Don't get me wrong; I love that there's never a line for the ladies room at security conferences. Nevertheless, there is a gender problem in IT and it's particularly bad in security. And I'll tell you something: all the STEM education programs in the world aren't going to solve the problem.

The InformationWeek IT Salary Survey released this week shows the problem in rather stark terms. In security, only 14 percent of the staff and 10 percent of the managers are women. This is consistent with other figures. ISC(2)'s most recent figures show that only 11 percent of the security workforce is female.

An industry that claims to have a shortage of personnel can't afford to repel half the world's population. As Julie Peeler, head of the ISC(2) Foundation, told me a few months ago, "If we doubled the number of women in security tomorrow, it would eliminate the shortage for a full year. It's not just a cultural issue. It's an economic issue."

Not only are there far fewer women in security, there is a significant salary gap, according to the InformationWeek survey. Although the gap is rather narrow between male and female staff -- men’s base pay is $3,000 greater -- the story in security management is very different. Male security managers brought home $27,000 more than female security managers this year. Men reported receiving a base pay of $127,000 plus an additional $14,000 in bonuses; women reported a base salary of $109,000 and $5,000 in bonuses.

So there are two issues: There aren't enough women in security; and women still get paid less for the same work. The question, of course, is why?

One reason may be that girls are still not adequately encouraged to go into STEM fields. Kerstyn Clover, staff consultant for SecureState and a Dark Reading contributor, noted this in a post she wrote in January. Although Clover herself is only 21 years old, and therefore was raised in a rather enlightened era, she writes: "The amount of times that I tried to venture in and explore something and got pushed or scared off, or was made to feel ashamed because they weren't what I was 'supposed' to like, is astounding."

However, getting young women interested in IT fields is not the biggest problem. According to a February report released by the Center for Talent Innovation, roughly 50 percent of people graduating with STEM degrees are women, yet women working in high-tech fields are 45 percent more likely than their male peers to leave the industry within a year of entering it.

The research indicates that the reason they leave is not that they don't like the work. Eighty percent of American women in science, engineering, and technology jobs said they loved their work -- plus 87 percent of Brazilian women, 90 percent of Chinese women, and 93 percent of Indian women. Among the reasons they give for leaving are, rather, an exclusionary macho culture and a lack of executive sponsorship. Women's ideas were less likely to get green-lit, they were less likely to obtain management positions, and they struggled with being labeled "too emotional" or "too edgy" for management positions.

Ladies, gentlemen: We must all accept some of the responsibility for this.

Last month The Atlantic published a cover story titled "The Confidence Gap." The story shows evidence that "success, it turns out, correlates just as closely with confidence as it does with competence," and that women's success is inhibited by the fact that we have far less confidence than men. Among the pieces of research the authors reference:

Linda Babcock, a professor of economics at Carnegie Mellon University and the author of Women Don’t Ask, has found, in studies of business-school students, that men initiate salary negotiations four times as often as women do, and that when women do negotiate, they ask for 30 percent less money than men do.

This article hit me so close to home that I couldn't read the whole thing the first time. I am no shrinking violet, but I have never once asked for a pay raise. I asked for a promotion only once in my career, and did so with the caveat "but you don't need to pay me more." (I got the promotion, without the raise, as I foolishly requested.)

I'm also sorry to say that the security field has not always been particularly welcoming. I will never forget the first and only time I went to DEF CON (in 2005). The fact that I only saw two other women at the event for the entire time I was there was not the problem for me. The problem was that none of the men would speak to me -- not about security, not about anything. They weren't being cruel; they just didn't want me around. Finally, an hour before I was about to leave for the airport after a very lonely two days, a man spoke to me. He said:

"I gotta tell ya, you've got great legs."

In his defense, I did have great legs, but that's not what I'd gone to DEF CON to discuss. That was nine years ago, and I do believe the industry has evolved a bit since that time, but research shows that we still have a long way to go. That's the bad news. The good news is that these are fixable problems.

Ladies, we need to work on our confidence. We need to ask for raises and promotions. We need to speak up in meetings.

Everyone, we need to call out our colleagues -- male and female alike -- when they exhibit behavior that makes us feel that there is something wrong with being a woman in the workplace. Not just the outrageous acts of sexual harassment that require a trip to the HR department, but the small digs that undermine a female co-worker's authority and professionalism. Sexism isn't just a woman's problem. It's an everybody problem, especially in IT.