InfoSec Institute estimates there is a worldwide staffing shortage of nearly three million in the ranks of cybersecurity professionals, half a million in North America alone. The problem is expected to get worse, as demand for infosec resources is projected to grow dramatically for the foreseeable future.
Meanwhile, Cybercrime Magazine predicts that cybercrime will have an economic cost of $6 trillion annually by 2021, up from $3 trillion in 2015, evidencing the urgency and speed at which the industry must expand.
The shortfall in staffing is estimated to rise to 3.5 million people by 2021.
In 2013, a research study conducted by Frost and Sullivan stated that women represented just 11 percent of the worldwide cybersecurity workforce. While that study may have been somewhat limited in terms of the job positions and types of cybersecurity it included, everyone still agrees that the female representation in cybersecurity was shockingly low.
In its March 28, 2019 research article, Cybercrime Magazine concludes that women now make up approximately 20 percent of the global infosec payrolls. This is, of course, an encouraging improvement from six years ago, but still woefully shy of the 50 percent range that would represent parity.
The cybersecurity unemployment rate is at zero and has been at that level since at least 2011, so the percentage gap in employment of women cannot be explained simply by an industry gender bias in hiring.
Women and STEM (science, technology, engineering, and mathematics)
It’s not just cybersecurity jobs that are being filled primarily by men. Most STEM professions are still suffering from a lack of women in their ranks, even after decades of equal gender rights initiatives.
On the surface, it seems like a scene right out of the 1970s, but it’s still largely the case today. Young female students seem to shun STEM-related fields, which encompass the broadly defined areas of science, technology, engineering, and mathematics. The stereotype that STEM is better suited to men seems to still persist in many areas of the country, despite the fact that women consistently score as well or better in math and science-related tests.
While the recent trend seems to offer some optimism that young women are increasingly overlooking the stereotypes in careers, the shortfall will take a long time to overcome at this rate. And the persistent truth that women continue to be underpaid and under-recognized for their achievements will make it an even more difficult problem to alleviate.
A more enlightened generation of hiring managers and C-suite officers will need to take over in STEM before major gains can come to fruition. Recent anecdotal evidence, however, indicates that the move to equal treatment for women is now underway. There are apparently more women now being promoted to executive cybersecurity positions than ever before, so optimism is the rule of today. Even if this change in attitude is being prompted by the necessity of unfilled job positions, it is a positive trend for women.
Why are women underrepresented in cybersecurity?
To close this gap and bring female representation up close to 50 percent, it would help to know why the shortfall exists in the first place. It’s easy to paint the question with a broad brush of gender bias/discrimination, but adding some detail to our understanding of the problem should help in finding solutions.
Identifying simple gender bias as the root of the problem would lead to decades-old answers of educating employers about the contribution women bring to the job environment, and possibly teaching males the same from a young age. A few research articles published in recent years shed some light on the issues: Forbes magazine published a recap of a study in January 2018 that appeared on Quora; Government Technology used some high school cybersecurity camps as an opportunity to gain insight into what teenagers think about their career prospects in the industry; and a joint report by NBC and The Hechinger Report was published in April 2018.
To be sure, there is an abundance of anti-female mentality in many cybersecurity organizations. Interview any woman with experience in fighting cybercrime and they will undoubtedly recount a number of anecdotal examples of gender bias. Why is this still happening?
First, let’s not naively assume that ingrained gender bias has been erased by decades of equal rights initiatives. Male superiority mindsets are still very much present today in nearly all sectors of life and segments of the population. Still, many cybersecurity organizations’ hiring managers are quick to state that finding, hiring, and retaining high-functioning women is a top priority.
And, to be fair, male attitudinal problems in cybersecurity can often also be explained by the fact that there are typically very few women in any given workplace. Direct observations have a way of shaping human expectations, which here becomes a self-fulfilling prophecy.
Evidence suggests that young girls, often during or even before high school, form preconceptions about their place in the world. Despite the media’s focus on all the positive changes that have provided women with greater opportunities, teenage girls are still forming opinions that will later greatly limit their career choices. Parental influences in some families, as well as other societal notions, still seem to be steering girls away from technical professions.
