In recent years, the topic of the lack of women in the cybersecurity workforce has been somewhat of a cause célèbre, but the results of efforts to promote progress have been mixed at best.
Anyone who has walked around the annual RSA Conference or any other large security gathering surely has noticed that, while there are more women in the crowd every year, it is still mostly men. At these events, there are almost always panel discussions about getting more women in the field, but the audiences at these sessions tend to be almost all female, severely limiting the potential impact that would come with having more male decision-makers involved in the conversation.
Meanwhile, the five-year-old Women in Cybersecurity (WiCyS) Conference has emerged as the go-to event for women in the field, yet it still only attracts 1,000 attendees. It's not that this number is discouraging or that the event is anything less than an absolute necessity; WiCyS is destined to grow in power in the coming years. But it can still be viewed through an admittedly cynical lens as a larger version of those women in security panels. Without larger numbers of men from the field there to offer support and call for more female hires, the potential impact of the conference is minimized.
Elsewhere, authors writing about the field often cite numbers to back their cases, but there's a general lack of agreement about how many women there are in the field. And perhaps most frustrating, despite the well-documented need for more security professionals, young women aren't being encouraged to take advantage of that opportunity.
“When I walk into a high school Cisco Networking class, I’ll see 30 boys and one girl," Allen Paller, director of research for the SANS Institute, told the Hechinger Report earlier this year. "Girls are being told loudly: ‘You are not invited.’”
A big part of the problem is how the conversation gets framed. Too often it's presented as a gender issue (which it is), or worse, it turns into a morality debate (which it can be considered, as well). Both of these contexts sell women short by categorizing them as something other than qualified workers.
In a recent Forbes report exploring why cybersecurity needs more women, Priscilla Moriuchi, director of strategic threat development at threat intelligence vendor Recorded Future, suggested that hiring qualified women cybersecurity workers is simply good business.
"We need people with disparate backgrounds because the people we are pursuing also have a wide variety of backgrounds and experiences," said Moriuchi. "The wider variety of people and experience we have defending our networks, the better our chances of success."
Lest this all suggest there hasn't been progress, let's look at how the picture has brightened for female cybersecurity professionals. To begin with, after years of reports (such as this one from 2015) that women made up just 10 or 11 percent of the cybersecurity workforce, new research from Cybersecurity Ventures https://cybersecurityventures.com/women-in-cybersecurity/ suggests that the figure is now 20 percent. That's still an absurdly small number, but it clearly represents real improvement.
There also is plenty of emerging evidence of the impact women are having on the field. Take this recent piece in Dark Reading that highlighted five women who are playing huge roles in determining Microsoft's security strategy. Women such as Ann Johnson, corporate VP of Microsoft's cybersecurity solutions group, or Diana Kelley, a former global executive security advisor at IBM who now serves as Microsoft's cybersecurity CTO, are trailblazers carving out a template for other women in the field to follow. There were no women in roles like these 20 years ago.
And it's obviously not just Microsoft where women are making a difference in cybersecurity. EIN Newsdesk recently published a list of 30 "Badass Cybersecurity Women" whose careers we all should be following. It's an impressive list of CISOs, security vendor execs and analysts that could easily be much longer.
But again, even trumpeting the accomplishments of the top women in the field underscores the uphill struggle women in cybersecurity face. Until we stop seeing lists of women in the field and instead start seeing lists of cybersecurity influencers that include relatively even numbers of men and women, minus the need to distinguish between them, we'll know there's still a problem.