Break the bias and create a more diverse cybersecurity workforce

Barbara Maigret, Global Head of Sustainability & CSR at Fortinet, talks about breaking the bias and creating a more inclusive cybersecurity workforce.

This year, on International Women’s Day, governments, organizations, and individuals worldwide were asked to help envision and create a gender-equal world. A world free of bias, stereotypes, and discrimination. A world that is diverse, equitable, and inclusive. A world where difference is valued and celebrated. That is this year’s theme: #BreakTheBias.

One of the industries struggling with significant bias and gender stereotypes is cybersecurity. This field plays an increasingly crucial role in our digital world and, as a result, offers many fulfilling career paths and opportunities. However, there are still significant barriers and misperceptions driving the belief that a career in cybersecurity is not for women.

Women are underrepresented in cybersecurity
While women have been disproportionately impacted by pandemic-driven unemployment (for example, one in four women reported job loss due to a lack of childcare—twice the rate of men), the technology sector was less affected. This was mainly because the sector was better prepared to pivot to remote work and flexible work models. As a result, according to a report by Deloitte Global, large global technology firms still managed to achieve “nearly 33% overall female representation in their workforces in 2022, up slightly more than two percentage points from 2019.”

While such progress is good, the technology sector still has a long way to go compared to other industries. Outside of the high-tech sector, women account for 47.7% of the global workforce. And they also make up 50.2% of the college-educated workforce.

And the gender gap is even wider within the cybersecurity industry where, according to the (ISC)² Cybersecurity Workforce Study, women only make up 25% of the global cybersecurity workforce. This gap is certainly not because there aren’t any jobs. According to that same study, the cybersecurity industry urgently needs 2.72 million more professionals. And while 700,000 cybersecurity professionals entered the workforce in the past year, the global workforce gap was only reduced by 400,000, indicating that global demand continues to outpace supply. Women are just generally not applying for or being recruited to fill these positions.

This lack of gender equity has also directly contributed to the low percentage of women who hold cybersecurity leadership roles. In 2021, for example, only 17% of Fortune 500 CISO positions were held by women, with only one female CISO in the top ten US companies.

Stereotypes and misconceptions persist
There are three main reasons why women continue to be underrepresented in the cybersecurity industry:

Problem #1: Cybersecurity is seen as a man’s career
Many women don’t consider cybersecurity a career path because it’s primarily seen as a male profession. This image is reinforced by popular media, such as Elliot Alderson in the Mr. Robot TV series, where cyber activities are performed by young geeks in hoodies working late at night in a dark room lit only by their computer screen. While it may make for compelling TV, this stereotype is inaccurate and off-putting for many women, inadvertently contributing to gender disparity in the workforce.

While cybersecurity certainly has its technical aspects, it is not just a technical industry. Like any growing industry, there are a wide variety of job opportunities that require human skills. These include analytical, communication, management, and interpersonal skills that are equally important to the organization’s success and positively impact the industry.

Problem #2: Young women are underrepresented in STEM programs
One reason why so few women apply for cybersecurity positions is that they are less represented in STEM-based programs. But there is no reason why the technical aspects of a career in cybersecurity should be off-putting for women. The fact is, standardized math tests for fourth, eighth, and 12th graders show little gap in the scores between female and male students. But according to MIT WIM (Women in Mathematics), one of the drivers of the gender gap in technology fields is not ability but “stereotype threat.” This happens when an individual worries about confirming negative stereotypes, leading women to conform to gender expectations by performing worse on assessments and decreasing their interest and persistence in STEM fields.

Pervasive gender biases, few female role models, mistaken beliefs about technology being a male-oriented industry, and, sadly, teachers and parents who steer girls away from technology studies have combined to break the confidence of many young women otherwise suited to pursue a STEM-related degree. This is a global issue, with women generally earning less than 20% of all STEM degrees. According to Yale University, US women only earned 18.7% of computer science degrees. In the UK and across 35 European countries, fewer than 1 in 5 computer science graduates are women. And women hold only 18.5 percent of STEM positions in South and West Asia and 23.4 percent in East Asia and the Pacific. This bias starts early in their college careers. 49.2% of women intending to major in science and engineering switch to a non-STEM major during their first year.

