Operations

9/28/2015
06:00 AM

New Data Finds Women Still Only 10% Of Security Workforce

But more women hold governance, risk and compliance (GRC) roles than men, new (ISC)2 report finds.

The needle has not moved: new data released today by (ISC)2 and Booz Allen Hamilton shows that the percentage of women in cybersecurity worldwide has remained static over the past two years, holding at an anemic 10%.

That finding, from the new "Women in Security: Wisely Positioned for Future of InfoSec" report, reflects a long-perplexing issue for an industry that's scraping for talent to fill massive numbers of job vacancies every day. But the new findings don't technically mean that fewer women are joining the industry overall, according to the report, which was conducted by Frost & Sullivan on behalf of (ISC)2 and Booz Allen: in fact, the overall number of women joining the industry is on the rise. Their numbers just aren't keeping pace with the overall security workforce.

Women now dominate the governance, risk and compliance (GRC) sector of security, however: the report found that one in five women in security hold a GRC position, while just one in eight men do. According to the report, women were ahead of men in taking GRC jobs, and collaborating with multiple groups and balancing business and risk issues are skills women are likely to have, according to a focus group of women infosec leaders in the report.

Gurdeep Kaur, a member of (ISC)2, says the GRC sector holds a solid career path for women with a combination of technical and business skills. "If I have the right balance of technical skills and business acumen, I may be in position to provide an advisory role, and gain confidence and move up [in a role] of the security ladder," she says.

Even as a minority demographic in the industry, women now hold higher advanced degrees in the field than men do, the study found. Of women in senior positions, 58% hold a Master's Degree or a Doctorate, whereas 47% of males in leadership positions do.

But the overall low representation of women in the industry remains problematic. 

"We're not getting closer to general parity," says Julie Franz, (ISC)2 Foundation director. "If you [achieved] gender parity, it would wipe out the workforce gap."

Franz says one issue affecting the number of women is a language gap in how the industry describes the jobs and roles in security. It tends to lean toward the technical and abstract, rather than emphasize the real-world impact. "We talk too much about jobs being about things and technology … Women want to know they are securing the people who use the things."

Women's salaries still lag those of men in the industry. The (ISC)2 compared salaries of men and women in the GRC space specifically, and found that women make 4.7% less than men, with an average salary of $115,779. Their male counterparts make $121,513.

Three factors appear to contribute to the higher male GRC salaries, according to the report: men stay in the industry longer than women, on average 15.2 years versus 14.5 years for women; more women have security analyst job titles than men, a job that pays about $95,000; and men rate monetary compensation higher than women do statistically. Around 58% of women in GRC rate monetary compensation as a top incentive, while around 62% of men do. Women rate work schedule and location flexibility higher than men do.

Franz says the data shows that women are less likely to change jobs than men, and that also accounts for the lower salary since job changes typically come with higher pay.

[What not to ask a woman in the security field, where men make up 90% of the workforce: What's it like to be a woman in the security field? Read How To Empower Women In Security.]

Interestingly, the average starting age for both male and female infosec pros is 30 years old. There's a gap overall in attracting or hiring young talent.

The bottom line is that entry-level security jobs are few and far between. "The requirement for experience for most [jobs] is higher than one would normally require for any entry-level position," (ISC)2's Franz says. "The need is so acute in cyber that the requirement for someone to hit the ground running is much higher."

Angela Messer, executive vice president at Booz Allen, says companies need to be more proactive in their training and recruiting. "The kind of skillsets we're seeing today have definitely evolved. They are not the same ones we needed five years ago," Messer says. "You have to be more proactive in taking nontraditional skillsets and repurposing and training them into these fields."

Frost & Sullivan surveyed some 14,000 security pros from around the globe for the report.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
RyanSepe,
User Rank: Ninja
9/29/2015 | 12:23:20 PM
Re: Global Disparity
The question is... is it social fabric or interest? Are women being detracted from these positions because of the way they deem they will be seen (societal views) or do the majority not have an interest and would prefer to pursue other fields? My thoughts are the latter.


