Cybersecurity still has a gender diversity gap and a huge talent shortage, but the industry is making progress — albeit slowly. A recent study by Cybersecurity Ventures predicted that women in security will comprise 20 percent of the global workforce by the end of 2019. One in 5 security positions held by women isn’t equity, but it’s a significant improvement; in 2013, women made up only 11 percent of the cyber workforce.
Women are becoming more engaged in the security profession, but they’re still lagging behind the overall technology industry, which is made up of 26 percent women. By some measures, the industry hasn’t even reached the tipping point when it comes to females in executive security leadership roles. A Boston Consulting Group study found that innovation only improves when the workforce includes 20 percent or more women in management positions. Today, just 13 percent of chief information security officer (CISO) roles are held by women, according to Cybersecurity Ventures.
Conversations about women in security frequently focus on the talent pipeline issue, but the skills gap among job candidates doesn’t tell the full story. The industry needs to focus on more than job vacancies to understand systemic issues related to attracting, compensating and retaining female talent in cybersecurity and how a lack of equity is having a negative impact on the performance of security teams. This holistic perspective on the gender problem in security was a focus at RSA Conference 2019, and it’s a critical conversation for surviving the current threat vector.
“As an industry, we face unrelenting waves of new attacks and business challenges,” said IBM Security General Manager Mary O’Brien in Thursday’s keynote, “Change Your Approach to Get it Right.” “And a little better isn’t going to cut it. We need to be exponentially better.”
Women in Security Turn Out for RSAC 2019
Tech conferences are notorious for gender parity issues, including low participation among women professionals. In accordance with the conference theme of “better,” RSAC made several motions to address inclusion at the 2019 event. Prior to the show, conference organizer Sandra Toms predicted it would attract a 20 percent female attendance, or a projected 8,400 women in security according to last year’s totals.
In an interview with the San Francisco Chronicle, Toms expressed excitement around this record-breaking number of female participants.
“It’s nice to wait in line for a restroom,” she said.
RSAC 2018 drew criticism for a lack of gender parity among speakers, including just one female featured out of 20 keynote speakers. This year, the conference doubled the number of keynote spots to 40 and achieved nearly 50 percent gender parity in keynotes. It also ran a half-day training dubbed “She Speaks” to help women in cybersecurity become more effective at delivering conference keynotes and develop the confidence to reach for new opportunities in the workplace.
Conversations at RSAC 2019 have shifted from talent pipeline problems to the total employee experience, including issues of retention and managing diverse teams. According to Executive Women’s Forum Executive Director Lynn Terwoeds, as reported by the San Francisco Chronicle, women in security are four times less likely to be promoted to executive roles than their male peers — and they earn less when they are. The conference kicked off with a Monday mini-track titled “Solving our Cybersecurity Talent Shortage,” which directly addressed the industry’s gender gap throughout the talent pipeline, from candidacy to employee experience.
Define Your North Star for Diversity Efforts
Doing things differently means committing to new and agile models of working, including a diversity of talent and thought.
“The most successful teams I have witnessed started by defining their North Star — knowing where they are and where they want to go and communicating that to the entire organization,” said O’Brien in her keynote. Speaking to her experience working with the most effective and secure organizations, O’Brien noted that “agile security teams include more voices that offer different perspectives to target the real weaknesses.”
The bottom line is that organizations need to achieve inclusive hiring practices to create diverse teams, and they must establish equitable work environments to retain women in security. According to Equili CEO and founder Elaine Marino, 50 percent of women in technology careers leave their jobs within 12 years — twice the rate of male tech professionals. In her Monday presentation titled “Retain and Recruit a Diverse Talent Pool,” Marino called for organizations to rethink every step of the employee experience and create agile teams by:
- Creating gender-neutral job-postings and tapping new talent pools;
- Implementing bias-neutral methods of candidate screening;
- Adopting and refining new interview methodologies;
- Committing to equal pay and benefits in job offers;
- Establishing inclusive and safe onboarding practices; and
- Fostering a respectful culture and paying attention to employee signals.
