Breaking into the boys club: Career advice for aspiring female cybersecurity pros
When it comes to recruiting new talent, the cybersecurity industry is facing a big challenge. The supply of qualified candidates is far short of demand: data shows there are 300,000+ open cybersecurity positions in the U.S. right now — a number ISACA predicts will grow to 2 million openings by as early as next year.
With the average cybersecurity salary double — sometimes triple — the national average across all other sectors, why does the industry struggle to recruit and retain talent? The data suggests it might be marketing problem.
Should you pay the ransom?
Of the 768,000 employed cybersecurity pros in the U.S., just 11% are women. Yet overall, women make up nearly 47% of the workforce. And, according to Kaspersky Lab, most women decide against a career in cybersecurity before age 16.
Simply put, women are not buying what the cybersecurity job market is selling.
So, what does lead women to pursue a career in cybersecurity, and what can we do eliminate the stigma that’s driving women away from one of the highest-paying careers in the country? To help bring light to the challenges and obstacles women face when entering the cybersecurity workforce, we asked Cisco Systems Security Systems Engineer Tina Caldarone and Technical Director and Head of R&D at Avoco Secure Susan Morrow for insights on what it’s like being one of the 11%. Like many security professionals, Tina and Susan entered the industry after first pursuing careers outside of cybersecurity. In the following Q&A, they share why they chose a career in cybersecurity and helpful tips for other women looking to break into the industry.
What Drove You to Pursue a Career In Cybersecurity?
Tina: After grad school, I worked at a couple of startups in San Francisco. I first worked in sales for an ecommerce site, and then shifted to a QA testing role at another company. As a QA tester, clients would constantly ask me about Internet security services. I started exploring Internet security at this time and stumbled across a startup called OpenDNS. No one in the industry was doing DNS-based security at the time and I thought it was very interesting. I reached out to the CEO, applied for a technical account manager role at the company and spent about two years there until they were acquired by Cisco in 2015.
Susan: I started my career as an analytical chemist and eventually went into teaching — I taught science and chemistry. My partner, Steve, was also in education at the time and we were both very interested in computing. We decided to start a software company together in the early 1990s while still teaching full time. Our first major product was called Cerberus — it was an encryption and file-protection software. Since then, we’ve worked together on a variety of projects, including developing digital rights management software and identity access management tools.
Were You Encouraged to Pursue a Career in Cybersecurity or Tech?
Tina: Being an engineer was never presented to me as a viable career option. I was pushed to explore careers that were more “standard” roles for women like education, business and nursing. Becoming an engineer was something I wanted for myself, but it was never recommended to me. I felt the same way in college. I was always interested in technology, but as a woman, didn’t feel like I quite fit the role. I had so many different interests than what I thought engineers would have. There are now many great education programs in place to help fight this stigma, but we still have a lot of work to do — we’re obviously not quite there yet.
Susan: My grandmother advised me not to do “exams” because it’d be a waste of time as I’d “only get married anyway.” Even the head of my sixth form (final years of high school in the UK) advised me to find a job and not pursue a STEM career. Fortunately, I did have people in my life who supported me both at home and in school. I was always interested in science, technology came later; I’ve had experiences of sexism in both careers and it’s felt like a struggle at times to fit in and be taken seriously. My granddaughter, who is still very young, wants to be a geologist when she grows up — there is a lot of STEM support for girls in schools now compared to when I was younger, but it is still evident there are attitudes in society that need to be broken down.
You Didn’t Attend School for Computer Science. Has This Impacted Your Career?
Tina: My English and communications background gave me professional skills most technical engineers don't have. Many engineers can talk to computers, but they often struggle when it comes to communicating with other people. Technical acumen is essential in cybersecurity, but being successful in the industry requires so much more than just technical skills. I’m often called in to help with technical writing and presentations because I have both the ability to understand technical subjects and communicate them clearly. Regardless of what you major in, you can use the soft skills you learn along the way in whatever career you choose.
Susan: You don't have to have a background in development or computing to go into cybersecurity, because cybersecurity is as much about human beings as it is about technology. As an analytical chemist, I was trained to break things down and look for evidence, and then take that evidence and build it back up into a profile. You learn to use a reductionist approach to solve challenges, and I've used that training in pretty much everything I do now as a cybersecurity professional.
Being successful in cybersecurity is about much more than a computer science degree. We need a community of multidisciplinary persons coming together to fight cybercrime. We need to have developers working alongside of psychologists and psychologists working alongside business people. Cybercriminals are so successful because they circumvent technology with “soft skills.” We need to have details people, big-picture people and everybody in between. Otherwise, we’re in trouble. We’re going to have to switch the Internet off.
Did the Cybersecurity Gender Gap Intimidate You?
Tina: I knew going in the industry was heavily male-dominated — that stigma is what stopped me from going right into technology after high school. When I first told my family and coworkers I was changing roles, they were pretty shocked. Not because they didn't think I could do it, but because it's no easy feat and there's a lot to learn. My family and friends were behind me, but they were a little concerned about the depth of knowledge I would have to obtain to be successful.
Susan: When I first came into this industry in the early 1990s, it was very, very technical. That image of the kid sitting in his bedroom in a hoodie, furiously typing at his computer, was very real. And it wasn't just the hacker that looked like that, it was professionals in the industry as well. For at least the first five years of my career, I was the only woman in every meeting I ever went to.
What Challenges Have You Faced as a Woman in Cybersecurity?
