Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


10:30 AM
Levi Gundert
Levi Gundert
Connect Directly
E-Mail vvv

A Father’s Perspective On The Gender Gap In Cybersecurity

There are multiple reasons for the dearth of women in infosec when the field is so rich with opportunity. The big question is what the industry is going to do about it.

I recently received a phone call from a friend of a friend in New York. She is a successful marketing executive in Manhattan interested in changing careers to information security. We discussed graduate school options, required skill sets, and her particular interests. I explained the various emphases within “cybersecurity” and generally encouraged her to pursue her explicit passion, because security is a field rich with opportunity and demand is going to continue to surpass supply well into the future.

After hanging up, I began to ponder why there is such a dearth of female cybersecurity professionals.

The United States Department of Labor’s most recent data for 2014 of computer and information technology occupations lists female information security analysts at 18.1% of the total employed. This percentage is actually higher than I initially suspected because at every information security conference I attend, women anecdotally appear to comprise less than 5% of total attendees.

Women’s under-representation is not confined to information security or even information technology occupations; it is a well-documented issue in the larger domain of science, technology, engineering, and math (STEM). Women’s participation rate in STEM is a problem because research suggests, and I know from experience, that mixed gender teams outperform uniform gender teams. The long-term implications are especially significant for a cybersecurity industry that is immature and desperately needs every advantage to compete against modern threats.

Pinpointing cause without empirical data is difficult, but recent conversations with several of my female colleagues in various cybersecurity domains shed some light on likely culprits for women’s abysmal representation.

First, I believe that awareness of cybersecurity (and more broadly STEM) careers must increase in elementary school when children are first exposed to the many opportunities ahead of them. Currently, cybersecurity is not even on the radar of academic programs until at least late high school, at which point students have identified their strengths, and many have been guided towards a college career focused on those strengths.

The information is equally important for both genders, but the National Center for Education Statistics estimates that 11.5 million women and 8.7 million men will begin college this fall. This trend maintains itself for the next decade, which highlights the importance of educating girls about information security careers early on when their interests and proclivities are starting to form.

Lacking granular data for elementary school teachers’ undergraduate degree programs, I’m extrapolating (pure conjecture) from a sample size of two – my mother and mother-in-law, both retired elementary school teachers – that Bachelor of Arts degrees outpace Bachelor of Science degrees. Our teachers should certainly reflect diverse arts and sciences academic backgrounds, but smaller numbers of sciences graduates working in early education may be one reason that young students are not aware of potential careers in cybersecurity. We need to not only raise awareness, but also ensure that teachers champion information security careers the same way they encourage students to pursue traditional roles like teachers, firefighters, and doctors.

A perception problem

Information technology is not information security; they are two very separate professions. Elementary school administrators may believe that basic classroom computing availability and typing courses will expose children to “technology careers,” but this is the development stage during which children should be learning programming concepts, and more importantly, creative thinking about breaking and fixing technology (“hacking”). This is especially true for girls who need teachers to act as role models to encourage interest in these areas.

The second reason it is so important to foster interest in cybersecurity and STEM in early education is because attitudes and perceptions change as students enter middle school. Suddenly, topics that were once fun and interesting become dull and boring. Part of the enemy is cultural bias.

Consider my colleague. For many years she attended Space Camp every summer with a mixed gender group. At age 11 she began to notice that her female peers suddenly weren’t interested in aerospace. It was no longer “cool” due to the social attitudes communicated to her peer group before she was even a teen. Yes, it is “cool” for boys to pursue science and math (consider the Big Bang Theory characters), but girls are still receiving a signal (even subconsciously from the world at large) that their domain is liberal arts.

This is where organizations like the International Information Systems Security Certification Consortium (ISC²) can help by organizing career awareness campaigns within elementary schools so that teachers are knowledgeable about cybersecurity careers, and the skills students will need to be successful.

