March 6, 2020 By Josephine Wolff

In March 2017, (ISC)2 published the results of its annual “Global Information Security Workforce Study,” a survey of 19,641 people working in the cybersecurity field across 170 different countries. Of the thousands of people surveyed, only 11 percent were women in cybersecurity.

That statistic, coupled with the report’s conclusion that by 2022, there would be 1.8 million more cybersecurity jobs than people to fill them, spawned a number of op-eds and articles about how crucial it would be to recruit more women to fill that gap.

In the following year, (ISC)2 published the 2018 edition of the same survey, the results of which revealed some good news: In just one year, women had gone from 11 percent of the information security workforce to more than double that figure at 24 percent! (ISC)2 attributed this jump partially to its new approach to finding survey participants, which took a “more holistic look at who is truly doing the work of cybersecurity” and reached out to employees at “organizations of all sizes across public and private sectors,” rather than just focusing on “traditional cybersecurity roles and sectors.”

The discrepancy between the 2017 and 2018 results speaks to how hard it can be to pin down exactly how many women work in STEM and in cybersecurity when the field encompasses so many different roles at so many types of organizations. However we choose to count and classify cybersecurity workers, there’s no question that we need more of them. Recruiting and retaining women and other underrepresented minorities remains an ongoing challenge for organizations around the world.

Existing Research on Recruiting and Retaining Women in Cybersecurity

There are currently several phenomenal organizations and networks helping to train and encourage women in the field. The annual Women in Cybersecurity (WiCyS) conference brings together more than 1,000 students, researchers and industry practitioners working in different areas of cybersecurity for a three-day marathon of talks and networking opportunities and a dedicated career fair. Other opportunities to recruit more women in STEM fields include the SANS Institute’s Women’s Immersion Academy, the Women’s Society of Cyberjutsu and many others.

Aside from engaging with these groups, what can organizations do to recruit and retain women in cybersecurity positions more effectively?

Much of the academic research done in this area relies on conducting interviews with cybersecurity professionals about what sorts of programs they think would be helpful, including internship programs, dedicated mentoring channels and corporate scholarship programs specifically for women. Other efforts have focused on identifying barriers and obstacles to women pursuing careers in cybersecurity.

For instance, based on the survey, women interviewing for STEM and cybersecurity roles often came across as lacking confidence compared to male applicants, and the language and marketing images used for cybersecurity positions seemed more geared toward attracting men. The militaristic culture and language surrounding some cybersecurity workplaces can also be alienating to women, one study found.

Still, very little research has been done to identify the effectiveness of different strategies aimed at overcoming these obstacles.

9 Strategies to Improve Gender Diversity in the Security Workforce

In the absence of clear data about the most effective ways to recruit and retain women in STEM, here are some strategies that organizations should consider trying out.

1. Support Competitions and Scholarships Specifically for Women

Host a security-focused hackathon or a capture-the-flag competition specifically for women that emphasizes hands-on security skills, teamwork and applications to real-world cybersecurity challenges. Alternatively, you could fund scholarships for female students to attend computer science or cybersecurity-related conferences and events.

2. Set Up Internship Opportunities

Provide cybersecurity internship opportunities specifically for female college and graduate students who are studying cybersecurity and related fields, such as computer science, risk management, digital forensics and software engineering.

3. Use Inclusive Language in Hiring Efforts

Advertise cybersecurity positions with language and images that are inclusive of all applicants. Do not reinforce preconceived notions about who the stereotypical hacker or engineer is.

4. Involve Women in Recruitment

Involve senior-level women directly in the interviewing and recruiting processes so applicants are aware early on that there are other women at the firm who work in this field as well as opportunities for advancement within the organization.

5. Provide Opportunities for Lateral Growth

Create professional development programs for new hires in cybersecurity that allow them to rotate through different areas of the company that deal with security. This can help them determine which areas they are most interested in and where they might find the best fit in the long term.

6. Enable Employees to Pursue External Certifications

Provide support for women to engage in external training and certification programs related to STEM and security, such as Certified Information Systems Security Professional (CISSP) training or Certified Information Security Manager (CISM) certification.

7. Consider Women Who Are Rejoining the Workforce

Design a program to recruit women who are re-entering the workforce or pursuing a change in career so they can receive the necessary training and start working in the field immediately.

8. Offer Fair and Equitable Compensation

Compare salaries across cybersecurity roles to ensure that women are not being paid less than men for the same job. On average, according to (ISC)2, women working in cybersecurity have higher levels of education than their male colleagues and are still paid lower salaries.

9. Organize Pathways for Advancement

Organize regular opportunities for women in cybersecurity to network with higher-level executives and managers within the organization to create pathways for advancement and promotion.

Keep Track of Recruitment and Retention Efforts to Establish Long-Term Diversity

It is important for organizations to diligently track the results of these efforts in order to figure out which initiatives are actually attracting more women to the field. Even as more women are entering the cybersecurity workforce, we’re still in the early days of figuring out which factors and initiatives are most important for recruitment and retention. There is still significant work to be done, not just in developing a more diverse workforce, but also in establishing how to sustain that diversity in the long term.
