We Live Progress
Global Diversity Awareness Month is a timely occasion to reflect on the steps required to remove the obstacles to women’s participation in the security industry, as well as to consider the value of inclusion and diversity in the security workforce.
31 Oct 2023
While our digital age is progressing by leaps and bounds and technology-related roles will remain in high demand in the future, the cybersecurity industry continues to grapple with persistent human capital challenges. These include a general workforce gap (of 3.4 million workers at the last count) along with a related imbalance between the industry’s needs and barriers to entry.
It’s probably no surprise then that gender, racial and ethnic diversity also remains lacking, and that’s despite the fact that a diverse and inclusive workforce is known to foster innovation and growth, not to mention its contribution to a more equitable society. Women, for example, hold just a quarter of security roles worldwide. Gender diversity in security remains a stubborn challenge and, unsurprisingly, mirrors the reality in computer sciences.
All in all, it would then seem like a no-brainer that increasing diversity in security would widen the talent pool and help bridge the overall skills gap. As we wrap up October, which is also Global Diversity Awareness Month, this is an opportune moment to reflect on the actions needed to break down the biases and barriers that are hindering the participation of women in security, as well as to consider the value of inclusion in the security workforce.
Why is gender inequality so high in cybersecurity?
The latest figures from industry group ISC2 do not make for pleasant reading. Despite the huge shortage of workers, and the shortfall of women in particular, just 57% of firms say they’re invested in diversity, equity and inclusion (DEI) initiatives. The figure only rises to 67% for those experiencing staff shortages.
This may help explain why more women aren’t choosing a career in security even though it offers competitive salaries, diverse roles, and a fast-moving culture of near-continuous technological innovation. Several reasons stand out:
- security has a reputation of being a male-dominated, jargon-heavy and elitist sector which is hard to break into without the right qualifications,
- discrimination: 30% of female security professionals say they feel discriminated against at work,
- a perception that jobs don’t offer sufficient flexible working options,
- employers failing to encourage new mothers back into the workplace,
- a bias from employers towards screening applicants by qualifications/certifications rather than experience or transferable skills, which may mean that new mothers returning from a break who may be looking for a career change are ruled out,
- a perception that security is just about technical skills, when there are varied roles that require creativity, flexibility, good communication, problem solving and other skills,
- relatively low numbers of girls studying STEM subjects at school/university,
- a vicious circle in that the security sector lacks female mentors and role models to encourage the next generation into the industry.
Are things improving?
There may be signs that things are changing for the better. The ISC2 study claims women account for 14% of those aged 60+ in the security workplace, but 30% of those under the age of 30. Younger women are also rising to managerial positions in greater numbers. The report claims that they make up only 10% of C-level execs aged 50 or older, but 35% of all execs in their 30s.
That said, there’s still some way to go. Women comprise just 17% of cybersecurity professionals in “advanced, non-managerial positions,” the report claims.
7 ways to increase gender diversity in cybersecurity
This is a wasted opportunity. Improving gender diversity is not simply a moral imperative for employers. It could genuinely improve the performance of teams. That’s especially important in scenarios where diversity of thought is required: in everything from marketing campaigns to unpicking threat actor activity. Encouraging more women into security roles should eventually create a virtuous circle where the brightest and best talent wants to come and join the company in the future – especially younger workers who tend to value DEI more.
So how do you get there? Let’s take a look at seven ways to improve gender diversity in cybersecurity:
1. Foster a culture of respect
The need to make the industry welcoming cannot be overstated, and people who already work in the field can play a significant role in this by putting in effort in various ways. These include actively working to change the culture, addressing biases and barriers, and supporting a healthy work-life balance. These can be done, for example, via flexible work arrangements and supportive policies, including for new mothers seeking to re-enter the workplace.
Also needed is a zero-tolerance policy to sexism, harassment and discrimination, both blatant and subtle, as well as mechanisms for reporting and addressing inappropriate behavior. Building a culture of respect, open communication and collaboration benefits everyone. It can also help female talent navigate the often male-dominated culture, contribute to building their confidence and skills, and ensure they avoid both blatant and subtle discrimination and other inappropriate behavior.
2. Spark an interest in cybersecurity early on
Competitions like hackathons and Capture the Flag (CTF) contests are a great way to get girls into security from an early age. The hope is that more will then choose to go on to study the subject formally and potentially follow a career in it. Governments have a big role to play here in creating schemes like the UK National Cyber Security Centre’s CyberFirst Girls.
But businesses can also help by providing funding, sponsorship and even expertise through efforts aimed at supporting a more diverse talent pipeline (ESET’s very own Women in Cybersecurity Scholarship is an example).
3. Build more pathways to a career in cybersecurity
What happens once young women develop an interest in security? Not everyone will want to spend several years at university. This is where internships and apprenticeships can help, by offering a stepping stone to a career that enables participants to learn real-world skills on the job. For the provider, it can help to build a steady stream of talent ready to hit the ground running from day one if they have what it takes to progress to full-time employment.
4. Create mentorship programs
As discussed, a lack of role models in the industry can create a vicious circle, where it’s hard to attract women into security because of the apparent lack of representation. So it’s vital to provide formal, structured mentorship programs, so those who join the company feel supported and can develop to become senior leaders. They in turn can become role models to others.
5. Ensure pay is equitable
Women earn just 72% of what their male counterparts earn, according to one estimate. That’s a significant and untenable gap, especially for an industry that promises high wages as one of its key benefits. Women should feel their contribution is valued as much as that of their male peers. There should be no gender pay gap in cyber, or any industry.
6. Improve career development
Women need to feel like a career in cybersecurity will enable them to progress to senior levels. So alongside greater representation of women as managers and executives, organizations need to offer support for career development, taking into account the needs of those who may want to pause their career to have children.
7. Broaden your hiring criteria as well as look internally
HR and hiring managers must look beyond accreditations and certifications to spot the transferable skills, experience and/or aptitude that can indicate a suitable candidate. Too many are filtered out at the first stage. Job descriptions should also be reworded to be less exclusive.
Also, some of your best candidates may already work for the company. So reach out to employees in adjacent areas of IT such as data analytics who may be looking for a career change. They’ll be highly motivated and already know the business and culture inside out.
Moving the diversity needle
Many organizations realize the magnitude of the problem and are making strides towards a more diverse and inclusive cybersecurity workforce. There are no excuses for gender inequality in the workplace and it’s incumbent on each of us to question and challenge biases, dismantle barriers, advocate for inclusivity and create spaces where everyone can thrive. These efforts are needed not just for the sake of fairness but also for the progress and innovation that diversity brings.
We’ll leave you with some of the many findings of ESET’s 2022 DEI Survey, where its female employees rated “equal treatment in daily work” and “acceptance of the person in the workplace” as the best DEI-related aspects of their working lives at ESET, a sentiment also echoed by their male colleagues. Meanwhile, the survey also showed that women are more confident that they have a better understanding of DEI-related issues than men, as well as that these issues should be part of the company’s value system and that pursuing DEI contributes to the company’s success.