In March 2017, (ISC)2 published the results of its annual “Global Information Security Workforce Study,” a survey of 19,641 people working in the cybersecurity field across 170 different countries. Of the thousands of people surveyed, only 11 percent were women in cybersecurity.
That statistic, coupled with the report’s conclusion that by 2022, there would be 1.8 million more cybersecurity jobs than people to fill them, spawned a number of op-eds and articles about how crucial it would be to recruit more women to fill that gap.
In the following year, (ISC)2 published the 2018 edition of the same survey, the results of which revealed some good news: In just one year, women had gone from 11 percent of the information security workforce to more than double that figure at 24 percent! (ISC)2 attributed this jump partially to its new approach to finding survey participants, which took a “more holistic look at who is truly doing the work of cybersecurity” and reached out to employees at “organizations of all sizes across public and private sectors,” rather than just focusing on “traditional cybersecurity roles and sectors.”
The discrepancy between the 2017 and 2018 results speaks to how hard it can be to pin down exactly how many women work in STEM and how many women in cybersecurity are in the workforce when the field encompasses so many different roles at so many types of organizations. However we choose to count and classify cybersecurity workers, there’s no question that we need more of them — recruiting and retaining women and other underrepresented minorities remains an ongoing challenge for organizations around the world.
Existing Research on Recruiting and Retaining Women in Cybersecurity
There are currently several phenomenal organizations and networks helping to train and encourage women in the field. The annual Women in Cybersecurity (WiCyS) conference brings together more than 1,000 students, researchers and industry practitioners working in different areas of cybersecurity for a three-day marathon of talks and networking opportunities and a dedicated career fair. Other opportunities to recruit more women in STEM fields include the SANS Institute’s Women’s Immersion Academy, the Women’s Society of Cyberjutsu and many others.
Aside from engaging with these groups, what can organizations do to recruit and retain women in cybersecurity positions more effectively?
Much of the academic research done in this area relies on conducting interviews with cybersecurity professionals about what sorts of programs they think would be helpful, including internship programs, dedicated mentoring channels and corporate scholarship programs specifically for women. Other efforts have focused on identifying barriers and obstacles to women pursuing careers in cybersecurity.
For instance, women interviewing for STEM and cybersecurity roles often came across as lacking confidence compared to male applicants based on the survey, and the language and marketing images used for cybersecurity positions seemed more geared toward attracting men. The militaristic culture and language surrounding some cybersecurity workplaces can also be alienating to women, one study found.
Still, very little research has been done to identify the effectiveness of different strategies aimed at overcoming these obstacles.
9 Strategies to Improve Gender Diversity in the Security Workforce
In the absence of clear data about the most effective ways to recruit and retain women in STEM, here are some strategies that organizations should consider trying out.
1. Support Competitions and Scholarships Specifically for Women
Host a security-focused hack-a-thon or a capture the flag competition specifically for women that emphasizes hands-on security skills, teamwork and applications to real-world cybersecurity challenges. Alternatively, you could fund scholarships for female students to attend computer science or cybersecurity-related conferences and events.
2. Set Up Internship Opportunities
Provide cybersecurity internship opportunities specifically for female college and graduate students who are studying cybersecurity and related fields, such as computer science, risk management, digital forensics and software engineering.
3. Use Inclusive Language in Hiring Efforts
Advertise cybersecurity positions with language and images that are inclusive of all applicants. Do not reinforce preconceived notions about who the stereotypical hacker or engineer is.
4. Involve Women in Recruitment
Involve senior-level women directly in the interviewing and recruiting processes so applicants are aware early on that there are other women at the firm who work in this field as well as opportunities for advancement within the organization.
5. Provide Opportunities for Lateral Growth
Create professional development programs for new hires in cybersecurity that allow them to rotate through different areas of the company that deal with security. This can help them determine which areas they are most interested in and where they might find the best fit in the long term.
6. Enable Employees to Pursue External Certifications
Provide support for women to engage in external training and certification programs related to STEM and security, such as Certified Information Systems Security Professional (CISSP) training or Certified Information Security Manager (CISM) certification.
7. Consider Women Who Are Rejoining the Workforce
Design a program to recruit women who are re-entering the workforce or pursuing a change in career so they can receive the necessary training and start working in the field immediately.
8. Offer Fair and Equitable Compensation
Compare salaries across cybersecurity roles to ensure that women are not being paid less than men for the same job. On average, according to (ISC)2, women working in cybersecurity have higher levels of education than their male colleagues and are still paid lower salaries.
9. Organize Pathways for Advancement
Organize regular opportunities for women in cybersecurity to network with higher-level executives and managers within the organization to create pathways for advancement and promotion.
Keep Track of Recruitment and Retention Efforts to Establish Long-Term Diversity
It is important for organizations to diligently track the results of these efforts in order to figure out which initiatives are actually attracting more women to the field. Even as more women are entering the cybersecurity workforce, we’re still in the early days of figuring out which factors and initiatives are most important for recruitment and retention. There is still significant work to be done, not just in developing a more diverse workforce, but also in establishing how to sustain that diversity in the long term.
assistant professor of cybersecurity policy at the Tufts University Fletcher School of Law and Diplomacy