Careers & People

12/17/2015, 11:00 AM
Barbara Johnson
Commentary

The InfoSec Gender Divide: Practical Advice For Empowering Women

There is no one-size-fits-all approach for women to succeed in IT security. What you need is a roadmap and a little help from your friends.

While stigmas and stereotypes suggest the industry is not welcoming toward women, speaking from my own experience, I believe more women can become empowered women by researching IT security opportunities, developing security credentials, and seizing security opportunities when they arise.

But before I share my game plan, let me share a little about myself.

I earned my B.S. in Engineering and Masters in Business Administration, becoming a senior security engineer and security manager. Along the way, I increased my competencies and certifications in information security and business continuity to establish myself as a senior security and compliance management consultant and as a senior instructor for security training and certification courses.

As a young professional, I received important advice from my manager (a retired Air Force Colonel) to advance my career to the next level by expanding my skillset and achieving independent recognition of my skills. As such, I built the business case for training courses with certification exams, earning my Certified Business Continuity Professional (CBCP) and my Certified Information Systems Security Professional (CISSP). In response to the evolving security profession, I added: Information Systems Security Management Professional (ISSMP), Member of the Business Continuity Institute (MBCI) and Certified Information Systems Auditor (CISA).

Despite the workforce statistics, through working hard, continuing education and carving my own career path, I did not encounter gender discrimination or lack of encouragement. Here’s what made the difference:

Research IT Security Opportunities

As demand rises for IT security professionals of all stripes, so do opportunities for women. This is in response to regulatory and contractual compliance initiatives such as SOX, HIPAA, and PCI, scrutiny on the protection of personal information, and attention to cybersecurity threats and prevention. These trends are not showing signs of tapering.

Women should research and reach out to everyone they know (and don’t know) who works in an IT security field or knows someone who is a security practitioner. Pick their brains to identify the field(s) that pique your interest. Areas include:

  • Governance, risk management, and compliance (GRC) program
  • Security architecture and security engineering
  • Information security auditing
  • Identity and access management
  • System and network security
  • Secure software development and security testing
  • Security operations, incident response, investigations and forensics
  • Security product development along with technical sales and application engineering

Develop Security Credentials

Educational opportunities are widespread. Starting in grade school, science, technology, engineering, and mathematics (STEM) courses can prepare and steer young women toward careers in engineering, finance, IT, and IT Security. Women can explore the newer IT security and information assurance concentrations and programs inside university computer science or the business departments. Pairing internships with coursework creates an even more powerful combination. Through internships, you apply coursework and develop practical qualifications. As students, women should attend their region’s ISC2 Chapter, ISSA Chapter or ISACA Chapter meetings to meet security professionals, receive mentorship, and connect for internship opportunities.

Another trend in developing qualifications is taking professional security training while in college or shortly after graduation. This past summer, a mid-20s woman in my CISSP class mentioned to me that her father encouraged her to earn a Security+ certification while studying for her B.S. in biology. In this way, she differentiated herself from other college-graduate job applicants. She is now protecting healthcare intellectual property and healthcare personal information.

Firsthand, my own mid-20s daughter’s “Big Four” firm motivated her to earn a CPA in her first year; then I coached her to earn a CISA. An interesting outcome is that she now leads an integrated assurance team. Now, we are discussing a CISSP certification to enhance her qualifications.

This advice also applies to women considering a career shift. Look for mentors at your current company or through one of the professional security organizations listed above. A mentor can guide your transition and suggest development points to enhance what you already offer. I often receive requests to meet for coffee from business analysts, infrastructure analysts or operators and financial analysts and auditors who want to learn how to transition into IT security and about applicable security certifications. I find this time productive and helpful in getting new ideas and expanding one’s network.

Seize Opportunities

In recent discussions with my CISSP and ISSMP students on the disparity between men and women in IT security, security managers of both genders point out that more men than women apply for their open positions, which in and of itself was not surprising. What WAS surprising to me is that men would apply for positions even though they didn’t have the required skills listed in the job description. On the other hand, women would apply for a job only if they were qualified, and in many cases, over-qualified.

While this is certainly not a scientific study, it paints a curious portrait pertaining to confidence levels. My advice for women would be to apply even if you need to learn, develop and train. Be confident! You cannot receive an offer you didn’t apply for. Periodically review IT Security job postings along your career path (or shifted career path) and note skill and certification requirements.

You’ll also need to develop your plan of learning and development to seize those opportunities. As security is a dynamic and expanding field, to remain relevant, you must stay up to date on the latest threats, risk management techniques and industry innovations. This implies continued reading and attending webcasts and training courses that build upon current knowledge. Furthermore, earning certifications is vital because it is independent verification of competency. Not only does this secure a position, it enhances and builds confidence for future career advancement and opportunities.

Barbara Johnson is an authorized senior and lead certification instructor and courseware developer for The Training Camp, International Information Systems Security Certification Consortium (ISC)² and The Business Continuity Institute and is chairman of (ISC)² ...