Why more women aren’t CISOs and how to change that

Cybersecurity has been a male-dominated area and the reasons behind this include fewer women pursuing STEM careers and conscious or unconscious bias when hiring and promoting. The number of women taking on the CISO job is increasing and CSO spoke to four women who shared their experiences and tips to become a CISO.

It’s important to gauge the size of the challenge first. Women are estimated to make up just 11% to 24% of the profession globally, according to the Women in Cyber: Exploring the Barriers, Redesigning the Profession report from the University of Queensland, Australia.

It’s a misconception that only technically educated and skilled people are employed in cybersecurity, yet this directly impacts the perceived competency (and hiring) of women in the profession. Added to this, there’s also a misplaced perception of women in cybersecurity as technically inferior. When it comes to hiring practices, unconscious bias in the selection process in an industry regarded as male dominated means women are less likely to be hired, regardless of experience and qualifications.

A ‘boys club’ mentality reportedly operates in workplaces and extends into seminars and professional retreats. According to the report, it is even adopted by some women who self-identify as technically skilled, creating a distinction from other women they consider non-technical, although this may be a self-preservation technique in a traditionally technical, male-dominated industry.

Across their schooling and in general society, there are few role models and limited encouragement for women to enter the profession, not helped by the industry’s reported long hours, unfriendly work environments, and male-dominated teams.

Breaking down barriers for women in cybersecurity

‘I fell into cybersecurity’ is a phrase more women than men will say when discussing their careers. It’s no surprise given their under-representation in STEM subjects at school and university courses.

“The proportion of women in those courses is low,” says Kate Raulings, CISO with the Environmental Protection Authority in Melbourne, Australia. It feeds into one of the major barriers to women breaking into the field — prioritizing candidates with the typical computer science degree and not placing more value on other qualifications, professional accreditation and workplace experience. “I don’t have an IT background, and that’s common with a lot of women, and it’s one of the challenges for this type of a role,” she says.

Requiring a degree or post-graduate degree in computer science can lead to an institutional bias. “If you’re asking for a qualification that has a bias built in, that’s one of the barriers to entry,” Raulings says.

Being regarded as a highly technical, specialized and male-dominated profession can put women off entering cybersecurity, especially those with a non-technical background. “It’s like they speak their own language,” says Raulings of the perception that the role is only suitable for those with an undergrad or postgrad computer science degree. “Working in highly technical environments hasn’t bothered me, but if you don’t have that background, it can be a challenge. It’s easier to dismiss people,” she says.

Raulings believes a broader range of skills need to be valued, including technical, governance, risk and communications, given it’s increasingly important for CISOs to effectively convey technical information to management and staff. “We need to promote alternative pathways and skill sets, but it’s one of the challenges we haven’t quite overcome,” she says.

This idea that cybersecurity is a purely technical profession has led to a kind of “institutional blindness,” where roles have been stereotypically defined, with limited recognition of diverse career pathways. “Security has been a very clandestine world, but as more women are entering the field, it’s opening up and you don’t need to only have a networking background,” says Clea Ostendorf, field CISO at Code42. “As the scope broadens in how we’re trying to solve problems, more women and diverse opinions are going to be welcomed.”

She says that hiring people who have the skill sets needed is one way to get around this historical in-built bias and expand the types of people who are qualified for interviewing and hiring. “If you need somebody who does investigations, find somebody who’s curious. If you’re building a program around education and adult learning, why not look to educators?” she says.

Reframing the technical vs non-technical division between CISOs

A distinction is often made between the “technical” and “non-technical” women CISOs. Depending on their background, women may define themselves as one or the other. However, it could be hurting them by diminishing the range of skills and expertise they hold across different areas. Women who haven’t come through the traditional pathways have had to overcome this bias, but it can be a stigma that lingers, stemming from an idea that they’re not adequately qualified or have to prove their bona fides for the CISO role.

A better demarcation could be made between more technical CISOs and more strategic, risk and governance CISOs, the latter being something women are very good at and which needs to be valued, according to Olivia Rose, faculty at IANS Research, CISO and founder of Rose CISO Group. With more demands on the CISO’s role, there’s a greater breadth of skills and expertise needed beyond the purely technical. “Technical CISOs have been learning they don’t always have those skills for translating technical concepts into strategy and presenting this to the board, and they need to learn these skills,” Rose tells CSO.

Adhering to a division between technical and non-technical may also come from a fear that if there’s a breach, it will become an issue. A case in point is the Equifax breach, where much was made of the fact that the woman CISO had a non-traditional background. “It was blown up and became the story, but it had nothing to do with it,” says Rose. “If that was a man, there’s no way it would have even been seen as a blip.”

The challenge of balancing family with the CISO role

CISO burnout is real and, with budgets and headcount constrained, it’s not getting any easier. Women CISOs who are also parents face the additional challenge of juggling family life with an oftentimes highly stressful, demanding and even 24/7 role.

When someone takes on the CISO role, they go into it knowing the demands of the job. Even so, the overwhelming responsibilities of a CISO may not comfortably align with the responsibilities of having a family. “You can hire good people who can give you some time off at night, for example, or a security operation center that can respond to some events. However, the problem comes into play when you don’t have the resources or your budgets are cut to afford these,” says Rose.

