Cybersecurity has a way to go before the gender scales are balanced. Today, women represent about a quarter of the industry, according to an (ISC)² study last October, and 17% of Fortune 500 chief information security officers (CISOs), up from 14% just two years ago.
The issue is not just about parity. As Jen Easterly, the first woman to lead the nation’s powerful Cybersecurity and Infrastructure Security Agency (CISA), told Endpoint, “The gender gap that exists today in the cybersecurity workforce contributes to the overall cyber workforce shortage that persists in the United States and globally, which ultimately makes us less secure as a nation.”
That should concern everyone.
A wave of cyberattacks on hospitals, meatpacking plants, water supply systems, and gas pipelines shows how U.S. critical infrastructure remains vulnerable. That’s not to mention the cost to government agencies and to enterprises both large and small. In just the first half of last year, CEOs and their boards of directors reported a suspected $590 million in ransomware payments, according to the most recent figures by the U.S. Treasury.
Hiring women in cybersecurity could decrease those losses and make us all more secure. To help CEOs, CIOs, and CISOs narrow the gap, and to mark the celebration of International Women’s Day (March 8), the editors of Endpoint have assembled advice from our experts over the past year. We’ve also spotlighted the industry’s leading role models (like @CISAJen), who have taken it on themselves to lead the way for others and offer guidance on how they got there.
Overcoming sexism, pay disparities, and brogrammer culture in cybersecurity
The cybersecurity industry has rapidly expanded over the past 20 years. But its gender mix has remained relatively flat, and support for women is wanting. A 2017 (ISC)² study found that 51% of women in cybersecurity faced unconscious bias, unexplained delay in career advancement, tokenism, and overt discrimination. That’s been the experience of Lauren Bean Buitta, who created the nonprofit Girl Security. Its goal is to help girls, women, and gender minorities advance in cybersecurity and give them a voice in an industry where their opinions are often overlooked.
If you are not seeing any women leaders, you are not going to identify with that pathway.Buitta cites a major disincentive to women engaging in the field of cybersecurity: the lack of role models. “If you are not seeing any women leaders, you are not going to identify with that pathway,” says Buitta. Finally, that is beginning to change and in a very public way
Since becoming director of CISA in July 2021, Jen Easterly has become the face of national cybersecurity. She fought hard to get where she is (a graduate of West Point, a Rhodes Scholar, the recipient of two Bronze Stars, special assistant to President Obama, and senior director of counterterrorism). Her agency is both spearheading a recruitment drive to bring in fresh cybersecurity talent and overseeing a security crackdown at federal agencies—two strategies central to the Biden administration’s effort to strengthen the nation’s digital security defenses.
An inspiration to young women entering the cybersecurity field or considering it, Easterly is committed to her mission of recruiting more women for federal cybersecurity roles: “We’re leaning in hard on this,” she says, “and excited to make some real progress in closing the gender gap.”
Filling the cybersecurity gender gap in state and local governments
In 2020, at least 79 ransomware attacks targeted state, local, and tribal entities. The attacks led to downtime in 30 states and affected 71 million citizens, according to a report by the consumer security site Comparitech. The problem?
State and local governments are understaffed, often to a shocking degree. There’s a worker shortage across the board in cybersecurity. Many governments simply don’t have the resources or the people to do the work. When they have people, they often don’t even know how many.
When I was in Arizona, we started a college internship program to attract talent.That situation, while dire, is an opportunity, says Jennifer Pittman-Leeper. She was previously in charge of setting cybersecurity strategy for the state of Arizona. From her perspective, state-level cybersecurity jobs are an excellent opportunity for women to make an impact in the industry.
“When I was in Arizona, we started a college internship program to attract talent,” says Pittman-Leeper, who is now customer engagement manager at Tanium. “We placed interns in our Cyber Command Center and also rotated them around different cybersecurity teams to give them a well-rounded experience. We also talked to students at high schools about going into cybersecurity and gave them tours of Cyber Command. And while we were doing that, we worked to close the gender gap in IT by talking to girls about their career options in the field.”