Problem #3: Bias in cybersecurity hiring
We cannot cure the lack of women in STEM overnight. So, organizations need to think differently about the composition of their cybersecurity staff. Many hiring managers—and HR—view individuals with backgrounds in computer science, engineering, and other STEM fields as the most qualified cybersecurity candidates, often ignoring those with degrees in other areas. But if they want to build successful cybersecurity teams, they need to broaden the scope of backgrounds they consider when looking for new employees.

But the challenge goes beyond hiring. The reality is that women in cybersecurity roles also tend to be promoted more slowly than men—something known as the “first rung” problem. According to Fortinet CISO Renee Tarun, “Men are four times more likely to hold executive roles than their female counterparts, they’re nine times more likely to have managerial roles than women, and [on average] they’re paid 6% more than women.” In addition, women tend to leave the field at twice the rate of men, citing gender bias, discrimination, and harassment as their reasons for leaving.

Five steps for creating a more diverse and inclusive cybersecurity workforce
In addition to the primary objectives of the UN’s Sustainable Development Goals that call for equality and equity for women (goals four and five), organizations need to seriously consider how to merge their DEI (Diversity, Equity, and Inclusion) objectives into their equally important digital innovation strategies. Because the evidence is clear: businesses that employ gender equality practices across their organization report increased profitability and productivity.

Given the rate at which digital innovation is transforming organizations (and the efforts of cybercriminals to exploit those digital acceleration efforts), now is the time to break our cybersecurity stereotypes. We must work together to remove the bias that cybersecurity is a gender-specific field and change the perception that it is purely a computer science discipline. In cybersecurity, technology is only one of the silver bullets required to eliminate cyberattacks. The three critical elements of an effective cybersecurity strategy are People, Products, and Processes. But when we continue to recruit the same people—same gender, same educational background, same perspective—we are unlikely to develop strategies that allow us to get out ahead of our cyber adversaries. For example, it is not a stretch to say that the failure to rethink security strategies—starting with who makes up our cybersecurity teams—played a part in the nearly 1100% increase in ransomware attacks organizations worldwide experienced last year.

To change this perception and get out ahead of the cybercrime crisis we all face, we must bring more voices, perspectives, and diversity to our cybersecurity teams. Here are five basic principles we need to adopt as we work to refine our cybersecurity teams and strategies:

• Highlight the contributions of women in cybersecurity in our classrooms and businesses, identify and promote positive role models and examples, and actively encourage diverse career paths, experiences, and job functions to our young women.

• Encourage young women to pursue STEM-based degrees and careers at a young age.

• Create and/or be part of mentorship programs at all levels, beginning with basic technology classes in elementary schools that model success in technology for girls and continuing throughout their higher education and professional careers.

• Implement more inclusive work environments by identifying and breaking bias in hiring practices, training all employees (not just executives) about true inclusiveness, and actively making every employee feel involved, valued, and respected. And we need to ensure that women, especially women of color, are treated fairly and are fully embedded in the workplace.

• Eliminate “first rung” barriers by actively promoting more women to leadership at every level of the organization, beginning with roles as project and team leads and first-tier managers.

This must be a commitment we are all willing to make. On this day, we reaffirm our commitment to promoting gender diversity, equity, and inclusion inside Fortinet by helping engage more women in the cybersecurity sector through concrete action across the above strategies.

Final Thoughts
Cybersecurity plays an essential role in our modern society. However, a variety of skills and experiences must come together to guarantee the cyber industry’s success. And as with any other industry, diversity is crucial. By bringing greater awareness to the diverse skills and backgrounds cybersecurity requires, we can help shrink both the gender and skills gaps while making strides in our battle with our cyber adversaries.

Cybersecurity offers many fulfilling career paths and opportunities for women. Because technology—and cyberthreats—continue to accelerate, it is an industry in constant evolution, making the field of cybersecurity very stimulating intellectually. And because there are so many open jobs to fill, this sector is also attractive financially. But joining the cybersecurity industry also means having a significant impact on society. We live in a digital world where protecting data and individual privacy has become a critical sustainability issue. And as always, women play a vital role in making this possible.