A cultural shift needs to occur in not only recognizing the value that women bring to information security, but in taking substantial actions to encourage their development and advancement. Companies that are successful in attracting and retaining women in IT security have elevated their awareness of conscious and unconscious bias from the time a woman is hired and continuing throughout her career. Techniques deployed include re-evaluating how job descriptions are written, removing applicant names from résumés, and ensuring that there are women on interview panels.
But companies need to go further. Once hired, women in information security often feel like outsiders, unsupported or not respected by their male colleagues. At the RSA Conference, for example, a CISO told me that he just lost a woman engineer whom he had “mentored” and who was one of the best on his team. When I asked him what it was that she excelled at, he said “She could bat her eyelashes and smile and get information that nobody else could.” How effective of a mentor was he if that's what he highlighted as her greatest strength?
Even those companies that are successfully hiring women in information security are having difficulty retaining them. Some of the clients at my recruiting agency have as high as 46 percent of women with five to 10 years of experience opting out of IT security. I believe that's because many companies are just checking the boxes by doing the basics – forming a women's employee resource group or hosting women's leadership webinars, but very few are taking a good hard look at evaluating whether their efforts are really moving the needle forward and investing in conscious leadership development programs early enough in a woman's career to help her build the competencies and resilience she needs to succeed in this male-dominated field.
It's ironic that companies are willing to invest in hiring information security professionals much more than they are in advancing and retaining them. In a single conversation, I can come to terms on a six-figure retained search fee to fill one IT security role, but ask a company to invest that same amount in a year-long women's leadership development program for a dozen women and the response is, “We don't have that kind of money.” Until this shortsightedness changes and companies begin intentionally providing their high potential women with comprehensive leadership development programs, they will never develop and retain a bench of readily promotable female executives.
Finally and most importantly, these women can't promote themselves. It's like a star athlete sitting on the bench raising her hand asking the coach to put her in and having the coach look over her head. Women need sponsors, other men and women within their organization who will have their backs, ensure other executives know their potential for promotions and stretch assignments, and are willing to use their own political capital to further their careers. Sponsorship is the responsibility of every manager.
Whether you are a man or woman in this field, it's a great time to be an information security professional. The demand has never been higher for your skills, budgets and salaries are increasing, and now, more than ever, you have the potential to make a real difference in our industry. If we just stop complaining about only having 10 percent of women in our industry and actually invest in and sponsor the amazing, talented women we have, we'd see that number hit new heights and the industry as a whole would greatly benefit from it. I'm passionate and committed to achieving this goal. How about joining me?
Joyce Brocaglia is CEO of Alta Associates and founder of the Executive Women's Forum.