Where are all the women in cybersecurity?


The news that BT has announced it is going to recruit 900 additional people into its security business during the course of this year is welcome indeed. Some 170 of these positions will go to graduates who have trained at the BT Security Academy, which is equally good news. Less so is that, statistically speaking, it’s likely that fewer than 100 of the total will be women.

According to the Women’s Society of Cyberjutsu only 11 per cent of those working in the cybersecurity industry worldwide are women. That is, frankly, a shocking statistic and one that shames us all as an industry.

The Symantec CEO, Michael Brown, recently told Forbes that global demand for cybersecurity skills will outstrip supply by a million and a half people in the next three years. That suggests the gender gap could be playing a part in the shortfall, and drives us here at IT Security Thing to ponder why there’s such a gender gap in the IT security business at all.

A hint can possibly be found in an interesting article called ‘How myth of meritocracy stymies women in infosec’ in which Carole Fennelly, a security veteran of more than 30 years’ standing, says she has been reluctantly complaining about gender discrimination for years despite just wanting to be considered for her work record. A total of 11 female infosec professionals were interviewed for that end-of-2015 piece, and they all shared a similar belief that the infosec industry simply isn’t a meritocracy.

So ITST decided we’d ask the great and the good of the industry whether they felt the gender gap was acceptable and what can be done to shrink it. We also asked our women contributors if they had encountered any gender-specific problems in their cybersecurity career. The responses were numerous, and sadly not all that surprising.

Some were, however, truly saddening. Take, for example, Jennifer Arcuri, who is the CEO and founder of Hacker House, which describes itself as being ‘London’s Google Campus for Next Generation Cyber Elites.’ Jennifer explained how she has worked in the cyber field for three years now, and while insisting that “women in cyber are here, and those of us that are love our work,” also admits it can be a hard place to be. “I taught myself to be technical,” she says, “and then went on to get all the certifications for it because I knew as a woman I wouldn’t be taken seriously.”

Jennifer reckons that the little letters at the end of your name make people feel better, especially as a woman. “If women simply were able to come join us in cyber to help drive innovation,” Jennifer told us, “I am certain the industry would benefit.” Unfortunately, she has experienced many of the things that act as a barrier to women in cybersecurity including the pretty much misogynist attitude of some men. These are genuine things that she has been told:

“You’re lucky you’re pretty,” and, “Oh, look someone knows how to memorise big words,” and, “did you seduce your truth or was there any technical knowledge there?”

Vickie Miller, CISO at FICO (formerly Fair Isaac), also knows what it means to be a woman in the male-heavy security industry. She’s been at FICO for over 15 years and watches over the firm’s security and privacy, but argues that while there is an imbalance in gender within cybersecurity it’s not necessarily a man’s world.

“Most of the essential skills needed for this job are not gender specific,” Vickie told ITST, “you really need a sense of humour, an inherent sense of fairness, and curiosity.”

If there is a difference, it might be answered in the way boys and girls play and eventually how they work according to Vickie. “Girls are encouraged to play and work in a collaborative way, so I’ve seen women generally build and cultivate strong, successful teams. Men tend to be individual contributors who drive forward with less collaboration. Women have as much influence to come up with a plan, solution, or product and be autonomous, but see value in sharing their success and bolstering the team.”

Then there’s the confrontational nature of the job, which may lead many to think it is better suited to men. “I think this is where many women come into their own,” Vickie counters, “as the ability to communicate and understand all aspects of a problem – all stakeholders, all perspectives – is key to successfully implementing cyber security measures, and I’d say that a fundamental female strength is this kind of understanding.”

She is also sure that more can be done to gain traction in schools in order to attract more women into the industry. “If more women were aware of what the role of CISO entailed,” Vickie concludes, “they may find it a more attractive route of profession. Rather than becoming interested in one area of IT, cyber security allows you to have variety as you have to know a bit about all of it, so it’s great for multitaskers and anyone who is interested in the psychology of why people do things.”

When Megan Goldik, a fraud data analyst at NuData Security, started on her career path in 1998, she says she had no idea about cyber anything. “In the last 10 years or so,” Megan told ITST, “the impetus to belong to this huge up-and-coming sector has shifted for women, and has little to do with talent or opportunity. Keep in mind that in the US, according to a 2013 study, there are twice as many men in science and technology fields as there are women, however, women have been proven to be better at critical, analytic and intuitive thinking.”

Megan has only worked with women analysts over the last 18 years; however, she has always worked in manual PII and PCI or e-comm fraud security – not technically “cyber” security if you are leaning towards “cyber” being part of IT and not part of Risk management.

“I have only now moved towards more of an IT aspect of security; and my boss is a woman,” Megan says. As for gender problems, Megan insists that she has “never encountered any friction by peers or others as a result of my gender/race/age – or if I did, I did not notice it.”

Then again, she admits that female analysts may not be the prime target of gender bias, as she has only encountered other women working with her. “I think that when you get closer to data science and tech, or cyber security fields that are filled with STEM graduates,” Megan concludes, “the ratio could give the impression that women are under-represented due to gender. There are, I am sure, several reasons for women not going into science fields as much as men, however, I am not in any position to argue those points. Maybe the next 10 years will be different?”

Qurat Anwer also works at NuData Security, as head of data science. She reckons that “the lack of women in this space is clearly a function of the minority of women in technology jobs in general. But as a woman who gets just as excited about the ever-extending frontiers of cybersecurity as the next guy, it is sad for me to see that this trend is not going away any time soon.”

Running the data science team for NuData Security, and having been in the field for almost 10 years, Qurat has seen that not many women are welcomed in the interview process at the onset – not that many actually apply to these positions in CS.

“There could be several reasons for that,” Qurat told us, continuing, “the requirements are getting tougher for these positions. You should have the knowledge and education and then you must have participated in hackathons, which are not very female-friendly to start with. Then, to top it off, the salaries are gender biased in most other companies. Many of us don’t want to apply to the position where we’re not equally treated in terms of benefits, in particular, when we are equal in experience and capabilities.”

And, of course, the hacker culture prevalent in the cybersecurity world demands exceptionally long hours, late nights, and highly focused and almost obsessive behaviour, which could be another of the reasons as well.

“Also, women face difficulty in building and belonging to a network of like-minded peers in such jobs,” Qurat says, “and without the proper and supportive network, it is highly unlikely that women who come in this field can stay long. This makes me so very thankful to be with a supportive, and edgy company where I am leading a team of incredible data scientists.”

Stacia Topping, engineering programme manager at HPE Security, is concerned that recent studies (by the NICCS and ISC2 for example) actually show a slight decline in the number of women in cyber security. “The question shouldn’t be whether there are, or aren’t, enough women in cyber security,” Stacia insists, but rather “should be focused on how to attract more minorities overall to the field. In a field that is rapidly expanding, the number of qualified professionals, women and minorities included, is not keeping pace with the growth in the industry.”

So what can be done to increase the appeal of a cybersecurity career for women? “There are numerous points to be addressed in resolving the gender/minority gap in cyber security and IT too,” Stacia told IT Security Thing, continuing, “the gender/minority gap cannot be resolved without commitment to driving and funding initiatives to attract women and minorities to the field. Greater commitment to and investment in educational programs, such as STEM programs, for girls and minorities is needed.” Of course, many of these programs and initiatives are relatively new and will require continued commitment, funding and exposure to yield effective results.

“Commitment to women and minority leadership initiatives within organisations is also another point to be addressed,” Stacia says, “much has been published in the media within the past few years about the topic of women’s leadership and the number of women in upper management, and yet the statistics for women and minorities in those positions still reflect lower numbers and slower growth than would be expected.”

One woman who has found a leadership position in cybersecurity is Sharon Trachtman, Radware’s CMO. She wonders if the gender gap may have a military basis. “In many cases professional experience is based on past military experience,” Sharon says, “which means fewer women participate, even compared to technology in other domains. But in technology, in general, there isn’t an equal participation of men and women.” As for what can be done to redress the balance beyond the general awareness and importance thing, Sharon says “creating more opportunities for women to develop their expertise through specialised courses in universities and as professional development courses” is key, along with the creation of “cybersecurity groups for women in which they can network and share knowledge.”

