Exploring Cybersecurity’s Diversity Problem
The latest report from the Center for Cyber Safety and Education and Executive Women’s Forum on Information Security, Risk Management & Privacy (EWF) on Women in Cybersecurity, sponsored by PricewaterhouseCoopers, Alta Associates, Veracode, IBM Security and (ISC)², confirms that cybersecurity is still a predominantly male, middle-aged profession that is failing to attract female recruits.
The Center’s Global Information Security Workforce Study, sponsored by Booz Allen Hamilton, a study of almost 20,000 cybersecurity professionals worldwide, has revealed that the proportion of women in the workforce remains stubbornly low, with women comprising only 8% of the UK cybersecurity profession and 11% of the global workforce, a proportion that has remained virtually unchanged since 2004. This is despite the fact that the sector has seen double-digit growth over the same period, and a parallel growth in demand for new recruits. The projected cybersecurity skills shortage has soared by 20% in just the last two years, and will leave a staggering shortfall of 1.8 million cybersecurity professionals by 2022.
In this context, the lack of any real progress towards increasing the intake of women in the profession cries out for explanation. The Women in Cybersecurity report explores for the first time some of the barriers to women in the workforce.
The report is the first to uncover a widespread cybersecurity gender pay gap, with a male professional in Europe earning £9,100 more on average than his female counterpart. This is despite the fact that Europe’s female cybersecurity professionals tend to be better educated and a higher proportion of them occupy managerial positions. In the UK, for example, 50% of female cyber professionals hold postgraduate degrees compared to just 37% of men, and 64% of women are in managerial positions compared to 57% of men.
This warrants further investigation to see whether this is caused by women being concentrated in part-time or lower-paid cybersecurity roles, or whether we are witnessing genuine gender discrimination. Whatever the case, more transparency over pay and action towards closing the gap are called for to attract more women into cyber.
Other forms of discrimination may also form an invisible barrier to women entering the profession. In North America, the study found that women are far more likely to experience workplace discrimination in cybersecurity, ranging from unexplained delay in career advancement to verbal harassment.
A workplace where women are both paid less and more likely to be subject to discrimination can make it harder to promote the profession to women. The lack of women in the profession also creates a self-perpetuating cycle with few established female role models to encourage the new generation.
Other barriers can be found in hiring behaviour. Far fewer women than men study STEM or computing degrees, yet employers tend to prioritise people with computing or STEM degrees in this field. This is not only holding women back, but harming businesses because cybersecurity skills are often found in people outside traditional ‘techie’ fields and such people bring more diverse perspectives to the profession. The required skills for cybersecurity, such as lateral thinking, problem-solving skills and understanding of risk management can be found in disciplines as diverse as business or psychology, and such people can in some cases be more rounded and have greater managerial potential than those more narrowly focused on tech.
Since there are so few women already working in the industry, increasing the intake naturally means being prepared to take on younger people and women who do not have previous ‘experience’ in cyber. Yet 93% of employers in Europe demand previous ‘experience’ and only 12% of the UK workforce is under 35. Generally, with 53% of the UK workforce over the age of 45, the need to open more entry-level doors is growing in urgency.
There are clear steps that industry could take to attract more women into cyber as they address their growing need for more talent. The government has taken welcome measures to boost cybersecurity education, which now needs to be matched by a greater willingness by employers to reach out to inexperienced millennials and invest in developing talent rather than buying it off the shelf. Employers could also draw from a wider set of backgrounds and degrees, including humanities and arts degrees.
This is no longer just an issue of increasing workforce diversity, but an issue of economic and national security. The cybersecurity skills gap is growing wider every time we survey the workforce, while the UK government recently recognised that this gap represents a “national vulnerability that must be resolved.” Attracting more women into the industry would significantly help reduce the shortfall in skills. Ultimately, the under-representation of women in the workforce can be seen as a threat to our future economic security, and making this link will provide the necessary impetus for change.
These issues were explored in depth in a recent Global Information Security Workforce Study debate – Women in Cyber: Why can’t we Attract Them? – hosted by Frost & Sullivan and featuring industry leaders including Dr. Sue Black, the leading computer scientist who helped save Bletchley Park.