Some time ago, Dawn-Marie Hutchinson introduced the "Rule of Steve" to draw attention to the lack of diversity in cybersecurity. It goes like this: In a room (virtual or physical) full of cybersecurity professionals, there are usually more people named Steve than there are women.
Albeit tongue-in-cheek, it is a good indicator of how far the cybersecurity industry still has to go in terms of gender diversity. The situation has improved over recent years, but as we get to International Women's Day 2021, it is nowhere near parity. Everyone has a role to play in striving for parity this decade.
2020 Provided Opportunity to Change, but There Is Still a Long Way to Go
The (ISC)² Cybersecurity Workforce Study 2020 noted that the security workforce gap closed last year, and by a considerable margin: down from 4 million people to 3.1 million. This is little surprise in a global environment suffering from uncertainty and cost pressures. However, there is still a significant shortfall, and to build the cybersecurity workforce we need to encourage diversity.
To put it bluntly, we need more women, more ethnic diversity, and more neurodiversity. We need more men. We need more people from a whole range of "groups" who have the right aptitude and attitude to work in information and cybersecurity, regardless of location.
Does everyone who works in the industry need to be in an office? Most definitely, "no." The business challenges of COVID-19 brought about an opportunity for change and to encourage diversity by recruiting individuals away from traditional urban hubs. Remote working significantly expands the pool of candidates, which in turn brings access to a better and more diverse range of individuals.
A disparate and global workforce thinks more broadly, has different ideas, and can drive faster business outcomes than centrally located groups. For those naysayers who didn't believe it was possible to work remotely in cybersecurity, the COVID-19 crisis proved otherwise and has given organizations a new opportunity to break the Rule of Steve.
There are a range of statistics available for the number of women working in cybersecurity roles. The same (ISC)² study suggests around 28% of workers are female, but this is everyone with 25% or more of their role in cybersecurity. Other studies report percentages of females in the cybersecurity workforce at 21%, 20%, 14%, 11%. Omdia estimates the percentage to be around one-fifth, or 20%. Study after study shows that diverse teams — board level and others — deliver better results, but the Rule of Steve persists.
International Women's Day Is Not the Only Time We Should Focus on Improving Diversity in the Cybersecurity Workforce
As the mother of two daughters, I see every day as an opportunity to further the cause of women in the workforce. My children are not yet fully in the workforce, but when they do join, irrespective of their choice of profession, they will not regard their gender as any kind of impediment to what they want to achieve.
Everyone working in the cybersecurity industry today has a role to play. Many organizations recognize the lack of diversity in their workforce and have programs in place to improve the situation, but these programs take time to manifest. Every individual’s day-to-day attitude is an important component. We must challenge casual sexism in the workplace: letting it go unchallenged means it is acceptable. We must encourage diversity in job applications: gender language de-coders for job advertisements are free and can significantly improve diversity in applications. We must highlight diverse role models for others to aspire to — not only leaders but also experts in their field. We must constantly challenge ourselves with our own subconscious biases: Have we really addressed our own preconceptions?
There is much to do to break the "Rule of Steve" in cybersecurity, and if everyone plays their part, then we have a chance of achieving parity this decade. International Women's Day presents an opportunity for headlining the discussion, but the actions should take place 365 days a year.