Kitty Shih, VP of Engineering for Centrify also looks towards university courses, but wonders if the shortage of women in cybersec is down to “a lack of women enrolling in computer science and math programs, which are a prerequisite for a career in cybersecurity?” Kitty hopes this can be addressed by such things as “programming bootcamps for female teenagers, as well as special programs to encourage women to pursue a career in computer science and engineering. All these will help to grow the number of women to further develop interests in cybersecurity.” Kitty admits, however, that to achieve this “we need to start early – from girlhood onwards. We need to combat the stereotype that girls cannot excel in hard science like boys. It is much harder to combat this self-image later in life.”

Next we spoke to Lise Feng, Director of Corporate Communication at CipherCloud who told us that whether there are enough women in cybersecurity rather depends upon how you measure participation. “The industry is tone deaf to only consider women in technical roles for measurement,” Lise says, “women in sales, legal, marketing and other non-technical roles make other necessary contributions to their companies.”

According to transparency data from tech firms, women account for closer to 40 per cent of the workforce. In addition, we can expect that number to grow as the technology sector, particularly in the last couple years, has been pushing diversity inclusion aggressively. As for what can be done to increase the appeal of a cybersecurity career for women, Lise says that “cloud, big data, mobile/IoT technologies are creating privacy challenges that present huge opportunities for cybersecurity to address. It’s exciting and fulfilling to contribute to this growing field. Additionally, the financial compensation of working in cybersecurity is enticing, especially for those with the right technical skills. Because most cybersecurity firms are privately held, even non-tech employees stand to make a decent to excellent windfall if their companies make a successful exit.”

As for working in the industry as a woman, Lise says that she’s had a great experience working in cybersecurity. “I’ve met many smart, passionate people,” Lise told ITST, adding “over a 10 year career, you’re bound to have some awkward moments, but these don’t add up to a problem. I once had a boss who thought I would have fun dressing up for a conference and pitching to male attendees on our social campaign. He reasoned that I had open time and was single. Uncomfortable as the moment was, it was one instance.”

Emma Whittemore, Project Manager at MWR InfoSecurity, thinks the problem is very much not the lack of women in the industry overall, but the lack of women in technical roles. “Then again, there aren’t enough men or women in cyber security full stop” Emma insists, continuing “I believe that a lack of awareness of the cybersecurity industry and the career opportunities within it, results in fewer people considering a career in cybersecurity.” Running events such as HackFu has been a good way of getting people in graduate positions or those in adjacent industries interested in cybersecurity according to Emma. “This is because it displays the fun and nurturing side of the industry which is appealing, but it also provides the environment to have a go at learning skills in a supported environment.”

Jennifer Steffens, CEO at IOActive, reckons there has been a lot of growth in the number of women working in cybersec, at least within her personal experience. “I work with significantly more women now than I did even five years ago,” Jennifer told IT Security Thing. “The numbers are still low as a percentage though and it’s really a shame that still more women don’t choose to apply their talents and skills in cybersecurity.” You don’t have to look far to see the disparity, just go to any security conference. “I’ve had women confide in me how intimidating the myriad of conferences can be because we are so overwhelmingly in the minority,” Jennifer agrees.

This is not a unique problem to cybersecurity of course, as we see a similar gender gap across all STEM fields, where it’s crucial for women to get engaged at early ages to compete and be successful. “Like other STEM fields, cybersecurity hasn’t been overwhelmingly or inherently appealing to young women in general, in fact it has, arguably, been an even steeper uphill climb because of all of the bad press that comes out of the space.” Jennifer concludes, “we as an industry need to do a better job shining light on the many positive, important, and rewarding aspects of cybersecurity for more young women to identify it as a viable and compelling field and explore it early on. Fortunately, cybersecurity is a rapidly growing, yet still relatively young field, and I believe as it continues to expand and increase in importance across a wider spectrum of products (IoT anyone?), the more we’ll see exposure and interest amongst young women on the rise.”

