Why Aren't Women Working in Cybersecurity?

Industry professionals say companies can close the gender gap in the cybersecurity field by working with schools to educate girls, marketing cybersecurity career opportunities to women and promoting women to high-level cybersecurity jobs to provide role models for these new workers.

"The technology industry has done a historically poor job in recruiting women, whether the job is in cybersecurity or some other area of tech," said Steven Ostrowski, director of corporate communications at the Computing Technology Industry Association (CompTIA) in Chicago, representing the IT industry. "Among women that do join the [field], they've often been stymied in their career progression by the lack of a defined, clear path for advancement and promotion."

Women make up just 11 percent of the world's information security workforce, according to the Women's Society of Cyberjutsu, a Washington, D.C.-area nonprofit focused on empowering women to succeed in cybersecurity. (ISC)², a nonprofit that specializes in information security education and certifications, puts the global share of women in cyber roles at 10 percent.

This untapped labor pool has a huge opportunity to enter a field that is in the throes of a severe labor shortage. "The gap remains wide between the number of technology workers employers need and the number of candidates for those jobs," Ostrowski said.

[SHRM members-only toolkit: Staffing Technology Professionals]

More than 209,000 cybersecurity jobs in the U.S. went unfilled in 2015, and postings are up 74 percent over the past five years, according to a 2015 analysis from the Bureau of Labor Statistics.

Demand for cybersecurity talent is expected to rise to 6 million jobs globally by 2019, with a projected 1.5 million of those cybersecurity job openings expected to be left unfilled, according to the most recent projections forecast by Cybersecurity Ventures, a Menlo Park, Calif.-based research and reporting firm.

"Increasing the number of women in cybersecurity is not simply for diversity's sake but for the sake of the industry," said Ian Glover, president of CREST, a Berkshire, England-based not-for-profit accreditation and certification body representing the IT security industry. "The first step is to work out why women are not entering the industry. Although most [women working in cyber] agree that cybersecurity is welcoming to women, the perception from outside the industry is much the opposite. It is clear that this is one of the major challenges we face."

What's Putting Women Off

Attendees at CREST's 2016 Diversity Workshop agreed that great opportunity exists for women in cybersecurity and that working in the industry is a positive experience for women. Women's perception of the industry is the main reason for the lack of female applicants, they said.

"Despite the perception of the industry being sexist or inhospitable to women, [workshop participants] had never experienced any such issues," read a report CREST released after the event. But attendees lamented the language used to describe the security industry, which could be considered "too opaque, too intimidating and full of male connotations." They discussed the perception that the industry is boring, overly technical or "geeky," though some attendees said a "geeky" connotation can be appealing to both men and women and shouldn't be viewed as a negative concept.

Several attendees expressed concern that the industry is too quick to broadcast the idea that you have to be a "techie" to work in cybersecurity and suggested that the sector puts "technical skills on a pedestal, overlooking the fact that other skills are equally as important."

Dana Simberkoff, a veteran of both the data privacy and information security fields, said the real challenge is in education and skills. Currently the chief compliance and risk officer at AvePoint, a software vendor and manufacturer headquartered in Jersey City, N.J., she agreed that "companies need to work on their diversity programs and proactively recruit women for the field, but I think ultimately qualified candidates are just few and far between." She added, "The gender gap exists not because there are tons of qualified women who don't want to do the job. They are just hard to find. Employers need to do a much better job encouraging women to get the skills that will make them great candidates for those jobs."

That being said, Simberkoff said she has witnessed inappropriate behavior: As one of the few women attending industry conferences, she's seen "some blatantly sexist activities" on the expo floor. For example, a panel of male speakers had women in wet T-shirts standing behind them at one memorable event. "That behavior reminds me of the '90s when the dot-com trade shows were full of Playboy models working in booths. That's just not a way to attract women into a profession. It shouldn't deter women from entering the field, but the security industry as a whole has to consider that perception."

Education Is Critical

Industry leaders and educators recognize that attracting women to the field and filling the pipeline for a qualified information security workforce depends on encouraging girls to tackle technology subjects and careers, Ostrowski said.

"Most security professionals grow up in a background in science, technology, engineering and mathematics [STEM]," Simberkoff said.

Parents and primary educators are key to introducing these subjects to young girls, as research has found that girls' interest in technology lessens as they get older. Twenty-seven percent of middle-school girls consider a career in technology, but this figure drops to 18 percent by high school, according to CompTIA.

"The cyber gap needs to be closed with education," said Tara O'Sullivan, chief creative officer at Nashua, N.H.-based e-learning provider Skillsoft. In recent years, there has been a groundswell movement to get girls involved in IT, and more schools are introducing STEM into their curriculum, she added.

A variety of organizations provide education and certifications, including CompTIA, (ISC)², the National Cybersecurity Institute, and many colleges and universities.

"All of these efforts are being supported by a top-down movement from organizations like the New York Academy of Sciences' 1000 Girls—1000 Futures, The Scientista Foundation and Million Women Mentors," O'Sullivan said. "The Girls Scouts of the USA have even started to introduce their members to STEM in their weekly meetings. Access to education and training and encouragement from parents, peers, the media, and the IT establishment will change the current female participation rate."

But programming classes alone aren't enough, Ostrowski said. Less than half of girls who've taken technology courses in high school are confident in their skills, and many young women lack awareness about career opportunities, according to CompTIA research. "Of women who have not considered an IT career, 69 percent attribute this to not knowing what opportunities are available to them. More than half (53 percent) say additional information about career options would encourage them to consider a job in IT," Ostrowski said.

Attendees of the CREST event suggested that employers should have stronger connections with schools, "running initiatives to engage schoolchildren in workshops, classes and demonstrations to inspire them to strive for cybersecurity careers."

Another important lesson learned through research is the importance of role models in the process of choosing a career. According to CompTIA, just 37 percent of girls know of someone with an IT job. Among girls who have considered an IT career, 60 percent know an IT professional.

How Employers Can Make a Difference

The CREST workshop participants asserted that promoting cybersecurity careers and opportunities available to women and portraying the industry in "an accurate, positive way" is crucial to increasing the number of women in cybersecurity. "The marketing of the cybersecurity industry needs a lot of further consideration, particularly relating to ensuring its messaging is gender-neutral and thus attracting both sexes," the group concluded.

"Companies seeking to become more inclusive in their hiring should examine their own assumptions and unintentional biases in their hiring process," Ostrowski said. "Employers need to look beyond traditional job boards and want ads to find a broader pool." Community colleges, community groups and local workforce boards can all yield workers with interest, aptitude and skills who otherwise may be overlooked through traditional hiring practices.

Keeping an eye on women's career progression within the cybersecurity field is also key. Experts advise that HR commit to helping new hires by offering support, mentorship and training and working with them to chart out a career path.

"Finally, as a company builds a more diverse workforce, they can use employee referral programs to help identify more individuals from within a community using existing employees as their role models," Ostrowski said.

CompTIA's Advancing Women in Technology Community recently updated its Career Resource Center, with new information on the tech industry, career options, profiles of women working in tech, and other free resources and references.

Was this article useful? SHRM offers thousands of tools, templates and other exclusive member benefits, including compliance updates, sample policies, HR expert advice, education discounts, a growing online member community and much more. Join/Renew Now and let SHRM help you work smarter.