Dark Reading is part of the Informa Tech Division of Informa PLC



10:30 AM
Levi Gundert

A Father’s Perspective On The Gender Gap In Cybersecurity

There are multiple reasons for the dearth of women in infosec when the field is so rich with opportunity. The big question is what the industry is going to do about it.

I recently received a phone call from a friend of a friend in New York. She is a successful marketing executive in Manhattan interested in changing careers to information security. We discussed graduate school options, required skill sets, and her particular interests. I explained the various emphases within “cybersecurity” and generally encouraged her to pursue her explicit passion, because security is a field rich with opportunity and demand is going to continue to surpass supply well into the future.

After hanging up, I began to ponder why there is such a dearth of female cybersecurity professionals.

The United States Department of Labor’s most recent data for 2014 of computer and information technology occupations lists female information security analysts at 18.1% of the total employed. This percentage is actually higher than I initially suspected because at every information security conference I attend, women anecdotally appear to comprise less than 5% of total attendees.

Women’s under-representation is not confined to information security or even information technology occupations; it is a well-documented issue in the larger domain of science, technology, engineering, and math (STEM). Women’s participation rate in STEM is a problem because research suggests, and I know from experience, that mixed gender teams outperform uniform gender teams. The long-term implications are especially significant for a cybersecurity industry that is immature and desperately needs every advantage to compete against modern threats.

Pinpointing cause without empirical data is difficult, but recent conversations with several of my female colleagues in various cybersecurity domains shed some light on likely culprits for women’s abysmal representation.

First, I believe that awareness of cybersecurity (and more broadly STEM) careers must increase in elementary school when children are first exposed to the many opportunities ahead of them. Currently, cybersecurity is not even on the radar of academic programs until at least late high school, at which point students have identified their strengths, and many have been guided towards a college career focused on those strengths.

The information is equally important for both genders, but the National Center for Education Statistics estimates that 11.5 million women and 8.7 million men will begin college this fall. This trend maintains itself for the next decade, which highlights the importance of educating girls about information security careers early on when their interests and proclivities are starting to form.

Lacking granular data for elementary school teachers’ undergraduate degree programs, I’m extrapolating (pure conjecture) from a sample size of two – my mother and mother-in-law, both retired elementary school teachers – that Bachelor of Arts degrees outpace Bachelor of Science degrees. Our teachers should certainly reflect diverse arts and sciences academic backgrounds, but smaller numbers of sciences graduates working in early education may be one reason that young students are not aware of potential careers in cybersecurity. We need to not only raise awareness, but also ensure that teachers champion information security careers the same way they encourage students to pursue traditional roles like teachers, firefighters, and doctors.

A perception problem

Information technology is not information security; they are two very separate professions. Elementary school administrators may believe that basic classroom computing availability and typing courses will expose children to “technology careers,” but this is the development stage during which children should be learning programming concepts, and more importantly, creative thinking about breaking and fixing technology (“hacking”). This is especially true for girls who need teachers to act as role models to encourage interest in these areas.

The second reason it is so important to foster interest in cybersecurity and STEM in early education is because attitudes and perceptions change as students enter middle school. Suddenly, topics that were once fun and interesting become dull and boring. Part of the enemy is cultural bias.

Consider my colleague. For many years she attended Space Camp every summer with a mixed gender group. At age 11 she began to notice that her female peers suddenly weren’t interested in aerospace. It was no longer “cool” due to the social attitudes communicated to her peer group before she was even a teen. Yes, it is “cool” for boys to pursue science and math (consider the Big Bang Theory characters), but girls are still receiving a signal (even subconsciously from the world at large) that their domain is liberal arts.

This is where organizations like the International Information Systems Security Certification Consortium (ISC²) can help by organizing career awareness campaigns within elementary schools so that teachers are knowledgeable about cybersecurity careers, and the skills students will need to be successful.

Within the security industry itself, gender role bias continues to plague the profession (skipping for brevity how many organizations can be downright hostile to women). In a former role, I needed to hire an information security analyst, and human resources sent me five qualified resumes. All five of the candidates were men. Soon after, I needed to hire a technical writer, and HR sent me five qualified resumes. Four of the five candidates were women.

