When it comes to recruiting new talent, the cybersecurity industry is facing a big challenge. The supply of qualified candidates is far short of demand: data shows there are 300,000+ open cybersecurity positions in the U.S. right now — a number ISACA predicts will grow to 2 million openings by as early as next year.

With the average cybersecurity salary double — sometimes triple — the national average across all other sectors, why does the industry struggle to recruit and retain talent? The data suggests it might be marketing problem.

Of the 768,000 employed cybersecurity pros in the U.S., just 11% are women. Yet overall, women make up nearly 47% of the workforce. And, according to Kaspersky Lab, most women decide against a career in cybersecurity before age 16.

Simply put, women are not buying what the cybersecurity job market is selling.

So, what does lead women to pursue a career in cybersecurity, and what can we do eliminate the stigma that’s driving women away from one of the highest-paying careers in the country? To help bring light to the challenges and obstacles women face when entering the cybersecurity workforce, we asked Cisco Systems Security Systems Engineer Tina Caldarone and Technical Director and Head of R&D at Avoco Secure Susan Morrow for insights on what it’s like being one of the 11%. Like many security professionals, Tina and Susan entered the industry after first pursuing careers outside of cybersecurity. In the following Q&A, they share why they chose a career in cybersecurity and helpful tips for other women looking to break into the industry.

What Drove You to Pursue a Career In Cybersecurity?

Tina: After grad school, I worked at a couple of startups in San Francisco. I first worked in sales for an ecommerce site, and then shifted to a QA testing role at another company. As a QA tester, clients would constantly ask me about Internet security services. I started exploring Internet security at this time and stumbled across a startup called OpenDNS. No one in the industry was doing DNS-based security at the time and I thought it was very interesting. I reached out to the CEO, applied for a technical account manager role at the company and spent about two years there until they were acquired by Cisco in 2015.  

Susan: I started my career as an analytical chemist and eventually went into teaching — I taught science and chemistry. My partner, Steve, was also in education at the time and we were both very interested in computing. We decided to start a software company together in the early 1990s while still teaching full time. Our first major product was called Cerberus — it was an encryption and file-protection software. Since then, we’ve worked together on a variety of projects, including developing digital rights management software and identity access management tools.

Were You Encouraged to Pursue a Career in Cybersecurity or Tech?

Tina: Being an engineer was never presented to me as a viable career option. I was pushed to explore careers that were more “standard” roles for women like education, business and nursing. Becoming an engineer was something I wanted for myself, but it was never recommended to me. I felt the same way in college. I was always interested in technology, but as a woman, didn’t feel like I quite fit the role. I had so many different interests than what I thought engineers would have. There are now many great education programs in place to help fight this stigma, but we still have a lot of work to do — we’re obviously not quite there yet.

Susan: My grandmother advised me not to do “exams” because it’d be a waste of time as I’d “only get married anyway.” Even the head of my sixth form (final years of high school in the UK) advised me to find a job and not pursue a STEM career. Fortunately, I did have people in my life who supported me both at home and in school. I was always interested in science, technology came later; I’ve had experiences of sexism in both careers and it’s felt like a struggle at times to fit in and be taken seriously. My granddaughter, who is still very young, wants to be a geologist when she grows up — there is a lot of STEM support for girls in schools now compared to when I was younger, but it is still evident there are attitudes in society that need to be broken down.

You Didn’t Attend School for Computer Science. Has This Impacted Your Career?

Tina: My English and communications background gave me professional skills most technical engineers don’t have. Many engineers can talk to computers, but they often struggle when it comes to communicating with other people. Technical acumen is essential in cybersecurity, but being successful in the industry requires so much more than just technical skills. I’m often called in to help with technical writing and presentations because I have both the ability to understand technical subjects and communicate them clearly. Regardless of what you major in, you can use the soft skills you learn along the way in whatever career you choose.

