Johanna Vazzana knew the job she’d applied for was a stretch. Vazzana, now a cybersecurity strategist working at Mitre, was interviewing early in her career for a technical cybersecurity position with a Fortune 500 company. Though she lacked a computer science degree, she’d taught herself relevant skills and racked up certifications that she hoped would fill in the educational and experiential gaps.
But during the interview, the hiring manager didn’t harp on her inadequate skillset.
Instead, he told her: “I’m surprised to be interviewing a mom.”
The experience served as an introduction to a discriminatory dynamic she’s continued to observe in the industry. “It was the first time I remember being aware that there was some correlation between my being a mother (or a woman, or a parent, or something personal) and my being considered for a job,” Vazzana wrote in New America’s publication Humans of Cybersecurity.
Although Vazzana’s interview was nearly a decade ago (and, spoiler alert, she didn’t get that job), there’s plenty of evidence that overt and covert gender discrimination endures, and that it’s part of what’s suppressing the numbers of women in cybersecurity. The “2017 Global Information Security Workforce Study: Women in Cybersecurity,” published Wednesday, reports that the cybersecurity industry is composed of only 11 percent women globally and 14 percent in North America. (The survey was conducted by Frost & Sullivan and ISC2, and the report was sponsored by PricewaterhouseCoopers and Alta Associates.) That number hasn’t budged since the same survey was conducted in 2013. Far from just a “women’s issue,” this is a problem for any business that’s thinking about how to respond to cybersecurity threats, for governments bolstering their own defenses to attacks, and for anyone who cares about their safety both on and offline.
There are two simultaneous trends that make this particularly dangerous. The first is that workforce demand is outpacing supply—the report projects that the gap between cyber professionals and unfilled positions will expand to 1.8 million globally by 2022. The second trend is that cybersecurity threats and attacks are becoming more complex and prevalent across all kinds of businesses. The industry needs more smart people to fill positions—preferably people who have fresh ideas for how to address ever-evolving problems.
“Diversity of thought isn’t something the cybersecurity industry can be successful without,” says Joyce Brocaglia, one of the study’s authors, the CEO of the cyber executive search firm Alta Associates, and the founder of the Executive Women’s Forum, an organization that promotes, connects, and helps develop the skills of female leaders in cybersecurity. “Why would you eliminate the brilliance of 50 percent of the population?”
Indeed, research shows that diverse teams produce more innovative ideas and smarter solutions, and are better for a company’s bottom line. But in cybersecurity, diversity could be an even more essential condition. As New America president Anne-Marie Slaughter and I wrote last year, the gender gap in cybersecurity is a national security risk because it means the people who are designing cybersecurity products and solutions aren’t representative of the population using them. Gender, race, socio-economic status, and other identities can influence the way people respond to cybersecurity interventions.
For instance, some research suggests that women may react to potential cyberthreats differently from men: They are more likely to set up stricter privacy settings on social media accounts, more likely to change online behavior after a breach, less likely to disclose personal information than men, and tend to feel less confident that their information is protected online than men do. And given that it only takes one person falling prey to a scam or attack to compromise an entire business or government, it’s a problem when those who are designing cybersecurity products or interventions aren’t representative, especially because, as FireEye senior cyber analyst Sarah Geary pointed out recently, individuals are becoming a more attractive target for foreign governments.
Solving this particular problem requires first that we know what’s preventing women from entering the industry in the first place and what’s making them feel less welcome there. For the first time, the new study asked nearly 20,000 information security professionals around the world about discrimination and inclusion, and the answers back up what my colleague Megan Garcia and I found in our own research.
The study found that 51 percent of women (and 15 percent of men) had experienced one or more forms of discrimination (like unexplained denial or delay in career advancement, exaggerated highlighting of mistakes or errors, and tokenism). As women rise through the cybersecurity industry ranks, so too does their perceived level of discrimination. It also found that 28 percent of women don’t feel that their opinions are valued. (For comparison, 13 percent of men felt the same.) Perhaps unsurprisingly, it uncovered a gender pay gap at every level, ranging from women receiving 3 percent less pay than men at the director level to 6 percent less at the nonmanagerial level. That might not seem like much (after all, the national gap is roughly 20 percent, and more if you’re a racial minority). But given that the average chief information security officer’s salary in the U.S. is more than $200,000, according to some estimates, it could add up to a significant loss in earnings over time. And more broadly, research shows that the gender pay gap can have negative effects on women’s mental health and could help explain why depression and anxiety are more prevalent conditions in women than in men.
For the most part, we know how to address most of these problems, and the authors include an extensive set of best practices for employers that want to recruit and retain more women. Examples include making sure women have access to mentorship and leadership development opportunities; encouraging companies to be transparent about their efforts to close the gender gap; and linking gender parity outcomes to financial incentives like compensation. Why not give employees a bonus if they’re able to increase the number of women that they hire to a team? Why shouldn’t employees be evaluated on the way that they treat people from underrepresented populations in the organization?
But many of the important changes necessary to close the gap can’t be reduced to measurable indicators and metrics—especially those more closely related to culture and mindset change. One of the biggest challenges has to do with the way that we define who can and should work in cybersecurity, and what people in the field actually do. Vazzana points out that many of us have a narrow definition of who can work in cyber, based in part on media portrayals of hackers and computer scientists. The prototypical image: a pallid guy in a hoodie, chugging Mountain Dew in a basement while he pounds away at a keyboard and lights up the screen with code.
Companies can expand this image by changing the way they portray cybersecurity analysts on their websites (who do they feature in recruitment pamphlet photos?) and how they describe the expertise necessary for positions in job descriptions (are they using tools that help to root out inadvertently biased or discriminatory phrases?). Since cybersecurity problems are so complex—often requiring expertise in law, privacy, compliance, governance, psychology, and regulation, to name a few subjects—this isn’t just a diversity imperative. There’s a real need for a much wider variety of backgrounds than most people considering a career in tech might think.
But even if we assume that employers will continue to demand both technical and nontechnical skills and credentials, there’s reason for hope: Though only 42 percent of all women in the field have a computer science undergraduate degree, 52 percent of millennial women younger than 29 have one, which the study authors suggest could help women more easily slide into traditionally male-dominated roles in the future. It could also mean that companies will face increasing pressure to close the pay gap, as women will demand equal pay for the same educational credentials (and degrees can no longer be used as a rationale to discriminate). “Women coming into the field are going to have a completely different set of expectations than women who came in 15 years ago, and were just happy to be part of the team,” Brocaglia says. “These women are going to expect to be peers, as they should be.”