Outmoded stereotypes, not enough female execs — there are many reasons for the low numbers of women in cybersecurity. Most (but not all) are easily fixed.

Even among technical fields, cybersecurity is known for having few women — in entry-level positions and up through the ranks. A recent study from Gartner Research on women in cybersecurity found that male security executives outnumbered female executives by 2.8 to one.

The lack of women in the field has become more of a concern for companies as mounting research, including the Gartner study, indicates that diverse teams tend to “make better decisions and generate more revenue.”

So, what is holding cybersecurity back from bringing in more women and, perhaps more importantly, from elevating more women to leadership positions?

SearchCIO interviews with women in cybersecurity show that factors range from lack of education and mentoring to unfriendly working conditions. Indeed, there is no one story that holds true for the career of every single female cybersecurity professional or woman hoping to enter the field. However, women who’ve forged careers in cybersecurity indicate there are some common problems that can be addressed to help bring in and retain females.

Hacker in a hoodie

One reason for the gender disparity in the field is the common image of the cybersecurity professional in the popular imagination — the hoodie-wearing male hacker working alone at his computer. While there are no doubt some women who identify with that stereotype, many others are put off by it, said Sandra Carielli, cybersecurity evangelist and project leader at Entrust Datacard Corp., a security technology company. Moreover, the reality of the job frequently doesn’t match up to the stereotype.

“A person who is in a corner hacking all day and isn’t able to communicate isn’t necessarily as valuable” to employers as someone who can talk to people about security issues, Carielli said. “A lot of cybersecurity is being able to communicate.”

The security work itself has a social aspect, because cybersecurity professionals usually work closely together in teams, said Sarah Miller, incident response consultant at FireEye Inc. “Work is emotionally intense and intellectually intense. You really end up bonding with [your teammates.]”

Rebranding cybersecurity

For Theresa Payton, CEO of Fortalice Solutions and co-founder of Dark Cubed, the cybersecurity profession isn’t about the lone hacker, but the white knight — someone who views technology as a way to improve people’s lives and keep them safe.

“I always knew I wanted to take care of people,” she said. Payton comes from a family with ties to the armed forces and grew up with the motto, “Protect and defend.” Cybersecurity is one way she can do that and she’s built that ethos into her company, Fortalice. She explained that women love working for Fortalice because the company ties everything it does back to, “How does this make a difference to the individual, company or government entity we’re protecting?”

Women in cybersecurity stress that education and transparency are key to revealing cybersecurity’s more social and helpful side. This includes mentorship and classes for women and girls, along with a public relations effort to combat the media stereotypes.

Abigail Hertz, security operations center analyst at Carbon Black Inc., taught cybersecurity at Artemis Project, a five-week summer program at Boston University for ninth-grade girls interested in science and technology.

The course made a point of giving female students more education on what the job entails and “showing people what the job is versus what they show on TV and movies,” Hertz said.

Payton agreed that communicating directly with women who are interested in cybersecurity is a good way to change the image. “Cybersecurity is a cool and hip field, and every day you’ll go home knowing that you helped people.” she said.

However, it’s important not to jump to conclusions about all women or to assume that the idea of being helpful is the only motivator. FireEye’s Miller, for instance, moved away from jobs in teaching and caretaking to start her career in cybersecurity.

“When I sit down at my desk, I’m not thinking about helping people. I’m thinking about how I have all of these interesting problems to solve,” she said. It’s important not to generalize women’s experiences or motivations when recruiting them. “Some women are really service-oriented and so this may pull them in, but if you present [cybersecurity] this way, you may lose out on women with other motivations.”

Expanding the talent pool

A frequent response to attempts to increase the number of women in cybersecurity is that the pool of diverse talent just doesn’t exist. Payton sees the issue differently. “We’re still using yesterday’s solutions, and if you’re still using yesterday’s solutions, you’re still looking at yesterday’s candidates,” she said.

Instead of looking only at people with standard computer science backgrounds, where men outnumber women, companies can find solid female candidates by looking in some less traditional places. Payton frequently answers questions on LinkedIn from women looking to switch careers from noncomputer science fields into cybersecurity.

“The technical skills are becoming less and less important,” agreed Roberta Witty, research vice president at Gartner Research. According to her research on what skills cybersecurity professionals valued for the future, the top capabilities weren’t technical, but social or business-focused: innovation, collaboration, adaptability, creativity and business acumen. These are skills that can be found among women from all different backgrounds, not just computer science, and that opens up a huge talent pool. “You can always teach the technical skills, but you can’t always teach collaboration or business acumen.”

Payton didn’t start her career with the intention of becoming a cybersecurity professional. “The career found me,” she said. She started working in banking while her husband was stationed in Jacksonville, Fla., and took a job at tech-savvy Barnett Bank. When the new CEO created Barnett Technologies, Payton started working there, volunteering for every cutting-edge customer service technology project the company had.

Untraditional paths to cybersecurity

Payton’s introduction to cybersecurity was born out of concerns specific to banks. She said, “When you’re on the cutting edge [of technology,] you tend to be on the cutting edge of money launderers.” Payton hated seeing fraudsters move from real life to online and decided to focus on stopping them.

Payton has seen both success and recognition from her nontraditional path to a career in cybersecurity. On top of being the CEO of Fortalice and co-founder of Dark Cubed, she was one of the cybersecurity professionals tapped by the White House to advise on threats following the events of 9/11. Payton believes that her experience in financial services was a major help to her work in cybersecurity.

FireEye’s Miller is part of the most recent generation of cybersecurity professionals who have taken a nontraditional path to a security career. Miller graduated from Bard College at Simon’s Rock in 2008 with a double major in psychology and linguistics. After college, she didn’t immediately move toward a technical field. Instead, she worked as an English Second Language Teacher until 2013, when she noticed a number of her friends going into IT. She researched the subject and discovered an unexpected affinity for cybersecurity.

Miller’s interest in cybersecurity didn’t stem from a sudden love of technology, but from her longstanding fascination with psychology. “[Cybersecurity] is all about looking at psychology and the human brain. That seemed really cool to me.” She explained, “All of the flaws or the loopholes that security uses are relying on the fact that computers are programmed and used by people.

“Understanding how people think helps you understand how malware works because it’s trying to fool the human brain,” she said.

Miller explained that her colleagues are occasionally surprised she doesn’t know certain basic things about computers, but she has always been able to pick up what she needs to know on the job. “I’ve never gotten anyone saying, ‘You’re not smart enough to do this,'” she said.

Cultivating respect for so-called women skills

Carielli sees stories like Miller’s as an important positive shift for women in cybersecurity. She wants to see people from fields like psychology, communications and public policy entering the field.

Unfortunately, Carielli isn’t seeing a lot of respect for the so-called soft skills women coming in with diverse backgrounds can bring to the table. “I think one of the things that really hurts us in cybersecurity is that there is a lack of appreciation for certain types of skills,” she said.

These tend to be skills that, while not necessarily more prevalent among women, are often associated with women in people’s minds. “If a lot of the skills that are stereotypically aligned with women aren’t respected, that’s going to cause problems.”


Written by: Jessica Sirkin

11th November 2017