Within the security industry itself, gender role bias continues to plague the profession (skipping for brevity how many organizations can be downright hostile to women). In a former role, I needed to hire an information security analyst, and human resources sent me five qualified resumes. All five of the candidates were men. Soon after, I needed to hire a technical writer, and HR sent me five qualified resumes. Four of the five candidates were women.

The technical writer candidate we hired was so over-qualified that it was beyond ridiculous. She quickly became the team lead. She later told me that she almost refrained from applying for the position because she did not meet every requirement listed on the job description. I almost fell over. It is well known that men are likely to apply for any position regardless of qualification. Women will often look at a job description and pass on applying because they lack 20% of the skills/experience even though they are a match for 80% of the job. This problem affects all industries, but it’s particularly detrimental to cybersecurity, where demand for qualified professionals is growing so rapidly;  when women hesitate to apply for open jobs, it compounds the problem enormously.

Finally, parents and teachers need to be the role models for girls in cybersecurity careers. I have a young daughter and I hope to instill in her the confidence to pursue her interests throughout her educational journey and into her professional career. She may emulate family members who were teachers, or she may emulate family members who are engineers, but I hope to present a compelling case for considering information security.

[Read more on the cybersecurity gender gap in New Data Finds Women Still Only 10% Of Security Workforce]


Levi Gundert is the vice president of intelligence and risk at Recorded Future where he leads the continuous effort to measurably decrease operational risk for customers. Levi has spent the past 20 years in both government and the private sector, defending networks, ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
User Rank: Guru
10/1/2015 | 1:36:16 PM
No reason to drag feet on gender bias
Computing in general is an old boys club with the attendant male priviledge that keeps it that way. There is a bias and as long as we don't acknowledge it clearly and do what we each can do to break stereotype driven personnel decisions it will remain.

Sure there may be some inherent gender differences, but looking at the way things are today tells you nothing clearly. Social historical baggage clouds the view.

I could go on, but there is no reason to be satisfied with gradual change. That's just lazy thinking and reminds me of the excuses regarding civil rights.

I went to school with some bright girls who went on to engineering careers. It was clear they were expected to produce excellent results always or be dismissed as serious students.

Is that how you want life to go for your daughter?
User Rank: Guru
10/1/2015 | 1:33:33 PM
Re: Gradual Change will come if meritted
Stratustician, I couldn't agree more about the need for role models, and "Lisbeth" is a fantastic example of a stereotype that isn't necessarily productive if the goal is increased participation in information security domains. Fortunately we do have some strong role models like yourself and hopefully over time the perceived "Lisbeth" character requirements cease to exist.

Thank you for commenting.  
User Rank: Guru
10/1/2015 | 1:24:04 PM
Re: Gradual Change will come if meritted
RyanSepe, thank you for commenting. I agree that the goal should be to raise awareness of the career potential in information security. The goal isn't perfect parity between genders, but rather a growth trend in female participation over time which will elevate the long term performance of operational defense teams. 
[email protected],
User Rank: Apprentice
10/1/2015 | 11:22:30 AM
The gender gap in infosec
I agree with Levi in that the US government's numbers for females in the information security field (at almost 20%) is far higher than I've experienced personally.  5% is much closer to the number I see at conferences and seminars, if you disregard IT Audit related personnel.

That said, I'm not convinced this is a real problem unless there are some sort of artificial barriers to women entering this industry.  As we're always looking for more qualified practicioners women entering in higher numbers would certainly be welcomed, but how would one go about nudging females into the career, and why exactly should we do that?  

I agree the issue is larger than the narrow slice of infosec, but it seems that society is saying "follow your dreams" or "pursue your interests" and then turning around and saying "but more of you females should be interested in STEM careers."  As a father of male and female teenagers and an infosec practicioner myself, I've always presented my career positively and would welcome their interest in pursuing it, but I don't think either of them will end up in infosec.  At the local high school they have some great STEM-oriented classes that the school administration is really marketing to the female students, and yet the classes are still 80% male.

When I want help repairing my lawn mower or working on my car my daughter will turn me down almost every time, while my son will want to try to do the job by himself.  My son hates the one required foreign language class he has to take, while my daughter buys books and programs to teach herself 3 additional languages.