Susan: You don’t have to have a background in development or computing to go into cybersecurity, because cybersecurity is as much about human beings as it is about technology. As an analytical chemist, I was trained to break things down and look for evidence, and then take that evidence and build it back up into a profile. You learn to use a reductionist approach to solve challenges, and I’ve used that training in pretty much everything I do now as a cybersecurity professional.

Being successful in cybersecurity is about much more than a computer science degree. We need a community of multidisciplinary persons coming together to fight cybercrime. We need to have developers working alongside of psychologists and psychologists working alongside business people. Cybercriminals are so successful because they circumvent technology with “soft skills.” We need to have details people, big-picture people and everybody in between. Otherwise, we’re in trouble. We’re going to have to switch the Internet off.

Did the Cybersecurity Gender Gap Intimidate You?

Tina: I knew going in the industry was heavily male-dominated — that stigma is what stopped me from going right into technology after high school. When I first told my family and coworkers I was changing roles, they were pretty shocked. Not because they didn’t think I could do it, but because it’s no easy feat and there’s a lot to learn. My family and friends were behind me, but they were a little concerned about the depth of knowledge I would have to obtain to be successful.

Susan: When I first came into this industry in the early 1990s, it was very, very technical. That image of the kid sitting in his bedroom in a hoodie, furiously typing at his computer, was very real. And it wasn’t just the hacker that looked like that, it was professionals in the industry as well. For at least the first five years of my career, I was the only woman in every meeting I ever went to.

What Challenges Have You Faced as a Woman in Cybersecurity?

Tina: I’m a woman in a male-dominated industry, and often younger than my counterparts, so I have to make a point to be assertive in meetings — even in meetings with clients. I work closely with a male colleague from our sales team and clients often assume he’s the engineer and I’m the salesperson. I’ve learned to lead conversations with my title to help get ahead of these assumptions and set the stage for a more productive meeting.

Susan: Earlier in my career, I’ve dealt with very direct and aggressive sexism. I’ve had men refuse to work with me because of my gender and what I wore to work. It’s gotten better since the early 1990s, but the gender bias in cybersecurity is still apparent. The industry is very male-dominated and it’s hard to overcome imposter syndrome. Today, I mostly deal with what I call “everyday sexism” — the kind that just drip-drip-drips away. I’ve learned to address this sort of thing directly, but it’s still difficult because you have to be authoritative without being aggressive.

What Advice Do You Have for Other Aspiring Female Security Practitioners?

Tina: It’s important that you put yourself on the same playing field as the other guys in the room. That’s why I decided to get certified, and it’s been really helpful. I also recommend you brush up on your soft skills. Good communication and business skills can help you go really far in cybersecurity. People will take you seriously and respect you if you can speak clearly and professionally about technical topics.

I also recommend you make time for networking with other industry professionals. Go to your local tech meetups or conferences and make connections with other people in security.

Susan: Cybersecurity is a wide industry, and there’s room for many different types of people with different mindsets and backgrounds. If you’re looking to get into the industry, find a mentor who can help you navigate challenges along the way. You need to find someone who can reinforce your confidence and tell you you’re doing good work.

If your background isn’t in technology, I recommend taking a few security courses to familiarize yourself with the technical skills you’ll need on the job. Once you’ve gotten a foundational understanding, get a few certifications under your belt. If you have the right perspective and are willing to learn, you will be able to find a job in the industry.

 

About Tina Caldarone

Tina Caldarone studied communications and English in college. After spending four years as a technical account manager at several cybersecurity startup companies in San Francisco, she accepted a role as a Security Systems Engineer at Cisco Systems. Now CCNA Security certified, Tina works out of the Cisco Chicago office where she advises partner engineers on Cisco security products and helps drive strategic initiatives at the company.

About Susan Morrow

Susan Morrow spent the first years of her professional career as an analytical chemist and science teacher. She later co-founded security solutions provider, HM Software, and has spent the past 21 years in the cybersecurity industry. Susan is now Technical Director and Head of R&D at Avoco Secure and a contributing author at Resources.InfoSecInstitute.com.

 

Sources: