Why is cybersecurity such a hard industry for women to break into?
After spending hours vetting and interviewing top cybersecurity talent, tech recruiter Katie Owston finally found a perfect candidate. And yet, she was startled when after seven rounds of interviews her chosen applicant had to be coaxed into accepting the role. Not because she didn’t want it, but because she felt intimidated by the thought of joining an almost entirely male-dominated industry.
“I had to literally talk her off a ledge of like ‘you can do this job, you do deserve this job, you wouldn’t be at this stage of the interview if you were not an impressive person,’” said Owston, who is vp of security operations, threat intelligence and information security at technology recruitment agency Glocomms. “It opened my eyes to the fact there are a whole lot of women who haven’t had the support from organizations to be built up and know and feel confident about the value they have.”
It wasn’t Owston’s first experience helping a woman in the industry battle imposter syndrome and it won’t be her last. The cybersecurity industry is growing and has over 775,000 open positions in the U.S. alone today and Google searches for “what are entry level cyber security jobs?” have increased by 1,300%, according to online analytics platform Semrush. Yet, women feel shut out of the industry.
“That number of open positions to me is scary,” said Jeremy Ventura, director, security strategy and field chief information security officer (CISO) at API security company, ThreatX. “We have so many applicants, but why aren’t we filling them? Is it because the industry is not giving people breaking or transitioning into the industry the opportunity to be successful? The answer is yes. We do it to ourselves.”
Cybersecurity has long been male dominated, which means women today are left to question if they are welcomed there, especially when they don’t see any other women in executive roles. Some 75% of today’s cybersecurity workers are men, according to the World Economic Forum. The latest report from the Accenture Cybersecurity Forum Women’s Council found that women comprised only 17% of Fortune 500 CISO positions. And once they are in that role, it may be short lived. The average tenure of a CISO is just 18 months.
The difficulty of attracting women into the industry isn’t necessarily new. However, with the rise of new technology and artificial intelligence, which will require additional cybersecurity, there is a need for more people in the field.
And the women who do decide to take on leadership positions have to carry the burden of paving the way for others that follow. “There is stress of like ‘oh my gosh, can I be this person? Can I take on this burden that will be beneficial in the long term?’” said Owston.
So what are the solutions to both filling these roles and improving gender diversity in the industry? We talked to experts to see where work needs to be done.
Attract talent as early as middle and high school
When it comes to science, technology, engineering and mathematics, aka STEM, curriculums, most people think it leads to predominantly a career as a scientist or mathematician. Few young women know that it expands to roles like cybersecurity because our education systems haven’t promoted the many different paths available. However, it’s incredibly important to engage girls in STEM early.
Boston Consulting Group undertook a global survey of 2,000 female STEM undergraduate students in 26 countries spanning six regions and found that 78% of them had first developed their interest in the field in middle or high school. Owston says that waiting until college might be too late.
There are groups that are set out to help build awareness, like the Forte Group, made up of over 90 leaders in the cybersecurity industry, and Advancing Women in Tech, a non-profit that helps accelerate careers and addresses diversity gaps.
“Women are amazing at paving a path and then being like ‘here’s what I did, here’s how I learned, let me go and spread the good word of this because it was hard for me but I don’t want it to be hard for everyone else,’” said Owston.
If there are a small number of women in the field, it’s harder for that awareness to be built out in a way that spreads quickly. That’s why it helps when men step up and support women in the field as well.
“I got a text this morning where someone was like ‘this woman is opening a cybersecurity division, would you have a call with her?” said Ventura. “I have no idea who she is, but I’m like absolutely. It’s on us and our responsibility to be an ally. It’s absolutely more difficult for women in this male-dominated industry.”
When he attended the RSA conference at the end of April for security leaders, he said at least 80% of the people who came to ThreatX’s booth were male.
“For women, it’s more challenging,” said Ventura. “We need to do our part as cybersecurity leaders. These folks are superwomen and all try to be great mentors.”
But even if someone learns about the field early, Owston said one of the main challenges is that women might pivot to a management role, away from technical.
“The natural progression for women within the space, tends to be if they start technical, there aren’t many that stay technical,” said Owston. “One of the areas for opportunity I’ve seen, especially for younger women, is giving them the training and resources around encouraging them to stay technical if that’s what they want to do.”
Nancy Wang, founder of Advancing Women in Tech and the director of product at AWS, says that there are even instances where a woman has the title of CISO but then isn’t invited to regular board meetings and instead given responsibilities like public speaking and front facing duties.
“Do you really have the influence at the end of the day?,” said Wang. “Or, is your role narrowly scoped? There is opportunity to better scope it into a role that is in the C-suite and boardrooms. The feedback from my community of women CISOs is generally that it’s [the role] not seen as a traditional board member.”
Support and structural changes can have a serious impact
Owston says it’s crucial for women in cybersecurity to have a female mentor or buddy who can be an ally and resource for everything.
“One of the easiest wins is just giving a lifeline of someone who is like ‘I’ve got your back, we are in this together,’” said Owton. “It’s the worst when you go into a situation and it’s like what am I allowed to say? How far can I push? What is acceptable here? What rules can I bend? Having someone you trust, and women obviously trust women, it goes a long way.”
Dr. Cynthia Sutherland, emerging industries lead for security assurance at AWS, and member of Forte, said that having the “wounds from breaking through the glass ceiling” can lead to women keeping their guards up because of what they faced from male peers. Having the resources to open up about those wounds with other women can go a long way.
For companies looking to fill cybersecurity roles, having women on the hiring panels to interview candidates is vital, stressed Owston.
“Then it’s asking questions like ‘what are your career goals? where do you see yourself growing in this position?’ Women are automatically thinking about how they can continue to achieve goals for themselves and the company. Having it upfront can help,” added Owston.
Another small example is that one of her clients announced a new hire during a company town hall, which meant that when the woman joined people already knew her name. It sounds obvious, but those things don’t always happen. Beyond this, though, there are opportunities to create employee resource groups, provide work benefits that specifically attract women, like flexible hours if they are a mother, and continuous sponsorship to ensure their ideas are heard.
Then, there’s also the reality of not having women coworkers, who tend to handle things differently than men. One CISO, who preferred to remain anonymous, told WorkLife that sitting in a room with all men can be a challenge too. She’s had experiences where she would pitch an idea that wouldn’t be considered until a man brought it up himself again weeks down the road.
“Similar to any other role that is not given proper representation is the fact that they’re not able to adequately advocate for themselves,” said Wang.
But ultimately, diversity of all kinds, is key for a team’s success. If that balance of viewpoints and backgrounds is missing, it can have a detrimental effect on a business’ competitiveness. Having additional perspectives can help a team be more innovative. According to a new study by AWS and ESG, companies with mature DEI programs were two times more likely to lead over industry competitors to market by over a fiscal quarter and three times as likely to report beating fiscal year revenue expectations by 10%.
“Diversity drives business value,” said Sutherland. “I was lost in finding a profession that made me feel welcomed. When I realized that women and Black people can be smart, I left that culture looking for what ‘right’ looked like. I found what ‘right’ looked like when I saw other people who looked like me being successful in this profession.”