Checking in: Are Women Advancing in Information Security?

VIEW THE ARTICLE HERE

It has been over one year since we put a focus on women in information security. In August of 2015, we learned that women make up just 11% of the IT security workforce, and fare only slightly better in IT in general – at 28%. This is the reality even as our industry battles with jobs we simply can’t fill, as openings in our industry outpace security professionals by more than 3 to 1. At the same time, women are now the majority sex in colleges. These three realities should be inter-related. We should be seeing more women entering the security industry.

But, sadly, one year later that’s not really the case industry-wide. Women have made small gains – up one percent in information security roles in 2016.

What are the challenges and barriers to women working in IT security? What can we do to encourage more female participation in our industry? We turned to the experts for advice:

Jim Routh, CISO, Aetna
Deborah Hurley, Creator of ISO 2700
Theresa Payton, Former CIO, White House & CEO, Fortalice Solutions

Women Find Success on Aetna’s Security Team

Jim Routh CISO Aetna

Jim Routh, the CISO at Aetna says that 41% of his team is female, including 60% of his direct reports.

Routh proudly reports, “My leader, Meg McCarthy, is the keynote speaker at the upcoming Executive Women’s Forum (EWF). Several of my direct reports regularly participate in women in security industry events.”

Routh states, “Several companies (Aetna, Facebook, Uber, etc.) have mature and sophisticated programs in place that enable them to greatly exceed industry norms in hiring and retaining women in cybersecurity. Sharing this information throughout the industry can do a lot to ultimately turn the 11% into 22%. Also preparing featured articles on profiling those women that have been successful as cyber leaders would be helpful.

Routh has suggestions for what we can do as an industry to increase the ranks of women on our teams.

Routh shares three ways to increase the ranks of women in our teams: 

1. IMPROVE RESOURCES SUPPORTING STEM
Primary policy focus is to improve resources supporting STEM- the more female students are interested in math and science the higher the probability of them gravitating toward computer science and ultimately security. 

2. MENTORING WOMEN
Next priority is mentoring for women once they choose a cyber security related curriculum. We need undergraduates and graduate programs to help find internship programs for them and guide them on curriculum choices.

3. INCREASE PROFESSIONAL MENTORING PROGRAMS
We need to increase professional mentoring programs (like those sponsored through EWF and Women in Security) to give women access to mentors from both genders.

More Gender Diversity in Cybersecurity Will Yield Big Payoffs for Organizations and Women

Deborah Hurley Creator of ISO 2700 Professor at Harvard University and Brown University

“From my point of view the situation for women in IT, including cybersecurity, is dire,” said Hurley. She cites three inter-related problems that combine to disadvantage women and to reduce opportunities and payoffs for organizations.

1. WOMEN AND GIRLS SELF-SELECT OUT OF MATH AND SCIENCE
“Although the new field of computer science stimulated an initial blip of interest from women, women’s participation in math and science since then has continued a precipitous decline. By middle school, girls are opting out of these important, interesting, growing areas of study and economic activity.”

2. MISSING OUT ON BIGGEST ENGINES OF WEALTH CREATION
“The situation assumes disastrous proportions when you consider that, by self-selecting out of science and technology, women have closed themselves off from the biggest engines of wealth creation in our era. Compounding this already shocking state, the number of single-parent families is growing in the United States. ‘Single-parent families’ is a euphemism for women raising their children by themselves. So, the women AND their children are excluded from wealth creation. That is a tragedy.”

3. WHILE WOMEN IN IT ENCOUNTER A CLIFF OF DISCRIMINATION
“The women who do go into science and technology fields encounter a virtually all-male environment or a cliff of discrimination. The percentage of women in Silicon Valley is miniscule, compared with the fact that women are 50% of the population. There are numerous other examples, such as Gamergate. Some women drop out. Others hang in there, but do not receive the same recognition, training or opportunities as their male colleagues.”

There are counterpoints to these dismal trends, such as the relatively new field of the Chief Privacy Officer. (A 2014 International Association of Privacy Professionals survey of 1000 Chief Privacy Officers found that 48 percent were women.) Hurley said, “This is an emerging field that has attracted women. They work on privacy and data protection and engage with many technology-related issues. The CPO often must work closely with the cybersecurity team.”

Hurley thinks that there are many opportunities to engage more women in information security, which is inherently interdisciplinary and multistakeholder. She would know. In 1990 Hurley wrote the first comprehensive report on information security. Prior to that, only technical manuals existed. “My report was the first time we looked at information security across disciplines, including technical, management, legal and other issues,” said Hurley.