Cybersecurity is often viewed by young women as a career requiring females to be much more accomplished than men in order to get equal treatment. Even some schoolgirls have already come to the conclusion that technical careers are best suited to boys. In fact, current data suggests this is often painfully true.
Statistically, women are paid less and promoted more slowly in cybersecurity than their male counterparts. So even though cybersecurity managers say all the right things about valuing women, in many cases their actions tell a different story.
Deserved or not, cybersecurity has a bit of an image problem. Media representations would lead most reasonable people to believe cybersecurity occupations are performed in highly intense, war-room-type atmospheres by shadowy young guys in hoodies.
Some of the industry’s own terminology, like cyberattacks for instance, gives an impression that cybersecurity work takes place in military war rooms. This perception is not entirely wrong in some aspects of cybersecurity, like ethical hacking. But many segments of the rapidly expanding industry are performed in environs far removed from a war room.
There is also evidence to suggest that among women who do choose entry into cybersecurity, a surprisingly high proportion tend to leave the field in relatively short order. Some suggest this is because of the relative intensity of the field, and others because of the boys’ club atmosphere they have to endure.
But there is also the reality that women in cybersecurity, as in many other fields, tend to be paid less and promoted more slowly than men. Where these explanations hold true, it is a failure of the employer to ensure females feel comfortable in cybersecurity.
Today, in part because of the personnel shortage in cybersecurity, managers are increasingly hiring candidates with degrees and experience in fields other than infosec.
But women are also woefully underrepresented in STEM professions, so that pool is also male-dominated and cannot be relied upon to shrink the gender gap in cybersecurity. The lack of women in STEM will not be cured overnight, so the recruiting pool will have to be extended to new fields of interest if the gap is to be closed quickly.
What can be done to increase women in cybersecurity?
With this stark reality as a backdrop, what is being done to attract more women to cybersecurity? And what other initiatives or adjustments to procedural and behavioral shortcomings can also be adopted? Much is already being done, with real, but varied impact that is finally starting to move the needle. More can be done and needs to be done if the shortage in the cybersecurity workforce is to be meaningfully diminished.
Some signs emerging in the last few years have already begun to show the initiatives in place are having the desired effect.
First, adopt a policy of diversity in work teams that covers not just women, but all ethnicities and backgrounds. An article published by helpnetsecurity.com in 2017 entitled “What leads women to cybersecurity, and what makes them stay?” discussed a survey by app security company Cobalt. One respondent to the survey, Andrea Little Limbago, Principal Social Scientist at Endgame, stated: “A team that integrates diversity of all kinds – disciplines, genders, backgrounds, ethnicities, etc. – ensures fresh perspectives, prompting innovation and creativity.”
There is also an issue with many hiring managers and human resource departments taking a far too focused view of the potential hiring pool for cybersecurity.
Many companies view STEM fields as the most fruitful source of cybersecurity candidates, almost completely ignoring other career paths.
This means that cybersecurity organizations that haven’t already done so must broaden their horizons of backgrounds when looking for new employees. Women in such wide-ranging fields as compliance, auditing, psychology, and sales have all found success in cybersecurity.
Retaining valued employees should be a priority of any organization, but with the shortage in cybersecurity, it has become an even more critical focus. Fostering more inclusive work environments is a must-have for consistent satisfaction of employees, particularly women and minorities.
Organizations must train all employees on what true inclusiveness is all about, and make sure that everyone knows anything less will not be tolerated.
The goal should not be simply to eliminate sexual harassment but to make women feel comfortable, respected and valued in the workplace. And of course, inclusiveness means real equality in pay scale and opportunities for advancement.
These organizations serve a positive role for women, helping to make them feel included and supported by other women. Generally speaking, though, such organizations are only necessary in industries where women are not already afforded equal treatment.
What’s really needed in cybersecurity is for other professional organizations to give equal opportunity to women, like keynote speaker roles, and other signs of respect. The trend in these organizations is positive, though, so hopefully they are headed in the right direction.
Recent conventions have seen a noticeable increase in female participation, as well as keynote speaker appointments.
