March 8, 2023 By Zuzana Babicova

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of the workforce growing by almost half a million year over year in 2021, per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made up 24% of the global cybersecurity industry. Do we need to be concerned with the gender diversity gap?

Yes — simply, it is the right thing to do.

Cyber includes “people, processes and technology,” wherein the first two involve the human aspect significantly, as IBM Vice President Dimple Ahluwalia points out. To expand on people as an example, female internet users experience more cybercrime than their male counterparts. This raises the question: how do we create a safe space with women in mind?

Having more women in cyber, as in other parts of society, will help continue an unfinished journey toward the equality of women. It will take another four to five generations to reach equality: almost 132 years, according to research from the World Economic Forum.

The industry continues to address the skills and gender gap by:

Illustration by Maria Bradovkova

How can cybersecurity attract more women?

To answer this question, the industry should consider the following:

  • Do we have enough female graduates from STEM? Are there other STEM-related disciplines that we are not looking at?
  • Are we assessing the necessity for technical skills?
  • What is the perception of the industry?

What is the percentage of women with STEM and related degrees?

The cyber profession is viewed as suitable for those who graduate from IT. Nowadays there are programs that avoid expensive or lengthy degrees, though a university education in the right discipline is still preferred. Some have created an assessment, like ISC2. The ISC 2022 report concludes, “broadening your team’s recruiting efforts beyond just those with IT experience is an opportunity to improve your risk mitigation strategy.”

According to the UNESCO data collection, only 31% of global female students choose STEM. This predicts a problem if STEM education is a must. Globally, business, administration and law stood at 27% for women. Here we have an untapped potential for women to move from their degree into a cyber career.

STEM graduates in 2020 were almost twice as often men as women in the EU. There were almost four times more men than women graduates in information and communication technologies (ICT). Women in the EU either equaled or outnumbered men among graduates in business, administration, law, natural sciences, mathematics and statistics.

  • Short-term and mid-term strategy: Attracting female entry-level cyber professionals can start with the industry becoming open to non-ICT graduates. Degrees that predispose women to a cyber career include natural sciences, mathematics, statistics, law and business administration, as well as psychology and criminology. This can show the young generation a career in a relevant industry. This trend has already started. Half of the people under 30 who moved into cybersecurity came from outside of IT.
  • Long-term strategy: Industry and governments need to work to increase the workforce. This is happening in some countries, with good examples shown by the US government, UK government and others.

Beyond trainable technical skills

The cyber profession was, is and, for the right reasons, will remain typically the field of IT — for people with technical skills. These skills “can be taught with time and effort,” as Dimple Ahluwalia points out. Yet, there are also other skills that may not be gained that easily, if at all.

In the paper “The Future Cybersecurity Workforce: Going Beyond Technical Skills for Successful Cyber Performance,” a group of professionals with military backgrounds highlights the need for the “combination of technical skills, domain-specific knowledge, and social intelligence to be successful.” The social aspect of human behavior on the network is a critical component. There is a need — as former military personnel highlight — for system thinkers, team players, motivated learners, communicators, those with a deep sense of duty, and a blend of technical and social skills. There is a call for the inclusion of categories such as:

  • Organizational type: Those who will be a good fit within the organization
  • Key personality traits: Extraversion, agreeableness, conscientiousness, emotional stability, and openness to experience
  • Personality aspects: Mental agility and cognitive flexibility

All of this raises the question: How are we assessing new entry-level or career-transition professionals? Can we attract more people, and more women, to the field with this view?

Cyber perception

Now the question is why women do not enter the cyber career path, even if they can. Some reasons include:

  • Perception of the industry
  • Lack of awareness of the cyber path
  • Not knowing a role model

As Ian Glover, former president of a UK-based body representing the IT security industry, says, “Although most agree that cybersecurity is welcoming to women (those already inside), the perception from outside the industry is much the opposite. It is clear that this is one of the major challenges we face.”

Another insight tells us that society looks at internet security as a male job. The answers indicate that both society and the industry regard the job more as a male job.

Dana Simberkoff, a highly experienced industry professional, posits that the “gender gap exists not because there are tons of qualified women who don’t want to do the job.” Simberkoff says the industry needs to consider the perception it creates.

The industry still needs change makers. We need more men who will own this change.

“Well begun is half done.” ~ English proverb.

Now, the situation is that “women are in!” But this is not working — yet. In 2016, the National Centre for Women & Information Technology (NCWIT) produced a robust report, “Women in Tech: Facts.”

Three factors why women drop out or do not progress in the field include:

  1. Workplace experiences: Flexibility, managerial relations, isolation, performance evaluations
  2. Lack of access to key creative technical roles (creator versus executors)
  3. Dissatisfaction with career prospects and growth, especially for women of color

Many current workplace conditions do not help women to progress. Yet, women are interested in career progression. How can this be addressed? I advise that it start with awareness raising and discussion. This can lead to potential policy making and programs set up to support women’s career opportunities in the space.

The issues relating to workplace culture are vast. Everyone knows a story of progression success as well as pain in the workplace. At the event “Women in Cyber,” women discussed reasons for quitting their cybersecurity career: “I was the only woman on the team; I had no clear career path, it’s a bro culture, I had no mentors, I was bullied and isolated, the workplace wasn’t flexible or family-friendly, I didn’t feel valued, I wasn’t supported by leadership.”

What can we do?

Empowering women

  • Raising awareness as early as high school and inspiring young women to study STEM subjects
  • Connecting with high schools and offering workshops for women
  • Providing mentorship to women, as Microsoft does as one example
  • Improving the industry image through more publicizing of women, like Accenture and Deloitte do
  • Choosing marketing images that feature both men and women

Managing the accountability

  • Asking women about their workplace experience
  • Policy and guidance to managers to create a culture that includes women
  • Accountability for mapping career progression for women
  • Men and women in the workplace can be encouraged to have conversations about biases — having a conversation is the beginning

Job criteria evaluation

  • Gauging where technical skills aren’t needed
  • Creating assessments, in addition to lists of skills for a particular role — always calling out where skills can be learned

Women and men with untapped potential and talents can mitigate and get better at removing the cyber challenges our generation faces. With perseverance, we can get ahead of cyber adversaries. I am one example that empowering had a positive impact on my professional life in this industry. Thanks to men and women who did it consciously or unconsciously. We may not see results the next morning, yet picking one solution from the above and getting ready with a half-marathon mindset will get us further.

Will you join?
