IWD22: Tackling the gender gap in cyber security
The usual stock image for any cyber security story is notorious. The picture of a male, hood raised, leaning over a computer to signify a hacker has appeared on thousands of articles, profiles, events and so on; it is a meme. But the stock image also highlights a major problem in the cyber security sector – a lack of diversity.
In its latest reports, (ISC)² took a new approach to surveying the cyber security workforce, including those IT professionals who spend at least a quarter of their time on security tasks. This new approach found that the percentage of women in cyber security sits at 24% – though this is changing.
Even though men outnumber women in cyber security by three to one, more women are joining the field, (ISC)² found, buoyed by higher levels of education and more certifications than their male counterparts.
Compared to men, higher percentages of women cybersecurity professionals are reaching positions such as chief technology officer (7% of women vs. 2% of men), vice president of IT (9% vs. 5%), IT director (18% vs. 14%) and C-level/executive (28% vs. 19%), based on findings in the 2018 (ISC)² Cybersecurity Workforce Study. The figures show that women are forging a path to management.
Heather Hinton, CISO at cloud-based communication services provider RingCentral, claims the perception that cyber security is a very technically intensive area with “antisocial individuals” is off-putting to a wider talent pool, especially women.
She said: “In my experience, cyber security is too often siloed and perceived to be about responding to the bad guys (attackers). So, if you’re looking for a role or career where you are working with people or part of a team, you can easily dismiss cybersecurity as not fitting that requirement. However, cybersecurity is so much more, but as a sector we are not doing a good job of explaining how broad the industry really is.”
To solve this problem, the speakers within cyber security need to refresh the language and move away from default terms such as “attackers,” “ransomware” or “encryption.”
Hinton added: “We need to lift the lid and show how broad and interesting cybersecurity really is – that it covers product development, technology architecture, people’s behaviour, business impact, risk management and trade-offs, and situation management. When we teach cybersecurity, we need to highlight this entire big picture – the entire elephant, not just the left leg or the trunk or the tail. We also need to highlight that to address all these different elements, we need a diverse set of skills.”
The wider tech problem
The lack of gender diversity isn’t just limited to cyber security. Figures from the American Association of University Women (AAUW) found females make up only 28% of the workforce in science, technology, engineering and math subjects (STEM), and are systematically tracked away from these subjects throughout their studies.
Tracking this closer to cyber security, women currently remain highly underrepresented in software engineering (14% of total workforce) and computer science-related jobs (25% of total workforce). In fact, women software engineer hires have only increased 2% over the last 21 years.
A survey from BuiltIn found that progression in this sector is even more difficult for women, with 66% of women reporting that there is no path of progression for them in their career at their current tech companies.
“Having a diverse workforce allows there to be a balance of input, more creativity, new perspectives, and fresh ideas. From different learning paths to ways of approaching problems, and bringing in wider viewpoints, women bring an array of different skills, attributes, and experience to cybersecurity roles,” explains Andrea Babbs, head of sales UK & Ireland at VIPRE Security.
“Working in an industry like cybersecurity where everyone is impacted, and everyone is a target – we need everyone to be involved in developing solutions which work to solve the problem. This is not just limited to gender, but also includes age, culture, race and religion. To truly mitigate the risk of cybercrime, we need a solution relevant to all the people impacted by the problem.”
This means offering varied entry pathways into the industry or making it easier to return after a break – two key issues that are harming equality in cyber security roles, Babbs adds.
This can include governmental intervention. For example, the UK government launched the Cyber Security Skills Strategy in 2018 which aimed to invest in people and skills to make the UK into a leading player in infosec. This became part of the 2021 National Cyber Strategy which sets out the UK’s commitment to ‘strengthening the UK cyber ecosystem, investing in people and skills and deepening the partnership between government, academia and industry.’
To this end, the UK Cyber Security Council has partnered with Women in Cyber Security (WiCyS UK) for an event on 8th March 2022 which will explore sector diversity and barriers to entry.
Dr. Claudia Natanson, the UK Cyber Security Council’s Chair, said: “We want the sector to be truly representative of all sections of society, and for every employee, contractor or supplier to feel acknowledged, respected and able to be their best.
“In addition to worsening the sector’s skills gap, a less diverse workforce can stifle innovation and can lead to intrinsic biases within organisations, which cyber criminals can – and will – take full advantage of.”
Babbs concludes: “The cyber security industry remains an attractive and lucrative career path, but more should be done to direct female students in the right way to pursue a job role within STEM and to support those who are returning to work.”
“There is more of a need than ever before for more diverse teams, as cyber security threats become more varied. Becoming part of a gender-balanced cyber workforce is an efficient way to avoid unconscious bias and build a range of solutions to complex problems.”