise identities on resumes. “Tools can be expensive, so we turned to one of our trained HR professionals to remove names and any indication of race or gender. This person gives each resume a number, and puts information into our internal template,” says Mischel Kwon, founder and CEO of MKACyber, which provides SOC services. She also founded the Cybersecurity Diversity Foundation to support diversity and inclusion in the field.
2. Check your words and motives. When considering a job candidate, consider whether that person is likable because he is, well, just like you. “In writing job requirements pay attention to ‘aggressive’ words, such as attack, penetration and warrior. Those words are likely not necessary for the role,” says Joyce Brocaglia, founder of the Executive Women's Forum (EWF).
3. Add more flavor. Increase the number and types of people who will vet job candidates. “Are there diverse people on the hiring panel? It's important to carefully select those who will screen potential job candidates,” says Brocaglia.
4. Stop requiring five years of experience. Seek other milestones. “By now, all of the candidates with that much experience are working in the field,” says Kathie Miley, chief operating officer (COO) of Cybrary. Instead, consider focusing on skills such as collaboration, problem solving and practical application skills. “You may want to ask whether a candidate likes crossword puzzles,” says Elizabeth Hyman, executive vice president of public advocacy for CompTIA.
5. Job seekers must project confidence. While men typically will apply for jobs that fit approximately 60 percent of their skillsets, most women won't apply unless they meet 100 percent of a job post's requirements. “Cybersecurity domain knowledge is great, but can it be picked up on the job?” asks Charlotte Jupp, client technical lead, Panaseer Limited. “Girls need to be encouraged from a young age to embrace tough subjects, such as mathematics, and not be told ‘it's ok’ to drop them if they find subjects difficult. Just because something is hard doesn't mean girls should give up,” Jupp says, adding the extra effort is worth it to improve future job prospects.
6. Focus less on gaming, more on problem solving. Women tend to approach problems in unconventional ways. That's why courses such as practical applications of programming tend to attract more female college students, says Hyman.
7. There's more to cybersecurity than programming. Compliance, governance and risk management are often attractive to women. “And jobs that focus on data analytics, artificial intelligence or securing IoT devices are critically important, yet largely unfilled,” says Lance Spitzner, director of SANS Security Awareness, who suggests organizations “seek candidates, such as those with musical talent, and focus on trainable aptitude, rather than traditional certifications and experience.”
8. Seek feedback. Some organizations have sought insight on the hiring experience from newly hired employees to gain their feedback on possible unconscious bias. “Investing in diversity training is also helpful,” says Tina Williams-Koroma, founder and president of TCecure LLC and cybersecurity academic innovation officer at the University System of Maryland.
9. Eliminate the pay gap. Salesforce.com's CEO, Marc Benioff spent $3 million to eliminate the gender pay gap in 2015 and will do it again in 2018 due to adjustments required by firms that the company has acquired since initiating its program. “It's critical to provide continuous monitoring to ensure diversity,” says Brocaglia.
10. Stand up for diversity. Organizations must be willing to embrace cultural diversity. “We lost a senior executive who was unwilling to support our decision to embrace more diverse hiring processes,” says Kwon.
“We understood the benefits, however, and stood behind our decision. Today, you can see a cycle of prejudice creeping into society. We must remain vigilant to address this challenge now and in the future,” she adds.