Careers & People

11:00 AM
Barbara Johnson
Barbara Johnson
Connect Directly
E-Mail vvv

The InfoSec Gender Divide: Practical Advice For Empowering Women

There is no one-size-fits-all approach for women to succeed in IT security. What you need is a roadmap and a little help from your friends.

While stigmas and stereotypes suggest the industry is not welcoming toward women, speaking from my own experience, I believe more women can become empowered women by researching IT security opportunities, developing security credentials, and seizing security opportunities when they arise.

But before I share my game plan, let me share a little about myself.

I earned my B.S. in Engineering and Masters in Business Administration, becoming a senior security engineer and security manager. Along the way, I increased my competencies and certifications in information security and business continuity to establish myself as a senior security and compliance management consultant and as a senior instructor for security training and certification courses.

As a young professional, I received important advice from my manager (a retired Air Force Colonel) to advance my career to the next level by expanding my skillset and achieving independent recognition of my skills. As such, I built the business case for training courses with certification exams, earning my Certified Business Continuity Professional (CBCP) and my Certified Information Systems Security Professional (CISSP). In response to the evolving security profession, I added: Information Systems Security Management Professional (ISSMP), Member of the Business Continuity Institute (MBCI) and Certified Information Systems Auditor (CISA).

Despite the workforce statistics, through working hard, continuing education and carving my own career path, I did not encounter gender discrimination or lack of encouragement. Here’s what made the difference:   

Research IT Security Opportunities

As demand rises for IT security professionals of all stripes, so do opportunities for women. This is in response to regulatory and contractual compliance initiatives such as SOX, HIPAA, and PCI, scrutiny on the protection of personal information, and attention to cybersecurity threats and prevention. These trends are not showing signs of tapering.

Women should research and reach out to everyone they know – and don’t know --  who work in IT Security fields or knows someone who is a security practitioner. Pick their brains to identify field(s) that piques your interest. Areas include:

  • Governance, risk management, and compliance (GRC) program
  • Security architecture and security engineering
  • Information security auditing
  • Identity and access management
  • System and network security
  • Secure software development and security testing
  • Security operations, incident response, investigations and forensics
  • Security product development along with technical sales and application engineering

Develop Security Credentials

Educational opportunities are widespread. Starting in grade school, science, technology, engineering, and mathematics (STEM) courses can prepare and steer young women toward careers in engineering, finance, IT, and IT Security. Women can explore the newer IT security and information assurance concentrations and programs inside university computer science or the business departments. Pairing internships with coursework creates an even more powerful combination. Through internships, you apply coursework and develop practical qualifications. As students, women should attend their region’s ISC2 Chapter, ISSA Chapter or ISACA Chapter meetings to meet security professionals, receive mentorship, and connect for internship opportunities.

Another trend in developing qualifications is taking professional security training while in college or shortly after graduation. This past summer, a mid-20’s woman in my CISSP class mentioned to me that her father encouraged her to earn a Security+ Certification while studying for her B.S. in biology. In this way, she differentiated herself from other college graduate job applicants. She is now protecting healthcare intellectual property and healthcare personal information.

Firsthand, my own mid-20s daughter’s “Big Four” firm motivated her to earn a CPA in her first year; then I coached her to earn a CISA.  An interesting outcome is that she now leads an integrated assurance team. Now, we are discussing a CISSP certification to enhance her qualifications.

This advice also applies to women considering a career shift. Look for mentors at your current company or through one of the professional security organizations listed above. A mentor can guide your transition and suggest development points to enhance what you already offer. I often receive requests to meet for coffee from business analysts, infrastructure analysts or operators and financial analysts and auditors who want to learn how to transition into IT security and about applicable security certifications. I find this time productive and helpful in getting new ideas and expanding one’s network.

Seize Opportunities

In recent discussions with my CISSP and ISSMP students on the disparity between  men and women in IT security, security managers of both genders point out that more men than women apply for their open positions, which in and of itself was not surprising. What WAS surprising to me is that men would apply for positions even though they didn’t have the required skills listed in the job description. On the other hand, women would apply for a job only if they were qualified, and in many cases, over-qualified.

While this is certainly not a scientific study, it paints a curious portrait pertaining to confidence levels. My advice for women would be to apply even if you need to learn, develop and train. Be confident! You cannot receive an offer you didn’t apply for. Periodically review IT Security job postings along your career path (or shifted career path) and note skill and certification requirements.

You’ll also need to develop your plan of learning and development to seize those opportunities. As security is a dynamic and expanding field, to remain relevant, you must stay up to date on the latest threats, risk management techniques and industry innovations. This implies continued reading and attending webcasts and training courses that build upon current knowledge. Furthermore, earning certifications is vital because it is independent verification of competency. Not only does this secure a position, it enhances and builds confidence for future career advancement and opportunities.

Barbara Johnson is an authorized senior and lead certification instructor and courseware developer for The Training Camp, International Information Systems Security Certification Consortium (ISC)² and The Business Continuity Institute and is chairman of (ISC)² ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-04-23
Zoho ManageEngine Applications Manager 12 through 14 allows FaultTemplateOptions.jsp resourceid SQL injection. Subsequently, an unauthenticated user can gain the authority of SYSTEM on the server by uploading a malicious file via the "Execute Program Action(s)" feature.
PUBLISHED: 2019-04-23
cipso_v4_validate in include/net/cipso_ipv4.h in the Linux kernel before 3.11.7, when CONFIG_NETLABEL is disabled, allows attackers to cause a denial of service (infinite loop and crash), as demonstrated by icmpsic, a different vulnerability than CVE-2013-0310.
PUBLISHED: 2019-04-23
A memory leak in archive_read_format_zip_cleanup in archive_read_support_format_zip.c in libarchive through 3.3.3 allows remote attackers to cause a denial of service via a crafted ZIP file because of a HAVE_LZMA_H typo.
PUBLISHED: 2019-04-22
A vulnerability was discovered wherein a specially crafted URL could enable reflected XSS via JavaScript in the pony mail interface.
PUBLISHED: 2019-04-22
An issue was discovered in the Medha WiFi FTP Server application 1.8.3 for Android. An attacker can read the username/password of a valid user via /data/data/com.medhaapps.wififtpserver/shared_prefs/com.medhaapps.wififtpserver_preferences.xml