This is a really important question as women comprise roughly 10% of the cybersecurity workforce and that number doesn’t show any signs of improving. Clearly, women are not a homogenous group, so the answer varies based on each individual, but I can provide some general thoughts based on my own experience and research on this topic. I tend to look at this as a pipeline problem (i.e., why women aren’t entering) as well as one of retention (i.e., why women leave).
Let’s address the pipeline issue first. There are more and more programs aimed at getting girls and women into security, and these must continue andin the field, so that is positive progress. At the same time, media portrayals and popular culture have left cybersecurity with a horrible branding problem. When I speak to high school and college students, and ask what comes to mind when they think of cybersecurity, inevitably the response is a shady, socially inept young guy in a hoodie. That’s not quite the image to attract a more diverse pipeline. This media portrayal began in the mid-80s – when girls in computer science peeked – and since then has helped trigger a decline which has generally bottomed-out to the current state. This has also helped prompt the brogramming culture. Even for companies and academic programs that have avoided this issue, the perception that it exists and that the field is hostile toward women deters many girls and women from entering.
Retention is another issue. Last year I completed aon retention in cybersecurity. The key reasons people leave the field are burnout, lack of career advancement, and the industry culture. Similar to across the tech industry writ large, most efforts to address greater inclusion and diversity extend little beyond PR pitches and lack any substantive bite. Women are often still paid less, promoted less, and deal with discrimination and harassment, prompting the pursuit of other career paths. Importantly, this doesn’t just extend to the workplace, but also professional conferences (cons), each of which has its own culture and vary in their degree of inclusivity. Bad experiences at these conferences, coupled with limited professional growth, can have broader impact and may discourage women from attending these professional events or staying in the industry.
So more importantly, what can be done? First, we need MUCH greater visual and written representation of underrepresented groups in cybersecurity across all aspects of media and society. There are very strong female role models in cybersecurity whose voices must be amplified: news outlets should stop citing only male experts; industry conferences should include more female speakers and demonstrate their commitment to inclusive codes of conduct; and talk shows should reach out to more female experts. As I’ve been told by many of these organizations aimed at getting more girls into cybersecurity, if they don’t see it, they won’t be it. Women must be visible and seen as experts. Unfortunately, when women are contacted for their insights, often it is on gender issues and not their technical capabilities, so when girls see female role models, they only hear about the dire statistics and not the cool work women are doing in cybersecurity.
Next, there are wonderful events for women in cybersecurity – such as, , and – that are great for networking and supporting women entering the field. These can help both with retention and recruitment and should be supported. In addition, college courses and job descriptions tend to be geared toward ‘brogramming’ verbiage. This is changing, and schools and corporations should put more effort into ensuring their descriptions appeal to a larger segment of the population. Finally, way too often the workload of diversity and inclusion efforts are placed on women and underrepresented groups. This is a gender tax and quite frankly not fair or sufficient to change the status quo. Men must become more active – as allies, as proponents, and as sponsors for underrepresented groups. Until that happens, very little is likely to change and half the population will not be included in solving one of the greatest national and economic security threats of our time.