March 10, 2020 By Justin Youngblood 3 min read

The cybersecurity industry has a problem: In 2019, women made up only 20 percent of the cybersecurity workforce. This statistic would be alarming in any industry given the amount of research that espouses the benefits of more balanced, diverse workforces. But it is especially troublesome in cybersecurity, where we already face a serious skills shortage.

So, if we know we stand to gain so much from a more inclusive workforce, what can we do about it? At the end of last year, I made a commitment to myself and my team that we would take focused action to help combat the gender gap in cybersecurity in three areas: representation, promotion and mentorship.

1. Tackle Representation

We are taking a critical look at who we hire and how we hire. I have no doubt that when hiring someone for a job in cybersecurity, candidates who apply are fairly evaluated. But what about those who didn’t apply? You may know the finding from a 2014 Hewlett Packard report: Men will apply for a job if they meet 60 percent of the qualifications, while women will only apply if they meet 100 percent.

While progress might have happened since then, it’s still likely that there are great, qualified and talented women who aren’t applying for a position on my team, or your team. Widen your aperture when looking for candidates internally and externally, think about how you write job requirements, encourage women to go for stretch opportunities and remember the research when a stack of resumes comes across your desk — there are likely talented, qualified female candidates who aren’t in that pile.

2. Help Women Progress in the Organization

My team is committed not only to hiring qualified women in cybersecurity, but also to reviewing all candidates fairly when it comes to promotion. We are committed to looking at the pipeline for success and providing an opportunity to create a diverse slate for review. In addition, we are committed not only to reviewing those who are coming forward, but also prompting others based on their skills, performance and expertise. And we’re using data to do it.

Our leaders are reviewing progression and promotion data and asking the right questions, encouraging women to consider roles that they don’t feel 100 percent qualified for. Remember the Hewlett Packard research mentioned above — women may be less likely to raise their hand for a promotion, so look beyond those who are asking.

3. Become a Mentor

This is a commitment our leadership team made: Every executive, including myself, must commit to mentoring. This is particularly important for upcoming women. Mentors should be both men and women. Sometimes, we focus on finding women mentors for talented women, and that’s great. But as Aarti Borkar, vice president of IBM Security Offering Management, shared with me, “Female mentors taught me I had it in me to fight to win. Male mentors made me realize that I belong.” Both male and female mentors can help women progress in their careers through coaching, support and guidance.

Being a sponsor for women in cybersecurity is also important, though different. Sponsors should be senior leaders who advocate on behalf of their sponsee, helping to advance their career. Anyone and everyone can be a mentor in the organization, starting today. If you’re more senior, up the ante and take on both mentor and sponsor roles for women and men in your organization. You could also benefit hugely from this investment of time — I’ve learned so much from my mentees. Being a mentor can broaden your network and increase your access to information across your organization, so there’s no reason not to get started today.

There are many ways to combat the gender gap in cybersecurity. Business resource groups and diversity and inclusion programs are making great strides to move the needle. But I’m also taking personal ownership for the things that I can do for my team and organization, and doing them today. And you can too — our industry, and the businesses we protect, need it.

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today