Guest Blog: Attracting & Retaining Women in Security - Part Two
In my last post, I talked about how the shortage of security professionals and the fact that women make up only 14% of the U.S. cybersecurity workforce have combined to create unprecedented career opportunities for women. I went on to suggest that in order to attract more females to the security profession, we need to start in the middle and high schools. And, I made some suggestions about ways we might do that. In this installment, I’m going to talk about recruiting college-aged women into the field, as well as recruiting high-potential women from other areas within our organizations.
Over the past 5-10 years, there has been significant growth in the number of colleges and universities offering cybersecurity majors and degrees, or offering cybersecurity “minors” within traditional computer science and computer engineering programs. This includes both two-year and four-year programs leading to an associate or bachelor’s degree, and a growing number of graduate programs. Some of these programs are traditional on-campus programs, while others are mostly online. Most of these programs have an experiential component, such as practicums or internships, which gives students “hands on” experience. And, thanks to funding from government agencies and corporations, there are now many scholarships and grants available for students pursuing cybersecurity studies.
Government agencies, like the National Security Agency (NSA) and law enforcement, have been aggressively recruiting students from programs like those described above for many years. However, my observation is that the private sector has been slower to recruit from this growing pool of talent. This is despite the fact that many, if not most, private sector organizations have open security positions. I think that some of this reluctance is because some organizations are clinging to the belief that even entry-level cybersecurity jobs require previous full-time work experience in the field. Not only do I think that this is a fallacy, but I also do not believe that it is a sustainable hiring strategy in the face of market demographics. Fortunately, some organizations are starting to understand this, and are modifying their talent acquisition strategies accordingly to better align with the realities of the job market. One of those realities is that, for cybersecurity, it’s a “seller’s market,” and will be well into the foreseeable future.
There are two things that I think security leaders in organizations can do to tackle this challenge. First, they should establish formal relationships with colleges and universities in their community or region that offer cybersecurity degrees. This means establishing strong relationships with professors and bringing them onsite to meet with their teams to observe how cybersecurity is being practiced in the “real world.” This will enable these professors to go back and be more effective teachers. On the flip side, security professionals can offer to advise on curriculum content and visit college campuses regularly to teach a class or lead a seminar discussion on a particular cybersecurity topic.
Second, organizations need to create more internships for students enrolled in cybersecurity programs. Typically, we think of “summer internships.” But, regardless of when they’re offered, it’s my belief that organizations should only offer internships if there is a reasonably good chance that they will be able to offer a high-performing intern a full-time job after he/she earns his/her degree. Further, I think that internships need to be carefully structured to provide a challenging and meaningful experience to a student. Unfortunately, I’ve seen cases where a company viewed interns as “cheap labor” and hired them to do “grunt work” that no one else wanted to do. This is counter to what internships should be about. An internship should be an opportunity for a young person to do meaningful work, such as having a key role on a high visibility project. The objective of an internship isn’t just to get some extra work done… it’s to help a young person decide whether he/she wants to pursue a career in the field. Assigning an intern “grunt work” will most likely ensure that they won’t.
What does all of this have to do with attracting women to cybersecurity? To put it simply, organizations should make an extra effort to target and recruit women enrolled in college cybersecurity programs for the internships they are offering. Further, when selecting mentors for female interns, organizations should try to match the intern with a woman on the cybersecurity team, if possible. It’s not that men can’t be good mentors for young women, but asking a woman to fulfill that role is much preferred. Young women need female role models. For the same reason, college outreach efforts should include successful female security professionals interacting with professors and students.
In addition to looking to college programs for potential female security professionals, organizations should also look internally. A good place to start is within the broader IT organization where the percentage of women is typically higher than on the security team. If given the right opportunity, some of these women might decide to change direction and pursue a security career. In one organization where I worked, we sometimes recruited a high-performing individual from another IT team who was looking for a new challenge to fill a key role on a cybersecurity project team, instead of hiring a contractor for that role. We then used project funds to pay for a contractor to backfill the person we were “borrowing.” In several cases, we ended up hiring the person we “borrowed” as a permanent member of the security team at the conclusion of the project. Some of these hires were women.
When looking for high-performing, high-potential women for cybersecurity roles, an organization should also look beyond IT. According to the 2017 Global Information Security Workforce Study (GISWS), less than one-third of women in director-level, or above, security positions have computer science or technology backgrounds. As we know, not all security jobs are highly technical. There are many roles in security organizations where a person with a non-technical background can learn about the technology on the job. These include roles in governance, risk, and compliance (GRC), security awareness, and consulting, to name a few.
In conclusion, there are many creative ways for organizations to proactively attract women to cybersecurity as a career. The operative word here is proactive. The cybersecurity “pipeline” is not going to be automatically, or organically, filled with women just because it exists and the opportunities are great… it needs to be “primed” via planned and deliberate actions.
In my next post, I’ll discuss retaining women who are already in the security profession. This is an important topic because studies have shown that women leave our profession at a much higher rate than do men. In other words, we can’t just focus on filling the “pipeline” with capable women while the pipeline is “leaking.” We need to better understand why women leave the profession and put programs in place to reduce that attrition.
Dave Stacy, CISSP, (http://dwstacyandassociates.com) is a semi-retired cybersecurity professional with over 34 years of experience in the field. He is currently an independent consultant and advisor.