The technical writer candidate we hired was so over-qualified that it was beyond ridiculous. She quickly became the team lead. She later told me that she almost refrained from applying for the position because she did not meet every requirement listed on the job description. I almost fell over. It is well known that men are likely to apply for any position regardless of qualification. Women will often look at a job description and pass on applying because they lack 20% of the skills/experience even though they are a match for 80% of the job. This problem affects all industries, but it’s particularly detrimental to cybersecurity, where demand for qualified professionals is growing so rapidly; when women hesitate to apply for open jobs, it compounds the problem enormously.

Finally, parents and teachers need to be the role models for girls in cybersecurity careers. I have a young daughter and I hope to instill in her the confidence to pursue her interests throughout her educational journey and into her professional career. She may emulate family members who were teachers, or she may emulate family members who are engineers, but I hope to present a compelling case for considering information security.

[Read more on the cybersecurity gender gap in New Data Finds Women Still Only 10% Of Security Workforce]


Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ...

User Rank: Guru
10/11/2015 | 3:48:47 AM
Re: I don't know anymore
I'm not determined to succeed anymore. I've given up. 

In the words of Walt Disney "If you can dream it, you can do it."

I can't anymore. I've been on my own since I was 14 and now I am 24 with no formal education. I struggle to make ends meet and I have no support. I have to do everything on my own and I've reached out to so many people to help me but I get turned away.

There are only so many no's/you can't that a kid can deal with and I've reached the end of my rope. I've given up on my career, on my life really. You'll probably read my obituary before you read that I've succeeded in getting into CyberSec.
User Rank: Strategist
10/9/2015 | 1:16:26 PM
Re: No reason to drag feet on gender bias
First of all there is a lot of evidence that the apparent career preferences of the two genders are actually biological in nature. Studies on children as young as 1 day old have shown that when presented with 2 images, one of a human moving and the other of a mechanical object, males will stare at the mechanical object far longer than female infants will. Moreover studies conducted on juvenile primates have shown that male primates prefer to play with "traditional male toys" such as toy trucks and female primates prefer to play with "traditionally female toys" such as dolls. These studies clearly indicate that the perceived "cultural gender norms" are more likely biological in nature. We know there are differences in the ways that male and female brains function so why would we not expect these differences to manifest themselves in our career choices. It is quite probable that male preferences for STEM fields and female "aversion" to them is a consequence of biological underpinnings.


Secondly why is a dearth of females in STEM fields even considered a "problem" to begin with? The "gender gap" in STEM fields is no more a problem than the gender gap in nursing or education where women hold the majority of positions. Nor is it any more of a problem than the lack of women in professions such as sanitation, auto mechanics, coal miners, etc. We don't "need" more female STEM majors any more than we "need" more female coal miners or male nurses. The only thing society needs is enough individuals to fill the required number of positions that are competent at their jobs. Indeed pressuring females into fields where they may be less naturally inclined to excel or be less content could in fact be harmful to society as a whole as it would waste resources training somebody who will eventually drop out of the field or be less effective than another individual who would have otherwise received the position.
User Rank: Strategist
10/5/2015 | 11:21:47 AM
STEM has little to do with gender bias

"Author Robert Charette quotes CEO after CEO claiming an engineering shortage, all the way back to 1934. ... " :

The real problem is that those jobs don't pay enough or are in constant danger of being outsourced to places or people with cheaper labor rates. If the shortage was real, wages in those jobs would rise, which is not happening, and qualified people would not have given up looking for tech jobs they kept getting passed over for.

Children are not stupid. They don't get to see one of their parents for 60 to 100 hours a week while they listen to the complaints about being paid for 40 in those few moments of time they do get to see their tired worn-out parent. Why would they want to do the same?

See the 400+ comments on "The STEM Crisis Is a Myth" on the true problems:


Bottom line is that the people that do the hiring only want fresh young *exploitable* labor...



User Rank: Apprentice
10/5/2015 | 10:08:29 AM
Re: Inherent Value in Diversity? Really?
I'm more inclined to think the real issue has more to do with popular culture and perception, as the author put it: "It was no longer "cool" due to the social attitudes communicated to her peer group before she was even a teen."