Tina: I’m a woman in a male-dominated industry, and often younger than my counterparts, so I have to make a point to be assertive in meetings — even in meetings with clients. I work closely with a male colleague from our sales team and clients often assume he’s the engineer and I’m the salesperson. I’ve learned to lead conversations with my title to help get ahead of these assumptions and set the stage for a more productive meeting.
Susan: Earlier in my career, I’ve dealt with very direct and aggressive sexism. I’ve had men refuse to work with me because of my gender and what I wore to work. It’s gotten better since the early 1990s, but the gender bias in cybersecurity is still apparent. The industry is very male-dominated and it’s hard to overcome imposter syndrome. Today, I mostly deal with what I call “everyday sexism” — the kind that just drip-drip-drips away. I’ve learned to address this sort of thing directly, but it’s still difficult because you have to be authoritative without being aggressive.
What Advice Do You Have for Other Aspiring Female Security Practitioners?
Tina: It’s important that you put yourself on the same playing field as the other guys in the room. That’s why I decided to get certified, and it’s been really helpful. I also recommend you brush up on your soft skills. Good communication and business skills can help you go really far in cybersecurity. People will take you seriously and respect you if you can speak clearly and professionally about technical topics.
I also recommend you make time for networking with other industry professionals. Go to your local tech meetups or conferences and make connections with other people in security.
Susan: Cybersecurity is a wide industry, and there’s room for many different types of people with different mindsets and backgrounds. If you’re looking to get into the industry, find a mentor who can help you navigate challenges along the way. You need to find someone who can reinforce your confidence and tell you you’re doing good work.
If your background isn’t in technology, I recommend taking a few security courses to familiarize yourself with the technical skills you’ll need on the job. Once you’ve gotten a foundational understanding, get a few certifications under your belt. If you have the right perspective and are willing to learn, you will be able to find a job in the industry.
Phishing simulations & training
About Tina Caldarone
Tina Caldarone studied communications and English in college. After spending four years as a technical account manager at several cybersecurity startup companies in San Francisco, she accepted a role as a Security Systems Engineer at Cisco Systems. Now CCNA Security certified, Tina works out of the Cisco Chicago office where she advises partner engineers on Cisco security products and helps drive strategic initiatives at the company.
About Susan Morrow
Susan Morrow spent the first years of her professional career as an analytical chemist and science teacher. She later co-founded security solutions provider, HM Software, and has spent the past 21 years in the cybersecurity industry. Susan is now Technical Director and Head of R&D at Avoco Secure and a contributing author at Resources.InfoSecInstitute.com.
Sources
In this Series
- Breaking into the boys club: Career advice for aspiring female cybersecurity pros
- Digital identity management: Balancing usability, security and privacy
- Why aren’t more women in cybersecurity, and how can we fix it?
- ChatGPT and the strengths and limitations of cognitive AI
- Cybersecurity automation: Tips to do it right in your organization
- Advancements in online safety: Combating cyberbullying and protecting vulnerable communities
- How small and medium businesses (SMBs) can fast-track a disaster recovery plan
- What it takes to qualify for the US Cyber Games team
- The changing role of a ransomware negotiator
- Protecting K-12 schools from cyber threats: The case of Vice Society
- A deep dive into GitHub's security strategies
- Data storage security isn't working: Here are 5 ways to improve
- Protect your data with zero-trust networks
- 3 cybersecurity automation tools that your IT department needs now
- One phishing attack could expose your entire hospitality network
- Privacy compliance and security: Are you collecting too much data?
- API security best practices: What you need to know
- Considerations when using open source to build an identity system
- Security as a service: 11 categories you should know
- The impact of open source on cybersecurity
- Cybersecurity jobs are in demand. C-level IT executives needed!
- 6 cybersecurity truisms the industry needs to rethink
- 2022 cybersecurity spending trends: Where are organizations investing?
- Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
- Twitter’s cybersecurity whistleblower: What it means for the community
- Top 5 cybersecurity questions for small businesses answered
- What Is zero-trust security, and should your business adopt it?
- What’s next in cybersecurity: Predictions from Andrew Howard
- How training employees about ransomware can mitigate cyber risk
- Today’s IT job market: Beyond fear, uncertainty and doubt
- Third-party authentication (OAuth): Good or bad for security?
- Two basic actions that reduce enterprise cyber risk by 60%
- 4 key takeaways from the 2022 Verizon DBIR report
- Four examples of human error in cybersecurity — and how to fix them
- Five ethical decisions cybersecurity pros face: What would you do?
- How to become an ethical hacker: Tips from Offensive Security CEO Ning Wang
- Shaking up security awareness: How one organization is building a culture of security
- Security Culture: TikTok CISO says this trend is here to stay
- IT skills advice from IDC's IT education and certifications expert
- Managing a security awareness program: Carrots, sticks, and repeat offenders
- Reducing IT’s carbon footprint: Good for business as well as the environment
- How Booz Allen Hamilton keeps their security team secure and compliant in a hybrid world
- 5 tactics to improve cybersecurity hiring results
- Top 9 effective vulnerability management tips and tricks
- SOC integration: Creating a well-built portfolio vs. a frankenstack
- Cybersecurity hiring: Why employer and higher ed collaboration is key
- After certification: Investing in employees' cybersecurity career pathways
- Where do ransomware, cyber education and cyber insurance intersect?
- Could psychology be the key to cybersecurity awareness? Research points to yes
- How IT pros can keep their organization on the cutting edge
- Cyber talent diversity: It's time to redefine the face of security
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Industry insights
Digital identity management: Balancing usability, security and privacy
Industry insights
Why aren’t more women in cybersecurity, and how can we fix it?
Industry insights
Industry insights
Cybersecurity automation: Tips to do it right in your organization