Cybersecurity Has a Staffing Problem, and the Solution Is Women
According to Gartner, women currently represent about 20 percent of people working in the field of cybersecurity. If my math is correct, this means 80 percent of the cybersecurity workforce are men. Though this is a drastic delta, it is by no means surprising to me as a woman in cybersecurity.
The majority of security industry veterans are men, as are my security colleagues and our customers. Women are definitely represented in the industry, but if we're going to fill all of the current and future roles we must entice women in the workforce to join cybersecurity in drastically higher numbers. The question is, how?
The Department of Labor released data showing 2019 as the first time women held more jobs in the workforce than men. If women have a greater presence in the workforce than ever before, why don't we see a more even distribution between men and women in cybersecurity?
I've identified three key areas where changes should be made in order to show the majority of the workforce (women) that not only is cybersecurity an option, but that it should be their first choice.
How is cybersecurity portrayed?
When you think of a hacker, what comes to mind? Do you think of a woman wearing a black hat, driven to bring the world to its knees? If you answered no, you are not alone. Hackers, or adversaries, are almost always portrayed as men. There are women hackers out there, but the messaging to the world — be it in commercials or movies — is that hackers are bad guys. When you think of someone coming to investigate a cybercrime, do you inevitably think of the "men in suits"?
Whether it's intentional because the majority of cyber professionals are men, or subconscious, cybersecurity has historically depicted itself as a male-dominated space. This messaging isn't lost on people who aren't as familiar with the industry.
If you asked someone on the street what "cybersecurity" was, you would get "hackers" or something that looks and feels very technical. In actuality, there are many different cybersecurity opportunities that don't need a deep technical background, but that is not the message our industry is giving the workforce.
Cybersecurity impacts all of us, man or woman, and with around 3.5 million current job openings, it needs a deep pool of qualified resources now more than ever. With cybersecurity being a major factor in all we do — eating, sleeping (think smart mattresses that record your sleep patterns in an application), traveling, shopping — communicating a broad message to a diverse audience is a must.
If we want to bridge this gap, we need to take a look at not only how we are messaging cyber to the world, but how we are messaging cyber to the workforce.
From STEM to stern
When fighting a battle at sea, ships require more than just deckhands. There are engineers, cooks, doctors, chaplains — the list goes on. These are critical components required to ensure the success of the battle at hand. Why would cyber be any different?
The trend that I'm seeing is an industry focused on recruiting an engineer to do the job of a doctor. We should look at recruiting BOTH, not just one, and then squeezing where they're needed. If they're kind of a doctor, is that good enough?
A 2018 Nature article points out: "Although both female and male employees train extensively in computer science, information and engineering, women's degrees are more likely to come from fields such as business, mathematics and social science."
I've personally seen when recruiting for positions that the marketing of those roles is aimed at candidates strictly with technical backgrounds and degrees.
Non-technical specialties like risk analysis, policy and governance are fundamental to a strong, successful cyber program — one could argue that these are the foundation of cybersecurity.
If we are portraying cyber as a field for only those with technical backgrounds, we are immediately and drastically narrowing our pool of candidates and doing our cyber programs a disservice. If we are then looking at those candidates with non-technical degrees almost as an afterthought, we are emptying the pool even more. If things like risk analysis and governance are truly foundational in a cybersecurity posture, candidates that come from business or liberal arts backgrounds are likely the best possible choices.
I'm not saying that a technical background is not imperative when it comes to security, or that those pursuing technical backgrounds are less important. Analysts, engineers and architects are also foundational to the success of any program, but not exclusively. We need to couple the technical human capital with those that have a strong background in governance, administration and critical analysis.
This balance is what we should be striving towards, and it's vital to the industry's success moving into the future. The marriage of the two is how an organization builds true cyber resilience.
Finding "the right seat on the bus"
Among our many great mottos, we often remind team members about "finding the right seat on the bus." This means we find the right people first, and if we're correct in hiring them, they will then find a position where they can excel and thrive. Cybersecurity needs to adopt this motto, and it's particularly true when it comes to education.
Don't think of it in the traditional mode of, "you need a degree from this school, in this field." If our goal is to show women that cyber is for them, the education has to start early and often. WWT is a leader in the tech space, and our goal isn't to alienate girls when they're in high school. Rather, it is imperative to show that cyber isn't all coding and computers.
Educating young women on the myriad of opportunities that cyber has to offer empowers them to consider a career in cyber even if they're not entering into a traditional IT program at college.
When you find the right person, don't stop encouraging them to grow and to train. Once you remove the barrier to entry, everything gets easier. If you told me that when I got out of college I would know what it takes to monitor endpoints or I would be able to discuss an application stack and its dependencies, I would have laughed.
Here I am today, and I do have that knowledge. It's not because I went to school to learn this expertise, it's because I had great leaders who encouraged me to grow.
Mentorship, especially if there is an opportunity to match a woman with another woman, is something that should almost be mandated. I work with and mentor young women on my team, and it's unbelievably rewarding. Talking to them on a regular basis and helping to guide them through a field where they will almost always be outnumbered is critical to their development. I receive feedback that this approach has helped tremendously, and they will almost certainly continue the tradition as they find young women to mentor themselves.
Cybersecurity does indeed have a staffing problem, and it's only going to get worse. If we want to close the gap, we need to see more women entering the industry in greater numbers than at present.
We need to look at how we message our industry and expand how cybersecurity is portrayed to the world around us, including how and who we are recruiting and for what roles. Our ship has many different roles to fill, and we need to take a hard look at how we are currently approaching it and what we can do to expand our resource pool.
Finally, we need to be talking about it with anyone who will listen. Cyber needs to be a leader in growing awareness, inclusivity and representation through programs targeting the next generation of women professionals.