When Engaging With Youth, It’s Not All About the Money
The key to nurturing tomorrow’s cybersecurity talent pool is continuous engagement with middle school students, said Mandy Galante, director of the Information Technology Institute at Mater Dei Prep High School and the SANS Institute. In Thursday’s talk, “Women in Cybersecurity: Finding, Attracting, and Cultivating Talent,” Galante identified key barriers to engagement when working with youth, stating that young female students are statistically less motivated by money and job security. While money is appealing, it’s not enough for students to gravitate toward a career field, and few teenagers have the wherewithal to track future career choices to job market availability.
Instead, Galante said, young female teens are motivated by the concept of making a difference in the world and earning recognition. Galante and her co-speaker, Michele Guel, distinguished engineer at Cisco, challenged women in security to foster tomorrow’s talent and support workplace equity by:
- Forming a visible connection with young students to encourage future careers;
- Maintaining the connection through college with career fairs and workshops;
- Fostering interest with technical trainings, boot camps and technology conferences;
- Creating internal and external career opportunities for women; and
- Offering flexible working arrangements to both women and men.
Youth outreach and education doesn’t need to be confined to the classroom. In her keynote titled “(Girl) Scouting for Talent: The Solution for the Next Generation,” Girl Scouts of America CEO Sylvia Acevedo described what her iconic organization is doing to expose young girls to technology skills, including partnering with technology companies to develop science, technology, engineering and mathematics (STEM) badges and programs designed to prepare girls for careers in cybersecurity.
“Cybersecurity is our voting systems and our water,” Acevedo asserted. “When someone says ‘We can’t recode that sensor,’ we want women in the room who are able to say ‘Yes we can. I did that in middle school.'”
To build confidence and critical thinking skills that transfer across disciplines, the Girl Scouts’ STEM exercises are primarily hands-on activities that require minimal devices.
“I break problems into little pieces, try different solutions. There’s more to it than just numbers,” stated one Girl Scout in a video shown by Acevedo. “Maybe I’ll be a rocket scientist one day. Or a cybersecurity engineer.”
Women Bear the Brunt of Cybersecurity’s Burnout Problem
The issues described in “Cybersecurity’s Dirty Little Secret” don’t apply strictly to women, but they may have a disproportionate impact on women in security. According to Karen Worstell, CEO of the Risk Group, and Selena Worstell, executive editor of ISTP Magazine, burnout is the real industry crisis, and the cost to organizations is staggering. Statistics shared during their presentation revealed that:
- More than half (57.16 percent) of cybersecurity professionals identify as “burned out”;
- Forty-one percent of security workers say “crisis management” is “normal”; and
- One-fifth of cyber professionals have stress-related health problems.
The solution is to initiate a cultural change and create an environment that contributes to growth and self-care. CISOs must work to understand how the workplace culture and job responsibilities impact employees of all backgrounds and demographics. For many organizations, this could include creating more flexible workplace arrangements, offering new benefit structures or pursuing cultural change to support better work-life balance.
It’s Time to Remove Invisible Barriers to Gender Equity
While RSAC 2019 organizers have yet to confirm whether the 28th annual conference indeed hosted the predicted 8,400 women, the eyeball test found participation among female cybersecurity professionals to be at a record high. The keynote speaker agenda featured more women technology experts than ever before. The conversation has shifted to addressing security’s gender problem holistically by creating a better overall employment experience for women in security. Progress has been made toward creating gender parity in the security industry, but there’s still a long way to go.
When Symantec Chief Information Officer (CIO) Sheila Jordan asked a predominantly female room of attendees if they’d ever experienced gender bias in the workplace, nearly every hand went up. The attendees shared stories about how women felt compelled to “self-edit” before speaking, faced invisible barriers to progress and perceived a lack of support.
Hiring and retaining diverse talent, including women in security, is imperative to a better and more secure future. Incremental progress is no longer acceptable. It’s time for leaders and organizations to recognize gender parity as a North Star and collaborate around workplace equity.