March 8, 2023 By Zuzana Babicova 5 min read

It is a well-known fact that the cybersecurity industry lacks people and is in need of more skilled cyber professionals every day. In 2022, the industry was short of more than 3 million people. This is in the context of workforce growth by almost half a million in 2021 year over year per recent research. Stemming from the lack of professionals, diversity — or as the UN says, “leaving nobody behind” — becomes difficult to realize. In 2021, women made up 24% of the global cybersecurity industry. Do we need to be concerned with the gender diversity gap?

Yes — simply, it is the right thing to do.

Cyber includes “people, processes and technology,” wherein the first two involve the human aspect significantly, as IBM Vice President Dimple Ahluwalia points out. To expand on people as an example, female internet users experience more cybercrime than their male counterparts. This begs the question how do we create a safe space with women in mind?

Having more women in cyber as in other parts of society will help continue an unfinished journey toward the equality of women. It will take another four to five generations to reach equality. Almost 132 years, according to research from the World Economic Forum.

The industry continues to address the skills and gender gap by:

Illustration by Maria Bradovkova

How can cybersecurity attract more women?

To answer this question, the industry shall consider the following:

  • Do we have enough female graduates from STEM? Are there other STEM-related disciplines that we are not looking at?
  • Are we assessing the necessity for technical skills?
  • What is the perception of the industry?

What is the percentage of women with STEM and related degrees?

The cyber profession is viewed as suitable for those who graduate from IT. There are nowadays programs to avoid expensive or lengthy degrees. A university education in the right discipline is preferred though. Some have created an assessment, like ISC2. The ISC 2022 report concludes, “broadening your team’s recruiting efforts beyond just those with IT experience is an opportunity to improve your risk mitigation strategy.”

According to the UNESCO data collection, only 31% of global female students choose STEM. This predicts the problem if STEM education is our must. Globally, business, administration and law were at the point of 27% for women. Here we have an untapped potential for women to embark from their degree to a cyber career.

STEM graduates in 2020 were almost twice as often men as women in the EU. There were almost four times more men than women graduates in information and communication technologies (ICT). Women in the EU either equaled or outnumbered men among graduates in business, administration, law, natural sciences, mathematics and statistics.

  • Short-term and mid-term strategy: Attracting female entry-level cyber professionals can start with the industry becoming open to non-ICT graduates. Degrees that predispose women to a cyber career include natural sciences, mathematics or also statistics, law and business administration as well as psychology and criminology. This can show the young generation a career in a relevant industry. This trend has already started. Half of the people under 30 who moved into cybersecurity came from outside of IT.
  • Long-term strategy: Industry and governments need to work to increase the workforce. This is happening in some countries, with good examples shown by the US government, UK government and others.

Beyond trainable technical skills

The cyber profession was, is and will remain for the right reasons typically the field of IT — for people with technical skills. These skills “can be taught with time and effort,” as Dimple Ahluwalia points out. Yet, there are also other skills that may not be gained that easily, if at all.

A group of professionals with military backgrounds highlights in the paper, “The Future Cybersecurity Workforce: Going Beyond Technical Skills for Successful Cyber Performance,” the need for the “combination of technical skills, domain-specific knowledge, and social intelligence to be successful”. The social aspect of human behavior on the network is a critical component. There is a need — as former military personnel highlight — for system thinkers, team players, motivated learners, communicators, those with a deep sense of duty, and a blend of technical and social skills. There is a call for the inclusion of categories such as:

  • Organizational type: Those who will be a good fit within the organization
  • Key personality traits: Extraversion, agreeableness, conscientiousness, emotional stability, and openness to experience
  • Personality aspects: Mental agility and cognitive flexibility

All of this raises the question: How are we assessing new entry or transition career-level professionals? Can we attract more people and women with this view in the field?

Cyber perception

Now the question is why women do not enter the cyber career path, even if they can. Some reasons include:

  • Perception of the industry
  • Lack of awareness of the cyber path
  • Not knowing a role model

As Ian Glover, former president of a UK-based body representing the IT security industry, says, “Although most agree that cybersecurity is welcoming to women (those already inside), the perception from outside the industry is much the opposite. It is clear that this is one of the major challenges we face.”

Another insight tells us that society looks at internet security as a male job. Based on answers, it indicates that both society and the industry regard the job more as a male job.

A highly experienced industry professional Dana Simberkoff posits that the “gender gap exists not because there are tons of qualified women who don’t want to do the job.” Simberkoff says the industry needs to consider the perception it makes.

The industry still needs change makers. We need more men who will own this change.

“Well begun is half done.” ~ English proverb.

Now, the situation is that “women are in!” But this is not working — yet. National Centre for Women & Information Technology (NCWIT) produced in 2016 a robust report “Women in Tech: Facts.”

Three factors why women drop out or do not progress in the field include:

  1. Workplace experiences: Flexibility, managerial relations, isolation, performance evaluations
  2. Lack of access to key creative technical roles (creator versus executors)
  3. Dissatisfaction with career prospects and growth, especially for women of color

Many current workplace conditions do not help women to progress. Yet, women are interested in career progression. How can this be addressed? I advise it shall start with awareness raising and discussion. This can lead to potential policy making and programs set up to support women’s career opportunities in the space.

The issues relating to workplace culture are vast. Everyone knows a story of progression success as well as pain in the workplace. At the event “Women in Cyber,” women discussed reasons for quitting their cybersecurity career: “I was the only woman on the team; I had no clear career path, it’s a bro culture, I had no mentors, I was bullied and isolated, the workplace wasn’t flexible or family-friendly, I didn’t feel valued, I wasn’t supported by leadership.”

What can we do?

Empowering women

  • Already at high schools raising awareness and inspiring young women to study STEM subjects
  • Connecting with high schools and offering workshops for women
  • Providing mentorship to women, as Microsoft does as one example
  • Improving the industry image through more publicizing of women, like Accenture and Deloitte do
  • Choosing marketing images that feature both men and women

Managing the accountability

  • Asking women about their workplace experience
  • Policy and guidance to managers to create a culture that includes women.
  • Accountability for mapping career progression for women
  • Men and women in the workplace can be encouraged to have conversations about biases — having a conversation is the beginning

Job criteria evaluation

  • Gauging where technical skills aren’t needed
  • Creating assessments, in addition to lists of skills for a particular role — always calling out where skills can be learned

Women and men with untapped potential and talents can mitigate and get better at removing the cyber challenges our generation faces. With perseverance, we can get ahead of cyber adversaries. I am one example that empowering had a positive impact on my professional life in this industry. Thanks to men and women who did it consciously or unconsciously. We may not see results the next morning, yet picking one solution from the above and getting ready with a half-marathon mindset will get us further.

Will you join?

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today