Boys’ club mentality still a barrier to women’s success in cybersecurity careers

Exclusionary practices in the cybersecurity workplace are keeping women from being recruited, hired, retained, and advanced at the same rate as men.

Inferior recognition and disparities in career advancement opportunities are creating a “boys’ club” culture that is making it harder for CISOs to hire and retain women on their cybersecurity staff.

Corporate culture, business leaders and hiring managers are all contributing to the problem, according to a new study commissioned by industry campaign group Women in CyberSecurity (WiCyS).

Compared to other industries, “The disparity in career advancement opportunities for women in cybersecurity is much more significant,” Lynn Dohm, executive director at WiCyS, told CSOonline via email. “There seems to be a strong sense of a dominant masculinity and a reluctance to accept women as equals, which is reflected in a large number of examples of situations of women being treated with disrespect. The problem of being assumed to be incompetent or less qualified than their male peers seems particularly common.”

State of play

WiCyS, a non-profit that campaigns for the recruitment, retention, and advancement of women in cybersecurity, surveyed 1,000 employees (35% men and 65% women) in more than 20 organisations for its 2023 State of Inclusion Benchmark in Cybersecurity.

Getting more women into cybersecurity is widely seen as a key component in addressing the growing cybersecurity skills gap, but outdated attitudes and exclusionary behavior are undermining these efforts.

The data showed a glass ceiling effect, with almost half (48%) of women experiencing issues related to career growth, such as getting passed over for promotion, significantly more than the 26% of men who reported similar problems.

Women typically hit a glass ceiling blocking them from further promotion 6-10 years into their careers.

Respect

The study identified a lack of respect as the primary source of exclusion.

“After introducing myself, I have had individuals ask to speak to a ‘guy who works in IT’ instead of me,” said one study participant, illustrating the forms such disrespect can take.

Other issues highlighted by the study include women being disproportionately assigned menial tasks, inadequate compensation, failure to recognise women’s contributions to the success of projects, ignoring women’s suggestions in meetings, excluding women from informal meetings (for example during lunch times), and tokenism.

Respect came out as the biggest single category of exclusion followed by “career & growth”, access and recognition. Other aspects of work including compensation, work-life balance and communication were far less problematic.

Both men and women can be excluded at work, but women experience discrimination across various categories more than twice as frequently as men.

“Women encounter exclusion at twice the rate of men, signalling a pressing need for industry-wide cultural and procedural changes to enhance inclusivity,” WiCyS concluded.

Women are five times more likely to report exclusion from direct managers and peers.

The study also looked at exclusion through other lenses and found that those with a disability faced levels of workplace exclusion comparable to those related to gender. And the more workers differed from the majority (based on identity traits such as race, gender, sexuality, disability), the greater the level of exclusion, according to the WiCyS report.

Root cause analysis

The study aimed to present the root cause for the underrepresentation of women in the cybersecurity marketplace alongside action plans to improve inclusion by dismantling systematic barriers that have existed for years.

Inclusive practices increase employee satisfaction, productivity, engagement, and loyalty – all factors that can improve worker productivity and therefore boost an organisation’s revenues and staff retention.

There’s a cost to all this, and not just to the women whose careers are stalled, said Paolo Gaudiano, chief scientist of Aleria, the firm that carried out the study. “Our analysis suggests that a company with $1 billion in revenue could be losing approximately $23 million annually due to differential treatment of women and people of color.”

The study looked not only at the causes of exclusion, but also their source. Respondents said they had faced exclusion by corporate leadership (58%), direct managers (50%), peers (39%) and corporate policy (10%).

WiCyS hopes its study will act as a wake-up call and encourage more organisations to adopt more inclusive employment practices, beginning with the steps it details in its report.

Skills gap

The WiCyS report comes against the backdrop of an increasingly severe cybersecurity skills gap. The latest cybersecurity workforce survey from industry training and certification body ISC2 found that 92% of cybersecurity professionals report skills gaps at their organisation.

Cloud computing security (35%), artificial intelligence/machine learning (32%), and zero trust implementation (29%) were identified as the technology areas with the most acute unfulfilled demands.

Women make up only 26% of cybersecurity professionals under the age of 30, according to ISC2, suggesting that the industry is overlooking — or turning away — a rich source of experience.