I would hope that no one is steered away from a field due to a reason such as gender, race, ethnicity, etc.

It is a case by case basis, not an appeal to the masses campaign as everyone has different interests. As I said before I think that trying to close the disparity is not the right idea. What happens if you were to reach the goal of closing the gap or even eclipse the gap... do you then reverse your track and deter those you helped to close the reverse disparity. It's a never-ending cycle.


Like I said before, if you are not prohibited from a field and are treated with respect it is not an issue.
Dr.T,
User Rank: Ninja
9/29/2015 | 10:54:51 AM
Re: Global Disparity
Agree. 50/50 is not achievable. There will always be some people who do not like certain types of roles. This should happen in a natural way, 50/50 sounds like we somehow arranged it which is not practice. :--))
Dr.T,
User Rank: Ninja
9/29/2015 | 10:52:49 AM
Re: Global Disparity
I agree, however when you start paying attention to what gender goes with what role better, that is where diversity goes away. Everybody should get opportunity in all roles in my view.
Dr.T,
User Rank: Ninja
9/29/2015 | 10:50:46 AM
Re: Global Disparity
I think this starts with education, we should provide more reasons to attract female students to technical branches. That is where we start failing.
Dr.T,
User Rank: Ninja
9/29/2015 | 10:48:47 AM
Re: Global Disparity
Agree, they may be high on governance but they are low in the rest of areas so they could not make any impact in IT.
Dr.T,
User Rank: Ninja
9/29/2015 | 10:46:49 AM
This number sounds high
Where are these women in security? I do not see any in the whole of IT? I am not sure of the source of these numbers and they may very well be correct but it seems 10% is high to me.
KeithG863,
User Rank: Apprentice
9/29/2015 | 9:39:36 AM
Not seeing this "Problem" in the real world.
This is mentioning that it is a problem that there are not more women in the Security field. But from what I have seen working in a few SOCs in the public and Private sectors for many years is that they hire the PERSON who can answer the technical interview questions the best. I do not see any bias towards any race nor sex, simply "can this person perform the job duties?"

Most women have no interest in this type of work. The only way it will increase is if somehow women take more of an interest in the field. Half of the women I know who have been in the field have left for other positions they are more comfortable with. Several I have seen have done well in the field but wanted a more social type of a job and moved into positions such as account managers. For the ones that moved into positions like that they had some great experience with some technical background and did very well with that background in their new positions. The other half of the women were really into learning more and more about Network Security and have done very well in the field and I have seen no restrictions ever put on women that are not on men as well.

I believe, from my experience, the only problem is that most women are just not interested in the field and nothing more than that. If a female wants to get into the field there is nothing stopping them that would not also stop a male (of course there are some jerks who are sexists, but there are always exceptions and those often end up in the news nowadays).
folkertschmidt,
User Rank: Apprentice
9/28/2015 | 2:34:09 PM
Re: Global Disparity
Ryan

I agree: no field of endeavor has ever been equally represented by gender, race or religion in accord with population percentages. It is absurd to try to change what will be changed and need not be changed.

Should the NBA recruit more white men?

Should women demand parity in the garbage collection workforce?

Should more non-Jews hold leadership positions in the film and finance industries?

Should there be fewer German generals in the military?

Should the security industry's GRC sector recruit more men?

And on and on.

Folkert Schmidt
RyanSepe,
User Rank: Ninja
9/28/2015 | 11:18:50 AM
Global Disparity
There is a global disparity in all industries. InfoSec, Nursing, Teaching, Finance, etc. It will never be 50/50. I still don't understand the need for 50/50 when it comes to representation of gender in the job market. I am not offended in any which way that women are more heavily represented in governance. This needs to be looked at more on a statistical basis rather than metrics that require change/action items. We need to look at this more holistically. Male or female, everyone is a person and as long as you are treated with respect and not prohibited from achieving your goals I do not see an issue.