Guest Blog: Attracting & Retaining Women in Security - Part One

According to estimates, there will be a shortage of 2 million cybersecurity professionals worldwide by 2022. At least 500,000 of these jobs are projected to be in the U.S. The U.S. Bureau of Labor Statistics estimated that over 200,000 cybersecurity jobs went unfilled in the U.S. in 2016. If you talk to almost any company today, they will probably tell you that they are already having difficulty filling critical cybersecurity positions. This situation is likely to only get worse. When it comes to cybersecurity talent, it’s a “seller’s market,” and it looks like this will be the case into the foreseeable future.

If you look at the demographic composition of the global cybersecurity workforce today, one thing immediately stands out – the scarcity of women.  The 2017 Global Information Security Workforce Study: Women in Cybersecurity puts the number of women in the field at just 11% globally.  The number for the U.S. is slightly better at 14%, but that number hasn’t changed significantly since the 2015 GISWS study.  That’s discouraging, even though the 2017 survey found that the salary gap between men and women seems to be narrowing, and that there has been a modest uptick in the percentage of women in senior positions.    

Aside from the fact that there’s a lot of cybersecurity work that needs to be done and not enough people to do it, why does under-representation of women in cybersecurity matter? Well, it’s not just about making your organization’s EEO/AA “numbers” look good… or it shouldn’t be. It matters because cybersecurity teams need a healthy mix of skills and diversity of thinking in order to be effective and to perform at a high level. Let’s face it… women think, collaborate, and solve problems differently than men, and a workforce composed predominantly of men can create “blind spots.” And blind spots can get you into trouble and keep you from reaching your full potential.

Think about it.  Doesn’t it make sense that the people who build, implement, and administer cybersecurity technologies and processes should mirror the people who need to interact with and who are impacted by them? Stated differently, why would we exclude the intelligence, creativity, and innovative thinking of half the population in our efforts to develop, implement and administer the security products and processes that protect our organization’s information assets and our customers’ data?  Doing so seems counter-intuitive.    

The confluence of these two factors – the large and growing need for diverse and qualified cybersecurity professionals and the scarcity of women in the field – creates unprecedented career opportunities for women.   And, it challenges recruiters and cybersecurity leaders to find ways to attract more women to the field.  The significant growth in the number of colleges and universities offering cybersecurity majors and degrees, or offering security “minors” within traditional computer science and computer engineering programs, is promising and will help eventually.  But, the growth in these degree programs needs to be coupled with both formal and informal recruitment efforts that target women of all ages.  In other words, the “pipeline” isn’t going to just get filled naturally…it needs to be “primed.” 

I believe that cybersecurity recruitment efforts targeting girls need to start in the middle and high schools.  Statistics show that fifth and sixth grade girls outperform boys in both math and science on most standardized tests.  But, by the time girls are juniors or seniors in high school, the statistics are reversed.  There is no consensus on why this happens and it’s been the subject of much study and debate.  Suffice it to say that there are a number of cultural and socialization factors involved.  I won’t get into those here.  I’ll simply suggest, as have others, that we need to change how we raise and socialize girls in our society if we want more of them to pursue technology careers. (To learn more about this point-of-view, check out the TED talk by Reshma Saujani, the founder of a wonderful organization called Girls Who Code.)

So, where do we start to get more girls interested in security? It can be as simple as cybersecurity professionals, both men and women, talking about careers in the field with our daughters, nieces, neighbors, and other young girls whom we know. We can, and should, try to cultivate any expressed interest in math, science, and technology by encouraging these young girls to enroll in STEM programs that are offered in many schools today. And, we can encourage young girls to participate in organizations like Girls Who Code, Good Girls Write Code, and others like them. These organizations offer a variety of courses, workshops, and summer experiences for girls interested in technology, some of which are free. And, they create powerful peer groups that support and empower their members.

Another approach is to reach out to the guidance department in our local high school and offer to lead a “lunch and learn” session or to speak to computer technology classes about careers in cybersecurity. You can do this on your own, or you can work with your local ISSA, ISACA, or ISC2 chapter leadership to create a speakers’ bureau to perform this type of outreach.   One caveat here is that if you’re a man doing this, it’s a good idea to team up with a female colleague to deliver the presentation.  Role models are important at this age, and girls need to both see and hear from women who have been successful in the field.  Seeing is believing, as they say.

I’ve always believed that we have two core obligations as cybersecurity professionals.  The first is to perform our jobs to the best of our ability to reduce security risk and protect our organization’s information assets.  The second is to make a meaningful contribution to the growth, development, and maturation of the profession, i.e., to “pay it forward.”  Consider paying it forward by doing something to attract more girls and young women to our profession. We desperately need them and the talents and perspectives that they bring to our workplaces.

In my next post, I’ll discuss recruitment efforts focusing on college-aged women, as well as how to recruit high potential women into the field from within your organization.