Is there something wrong that my daughter gravitates to linguistics while my son tends toward mechanical engineering when they both had virtually the same exposure and opportunities?  Does that represent a problem that needs resolved?  Isn't there a possiblity that the sexes have some inherent differences in their outlook on life, and shouldn't we allow that to happen?
User Rank: Apprentice
9/30/2015 | 10:34:36 PM
Re: Gradual Change will come if meritted
These are all fascinating personal stories, shared after a great post. All around one of the best things I've read on this site. That said, I am hoping for a little clarification. Is part of the problem that tech in general -- whether IT or security --- is more sexist a field than, say, marketing or consulting?
User Rank: Guru
9/30/2015 | 5:46:12 PM
I don't know anymore
I've dreamt of being in CyberSec for a really long time. Pretty much since I was an awkward teen in the early 2000's. I read, research, talk about joining the industry. Heck, I even tried to get into uni so I could study it. But all I hear is no, or your not good/smart enough. I'm used to those remarks. I have 8 years of solid work experience in a number of IT roles. I currently work in a high school and have contact with students. staff and administration and I understand the need for people in CyberSec. I give them the best information I can but as for possibly advancing into the industry, I doubt I will get this opportunity. I've applied for scholarships, loans, credit in order to go to training courses and bootcamps but I always get denied. With no family support and in a job where I barely make ends meat, I cannot afford to get the training. I've looked for mentoring. I've looked for jobs but you just get to the point where you've just got to let the dream go.

Good luck ladies.
User Rank: Moderator
9/30/2015 | 2:26:43 PM
Re: Gradual Change will come if meritted
Great point. I think right now the interest in cybersecurity in particular is a bit funny for girls due to the strange role model disparancy that exists.  For example, if you look at more recent pop culture, it's natural for many girls to think that you need a bit of a tougher edge much like Lisbeth from the Girl with the Dragon Tattoo.  Seems a little funny, but as a woman working in the field, I do get lots of people trying to draw a connection between what I do (help organizations put together security strategies) and the type of character from that book.  In reality, when I got interested in cybersecurity, it was because of all the books I read on the history of cryptography and the work that many women did, especially in WWII.  These are the role models I think many girls need, but sadly they don't get as much recognition as it's more popular to focus on hacker culture which might scare many girls off as being too harsh or too technical of a career path.

Either way, we definitely need more role models, and while we are nowhere near there yet (In my experience I am a perfect example of a women sitting on all male IT security teams), we just need some more strong role models from all points of history to show girls that women have historically helped with great progress in cybersecurity, we just often get overlooked by the sheer number of our male peers.
User Rank: Ninja
9/30/2015 | 11:03:05 AM
Gradual Change will come if meritted
As I said in the previous article referenced there is disparity everywhere. Its our moral fabric as a society not to prohibit a person from pursuing a field that interests them. I do believe that more education around information technology and information security needs to become more prevalent within schools. But I doubt that this will result in closing the gender gap within these fields. My evidence is that even though education has been barren in this type of education it would result in a disparity of all genders from these fields as all genders/races/ethinicitys are schooled collectively. As someone who believes that people should do what they have interest in, I support women and men trying to attain any goal that they have. But from a early guidance point the first question should be "What are you interested in?" From that, positions and fields should be explained to compliment those interests. There should be no steering in any which way from those interests.

At this point, no one is restricted from attaining a job due to these physical data sets. It has been this way for a long time. Because of this if more women become interested in infosec and IT the change will come but will be gradual. But I think trying to invoke change because there is a disparity of this type is foolish and in the end may detract from what the persons true interests are. In the end, the quest to not steer an individual from a cause they are truly interested in may be violated as a result of trying to close the disparity. In essence, the ideal end goal may be riddled with hypocrisy. 
<<   <   Page 2 / 2
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. The salt-api's ssh client is vulnerable to a shell injection by including ProxyCommand in an argument, or via ssh_options provided in an API request.