On a practical level, industry events scheduled in the mornings, when school drop-off happens, or after work, when children need to be collected from daycare or after-school care and then fed and looked after in the evening, are logistically difficult for working mothers to attend. “Dads can be parents too, but as a rule, women tend to be the ones with the family duties or caretaking for elderly parents,” she says.

To help make it easier, event organizers need to consider the timing and whether the kinds of events, such as boozy dinners or extreme team bonding experiences, sit comfortably with everyone’s schedules and interests. Rose, who is connected to many women in the profession, is often asked by organizers about the lack of women in attendance. She tells them why the timing of events in the mornings or after work overlooks that working mothers have responsibilities at home. “If you’re a working mother, you usually can’t just show up at an event at 5.30 pm,” she says.

Rose moved into consulting and founded her own practice to create a balance that better suited her situation. “The CISO has ultimate responsibility. It can be a difficult field, especially for women.”

Tackling the obstacles to women’s participation

Unconscious bias can be one of those things that makes it harder for women to become CISOs because it can impact their perceived competency and promotion. Daniela Fernandez, head of information security with PayPal Australia, has taken the technical path and as such hasn’t faced challenges in relation to technology knowledge and qualifications. But in progressing her career through leadership, she’s faced some unconscious biases due to her “identity as a Latino woman and the fact that English is not my native language,” Fernandez tells CSO.

Fernandez has tried to use her unique perspective and background to propel her career. She encourages other women to create a network and advocate for diversity and inclusion. For her own part, she has worked to be visible by putting herself out there for other women to see, even if it feels unfamiliar or like taking a risk. “There is a lack of representation, and the absence of women role models makes it difficult, especially for young women, to envision themselves succeeding in the field,” Fernandez says.

She’d like to see programs across primary, high school and universities to encourage women into the profession as well as support for women already in the field who may want to advance to a leadership role with mentors and others who can help them.

Stereotypes, biases and a lack of representation are the main challenges that women face, says Fernandez. Improving diversity and equity extends beyond being a women’s problem; it requires everyone working together, including the many men who are supportive of these initiatives. “By connecting with allies who can help turn the dial on making changes and getting involved with groups that promote diversity and inclusion and provide support to others who may be facing similar challenges,” Fernandez says.

Organizations need to support efforts to improve gender participation as part of their wider efforts to improve diversity, according to Raulings. “If you’re trying to promote innovation, you actually want diversity of thought.” It’s the people who come at a problem from different, unique perspectives and backgrounds who together will collectively help to find an outcome or a path through that you wouldn’t necessarily find otherwise, Raulings says.

However, it requires organizations to execute this at every layer, at every opportunity, across every process and every individual. “The organizations doing that well are the high-performing ones that outstrip their competitors, when it comes to key indicators, from financial performance to satisfaction,” Raulings adds.

Code42’s Ostendorf concurs: with so many different types of users interacting with technology, it makes sense and is vital to have different input when it comes to security. “You’re missing an opportunity to bring into the fold these different points of view, if you are only focusing on what you’ve always done,” Ostendorf says.

How to improve women’s participation in cybersecurity

Fernandez wants women entering or considering the profession to believe in themselves and their abilities from the outset. Then look at courses, training or books to strengthen other areas such as public speaking or presenting and build confidence. “Connect with others who are also in the field through networking events, online forums or courses, because you will find support and opportunities for advancement through those networks. Leverage networks to help find a good mentor who can provide guidance and encouragement,” she says.

Raulings suggests achieving certifications and leveraging adjacent roles to build cybersecurity knowledge and relevant experience. “Start with relevant cybersecurity certifications and go from there. Seek out women who may be at a point in their career where you aspire to be and seek advice, insights or even mentoring,” Raulings says. “It’s also important to build your confidence and your support networks, especially when aiming for leadership roles.”

Ostendorf wants more women to know there are different ways into cybersecurity and opportunities for women are improving. “There are more security influencers who are females elevating their voices on different platforms. It’s still male dominated, but it is changing and people are aware of the disparities between genders, and they’re trying to elevate other voices,” she says.

Rose encourages women not to restrict themselves to only women’s networking or mentoring or other events. “Mentorship and education are great, but you’ve got to learn how to play with the majority. You can’t segregate yourself out or you’re not going to go up the career ladder,” she says.

Rose would like to see women’s voices and contributions heard more, whether it’s in online discussions, panels, meetings or networking events, even if it means taking a risk to be more visible, something men are more comfortable with. “We have this fear of being seen as stupid or not knowledgeable. Men say things with such conviction and women need to get that confidence,” Rose says.

The University of Queensland report also suggested solutions from individual action through to industry-wide and governmental involvement to encourage more girls and women to consider careers in cybersecurity. The report makes the following recommendations:

  • Individual: Women currently in the industry need to be encouraged and supported with opportunities for self-learning, upskilling, and developing networks, along with greater male advocacy and education around unconscious bias for males and hiring managers.
  • Organizational: Workplaces and industry need to develop partnerships, mentoring programs, marketing campaigns, leadership pipelines, and training and development programs. In addition, positive discrimination in hiring practices and diversity, inclusion and equity programs are needed. There also need to be policies to support women in the workplace, women returning to the workforce, and working mothers.
  • Government: Changes to primary and secondary schooling curricula are needed to include data and security topics, critical thinking development, and confidence building for young girls. There also need to be future workforce planning, policies, and cultural workplace and industry practices that encourage more diversity within cybersecurity.
