Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Careers & People

08:00 PM
Connect Directly

Best Practices for Recruiting & Retaining Women in Security

Gender diversity can help fill the security talent gap, new Forrester Research report says.

The ongoing challenge to fill mass cybersecurity job vacancies amid the backdrop of a lack of diversity continues to haunt one of the world's hottest industries.

But there are some best practices organizations can adopt to help hack the talent gap by recruiting and then retaining more women in the cybersecurity field, according to a new report from Forrester Research. A lack of staff (25%) and lack of staff with the right skills (22%) are the biggest challenges today for IT security decision-makers, according to the report, which draws from interviews with more than 30 women in the security field as well as men in security leadership roles, and other survey data and research.

The best practices for recruiting and retaining women in security include where to recruit outside – and within – an organization, how to build a relationship with the HR department, and creating a more inclusive and less biased corporate culture that attracts and fosters more diversity.

Forrester analyst Stephanie Balaouras, who co-authored the report with fellow analyst Claire O'Malley, says there are a couple of best practices for recruiting and retention that are fairly simple to adopt right away. "I definitely think recruiting beyond traditional security conferences and [job] fairs … is an easy step" to broaden recruitment, she says. "And looking at internal [employees who are] career-changers is a really easy one to take on, too."

That means attending or sponsoring conferences like Women in Security and Privacy, or Grace Hopper, for example, and recruiting from colleges and universities that enroll more or mostly women. Look for existing employees with risk and technology, or business skills, who may be interested in a career change like an IT staffer or business staff with strong communications skills and creativity, Forrester recommends.

On the retention side, Balaouras recommends security mentoring programs for women on staff and advocating for cybersecurity events to become more inclusive and welcoming to women. "I myself personally benefited from mentoring, and a lot of people we interviewed for the report had mentors, [including] vendors outside of their job as part of their network, too," she says. "And being a part of cultural change at cybersecurity events" is another initial first step to help in the retention equation, she says.

Number Crunching

Forrester's report cites the widely reported 11% statistic that quantifies women's representation in the security industry worldwide, and the projected 1.8 million empty security positions worldwide by 2020, according to the Frost & Sullivan report from last year.

But initial data from an as-yet unpublished study by Cybersecurity Ventures shows the 11% number may be a bit on the low side. Steve Morgan, CEO and founder of Cybersecurity Ventures, says his firm's research finds the number of women in cybersecurity jobs worldwide is actually over 20%. That number takes into account security vendors, security service providers, small-to midsized enterprises, and security startups in Israel that include women in their ranks.

"We looked at dozens of different sources and tried to synthesize [the data] and did our own outreach," Morgan explains. Morgan says that while his firm's data appears to indicate a healthier representation of women in the industry, it's still not great news.

"Women are definitely underrepresented," he says.

Forrester's Balaouras says she believes women now represent somewhere between 15- and 20% of the industry when security vendors are included in the headcount, and other factors. "It depends on how you define security. If you include security and risk, and include privacy, compliance and audit functions, I could easily see that it gets to 15- to 20% women."

If the data is focused specifically on core security architecture and operations, including detection, threat hunting, forensics and incident response, the figure stays at about 11%, she says.

Meanwhile, Forrester's report also notes that diverse teams and companies tend to be more successful, so there's an obvious business benefit as well. "Studies show that diverse groups focus more on the facts, process these facts more carefully, and are more innovative — all outstanding attributes for a security team," the report says.

"Companies in the top quartile for ethnic and racial diversity in management were 35% more likely to have financial returns above their industry mean, and those in the top quartile for gender diversity were 15% more likely to see returns above the industry mean," Forrester said, citing data from a Harvard Business Review report.

Best Practices

Here are Forrester's Best Practices for recruiting women in security:

Connect women with cybersecurity early on
Outreach with free cybersecurity classes and certificate training for underrepresented populations, for example. Another example is Palo Alto Networks' partnership with the Girl Scouts' cybersecurity badge.

Recruit from academic institutions with a higher enrollment of women
Check out colleges such as the The University at Buffalo, Florida Institute of Technology, and the Massachusetts Institute of Technology (MIT), which partner with Women in Science and Engineering and the Graduate Consortium in Women’s Studies. Consider recruiting from women's colleges like Bryn Mawr, Smith, and Wellesley.

Look to internal career-changers
Existing employees with risk and technology or business chops who bring risk management skills as well as communications and creativity strengths.

Look beyond STEM backgrounds
Few of the women Forrester interviewed began their careers via a traditional path.

Join forces with HR
Human Resources plays a major role in selecting job candidates, so work with HR to be sure you're on the same page on diversity of hiring and the type of qualifications needed.

Sponsor, recruit from diverse security events
Think Grace Hopper, etc.

Mentoring programs
Encourage security staff to mentor women both inside and outside the organization.

Here are Forrester's Best Practices for retaining and promoting women in security:

Track data on your diversity in hiring, promotions
How many women are in technical security jobs? How many have applied for open security positions? "Work with your HR department to dig into behaviors that may be holding candidates or employees back, and be honest about what needs to change," the report says.

Provide training to deal with internal unconscious bias issues
DCI Consulting, Paradigm, and PDT, are examples of firms that offer unconscious-bias training services to help organizations set policies and procedures to remedy those problems.

Offer family-friendly benefits for all employees
Flexible maternity and paternity leave, breastfeeding rooms, and working remotely.

Formal mentoring programs
Professional support, career path assistance.

Culture improvements as a performance metric
Make employees accountable for helping foster a diversity culture.

Foster cultural change at cybersecurity events
Help encourage better harassment reporting, more representation of women speakers and panelists. 


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-24
The client API authentication mechanism in Pexip Infinity before 10 allows remote attackers to gain privileges via a crafted request.
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-24
An incomplete SSL server certification validation vulnerability in the Trend Micro Security 2019 (v15) consumer family of products could allow an attacker to combine this vulnerability with another attack to trick an affected client into downloading a malicious update instead of the expected one. CW...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. x86 PV guest kernels can experience denial of service via SYSENTER. The SYSENTER instruction leaves various state sanitization activities to software. One of Xen's sanitization paths injects a #GP fault, and incorrectly delivers it twice to the guest. T...
PUBLISHED: 2020-09-23
An issue was discovered in Xen through 4.14.x. There is mishandling of the constraint that once-valid event channels may not turn invalid. Logic in the handling of event channel operations in Xen assumes that an event channel, once valid, will not become invalid over the life time of a guest. Howeve...