It seems that every security event I attend, I hear the stats - females occupy only 11% of the cyber security jobs in the US. There's a whole lot of talk about bridging this gap, and there are also some pretty smart folks who are trying to make a difference. Let's keep talking about this, and let's fortify the talk by taking some action to "move that needle"! How do we get more school girls interested in cyber security? How do we help more mid-career IT gals transition to cyber security career? I'd love to hear your thoughts!
Lisa Vaughan, CISSP, PMP
I think one of the big stigmas is that the IT/cybersecurity field is and always has been thought of as a field for geeks and nerds. I have 3 daughters and they constantly call me a nerd/geek even though they use almost as much technology as I do! I think most girls shy away from it because of this stigma. They are already bombarded with ads implying they have to be sexy to be anything in this world and IT is not considered "sexy". If you can find a way to break this stigma then you have a good start.
I think starting early and active mentoring in the workplace are a good start for any anti-discriminatory activities but they are only the tip of a very large iceberg.
There is a lot more that organisations can do to demonstrate their active commitment to equality and diversity, to raise awareness and to dispel the confusion about what D&E actually mean. Also, in some cases,to demonstrate compliance against their country's D&E legislation.
For instance,Senior Managers and HR departments can:
- Ensure there is a clear D&E 'owner' at executive level (and that staff know who that person is)
- Clearly understand and document the business risks that can arise from *not* being "equal and diverse"
- Introduce Diversity Champion roles
- Elicit staff feedback about Diversity & Equality in their annual staff surveys
- Routinely collect metrics on the demographic of their workforce and routinely monitor and refine those statistics (within the legislative and regulatory frameworks that apply of course, such as GDPR!).
- Introduce explicit D&E training and awareness materials that 'go beyond the headlines' (eg by 'exploding myths' ;emphasising that D&E are "all about inclusiveness", for men and women of all backgrounds; highlighting the benefits of a diverse workforce; providing organisation-specific generic examples that demonstrate types of acceptable/unacceptable behaviour,etc)
- Introduce D&E "workforce representation" working groups, aligned to output from the organisations' HR and governance forums. (A D&E sub-group would have a particular interest in annually reviewing the organisation's recruitment, appraisal, acceptable behaviour and complaints procedures)
- Routinely include 'Demonstrate an active commitment to D&E' in all JDs, with additional responsibilities at the higher grades.
- Ensure their complaints, grievance and "whistleblower" policies are fit for purpose. (A 'hot topic', following the Harvey Weinstein allegations.)
All staff groups can:
- Introduce Diversity & Equality as a standing item on relevant meeting Agendas (eg team meetings)
There are also some less obvious actions individuals and organisations can take. For instance:
- Everyone could encourage organisations (like ISC2!!) to sign up to the Diversity Charter:
"All too often we see conference and event lineups full of the same or similar people, we don’t want that anymore. We want diversity."
As you can probably tell, I was a Diversity Champion in a former (work)life and am passionate about this subject!
I agree that image and perceptions are very important. There is also still the stigma of choosing traditionally 'non-feminine' subjects such as science, maths and engineering at school.
Thankfully, 'Geeky' also has some positive connotations - there are some very rich and successful 'geeks' and it is good to see many confident 'geeky girls' at science fiction and fantasy conferences!
Thanks for sharing, more must be done in nurture. Sorry they were not championing you as well as they might.
Mulling it over there are parallels in what you are saying about empowering mothers in terms of a study that looked at getting the best ROI for aid in developing nations:
There is an quote here that could be pivoted to the Cybersecurity profession very easily:
'...eliminating remaining gender disadvantages in education; increasing women’s access to economic opportunity and thus earnings and productivity...'
It would be interesting to see what would happen if there was a systematic focus on this - It also makes a lot of sense to focus resources on underrepresented groups.
I would think that the ISC2 chapters and other organizations might be good places to start this. In addition perhaps an ISC2 Women's Chapter running parallel to others would make sense, and could fulfill some of the needs here. Not the same thing but I came into this profession from an unorthodox background, so having like minded individuals to sound off was very helpful.
In addition to all the great points I think CISOScott nails it in terms of the bigger picture - pointing out that most people get into Cyber Security from other feeder lines and that getting greater participation in IT, Coding etc is probably the way to have a larger pool of female representation in the group of people that will ultimately want to protect systems, information and people from those that would do them harm.
Newcomer III - I like your ideas! There is a new (ISC)2 chapter that has just been approved in my state (Mississippi), so I'm excited to be a part of getting it off the ground and having another platform to address the gender gap.
There are many targets when we're talking about "moving the needle" on this issue: single moms, mid-career women who are looking for a change, elementary through higher-ed young ladies. The often-overlooked under-served communities also need a chance to be exposed to the cyber security career options.
I am very intrigued by the idea of a Women's chapter or focus group. I'll reach out to my friends at (ISC)2 and see what they think of this. Since we didn't have a Women in Security track at this year's Security Congress, I want to provide all the support I can to see how we can get this started for next year's Congress in New Orleans. Anyone else interested in helping with this?