Educating a generation of women cybersecurity leaders
The past year’s ransomware attacks on businesses, infrastructure, and federal agencies have intensified the need to hire tech-savvy professionals from an expanded and nontraditional talent pool. In fact, information-security and engineering jobs are expected to grow by nearly a third between 2020 and the end of this decade, according to the Bureau of Labor Statistics. This year alone, 500,000 info-security jobs in the U.S. will go unfilled, according to estimates by the Aspen Institute’s Cybersecurity Group.
One program reaching women, minorities, and other underrepresented communities is NPower. The 12-year-old nonprofit, with backing from heavyweights in banking (like Citi) and cybersecurity (like Tanium), has trained more than 6,000 students so far. Its goal is to create pathways to prosperity, to move low-income people to the middle class through tech training.
NPower is tuition-free, with half-day courses offered in the spring and fall. Applicants do not have to pass an entrance exam, but undergo a screening interview to assess their aptitude for the program. Students start by enrolling in the baseline Tech Fundamentals class, after which they can advance to CompTIA cybersecurity and cloud-computing certification training.
“What we’re doing is helping students get certifications that are relevant to the market,” says Matt Velez, a self-described “man of color” and director of strategic partnerships at NPower. “We wanted to create opportunities for individuals like myself who come from underserved communities and want to work—to learn—and have a passion for technology.”
Teaching the tech teachers
One hurdle to bringing more women into the field of cybersecurity is that, overall, computer science is not treated with the same level of importance as other primary school subjects in the U.S.
For example, most U.S. high schools have “departments” for math, English, social studies, and science. But there is often only one person who teaches computer science, which is fast becoming one the most essential subjects—if not the most essential—that today’s children need to learn.
I wouldn’t have found my calling in this rewarding field if it weren’t for my high school computer science teacher.Early instruction, says Jake Baskin, executive director of the Computer Science Teachers Association (CSTA), is critical to filling tech and cybersecurity jobs and far from where it needs to be.
Baskin’s CSTA provides resources for K–12 teaching levels. These include classroom materials, professional development resources, and certification opportunities. The nonprofit’s work reaches far beyond district-level issues: It supports a platform of nine CS education policies it hopes to see enacted in every state.
“Introducing young students to cybersecurity principles can tremendously increase their knowledge and drive their interest in pursuing cybersecurity careers as adults,” says Charles Ross, chief customer officer at Tanium. “I am certain I wouldn’t have found my calling in this rewarding field if it weren’t for my high school computer science teacher.”
Kode With Klossy—If anything can dispel the stereotype of the geeky IT guy, it’s this nonprofit founded by (yes) supermodel Karlie Kloss. The group hosts free coding camps across the country for girls and nonbinary individuals ages 13 to 18.
Women CyberSecurity Society—Canada’s first and only women-in-cybersecurity nonprofit, providing coaching and guidance for the code curious.
Women in Cybersecurity (WiCys)—Launched in 2021, this global organization helps aspiring and established cybersecurity professionals share knowledge, network, and mentor. It has chapters across the U.S.
The Women in Cyber Mentorship Programme—This project of the International Telecommunications Union (ITU, a specialized agency of the United Nations) connects cybersecurity role models with talented women in Africa, Asia, and the Middle East. Interested mentees may have two to three years junior-level experience in cybersecurity, or be seeking to enter the cyber workforce from another field. Interested mentors should have senior or managerial experience in the field. Application deadline for 2022: March 31.
Women Know Cyber: The Documentary—This 50-minute film is inspired by the book Women Know Cyber: 100 Fascinating Females Fighting Cybercrime, by Steve Morgan, founder of Cybersecurity Ventures. It features leaders in the field, including Deneen DeFiore, VP and CISO at United Airlines; Emily Mossburg, Deloitte global cyber leader; Alissa “Dr Jay” Abdullah, SVP and deputy CSO at Mastercard; and Diane Janosek, training director of the National Cryptologic School at the National Security Agency, among others.