Look at how society portrays people involved in this field in pop culture. The "STEM" guys and gals are almost always overly nerdy, uncool, quirky and have terrible fashion sense! Of course very few women are attracted to it! To be attracted to STEM is to be "unattractive" by the standard of Hollywood and pop culture.
User Rank: Strategist
10/2/2015 | 7:41:10 PM
The Why of Gender Bias
This is actually a topic I can speak to with the authority of actual research (all my generalizations can be supported by real numbers). My Thesis topic in grad school asked if there was an inherent gender bias in SW design (and yes, there is but that's another post).

It starts in grammar school, where feelings about STEM are first formed. The testosterone boys typically have at that age makes them aggressive in the classroom; they tend to dominate the teacher's attention and the classroom resources (i.e., computers).

To compete with this, girls typically memorize subjects (better than boys) to please the teacher. However, by the time they get to college, this game has lost its charm. Consequently, the numbers for women who choose STEM majors are dwarfed by similar choices made by men.

This is because girls don't learn how fun STEM is, they simply learn by rote for approval. Boys learn that STEM is like a toy or game. This preloads their enthusiasm for STEM and the hard work it takes to be good at it. 

What we need to provide is the same opportunities for growth to women, and this effort reaches way back to grammar school. Teachers need to (be better paid and) understand the biological classroom dynamic, so they can cultivate the enthusiasm for STEM and infosec.


User Rank: Moderator
10/1/2015 | 3:45:23 PM
Inherent Value in Diversity? Really?
>> "Women's participation rate in STEM is a problem because research suggests, and I know from experience, that mixed gender teams outperform uniform gender teams. The long-term implications are especially significant for a cybersecurity industry that is immature and desperately needs every advantage to compete against modern threats."

Using that logic, malicious actors have learned to employ mixed gender teams to achieve their present position of far outpacing the cybersecurity defense industry. What other explanation could there be?

It's religious-type uninformed statements like the above that obfuscate the reality of this non-issue. Has anyone considered the possibility that more women don't get involved in these careers for one simple reason - they don't want to - and there may be nothing at all wrong about that?

Let's also chuck the myth that there is inherent value in gender diversity. If that were true, that would mean that a relationship between a male and a female is inherently more valuable than a same-gender relationship.

See where you wind up when you leave the path of common sense?
User Rank: Guru
10/1/2015 | 2:35:16 PM
Re: No reason to drag feet on gender bias
Mwalker871, thanks for commenting. This article was focusing on the dearth of information security career awareness in our education system, but I agree that there are multiple issues affecting the female participation rate in information security (and STEM more generally). Conscious and unconscious gender bias is certainly a core issue and personal responsibility for bias identification and removal is something that we should all be advocating. 

User Rank: Guru
10/1/2015 | 2:23:00 PM
Re: The gender gap in infosec
Rookiewilliams99, I completely agree that we shouldn't be forcing our daughters into STEM paths in order to achieve gender parity. You're absolutely correct that children should pursue their inherent academic interests.

I think the problem that needs solving is increasing awareness about information security careers at an earlier age. Obviously your children are well aware of the possibilities and career path, but generally I believe there is a shortage of information in schools about information security. Given the higher female collegiate graduation rates, if as an industry we can raise awareness, perhaps more women will naturally choose INFOSEC careers.

Thank you for commenting.
User Rank: Guru
10/1/2015 | 2:06:26 PM
Re: Gradual Change will come if meritted
Broadway0474, thanks for the feedback. Related to your question, everyone's experience is different and it's difficult to make broad generalizations about sexism in the industry. In my experience, the male dominated technology industry has produced regrettable bits of culture (as mentioned in the article) that are counterproductive to increasing the perception that information security is a desirable venue for women.
User Rank: Guru
10/1/2015 | 1:57:30 PM
Re: I don't know anymore
Nemocraig, I'm sorry to hear that people are providing such negative feedback. I don't think you should let the dream go. In the words of Walt Disney "If you can dream it, you can do it."

I don't know your exact situation, but I do know that there are a lot of employers who need qualified candidates with a strong portfolio of work. Forget about the classes and certifications and focus on building your skills. If you're determined to succeed here are two suggestions:

1. Start a blog and regularly chronicle your journey which will help publicly demonstrate your security knowledge and skills. For inspiration and a testament to the power of patience and persistence check out the Year of Python project.

2. Network within open security communities. Start with your local OWASP chapter. These types of forums are invaluable resources to meet like minded people who share your passion across the full spectrum of skill levels.

Thank you for your comment.