When I first started in the cybersecurity industry in the 90s, I was an oddball: a 20-something ethical hacker – and female. A couple decades later, I'm still waiting for women in the industry to budge above 11 percent. This is a depressing statistic. And as a reasonably prominent representative of that minority, I'm often brought out on stage to once again answer the same lingering question: Why aren't there more women in the cybersecurity industry?
Now forgive me if I seem a bit tart on the subject, but asking the same question year after year, with no meaningful improvement, is getting a bit old. Somehow the way we're asking and answering the question is doing nothing to attract and retain more women to this critical and growing field – a field which desperately needs more participants, but also the perspectives and sensibilities that women bring.
We should ask a better question: Why aren't more women choosing to enter cybersecurity? If we look at the numbers, it's not really a retention issue, it's a problem of getting women to enter the field in the first place. Let's next stop repeatedly asking why “women” as a monolithic group make their decisions. We're not a herd that makes decisions en masse. Let's instead zero in and ask why “a woman” makes the decisions she does.
So I'll volunteer myself, and share the considerations and tradeoffs that drove my decision to enter and stay in this industry.
There were no barriers to entry. Unlike today, all I needed to land my first job were “trade school” network engineering certifications, an aptitude for security analysis and a willingness to learn. Today the hurdles are higher and more expensive, with an emphasis on post-secondary and master's level degrees in cyber. I worry that these stringent requirements artificially constrain the candidate pool. Let's face it, in a world where we're so short-staffed we'd hire a codfish if it had a pulse and could parse a PCAP file, these educational requirements seem misplaced.
Great benefits. When I began my career in tech I was a single mom, newly and solely responsible for two very young children. The company I worked for offered me a flexible schedule and full health and dental insurance – both of which I needed, with a son born with two rows of teeth (no joke, just like a shark). These benefits were extraordinarily meaningful to me, and over the course of my career, my anecdotal sense is that robust benefits are more motivating to women than to men (this may explain why most women in security go to large companies that tend to have better benefits).
I felt needed. Over the years I have often found that women and men take different approaches to problem solving, particularly under stressful situations. At the grave risk of generalizing, I've observed that where men can urgently drive to solutions without looking at all the angles, women can bring a holistic and methodical perspective that assesses multiple courses of action. In this, as in all areas, diversity of thought is invaluable, and I was fortunate in that I had the opportunity to work in companies where the diversity of perspective – though not necessarily diversity of gender – was appreciated and applauded.
While I'm only one example of a woman in the cybersecurity industry, I'm still sadly one of the few. Let's change that. I challenge my fellow industry leaders (both men and women) as they ponder the great cybersecurity employment gap to think less about the roles they want to fill and instead examine their corporate culture and benefits to better attract women to the cybersecurity workforce. I'd love to share my stage with you.