
Careers & People

2/22/2018
08:00 PM

Best Practices for Recruiting & Retaining Women in Security

Gender diversity can help fill the security talent gap, new Forrester Research report says.

The ongoing challenge to fill mass cybersecurity job vacancies amid the backdrop of a lack of diversity continues to haunt one of the world's hottest industries.

But there are some best practices organizations can adopt to help hack the talent gap by recruiting and then retaining more women in the cybersecurity field, according to a new report from Forrester Research. A lack of staff (25%) and lack of staff with the right skills (22%) are the biggest challenges today for IT security decision-makers, according to the report, which draws from interviews with more than 30 women in the security field as well as men in security leadership roles, and other survey data and research.

The best practices for recruiting and retaining women in security include where to recruit outside – and within – an organization, how to build a relationship with the HR department, and creating a more inclusive and less biased corporate culture that attracts and fosters more diversity.

Forrester analyst Stephanie Balaouras, who co-authored the report with fellow analyst Claire O'Malley, says there are a couple of best practices for recruiting and retention that are fairly simple to adopt right away. "I definitely think recruiting beyond traditional security conferences and [job] fairs … is an easy step" to broaden recruitment, she says. "And looking at internal [employees who are] career-changers is a really easy one to take on, too."

That means attending or sponsoring conferences such as Women in Security and Privacy or Grace Hopper, for example, and recruiting from colleges and universities that enroll more or mostly women. Forrester also recommends looking for existing employees with risk, technology, or business skills who may be interested in a career change, such as an IT staffer or a business staffer with strong communications skills and creativity.

On the retention side, Balaouras recommends security mentoring programs for women on staff and advocating for cybersecurity events to become more inclusive and welcoming to women. "I myself personally benefited from mentoring, and a lot of people we interviewed for the report had mentors, [including] vendors outside of their job as part of their network, too," she says. "And being a part of cultural change at cybersecurity events" is another initial first step to help in the retention equation, she says.

Number Crunching

Forrester's report cites the widely reported 11% statistic that quantifies women's representation in the security industry worldwide, and the projected 1.8 million empty security positions worldwide by 2020, according to the Frost & Sullivan report from last year.

But initial data from an as-yet unpublished study by Cybersecurity Ventures shows the 11% number may be a bit on the low side. Steve Morgan, CEO and founder of Cybersecurity Ventures, says his firm's research finds the number of women in cybersecurity jobs worldwide is actually over 20%. That number takes into account security vendors, security service providers, small- to midsized enterprises, and security startups in Israel that include women in their ranks.

"We looked at dozens of different sources and tried to synthesize [the data] and did our own outreach," Morgan explains. Morgan says that while his firm's data appears to indicate a healthier representation of women in the industry, it's still not great news.

"Women are definitely underrepresented," he says.

Forrester's Balaouras says she believes women now represent somewhere between 15% and 20% of the industry when security vendors, among other factors, are included in the headcount. "It depends on how you define security. If you include security and risk, and include privacy, compliance and audit functions, I could easily see that it gets to 15% to 20% women."

If the data is focused specifically on core security architecture and operations, including detection, threat hunting, forensics and incident response, the figure stays at about 11%, she says.

Meanwhile, Forrester's report also notes that diverse teams and companies tend to be more successful, so there's an obvious business benefit as well. "Studies show that diverse groups focus more on the facts, process these facts more carefully, and are more innovative — all outstanding attributes for a security team," the report says.

"Companies in the top quartile for ethnic and racial diversity in management were 35% more likely to have financial returns above their industry mean, and those in the top quartile for gender diversity were 15% more likely to see returns above the industry mean," Forrester said, citing data from a Harvard Business Review report.

Best Practices

Here are Forrester's Best Practices for recruiting women in security:

Connect women with cybersecurity early on
Outreach with free cybersecurity classes and certificate training for underrepresented populations, for example. Another example is Palo Alto Networks' partnership with the Girl Scouts' cybersecurity badge.

Recruit from academic institutions with a higher enrollment of women
Check out colleges such as the University at Buffalo, Florida Institute of Technology, and the Massachusetts Institute of Technology (MIT), which partner with Women in Science and Engineering and the Graduate Consortium in Women's Studies. Consider recruiting from women's colleges like Bryn Mawr, Smith, and Wellesley.

Look to internal career-changers
Look for existing employees with risk, technology, or business chops who bring risk management skills as well as strengths in communications and creativity.

Look beyond STEM backgrounds
Few of the women Forrester interviewed began their careers via a traditional path.

Join forces with HR
Human Resources plays a major role in selecting job candidates, so work with HR to be sure you're on the same page on diversity of hiring and the type of qualifications needed.

Sponsor, recruit from diverse security events
Think Grace Hopper, etc.

Mentoring programs
Encourage security staff to mentor women both inside and outside the organization.

Here are Forrester's Best Practices for retaining and promoting women in security:

Track data on your diversity in hiring, promotions
How many women are in technical security jobs? How many have applied for open security positions? "Work with your HR department to dig into behaviors that may be holding candidates or employees back, and be honest about what needs to change," the report says.

Provide training to deal with internal unconscious bias issues
DCI Consulting, Paradigm, and PDT, are examples of firms that offer unconscious-bias training services to help organizations set policies and procedures to remedy those problems.

Offer family-friendly benefits for all employees
Flexible maternity and paternity leave, breastfeeding rooms, and working remotely.

Formal mentoring programs
Professional support, career path assistance.

Culture improvements as a performance metric
Make employees accountable for helping foster a diversity culture.

Foster cultural change at cybersecurity events
Help encourage better harassment reporting and more representation of women as speakers and panelists.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
