March 6, 2020 By Josephine Wolff

In March 2017, (ISC)2 published the results of its annual “Global Information Security Workforce Study,” a survey of 19,641 people working in the cybersecurity field across 170 different countries. Of the thousands of people surveyed, only 11 percent were women in cybersecurity.

That statistic, coupled with the report’s conclusion that by 2022, there would be 1.8 million more cybersecurity jobs than people to fill them, spawned a number of op-eds and articles about how crucial it would be to recruit more women to fill that gap.

In the following year, (ISC)2 published the 2018 edition of the same survey, the results of which revealed some good news: In just one year, women had gone from 11 percent of the information security workforce to more than double that figure at 24 percent! (ISC)2 attributed this jump partially to its new approach to finding survey participants, which took a “more holistic look at who is truly doing the work of cybersecurity” and reached out to employees at “organizations of all sizes across public and private sectors,” rather than just focusing on “traditional cybersecurity roles and sectors.”

The discrepancy between the 2017 and 2018 results speaks to how hard it can be to pin down exactly how many women work in STEM and in cybersecurity when the field encompasses so many different roles at so many types of organizations. However we choose to count and classify cybersecurity workers, there’s no question that we need more of them, and recruiting and retaining women and other underrepresented minorities remains an ongoing challenge for organizations around the world.

Existing Research on Recruiting and Retaining Women in Cybersecurity

There are currently several phenomenal organizations and networks helping to train and encourage women in the field. The annual Women in Cybersecurity (WiCyS) conference brings together more than 1,000 students, researchers and industry practitioners working in different areas of cybersecurity for a three-day marathon of talks and networking opportunities and a dedicated career fair. Other opportunities to recruit more women in STEM fields include the SANS Institute’s Women’s Immersion Academy, the Women’s Society of Cyberjutsu and many others.

Aside from engaging with these groups, what can organizations do to recruit and retain women in cybersecurity positions more effectively?

Much of the academic research done in this area relies on conducting interviews with cybersecurity professionals about what sorts of programs they think would be helpful, including internship programs, dedicated mentoring channels and corporate scholarship programs specifically for women. Other efforts have focused on identifying barriers and obstacles to women pursuing careers in cybersecurity.

For instance, based on the survey, women interviewing for STEM and cybersecurity roles often came across as lacking confidence compared to male applicants, and the language and marketing images used for cybersecurity positions seemed more geared toward attracting men. The militaristic culture and language surrounding some cybersecurity workplaces can also be alienating to women, one study found.

Still, very little research has been done to identify the effectiveness of different strategies aimed at overcoming these obstacles.

9 Strategies to Improve Gender Diversity in the Security Workforce

In the absence of clear data about the most effective ways to recruit and retain women in STEM, here are some strategies that organizations should consider trying out.

1. Support Competitions and Scholarships Specifically for Women

Host a security-focused hackathon or a capture-the-flag competition specifically for women that emphasizes hands-on security skills, teamwork and applications to real-world cybersecurity challenges. Alternatively, you could fund scholarships for female students to attend computer science or cybersecurity-related conferences and events.

2. Set Up Internship Opportunities

Provide cybersecurity internship opportunities specifically for female college and graduate students who are studying cybersecurity and related fields, such as computer science, risk management, digital forensics and software engineering.

3. Use Inclusive Language in Hiring Efforts

Advertise cybersecurity positions with language and images that are inclusive of all applicants. Do not reinforce preconceived notions about who the stereotypical hacker or engineer is.

4. Involve Women in Recruitment

Involve senior-level women directly in the interviewing and recruiting processes so applicants are aware early on that there are other women at the firm who work in this field as well as opportunities for advancement within the organization.

5. Provide Opportunities for Lateral Growth

Create professional development programs for new hires in cybersecurity that allow them to rotate through different areas of the company that deal with security. This can help them determine which areas they are most interested in and where they might find the best fit in the long term.

6. Enable Employees to Pursue External Certifications

Provide support for women to engage in external training and certification programs related to STEM and security, such as Certified Information Systems Security Professional (CISSP) training or Certified Information Security Manager (CISM) certification.

7. Consider Women Who Are Rejoining the Workforce

Design a program to recruit women who are re-entering the workforce or pursuing a change in career so they can receive the necessary training and start working in the field immediately.

8. Offer Fair and Equitable Compensation

Compare salaries across cybersecurity roles to ensure that women are not being paid less than men for the same job. On average, according to (ISC)2, women working in cybersecurity have higher levels of education than their male colleagues and are still paid lower salaries.

9. Organize Pathways for Advancement

Organize regular opportunities for women in cybersecurity to network with higher-level executives and managers within the organization to create pathways for advancement and promotion.

Keep Track of Recruitment and Retention Efforts to Establish Long-Term Diversity

It is important for organizations to diligently track the results of these efforts in order to figure out which initiatives are actually attracting more women to the field. Even as more women are entering the cybersecurity workforce, we’re still in the early days of figuring out which factors and initiatives are most important for recruitment and retention. There is still significant work to be done, not just in developing a more diverse workforce, but also in establishing how to sustain that diversity in the long term.
