The InfoSec Gender Divide: Practical Advice For Empowering Women

There is no one-size-fits-all approach for women to succeed in IT security. What you need is a roadmap and a little help from your friends.

Barbara Johnson, Senior Lead Certification Instructor & Courseware Developer, The Training Camp

December 17, 2015

5 Min Read

While stigmas and stereotypes suggest the industry is not welcoming toward women, speaking from my own experience, I believe more women can become empowered women by researching IT security opportunities, developing security credentials, and seizing security opportunities when they arise.

But before I share my game plan, let me share a little about myself.

I earned my B.S. in Engineering and Masters in Business Administration, becoming a senior security engineer and security manager. Along the way, I increased my competencies and certifications in information security and business continuity to establish myself as a senior security and compliance management consultant and as a senior instructor for security training and certification courses.

As a young professional, I received important advice from my manager (a retired Air Force Colonel) to advance my career to the next level by expanding my skillset and achieving independent recognition of my skills. As such, I built the business case for training courses with certification exams, earning my Certified Business Continuity Professional (CBCP) and my Certified Information Systems Security Professional (CISSP). In response to the evolving security profession, I added: Information Systems Security Management Professional (ISSMP), Member of the Business Continuity Institute (MBCI) and Certified Information Systems Auditor (CISA).

Despite the workforce statistics, through working hard, continuing education and carving my own career path, I did not encounter gender discrimination or lack of encouragement. Here’s what made the difference:   

Research IT Security Opportunities

As demand rises for IT security professionals of all stripes, so do opportunities for women. This is in response to regulatory and contractual compliance initiatives such as SOX, HIPAA, and PCI, scrutiny on the protection of personal information, and attention to cybersecurity threats and prevention. These trends are not showing signs of tapering.

Women should research and reach out to everyone they know – and don’t know --  who work in IT Security fields or knows someone who is a security practitioner. Pick their brains to identify field(s) that piques your interest. Areas include:

  • Governance, risk management, and compliance (GRC) program

  • Security architecture and security engineering

  • Information security auditing

  • Identity and access management

  • System and network security

  • Secure software development and security testing

  • Security operations, incident response, investigations and forensics

  • Security product development along with technical sales and application engineering

Develop Security Credentials

Educational opportunities are widespread. Starting in grade school, science, technology, engineering, and mathematics (STEM) courses can prepare and steer young women toward careers in engineering, finance, IT, and IT Security. Women can explore the newer IT security and information assurance concentrations and programs inside university computer science or the business departments. Pairing internships with coursework creates an even more powerful combination. Through internships, you apply coursework and develop practical qualifications. As students, women should attend their region’s ISC2 Chapter, ISSA Chapter or ISACA Chapter meetings to meet security professionals, receive mentorship, and connect for internship opportunities.

Another trend in developing qualifications is taking professional security training while in college or shortly after graduation. This past summer, a mid-20’s woman in my CISSP class mentioned to me that her father encouraged her to earn a Security+ Certification while studying for her B.S. in biology. In this way, she differentiated herself from other college graduate job applicants. She is now protecting healthcare intellectual property and healthcare personal information.

Firsthand, my own mid-20s daughter’s “Big Four” firm motivated her to earn a CPA in her first year; then I coached her to earn a CISA.  An interesting outcome is that she now leads an integrated assurance team. Now, we are discussing a CISSP certification to enhance her qualifications.

This advice also applies to women considering a career shift. Look for mentors at your current company or through one of the professional security organizations listed above. A mentor can guide your transition and suggest development points to enhance what you already offer. I often receive requests to meet for coffee from business analysts, infrastructure analysts or operators and financial analysts and auditors who want to learn how to transition into IT security and about applicable security certifications. I find this time productive and helpful in getting new ideas and expanding one’s network.

Seize Opportunities

In recent discussions with my CISSP and ISSMP students on the disparity between  men and women in IT security, security managers of both genders point out that more men than women apply for their open positions, which in and of itself was not surprising. What WAS surprising to me is that men would apply for positions even though they didn’t have the required skills listed in the job description. On the other hand, women would apply for a job only if they were qualified, and in many cases, over-qualified.

While this is certainly not a scientific study, it paints a curious portrait pertaining to confidence levels. My advice for women would be to apply even if you need to learn, develop and train. Be confident! You cannot receive an offer you didn’t apply for. Periodically review IT Security job postings along your career path (or shifted career path) and note skill and certification requirements.

You’ll also need to develop your plan of learning and development to seize those opportunities. As security is a dynamic and expanding field, to remain relevant, you must stay up to date on the latest threats, risk management techniques and industry innovations. This implies continued reading and attending webcasts and training courses that build upon current knowledge. Furthermore, earning certifications is vital because it is independent verification of competency. Not only does this secure a position, it enhances and builds confidence for future career advancement and opportunities.

About the Author(s)

Barbara Johnson

Senior Lead Certification Instructor & Courseware Developer, The Training Camp

Barbara Johnson is an authorized senior and lead certification instructor and courseware developer for The Training Camp, International Information Systems Security Certification Consortium (ISC)² and The Business Continuity Institute and is chairman of (ISC)² Common Body of Knowledge (CBK) Committee.

Barbara also provides information security and business continuity management consulting services to U.S. government agencies, defense contractors, entertainment, finance, healthcare, technology and travel information services. Her expertise includes developing governance and designing risk-based controls to protect corporate proprietary, personal privacy, and government information from fraud, misuse, intrusion and interruption. She strategizes enterprise-wide security architectures, establishes information protection and business continuity programs, devises information security policies, standardizes technologies and processes, and creates relevant education, training and awareness workshops and collateral.

Her risk and control frameworks include ISO 27001, COBIT, NIST SP 800-53, HIPAA-HITECH and PCI. Barbara's credentials include: BSIE (IIT), MBA (LMU), CISSP, ISSMP, CISA, CBCP, CBCI and MBCI.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights