Guest Blog: Attracting & Retaining Women in Security - Part Three
In my last two posts, I talked about how the shortage of security professionals and the fact that women make up only 14% of the U. S. cybersecurity workforce have combined to create unprecedented career opportunities for women. I suggested that in order to attract more females to the security profession, we need to start in the middle and high schools. I went on to talk about the importance of recruiting college-aged women to the field, as well as looking within our own organizations for high potential women who might be attracted to security work. Today, I’m going to talk about retention. That’s because getting more women into the cybersecurity “pipeline” is only half the challenge. We need to recognize that the pipeline is “leaking,” and we need to do something about that, too.
According to Catalyst, a global nonprofit organization that works with companies to build workplaces that work for women, women leave the security profession at much higher rate (53%) than do men (31%). That suggests to me that, even if we are able to attract more women to pursue security careers, we can’t hire our way out of the problem of under-representation of women – we also need to fix our retention issues. In order to do that, we first need to understand why women leave.
There have been many studies on this topic. While their conclusions vary somewhat, there seems to be some consensus that the top reasons women leave an organization or profession are: 1) no or poorly defined career paths; 2) “burnout” and home/work balance issues; 3) discrimination and harassment; 4) lack of challenging work assignments; and 5) lack of training and development opportunities. When I look at this list, my conclusion is that there are two major ‘influencers” at work here. Some of the reasons that women leave are influenced by organizational policies & culture, while others are primarily influenced by the “boss.”
Cybersecurity leaders need to partner with their human resources colleagues to create clearly-defined career paths and promotion criteria for security professionals. This will improve retention for both men and women. This should include the creation of both managerial and technical career “ladders.” Over my career, I’ve seen many instances where an excellent technical resource was promoted into a management role because it was the only way for him/her to advance within the company, only to subsequently fail miserably as a “people manager.” As a result, I’ve become a strong believer that there should be a parallel path for technical staff to advance their careers without having to become a people manager. That includes having director or VP-equivalent roles on the technical ladder. Let’s face it, some people are just not cut out to be people managers. That’s not a bad thing, and a person’s career advancement opportunities shouldn’t be limited because of it.
Despite enlightened practices around marriage equality and parenthood that have developed over the last generation, the primary responsibility for childcare and child-rearing still falls heavily on the woman in many families. And, in the large number of single-parent households, it’s the woman who has physical custody of the children most of the time. Both of these factors, coupled with the high demands placed on security professionals (e.g., long and irregular hours, 24/7 availability, etc.), create a lot of pressure for women in cybersecurity roles. This often leads to “burnout.” To counter this and to increase the likelihood that women will stay, organizations need to offer more flexible work arrangements (e.g., flexible hours, job sharing, the opportunity to work remotely, etc.). Further, since access to and cost of childcare is a big issue for many families, organizations that offer benefits, like on-site daycare and childcare subsidies, will be more attractive to women and will contribute to higher retention rates.
A number of high profile cases over the past year and the resulting “Me Too” movement have shined a bright light on the problem of sexual harassment and sexual assault in the workplace. It should go without saying that organizations should have a “zero tolerance” policy for this kind of behavior. But, the issue of workplace discrimination and harassment is often more subtle. This is rooted in the fact that technology has historically been a male-dominated sector characterized by long standing traditions and “habits” that, albeit unintentional, often create a work environment where many women feel unwelcome. Some refer to this as the “bro culture.” In too many organizations, that culture shrugs off bad behavior by men with excuses like “boys will be boys.” Truthfully, that never should have been an acceptable excuse for bad behavior. It most certainly has no place in today’s workplace. Further, this same culture often praises and rewards confident and assertive behavior by men, yet women who exhibit the same behavior are criticized, or even punished, for being too aggressive and “bitchy.” That’s what I mean by “subtle” discrimination.
Many organizations need to acknowledge that this culture still exists and need to develop and implement diversity and inclusion strategies and programs that will lead to meaningful cultural change and the gradual elimination of this “bro culture.” Technology leaders, including cybersecurity leaders, need to make this cultural change a top priority. They need to start by personally modeling the behavior that they wish to see, rather than perpetuating old behaviors that work against creating a diverse, inclusive environment where everyone can thrive.
It’s sometimes said that when a person leaves a company, he/she often isn’t leaving a job, he/she is leaving a “boss.” I can personally attest to the truth of this statement. Over the course of my 35-year security career, I’ve changed jobs six times. In two-thirds of those cases, I left because of my boss. Let’s be honest, a bad boss can “ruin” a good employee, and the boss is often the most important influencer when it comes to retention. I think that this is particularly true when it comes to retaining women.
Many women in security report that they are often not given challenging work assignments by the boss. Despite being qualified, they are often not assigned to high-profile, high-priority projects and often see those roles go to less-qualified male colleagues. Instead, women are often given “supporting” roles or assigned to “back room” functions where they are less visible beyond the immediate team. This is very demoralizing and often leads a woman to conclude that her opportunities for advancement are limited. Eventually, she may leave for the opportunity to be in a more visible role in another organization that is more interested in her abilities than in making assumptions based on her gender.
Similarly, many women report that they are not afforded the same training and development opportunities as their male colleagues. Sometimes, this is because the boss assumes that a woman will eventually leave the organization to start or raise a family, or to follow a spouse who has changed jobs. This assumption sometimes makes the boss reluctant to invest time and money in the employee’s development. This is demoralizing because most employees view the opportunity to attend educational courses and conferences as affirmation that the organization values her contributions and has a positive view of her long-term potential.
To summarize, cybersecurity leaders (the ‘bosses”) need to look closely at their personal behavior and ensure that they not discriminating, whether overtly or subtly, in making work assignments or approving training and development activities. Fairness and equity require that men and women on the security team be given the same opportunities for challenging and meaningful work, as well as for career development.
In my final installment of this series, I will talk about how a strong mentoring program can greatly improve the retention of women in security. And, I’ll offer some suggestions on how women in security can increase their engagement and become more visible within their organization, thereby reducing the likelihood of becoming a “leaver.”
Dave Stacy, CISSP, (http://dwstacyandassociates.com) is a semi-retired cybersecurity professional with over 34 years of experience in the field. He is currently an independent consultant and advisor.