Katie Price, principal consultant at ECS Security, thinks the immediate questions we should be asking are “what skills and traits are immediately transferable to cyber security roles?” and “how can we get people with these skills and traits interested in a move to our field?” This will help us in getting talented people, and also ensure that we have new ideas and fresh perspective, which is also very important. Why women are under-represented in science, technology, engineering and mathematics fields is a separate, and very valid question. “The answer to this question is not simple, and research has highlighted multiple theories as to why this is, and what can be done to address it,” Katie says.

“I’m no expert here, but from what I’ve read, most are longer term initiatives.” Although Katie says she hasn’t encountered problems as such, there have been times when she admits she has felt the pressure “to do more to have others accept my credentials than male counterparts.” Even then, Katie says this wasn’t problematical as “while sometimes you do need to get past the preconceptions of others, my experience has been that if you do good work, your colleagues will respect you.”

When Limor Ostrowski, CISO at Varonis, managed a team at a top professional services company at its ICT center of excellence in the Netherlands, she recounts that she was the only woman in a team of over 80 infosec professionals. “At the time, the security teams for many of our customers, which were global companies across all industries, were also comprised mostly of men,” Limor tells us. “I, of course, wanted to hire and manage a diverse team, but unfortunately female applicants, at least in Israel and the Netherlands, were few and far between.” Prior to that role, Limor headed up the firm’s infosec practice in Israel where she was also the only woman, and she puts this down to:

“The cybersecurity arena is unpredictable. If you are working in the first line of defence, one needs to be able to respond to challenges 24/7. When I didn’t have kids, it was much easier to travel extensively, respond 24/7 and work 100 hours a week. Some women with a family, especially small children, may find that challenging as work life balance is not an option.

“In our industry, I don’t see many men who have families compromising their careers to be more available for their kids. This is about the traditional role of the women in the family, and it exists even if you are educated, secular, and career driven. However, in the last year or so, after giving birth to twins, I knew I needed to be in a more family-friendly environment, and Varonis has proven to be a good fit. In Israel some of the most successful women I’ve met are army veterans. They’re very familiar with the technical jargon and culture, which in the infosec space originated in the military. If you don’t have that level of experience and understand the culture, some may consider it difficult to fit in.”

In order to keep the gender balance in our own reporting, we also asked a couple of blokes in the business for their opinions. Steve Brown, Programme Manager of the Next Tech Girls initiative, told us that while there are multiple reasons for under-representation of women in cybersecurity, one of the key barriers is the misconception of what the role involves. “In discussions that I have had with girls studying ICT and computing at GCSE level, I found that the majority believe that tech was limited to coding and simply didn’t understand the breadth of opportunities in this area,” Steve says, continuing “if we are to encourage more women to pursue a career in IT risk management we need to engage with young females at an early stage, before they have made a decision on further education or employment routes.”

Adrian Sanabria, Senior Security Analyst at 451 Research, isn’t generally in favour of approaching issues like discrimination from an arbitrary point of view. “While I think the perception is overwhelmingly that there’s an issue with women feeling unwelcome across most tech careers,” Adrian says, “my nature is to immediately try to separate emotionally-driven perception from reality.” His personal experiences suggest that there is an issue to address, but to address it, it has to be investigated and have some way of being properly quantified. “The most visible issue I’ve seen is the stereotypical assumption that a woman wouldn’t be in a deeply technical role,” Adrian told ITST recounting how women researchers at conferences are often mistaken for marketing folk.

Because security is generally not an entry-level career, but an option to choose mid-career, the problem ultimately lies in the careers that people come to security from. Overwhelmingly, those are tech careers. “In conclusion, I believe that focusing on issues with women entering or leaving tech and IT fields must be addressed to have a significant effect on any issues in security,” Adrian insists, “the fate of most security jobs is married to the tech fields they aim to protect and the issues in those fields. I think a better understanding of how the security industry works is critical in attracting new people to it: men, women, minorities.”