Q&A

Cybersecurity needs more women

A conversation with security and gender diversity expert Lisa Kearney

For decades, women have been underrepresented in IT and computer science. Women make up more than half of the total workers in the U.S., for example, but fill just 25% of computer science jobs, according to government estimates. Run those same numbers for leadership and management positions, and the slice of the pie represented by women shrinks even more.

Lisa Kearney spent two decades working in cybersecurity jobs in Canada, where the field is estimated to be 90% male. After a string of frustrating experiences, Kearney realized that change wouldn’t come on its own, so in 2018 she founded the Women CyberSecurity Society (WCS2), dedicated to helping girls and women join the security workforce and advance to leadership roles. We sat down with Kearney recently to discuss strategies to increase female participation in the security field.

What inspired you to create the Women CyberSecurity Society?

After talking to a few colleagues, I learned that they were facing challenges similar to ones I had experienced and that there was no one there to support them. I’ve volunteered as a cyber mentor for 11 years, but one-on-one mentorship can only go so far. We realized there was a need for an organization like this.

Your research shows that any group of workers starts to feel like a community once they reach about 30% of the workforce. In Canada, women make up just 10% of security employees. How can they close that 20% gap?

It’s going to take government, enterprise, and academia working together to adopt common strategies. But it’s not just about hiring more women to reach a quota; it’s about putting women in a position to succeed.

Sometimes women feel like they’re not welcome, accepted or respected, and they drop out. One study showed that 50% of women in the tech sector in Canada will leave the field sometime during the first four years of their career. So even as the recruitment part seems to be working, the retention part is missing.

If supporting women on the job requires more training or more of a one-on-one sponsorship strategy, then organizations need to put all that in place. Otherwise, women won’t feel like they’re making progress, and the likelihood of them dropping out only increases.

What can CISOs do to reverse the trends?

The importance of wording in job descriptions can’t be overlooked. CISOs should work to demasculinize job descriptions and ensure they’re written to attract women as well as men—for example, allowing employees to work remotely a certain number of days and creating conditions for work-life balance.

When women who are primary caregivers see language like “must be able to work long hours” or see multiple roles defined in a job description, it can be a bit of a red flag and a deterrent to applying. And once you hire women, you have to back up what you’ve promised in the job description—that you do provide flex days and time off.

I also think organizations need diversity training to raise awareness about messages women often hear: “Oh, that’s technical. You don’t need to attend that meeting.” That’s very exclusionary and biased, whether it’s unconscious or conscious.

What can be done to give current women in the field more access to leadership roles?

Research shows that increased gender diversity in leadership and decision-making roles within the cybersecurity team increases profits, improves problem-solving and reduces risk. Organizations that predominantly hire and promote men as heads of cybersecurity are missing out on all of these benefits.

Better problem-solving is vital to addressing today’s cyber threat landscape. Every day, attacks are increasing in number and sophistication, and organizations that don’t hire more women are on the losing end. Hiring is just the first step. Women should receive equal pay for equal work, be respected, be listened to, and be offered the same assignments, training, and opportunities for promotion as men.

What new or emerging job opportunities in security do you think more women should pursue?

I’d like to see more women enter positions of authority in nontechnical roles, not just the technical ones. Opportunities exist on the regulatory and governance side by working in data privacy or auditing. If more women understood what opportunities exist out there, more would apply and would have more success.