The cybersecurity industry is still facing a serious numbers problem as too many jobs go unfilled. A recent ESG study found that more than half of companies surveyed (53 percent) reported a significant shortage of cybersecurity skills within their organizations, and 63 percent of organizations aren’t able to provide adequate training for their cybersecurity professionals.

While these numbers are alarming, one has to wonder: What if many of the industry’s most troubling issues could be improved with more women in cybersecurity?

There’s certainly room. In the U.S., women make up only about 20 percent of the cybersecurity workforce. In Canada, the numbers are even worse, with women representing approximately 10 percent of the workforce.

I entered the cybersecurity world 20 years ago, and since then the numbers haven’t improved. What is preventing more women from entering the field? Surely there must be steps that can be taken to improve the numbers and, by doing so, improve cybersecurity in general.

Raising Awareness to Bridge the Skills Gap

Lisa Kearney, founder of the Women Cybersecurity Society, has been in the industry for 24 years, and in that time she has only worked with “a handful” of other women. Last year, Kearney founded the nonprofit to help women and girls interested in the cybersecurity field find good careers and support them so they can remain in the field.

“The impetus for starting the Women Cybersecurity Society was to raise awareness of the challenges for women in the industry and the high exit rate,” Kearney said. “My colleagues, including myself, considered leaving because of bullying, harassment, a lack of recognition, the lack of support, sexism … all those things.”

So in 2018, she decided that instead of complaining about the situation, she would create a support network to further awareness.

“We need to have more resources in place to really not just build the cybersecurity workforce, but also close the gender gap that’s there,” Kearney explained. “Here in Canada, it’s a male-dominated industry with 90 percent men. When you have such a huge gap, our main research has shown a person needs about a 30 percent ratio to feel supported within the industry. So we have a long ways to go when it comes to women.”

Fighting Stacked Odds

If you observe the attendance at any C-suite cybersecurity conference, the gender imbalance is indisputable. When Kearney attended a CSO security conference in New York last year, this reality set in — she found that she was the only woman in a room of more than 100 people.

“The higher you go up the chain, the higher the ratio of men to women,” she said.

According to Kearney, there’s a persistent perception that cybersecurity is for men, that it’s all technical, and that an IT background is required. But this is only the beginning of the problem. Even for women already in the cybersecurity industry, remaining there is an issue.

“Based on a two-year study, 50 percent of women in Canada will drop out of an ICT (information communications technology) in the first four years,” Kearney said. “In my extensive research, it’s largely in part due to a lack of support and inherent bias within the industry. A lot of women and young girls that initially start off interested don’t get the support.”

Kearney is cautiously optimistic. Through the Society, she believes there is huge potential to close the skills gap and bring the community together on these issues.

Enterprise Tips: From Recruitment to Retention

For the enterprise to create positive change, engagement from all departments is required, and it all starts with the hiring process. According to Kearney, groups of women should be recruited because research indicates that this could lead to increased rates of success.

“You need to have policies in place in which HR hires a high percentage of women and builds the workforce that way,” she said. “When you have that, you’ll have a support community in place.”

To accomplish this goal, the Women Cybersecurity Society is helping organizations focus on building a diverse and inclusive workforce. While the tools and techniques an enterprise uses are important, the policies, procedures and practices that need to be enforced are especially critical. Organizations need to look beyond procedures and policies that dictate hiring 30 percent women for the cybersecurity team, for example.

“It has to be enforceable, it has to be practiced, and it has to be carried out,” Kearney advised.

But in today’s wildly permutating landscape, most HR departments and people at the top making hiring decisions lack the understanding of what cybersecurity entails and the demands cybersecurity professionals are facing. So before they put out cybersecurity job descriptions, organizations should ensure that they have a clear understanding of the roles and responsibilities required.

Organizations should also be innovative in their recruitment practices. For example, offering a better work-life balance, flex days and industry training can work wonders in drastically reducing the dropout rate, as Kearney noted.

The Clear Case for a More Diverse Workforce

When it comes to getting hired for cybersecurity roles, success isn’t solely predicated on whether you possess a degree in the field. According to an (ISC)² study, relevant work experience, knowledge of advanced cybersecurity concepts and cybersecurity certifications are the top three qualifications for hiring managers. Furthermore, of the top eight areas that over half of cybersecurity pros surveyed deemed most critical to the field, skill in security awareness was among the top areas of expertise — tied with risk assessment, analysis and management.

It’s apparent that hard tech skills are not always the most valued skills in this field. When I look back on my own cybersecurity experience, it was the “softer” skills that advanced my career. I think we need to get the message across — loudly — that cybersecurity is about so much more than just coding, intrusion detection, security engineering and advanced network monitoring.

The cybersecurity industry needs more women, full stop. It also needs more diversity of thought — more people from different backgrounds with unconventional skills and unique experiences to draw from. With more diverse people in the room, you can serve your diverse customer base much better.

The stats prove this. Given that women CEOs in the Fortune 1000 drove three times the returns of S&P 500 enterprises run predominantly by men, it seems likely that having more women in cybersecurity would bear positive returns as well.

“Women are great multitaskers, they’re great investigators, and they pay great attention to detail,” Kearney said. “Let’s include women and let’s provide support. Let’s become aware of the issues, have a conversation and discuss the difficult things that need to be discussed and acknowledged. Then, let’s build a solution. It is the only way forward.”

More from CISO

Poor Communication During a Data Breach Can Cost You — Here’s How to Avoid It

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…

5 min read

Ransomware Renaissance 2023: The Definitive Guide to Stay Safer

2 min read - Ransomware is experiencing a renaissance in 2023, with some cybersecurity firms reporting over 400 attacks in the month of March alone. And it shouldn’t be a surprise: the 2023 X-Force Threat Intelligence Index found backdoor deployments — malware providing remote access — as the top attacker action in 2022, and aptly predicted 2022’s backdoor failures would become 2023’s ransomware crisis. Compounding the problem is the industrialization of the cybercrime ecosystem, enabling adversaries to complete more attacks, faster. Over the last…

2 min read

Do You Really Need a CISO?

2 min read - Cybersecurity has never been more challenging or vital. Every organization needs strong leadership on cybersecurity policy, procurement and execution — such as a CISO, or chief information security officer. A CISO is a senior executive in charge of an organization’s information, cyber and technology security. CISOs need a complete understanding of cybersecurity as well as the business, the board, the C-suite and how to speak in the language of senior leadership. It’s a changing role in a changing world. But…

2 min read

What “Beginner” Skills do Security Leaders Need to Refresh?

4 min read - The chief information security officer (CISO) was once a highly technical role primarily focused on security. But now, the role is evolving. Modern security leaders must work across divisions to secure technology and help meet business objectives. To stay relevant, the CISO must have a broad range of skills to maintain adequate security and collaborate with teams of varying technical expertise. Learning is essential to simply keep pace in security. In a CISO Series podcast, Skillsoft CISO Okey Obudulu recently said,…

4 min read