I’ve been busy recently writing a book pertaining to the information security industry and, as you might imagine, writing a book takes a significant amount of research.
During this time, I’ve come across thousands of different statistics about our industry. It was while I was researching the talent shortage problem that I came across two very troubling statistics:
Women make up only 11% of the information security workforce, and this percentage has been steady since 2013. Also, as many as 85% of women have experienced some level of discrimination at professional security conferences, and over half have experienced harassment at the same events.
Both statistics shocked me when I came across them, and they’ve been spinning around in my mind ever since. I’ve been in this industry for a long time, so why didn’t I know these statistics? I still don’t think that I’ve come to terms with the numbers. I’m also trying to imagine what it must feel like to be a woman in information security. This is a problem that we can’t ignore.
How did we get here?
I don’t know the answer to this question. I guess it’s just always been a male-dominated industry. Seems like an easy answer, but it’s not an answer at all: we got here because of our culture in this industry.
The fact of the matter is that we have a culture in our industry that isn’t inclusive of women. Isn’t this obvious from the fact that roughly 85% of the women who are in this industry are discriminated against? We have a “bro culture” which excludes almost half of the population from contributing creative solutions to very challenging problems.
Why didn’t I know?
This answer takes some serious self-reflection. I’m a man who’s been working in the information security industry since the early 1990s. I’ve worked with 100s of different companies, big and small. How could I have not noticed that only 11% of the industry is made up of women, and how could I have not noticed that men in our industry discriminate against women?
If I’m going to be honest with you, I didn’t pay attention. Maybe it’s because I didn’t really think it was a problem, or maybe I just assumed that this is just the way it is. Did I think that it’s just normal?
I’ve always kept up with the latest news related to information security, and I’ve worked hard to maintain my skills. I have no good excuse for not realizing this problem until recently. The fact is, this problem isn’t new, I just didn’t notice for some reason.
In doing the research for the book, I think that I’m just starting to feel some of the weight of what the gender inequity problem means in our industry. Now we can’t claim we don’t know, so the real question is, what are we going to do about it? Here are some suggestions:
Educate yourself about the problem. There are numerous resources available, including Jane Frankland’s recently released book titled, “InSecurity: Why a Failure to Attract and Retain Women in Cybersecurity is Making Us All Less Safe.” Jane does extensive research into the issue and presents some viable solutions for our industry.
Hire more women. Women bring a different perspective to information security. Research shows that more diverse work groups function better and produce better results.
Mentor more women. Any industry that’s dominated by one group of people can be intimidating for someone from another group to enter. Mentorship is an inviting way to get an introduction to information security and make it a little less intimidating.
Support financially, or volunteer with, the people and groups who are committed to making these things better. Women's Society of Cyberjutsu (WSC), Women in Cyber Project, and Women in Cyber Security (WiCyS) are all dedicated to the cause.
Encourage the girls and women that you know. Encourage them to explore information security opportunities.
Let’s get to work and make this better.