In March 2017, (ISC)2 published the results of its annual “Global Information Security Workforce Study,” a survey of 19,641 people working in the cybersecurity field across 170 different countries. Of the thousands of people surveyed, only 11 percent were women.

That statistic, coupled with the report’s conclusion that by 2022, there would be 1.8 million more cybersecurity jobs than people to fill them, spawned a number of op-eds and articles about how crucial it would be to recruit more women to fill that gap.

In the following year, (ISC)2 published the 2018 edition of the same survey, the results of which revealed some good news: In just one year, women had gone from 11 percent of the information security workforce to more than double that figure at 24 percent! (ISC)2 attributed this jump partially to its new approach to finding survey participants, which took a “more holistic look at who is truly doing the work of cybersecurity” and reached out to employees at “organizations of all sizes across public and private sectors,” rather than just focusing on “traditional cybersecurity roles and sectors.”

The discrepancy between the 2017 and 2018 results speaks to how hard it can be to pin down exactly how many women work in STEM, and in cybersecurity specifically, when the field encompasses so many different roles at so many types of organizations. However we choose to count and classify cybersecurity workers, there’s no question that we need more of them, and recruiting and retaining women and other underrepresented minorities remains an ongoing challenge for organizations around the world.

Existing Research on Recruiting and Retaining Women in Cybersecurity

There are currently several phenomenal organizations and networks helping to train and encourage women in the field. The annual Women in Cybersecurity (WiCyS) conference brings together more than 1,000 students, researchers and industry practitioners working in different areas of cybersecurity for a three-day marathon of talks and networking opportunities and a dedicated career fair. Other opportunities to recruit more women in STEM fields include the SANS Institute’s Women’s Immersion Academy, the Women’s Society of Cyberjutsu and many others.

Aside from engaging with these groups, what can organizations do to recruit and retain women in cybersecurity positions more effectively?

Much of the academic research done in this area relies on conducting interviews with cybersecurity professionals about what sorts of programs they think would be helpful, including internship programs, dedicated mentoring channels and corporate scholarship programs specifically for women. Other efforts have focused on identifying barriers and obstacles to women pursuing careers in cybersecurity.

For instance, according to the survey, women interviewing for STEM and cybersecurity roles often came across as lacking confidence compared to male applicants, and the language and marketing images used for cybersecurity positions seemed more geared toward attracting men. The militaristic culture and language surrounding some cybersecurity workplaces can also be alienating to women, one study found.

Still, very little research has been done to identify the effectiveness of different strategies aimed at overcoming these obstacles.

9 Strategies to Improve Gender Diversity in the Security Workforce

In the absence of clear data about the most effective ways to recruit and retain women in STEM, here are some strategies that organizations should consider trying out.

1. Support Competitions and Scholarships Specifically for Women

Host a security-focused hackathon or a capture-the-flag competition specifically for women that emphasizes hands-on security skills, teamwork and applications to real-world cybersecurity challenges. Alternatively, you could fund scholarships for female students to attend computer science or cybersecurity-related conferences and events.

2. Set Up Internship Opportunities

Provide cybersecurity internship opportunities specifically for female college and graduate students who are studying cybersecurity and related fields, such as computer science, risk management, digital forensics and software engineering.

3. Use Inclusive Language in Hiring Efforts

Advertise cybersecurity positions with language and images that are inclusive of all applicants. Do not reinforce preconceived notions about who the stereotypical hacker or engineer is.

4. Involve Women in Recruitment

Involve senior-level women directly in the interviewing and recruiting processes so applicants are aware early on that there are other women at the firm who work in this field as well as opportunities for advancement within the organization.

5. Provide Opportunities for Lateral Growth

Create professional development programs for new hires in cybersecurity that allow them to rotate through different areas of the company that deal with security. This can help them determine which areas they are most interested in and where they might find the best fit in the long term.

6. Enable Employees to Pursue External Certifications

Provide support for women to engage in external training and certification programs related to STEM and security, such as Certified Information Systems Security Professional (CISSP) training or Certified Information Security Manager (CISM) certification.

7. Consider Women Who Are Rejoining the Workforce

Design a program to recruit women who are re-entering the workforce or pursuing a change in career so they can receive the necessary training and start working in the field immediately.

8. Offer Fair and Equitable Compensation

Compare salaries across cybersecurity roles to ensure that women are not being paid less than men for the same job. On average, according to (ISC)2, women working in cybersecurity have higher levels of education than their male colleagues and are still paid lower salaries.

9. Organize Pathways for Advancement

Organize regular opportunities for women in cybersecurity to network with higher-level executives and managers within the organization to create pathways for advancement and promotion.

Keep Track of Recruitment and Retention Efforts to Establish Long-Term Diversity

It is important for organizations to diligently track the results of these efforts in order to figure out which initiatives are actually attracting more women to the field. Even as more women are entering the cybersecurity workforce, we’re still in the early days of figuring out which factors and initiatives are most important for recruitment and retention. There is still significant work to be done, not just in developing a more diverse workforce, but also in establishing how to sustain that diversity in the long term.