She continued, “I n order to address cybersecurity problems in a robust, sustainable manner, it is essential to confront them in an interdisciplinary way, pulling what’s best and the needed tools from the entire arsenal, whether they be technical, legal, management or other, and to use them in combination to meet the security challenge. People from diverse backgrounds have to come together to solve cybersecurity problems. The ability to get along with, bring together, supervise, and get results from a broad range of people is a vital skill. Further, it is useful to be able to understand and manage human and social behavior among employees, customers and clients, and the public at large.”
Hurley pointed out that many cybersecurity problems have little to no technical component. She said, “The biggest cybersecurity problems come from human beings. The effective management and training of people is essential. When we talk about human vulnerabilities, the popular imagination runs to malicious hackers and cybercriminals. They exist and are a problem. But, in fact, the biggest cybersecurity issues come from employees, not the disgruntled ones, but employees who are well-intentioned but are fatigued, negligent or insufficiently trained.”

Cybersecurity is a growing field with lots of jobs and opportunities. Hurley strongly encourages women to take a look. Whatever a woman’s talents – with people, administration, management, education, technology or law – there is likely an aspect of cybersecurity for which her skills and expertise are needed. In addressing cybersecurity issues and in working with colleagues from many disciplines, which will be a daily part of life, these women will grow in knowledge and experience, thereby making themselves more expert and more able to contribute to their workplace, the economy, and society.

See our recent profile of Deborah:
https://www.klogixsecurity.com/blog/mother-iso-27000

Q&A with Theresa Payton

Theresa Payton Former CIO, White House CEO, Fortalice Solutions

Previously, we featured Theresa Payton, Former Chief Information Officer of the White House, in our Profiles in Confidence. Payton shared insight about the current state of information security, the lack of talent, and the importance of including more women, minorities, and veterans in the industry. We recently checked in with Theresa Payton again to hear what changes she has witnessed for women in security. She shares her thoughts with us:

Q: What is the current state of women in cybersecurity?
A: According to Womenscyberjutsu.org, women account for only 11% of information security profession. Overall, I think the industry can do more to help women understand the crucial role that cybersecurity professionals play that make a difference in our everyday lives. Unfortunately, ethical or unethical hackers are often pictured as men dressed in hoodies, and women cannot picture themselves in that role as a possible career choice. These kind of images tend to make women think they may have nothing in common with hackers. Studies show that women want to work in professions that help people, where they are making a difference. When you stop a hacker from stealing someone’s identity, you made a difference. At the end of the day, the victims of hackers are people and women can make a tremendous difference in this field. This is something the industry needs to do a better job of showing women.

Q: How can organizations start hiring more women?
A: The industry tells us there is a talent shortage in cybersecurity. There is a perception that if a person doesn’t have specific certifications after their name, a degree from a certain university, or a career path ‘punch card’, then they are not qualified candidates. Hiring managers that only look for the resume qualifications and are unwilling to recognize life experiences, creative problem solving, and a “go-getter“ attitude as qualifications are going to miss out on the most successful cybersecurity professionals. Many times, women may be going through a career change and trying to enter the cyber industry yet they feel their certain certifications or work experiences are lacking. Yet they do possess fundamental critical thinking, problem solving and analytical skills that would enable them to be very successful in cybersecurity.

My biggest piece of advice to executives everywhere is to be creative, innovative, open, purposeful, and mindful about how a candidate looks beyond their appearance on paper. Hiring managers should look for women, minorities, and veterans who may not be the exact “type” of candidate they are looking for, but if they invest the time to be a coach and mentor, they can get them up to speed. This, in turn, creates loyal, creative, problem solvers who are more likely to stay at their organization.

Much of this starts with the executive suite making a concerted effort to take a stand and ask themselves and their organization why they don’t have more women on their teams. I was recently at a global healthcare organization and the CISO said women account for almost 50% of his team. I asked him what he thought the key to success was and he said he focused on recruiting and retaining women and going outside of the health care industry and security business to get team members with different backgrounds.

Q: How can organizations attract and retain more women?
A: Organizations should run focus groups for women to give them a place to talk and grow. Providing a platform shouldn’t be about men vs. women, it should give women a place to flourish and thrive by supporting one another.

If there’s someone on my team that impresses me and I appreciate their work ethic, I ask them if they have any friends they would recommend. We also pay employees a referral bonus as they are our best recruiters. This is a great way to gain qualified, loyal employees.

For recruiting, women on cybersecurity teams should go to college campuses to attract other young women interested in the industry. Female college students love seeing women who are already in an exciting career field. The industry does not place enough emphasis on the importance of personal connections like this.

Organizations should make networking tools available to women, such as the Grace Hopper event or RSA Conference, to meet other female colleagues and share stories and growth.

Q: What can the industry do?
A: Last year, the RSA conference started a Security Scholars program that was open to both males and females. I noticed that they had a significantly higher percentage of females and minorities involved than I typically see at companies. I found this very impressive. When I asked about RSA’s new focus, they said they were deliberate about making sure there was a good mix of not only genders, but different socioeconomic statuses as well.
As more security conferences look to create “hackathons” for middle and high school students, as well as scholar programs for college students, they must make sure they deliberately foster diversity.

Something very positive happening now at many conferences is women “get-togethers” such as social hours and dedicated tracks of networking. Again, we don’t want to create a separation of men vs. women, but I highly recommend taking advantage of these events to gain valuable career growth and participate in networking.