I recently received a phone call from a friend of a friend in New York. She is a successful marketing executive in Manhattan interested in changing careers to information security. We discussed graduate school options, required skill sets, and her particular interests. I explained the various emphases within “cybersecurity” and generally encouraged her to pursue her explicit passion, because security is a field rich with opportunity and demand is going to continue to surpass supply well into the future.
After hanging up, I began to ponder why there is such a dearth of female cybersecurity professionals.
The United States Department of Labor’s most recent data for 2014 of computer and information technology occupations lists female information security analysts at 18.1% of the total employed. This percentage is actually higher than I initially suspected because at every information security conference I attend, women anecdotally appear to comprise less than 5% of total attendees.
Women’s under-representation is not confined to information security or even information technology occupations; it is a well-documented issue in the larger domain of science, technology, engineering, and math (STEM). Women’s participation rate in STEM is a problem because research suggests, and I know from experience, that mixed gender teams outperform uniform gender teams. The long-term implications are especially significant for a cybersecurity industry that is immature and desperately needs every advantage to compete against modern threats.
Pinpointing cause without empirical data is difficult, but recent conversations with several of my female colleagues in various cybersecurity domains shed some light on likely culprits for women’s abysmal representation.
First, I believe that awareness of cybersecurity (and more broadly STEM) careers must increase in elementary school when children are first exposed to the many opportunities ahead of them. Currently, cybersecurity is not even on the radar of academic programs until at least late high school, at which point students have identified their strengths, and many have been guided towards a college career focused on those strengths.
The information is equally important for both genders, but the National Center for Education Statistics estimates that 11.5 million women and 8.7 million men will begin college this fall. This trend maintains itself for the next decade, which highlights the importance of educating girls about information security careers early on when their interests and proclivities are starting to form.
Lacking granular data for elementary school teachers’ undergraduate degree programs, I’m extrapolating (pure conjecture) from a sample size of two – my mother and mother-in-law, both retired elementary school teachers – that Bachelor of Arts degrees outpace Bachelor of Science degrees. Our teachers should certainly reflect diverse arts and sciences academic backgrounds, but smaller numbers of sciences graduates working in early education may be one reason that young students are not aware of potential careers in cybersecurity. We need to not only raise awareness, but also ensure that teachers champion information security careers the same way they encourage students to pursue traditional roles like teachers, firefighters, and doctors.
A perception problem
Information technology is not information security; they are two very separate professions. Elementary school administrators may believe that basic classroom computing availability and typing courses will expose children to “technology careers,” but this is the development stage during which children should be learning programming concepts, and more importantly, creative thinking about breaking and fixing technology (“hacking”). This is especially true for girls who need teachers to act as role models to encourage interest in these areas.
The second reason it is so important to foster interest in cybersecurity and STEM in early education is because attitudes and perceptions change as students enter middle school. Suddenly, topics that were once fun and interesting become dull and boring. Part of the enemy is cultural bias.
Consider my colleague. For many years she attended Space Camp every summer with a mixed gender group. At age 11 she began to notice that her female peers suddenly weren’t interested in aerospace. It was no longer “cool” due to the social attitudes communicated to her peer group before she was even a teen. Yes, it is “cool” for boys to pursue science and math (consider the Big Bang Theory characters), but girls are still receiving a signal (even subconsciously from the world at large) that their domain is liberal arts.
This is where organizations like the International Information Systems Security Certification Consortium (ISC²) can help by organizing career awareness campaigns within elementary schools so that teachers are knowledgeable about cybersecurity careers, and the skills students will need to be successful.
Within the security industry itself, gender role bias continues to plague the profession (skipping for brevity how many organizations can be downright hostile to women). In a former role, I needed to hire an information security analyst, and human resources sent me five qualified resumes. All five of the candidates were men. Soon after, I needed to hire a technical writer, and HR sent me five qualified resumes. Four of the five candidates were women.
The technical writer candidate we hired was so over-qualified that it was beyond ridiculous. She quickly became the team lead. She later told me that she almost refrained from applying for the position because she did not meet every requirement listed on the job description. I almost fell over. It is well known that men are likely to apply for any position regardless of qualification. Women will often look at a job description and pass on applying because they lack 20% of the skills/experience even though they are a match for 80% of the job. This problem affects all industries, but it’s particularly detrimental to cybersecurity, where demand for qualified professionals is growing so rapidly; when women hesitate to apply for open jobs, it compounds the problem enormously.
Finally, parents and teachers need to be the role models for girls in cybersecurity careers. I have a young daughter and I hope to instill in her the confidence to pursue her interests throughout her educational journey and into her professional career. She may emulate family members who were teachers, or she may emulate family members who are engineers, but I hope to present a compelling case for considering information security.
[Read more on the cybersecurity gender gap in New Data Finds Women Still Only 10% Of Security Workforce]