It’s no secret that women have been overwhelmingly underrepresented in the cybersecurity industry for a number of years. In fact, recent research put forward by (ISC)2 suggests women make up just 10% of the information security profession worldwide, a statistic that remains unchanged from 2013.
In February, non-for-profit organization CREST assembled a workshop, moderated by Infosecurity editor Eleanor Dallaway, designed to discuss the gender gap across the industry, with attendees questioned about the importance of diversity in the STEM workforce. The firm’s aim was to get to the bottom of why women still only represent a tenth of the profession, what’s putting them off and ultimately, what needs to be done to put things right. A whitepaper titled 'Closing the Gender Gap in Cybersecurity' detailing the outcomes from the workshop has since been published.
When you consider that, according to the American Association of University Women, 26% of IT professionals across the globe are female and 9% of engineering professionals in the UK are women (Women’s Engineering Society), it’s clear that security is lagging behind. Whilst there is no lack of opportunity for women in cybersecurity and that the reality of being a woman working in the industry is extremely positive, there just aren’t enough female security professionals – but why?
Speaking to Infosecurity independent cybersecurity consultant Dr Jessica Barker suggested the reasons why there are so few women in the industry are complex.
“It includes what we expect of boys and girls growing up (the toys manufacturers make and market to them, for example) to the subjects parents suggest their teenagers should study and what their peer-groups deem as 'cool', 'weird' or 'geeky'. The fact that the industry is so male-dominated perhaps means the issue is self-perpetuating: when you join a team or attend an event as the only woman, it can feel intimidating or give the impression that you don't belong,” she said.
Options, Misconceptions and Silos
A noticeable finding from the workshop was that many respondents voiced frustration about the lack of computer science options within the education system.
“I was told that there was not enough interest to run such a class at secondary school,” said a Mathematics graduate who has since taken a pen-testing role in an information security company. “But when you don’t know that something is an option, how can you express interest?” she added.
The fact that the industry is so male-dominated perhaps means the issue is self-perpetuatingDr Jessica Barker
Another talking point that cropped up was the simple reality that the number of females who apply for cybersecurity roles is incredibly low, mainly due to the fact that although the industry has changed, perceptions have not evolved at the same rate. “It’s crucial that we portray IT as being ‘normal’, and not geeky and weird,” one participant argued.
Perhaps most concerning was the comment from one attendee that “the cybersecurity environment is not poisonous to women, it just looks like that sometimes,” again highlighting that there are some serious misunderstandings about what the industry is today and what it has to offer women – something that absolutely needs to be addressed.
“I think to some extent there are misconceptions about the industry, one being that it is purely and deeply a technical discipline,” Barker added. “This probably stops women (and men) from considering it as a career choice. If you don't have a technical background, you may question what value your skills will have, you might feel alienated by language and jargon that you are not used to and you might feel blocked by pathways into the industry, which are not at all clear or accessible.”
What’s more, general consensus was that whilst credit should be given to the various initiatives that support women working in cybersecurity, they all operate in silos, thus have little impact on the cause.
The Why and the How
Moving on to discuss exactly why diversity is so important in security, the attendees identified three key categories:
For the industry’s sake: given the huge skills gap, a wider talent pool to choose from can only be a good thing, whilst a diverse workforce is more productive. “We need more people, so we need more women,” one attendee pointed out.
Because of what women bring to the party: it was argued women bring a different mind-set and set of skills to the workplace, including attention to detail, analytical ability and problem solving.
For diversity’s sake: lastly, attendees felt “women can, so they should”, and agreed that diversity is important in any industry.
It’s crucial that we portray IT as being ‘normal’, and not geeky and weirdCREST workshop participant
When it comes to getting to the heart of the issue, one word springs to mind: change. This was the main reason for CREST’s workshop; to establish and discuss ways to actually make a difference. The collective ideas of how to go about this were:
Educate
Raise Awareness
Change Industry Perception
Offer Support
Inspire (Promote Role Models and Ambassadors)
Removing Barriers for Entry
Getting the Message?
To conclude, the group pondered what messaging should be used to effectively target women, and one thing that unanimously stood out was that any messaging must validate a young girl’s interest in STEM.
A particularly popular strategy was the use of well-known/celebrity role models and ambassadors to engage girls – particularly at the secondary school and graduate level.
Likewise, TV and radio campaigns, print advertising, social media campaigns, and online adverts were all put forward as ideas for getting the message out there, whilst the value of intimate networking and face-to-face time was also not overlooked.
“We need to tell girls what they can bring to the party and contextualize why this industry is so suited to women,” one attendee said, who argued that the language used to convey this message is crucial. “The key is telling girls they can do whatever they want to do.”
Selling the purpose of the industry is also important, the group agreed. “It’s about fighting cybercrime, it’s innovative, it’s interesting, and let’s not forget to point out that it’s well paid, and a career for life.”