In the growing and increasingly important field of cybersecurity, only 10% of professionals are women, according to a report released in September by IT Certification and Security Experts (ISC2). Worse yet, the number actually fell from 11% two years earlier.
"We have a huge workforce shortage," said ISC2 official Elise Yacobellis. "If we brought more women into this field, I believe that gap would lessen."
CIO Dive recently spoke with two female cybersecurity leaders to get their perspective on this issue and what might be done to address it.
"Every time I’m introduced to a female CISO from another industry, such as marketing or finance, I’m reminded of the lack of gender diversity that exists in cybersecurity," said Shanna Gordon, client services director at BrandProtect and a cyber risk and threat expert. "This is no doubt a male-dominated field (and it) always has been."
But there is less evidence of why the numbers are so low. Is it a lack of interest, a discriminatory environment or something else entirely that prevents more women from going into cybersecurity?
"There are discriminatory environments that exist, but it’s certainly also possible to find teams and organizations that are welcoming and comfortable for women in security," said Sherrod DeGrippo, director of emerging threats at Proofpoint. "I do not think it is a lack of interest by any means."
Gordon said the challenge of getting women into cybersecurity begins very early.
"I would argue that the problem actually starts as early as grade school," Gordon said. "The reality is boys tend to be more interested in STEM subjects and professions. The question is: Why? Could it be because girls simply haven’t been pushed as hard to get involved with science and math?"
Colleges only recently started to add coursework designed for careers in cybersecurity. Now that such coursework is offered at the university level, the barrier to entry is becoming much lower for women.
"But we have to begin educating women even earlier—at the high school, even the elementary level," said Gordon. "I think that’s really important. Increasing academic focus on cybersecurity early on will absolutely open doors to women in the future."
Gordon added that girls are now being exposed to STEM professions much earlier than previous generations, which she sees as valuable for the future.
"LEGO recently added a lineup of female scientists to their character collection, which helps give young girls a role model to identify with," she said. "It makes it cool for girls to create and build and I think that type of thing will go a long way in driving more women to the field."
The good news is the field of cybersecurity is growing rapidly, which should help draw a wide array of professionals.
"I believe more opportunities for women will grow organically as the industry evolves and expands to include new areas of focus," said Gordon. "In the past, cybersecurity used to be internal and limited to issues inside the firewall. It was very specialized. Today, thanks to the growth of the digital economy, the areas of risk have expanded exponentially."
Today, cybersecurity is no longer just an IT issue—it’s a major priority and challenge with a diverse set of problems that reach far beyond the firewall, into mobile, the internet and even social media, Gordon said.
"I think that makes security more interesting and accessible, which will ultimately draw more female executives to the field," she said.
What can CIOs do?
While CIOs, human resources and other executives can actively recruit a diverse range of candidates and provide women equal opportunity for positions, there are other actions they can take to help change the trajectory of women in cybersecurity.
DeGrippo suggests CIOs highlight and promote outstanding female employees.
"Infosec is a very socially connected industry," she said. "We know our peers at other organizations and companies quickly build distinct reputations. When an organization is a friendly and supportive environment for women, the word gets out. Promoting that internally leads to external recognition within the infosec community."
Executive leaders should make it clear that hiring and retaining women in cybersecurity positions is a priority, DeGrippo said.
"Sending that message from all aspects of the business is key and does have impact to the wider talent pool in the community," she added.
Women interested in cybersecurity can also take steps to help themselves feel more comfortable in a male-dominated field.
"Networking with other women in infosec has been immensely helpful for me," said DeGrippo. "Having that network of support is a huge asset for knowing you aren’t alone out there and being able to have colleagues to lean on. Even if it’s just an acquaintance or other women in close friendships within the industry, knowing there are other women in the industry is a great feeling."
Gordon said she believes change is in the works.
"I think recently security experts have come to realize the benefit and importance of having a diverse team with both male and female perspectives," Gordon said. "I think the tide is starting to turn and that tremendous opportunity exists for women in the security field."