The ongoing challenge to fill mass cybersecurity job vacancies amid the backdrop of a lack of diversity continues to haunt one of the world's hottest industries.
But there are some best practices organizations can adopt to help hack the talent gap by recruiting and then retaining more women in the cybersecurity field, according to a new report from Forrester Research. A lack of staff (25%) and lack of staff with the right skills (22%) are the biggest challenges today for IT security decision-makers, according to the report, which draws from interviews with more than 30 women in the security field as well as men in security leadership roles, and other survey data and research.
The best practices for recruiting and retaining women in security include where to recruit outside – and within – an organization, how to build a relationship with the HR department, and creating a more inclusive and less biased corporate culture that attracts and fosters more diversity.
Forrester analyst Stephanie Balaouras, who co-authored the report with fellow analyst Claire O'Malley, says there are a couple of best practices for recruiting and retention that are fairly simple to adopt right away. "I definitely think recruiting beyond traditional security conferences and [job] fairs … is an easy step" to broaden recruitment, she says. "And looking at internal [employees who are] career-changers is a really easy one to take on, too."
That means attending or sponsoring conferences like Women in Security and Privacy or Grace Hopper, for example, and recruiting from colleges and universities that enroll more or mostly women. Forrester also recommends looking for existing employees with risk, technology, or business skills who may be interested in a career change, such as an IT staffer or a business staffer with strong communications skills and creativity.
On the retention side, Balaouras recommends security mentoring programs for women on staff and advocating for cybersecurity events to become more inclusive and welcoming to women. "I myself personally benefited from mentoring, and a lot of people we interviewed for the report had mentors, [including] vendors outside of their job as part of their network, too," she says. "And being a part of cultural change at cybersecurity events" is another first step to help in the retention equation, she says.
Forrester's report cites the widely reported 11% statistic that quantifies women's representation in the security industry worldwide, and the projected 1.8 million empty security positions worldwide by 2020, according to the Frost & Sullivan report from last year.
But initial data from an as-yet unpublished study by Cybersecurity Ventures shows the 11% number may be a bit on the low side. Steve Morgan, CEO and founder of Cybersecurity Ventures, says his firm's research finds the number of women in cybersecurity jobs worldwide is actually over 20%. That number takes into account security vendors, security service providers, small- to midsized enterprises, and security startups in Israel that include women in their ranks.
"We looked at dozens of different sources and tried to synthesize [the data] and did our own outreach," Morgan explains. Morgan says that while his firm's data appears to indicate a healthier representation of women in the industry, it's still not great news.
"Women are definitely underrepresented," he says.
Forrester's Balaouras says she believes women now represent somewhere between 15% and 20% of the industry when security vendors and other factors are included in the headcount. "It depends on how you define security. If you include security and risk, and include privacy, compliance and audit functions, I could easily see that it gets to 15% to 20% women."
If the data is focused specifically on core security architecture and operations, including detection, threat hunting, forensics and incident response, the figure stays at about 11%, she says.
Meanwhile, Forrester's report also notes that diverse teams and companies tend to be more successful, so there's an obvious business benefit as well. "Studies show that diverse groups focus more on the facts, process these facts more carefully, and are more innovative — all outstanding attributes for a security team," the report says.
"Companies in the top quartile for ethnic and racial diversity in management were 35% more likely to have financial returns above their industry mean, and those in the top quartile for gender diversity were 15% more likely to see returns above the industry mean," Forrester said, citing data from a Harvard Business Review report.
Here are Forrester's Best Practices for recruiting women in security:
Connect women with cybersecurity early on
Offer outreach such as free cybersecurity classes and certificate training for underrepresented populations, for example. Another example is Palo Alto Networks' partnership with the Girl Scouts' cybersecurity badge.
Recruit from academic institutions with a higher enrollment of women
Check out colleges such as the University at Buffalo, Florida Institute of Technology, and the Massachusetts Institute of Technology (MIT), which partner with Women in Science and Engineering and the Graduate Consortium in Women's Studies. Consider recruiting from women's colleges like Bryn Mawr, Smith, and Wellesley.
Look to internal career-changers
Look for existing employees with risk, technology, or business chops who bring risk management skills as well as communications and creativity strengths.
Look beyond STEM backgrounds
Few of the women Forrester interviewed began their careers via a traditional path.
Join forces with HR
Human Resources plays a major role in selecting job candidates, so work with HR to be sure you're on the same page on diversity of hiring and the type of qualifications needed.
Sponsor, recruit from diverse security events
Think Grace Hopper, etc.
Encourage security staff to mentor women both inside and outside the organization.
Here are Forrester's Best Practices for retaining and promoting women in security:
Track data on your diversity in hiring, promotions
How many women are in technical security jobs? How many have applied for open security positions? "Work with your HR department to dig into behaviors that may be holding candidates or employees back, and be honest about what needs to change," the report says.
Provide training to deal with internal unconscious bias issues
DCI Consulting, Paradigm, and PDT, are examples of firms that offer unconscious-bias training services to help organizations set policies and procedures to remedy those problems.
Offer family-friendly benefits for all employees
Flexible maternity and paternity leave, breastfeeding rooms, and working remotely.
Formal mentoring programs
Professional support, career path assistance.
Culture improvements as a performance metric
Make employees accountable for helping foster a diversity culture.
Foster cultural change at cybersecurity events
Help encourage better harassment reporting, more representation of women speakers and panelists.