Working backward down the recruitment pipeline, the focus moves to higher education. Placement and career counseling efforts within colleges and universities must introduce cybersecurity as a desirable career option for students in a broad range of undergraduate and graduate majors.
Again, it’s not just IT and computer science students that make good infosec candidates. Promoting and providing access to industry training and certifications would also offer students a leg up in finding their way into cybersecurity.
Expanding course offerings and choices of majors within cybersecurity will help all students find their way into the industry, not just women. And opening the student bodies to professional organizations, particularly those serving women, will give students access to women already in the field.
Teenage women in high school, or younger, should be exposed to cybersecurity as a viable and desirable career option. Such efforts should also work to diminish the impact of the conditioning that societal gender biases place on the choices of our children.
There are several initiatives around the country designed to open the eyes of students to see the attractiveness of cybersecurity.
The National Security Agency and the National Science Foundation co-fund GenCyber, a program that provides summer cybersecurity camps for students and teachers in the K-12 grades.
The program is free to all, and designed to teach safe online practices and the nature of cybersecurity.
GirlsGoCyberStart is designed to be a fun and interactive online program to introduce high school girls to cybersecurity. Topics such as cryptography, password cracking, digital forensics and open-source intelligence gathering are taught to young females to promote interest in the field. The program is free to students; over 10,000 girls have taken part thus far, and feedback has been overwhelmingly positive.
GirlsWhoCode is focused primarily on young students looking to programming as a potential career path, but it is working toward addressing the shortage of women in technology fields in general. The group promotes after-school clubs, summer courses, and summer immersion programs. It also helps alumni of the program to succeed in college and interact with other women in technology fields.
Recently, the Girl Scouts of America has begun offering a cybersecurity merit badge to encourage young girls to explore and excel at cybersecurity. The Girl Scouts Research Institute published a report in 2019 called “Decoding the Digital Girl: Defining and Supporting Girls’ Digital Leadership.” It discusses “how girls are using their digital experiences to improve their lives, their communities, and the world.”
Scholarships and other assistance available to women
Assistance programs, financial and otherwise, are on the rise for women wishing to enter the cybersecurity field, or other STEM professions.
These opportunities are related to college and professional training and certification. InfoSec, Inc. and CompTIA have combined to offer substantial financial assistance to women pursuing careers in cybersecurity through scholarship grants providing free enrollment in cybersecurity boot camps. The US Navy offers a scholarship-for-service opportunity called the Information Assurance Scholarship Program for men and women.
Along with (ISC)², the Center for Cyber Safety and Education offers a $40,000 scholarship for women studying for either a bachelor’s degree or master’s degree in a cybersecurity field. Scholarships for Women Studying Information Security (SWSIS), a partnership between Applied Computer Security Associates (ACSA) and CRA-WP, is a scholarship program for women studying for their bachelor’s or master’s degree in a cybersecurity discipline.
Raytheon also provides an $8,000 scholarship for women studying cybersecurity. The National Security Agency (NSA) sponsors the Scopes Educational Scholarship Program for high school seniors who have demonstrated skills in the critical areas of computer science and electrical engineering and are planning to major in one, including cybersecurity. The CIA offers several internships that provide tuition assistance to successful candidates, in addition to summer employment. The focus is on intelligence fields, including cybersecurity.
Women as role models in cybersecurity
Today, there are plenty of successful women in cybersecurity that can be viewed as positive role models and possibly even mentors by women hoping to break into and succeed in the field.
These role models know what it’s like to overcome the barriers to success, and should be held up to young women to show that it can be done. Successful women can be found at industry conventions that provide keynote speaker opportunities to women, or in online video interviews featuring female cybersecurity executives. WiCyS offers a few such female infosec pros as role models.
The future of women in cybersecurity
STEM in general, and cybersecurity in particular, have long experienced a debilitating shortage of female participants. But the dramatic rise in cybersecurity demands and the general shortfall in the available talent pool are now shedding a bright light on the lack of women in the field.
Working to draw more women into infosec, there are many initiatives now being promoted by government agencies, industry participants, high school and middle school educators, and colleges.