The needle has not moved: new data released today by (ISC)2 and Booz Allen Hamilton shows that the percentage of women in cybersecurity worldwide has remained static over the past two years, holding at an anemic 10%.
That finding from the new "Women in Security: Wisely Positioned for Future of InfoSec" report, reflects a long-perplexing issue for an industry that's scraping for talent to fill massive numbers of job vacancies every day. But the new findings don't technically mean that fewer women are joining the industry overall, according to the report, which was conducted by Frost & Sullivan on behalf of ISC(2) and Booz Allen: in fact, the overall number of women joining the industry is on the rise. Their numbers just aren't keeping pace with the overall security workforce.
Women now dominate the governance, risk and compliance (GRC) sector of security, however: the report found that one in five women in security hold a GRC position, while just one in eight men do. According to the report, women were ahead of men in taking GRC jobs, and the skillsets of collaborating with multiple groups and balancing business and risk issues are skills women are likely to have, according to a focus group of women infosec leaders in the report.
Gurdeep Kaur, a member of (ISC)2, says the GRC sector holds a solid career path for women with a combination of technical and business skills. "If I have the right balance of technical skills and business acumen, I may be in position to provide an advisory role, and gain confidence and move up [in a role] of the security ladder," she says.
Even as a minority demographic in the industry, women now hold higher advanced degrees in the field than men do, the study found. Of women in senior positions, 58% hold a Master's Degree or a Doctorate, whereas 47% of males in leadership positions do.
But the overall low representation of women in the industry remains problematic.
"We're not getting closer to general parity," says Julie Franz, (ISC)2 Foundation director. "If you [achieved] gender parity, it would wipe out the workforce gap."
Franz says one issue affecting the number of women is a language gap in how the industry describes the jobs and roles in security. It tends to lean toward the technical and abstract, rather than emphasize the real-world impact. "We talk too much about jobs being about things and technology … Women want to know they are securing the people who use the things."
Women's salaries still lag those of men in the industry. The (ISC)2 compared salaries of men and women in the GRC space specifically, and found that women make 4.7% less than men, with an average salary of $115,779. Their male counterparts make $121,513.
Three factors appear to contribute to the higher male GRC salaries, according to the report: men stay in the industry longer than women, on average 15.2 years versus 14.5 years for women; more women have security analyst job titles than men, a job that pays about $95,000; and men rate monetary compensation higher than women do statistically. Around 58% of women in GRC rate monetary compensation as a top incentive, while around 62% of men do. Women rate work schedule and location flexibility higher than men do.
Franz says the data shows that women are less likely to change jobs than men, and that also accounts for the lower salary since job changes typically come with higher pay.
[What not to ask a woman in the security field, where men make up 90% of the workforce: What's it like to be a woman in the security field? Read How To Empower Women In Security.]
Interestingly, the average starting age for both male and female infosec pros is 30 years old. There's a gap overall in attracting or hiring young talent.
The bottom line is that entry-level security jobs are few and far between. "The requirement for experience for most [jobs] is higher than one would normally require for any entry-level position," (ISC)2's Franz says. "The need is so acute in cyber that it the requirement for someone to hit the ground running is much higher."
Angela Messer, executive vice president at Booz Allen, says companies need to be more proactive in their training and recruiting. "The kind of skillsets we're seeing today have definitely evolved. They are not the same ones we needed five years ago," Messer says. "You have to be more proactive in taking nontraditional skillsets and repurposing and training them into these fields."
Frost & Sullivan surveyed some 14,000 security pros from around the globe for the report.