Why diversity of thought matters in cybersecurity
Introduction
The cybersecurity industry has long struggled with gender disparity. And while the number of women in cybersecurity is growing, the gap remains, just as the industry as a whole is facing a severe talent shortage.
According to the 2019 (ISC)2 “Women in Cybersecurity Report,” women comprise 24 percent of the industry. This is compared to the 10 percent that was estimated in 2015 by a Frost & Sullivan report co-sponsored by (ISC)2. While there seems to be a positive change, we should put things into context: women make up 47 percent of the labor force across all sectors in the United States.
What should you learn next?
According to Liz Mann, a 25-year industry veteran, one of the challenges is the fact that not as many young women pursue higher education in science, technology, engineering and math (STEM) fields in general.
Mann, who is the head of the Life Sciences and Health sectors for Americas Cybersecurity at EY Advisory, said in a recent Infosec podcast that things have changed since the early days of her career. More women are sitting at the table — but the gender gap remains.
“Part of the problem is that there are still so many fewer women in STEM- or STEAM-based programs in college that the number of women coming through with good-quality education in this area is still small,” Mann said. “So the women … come in still as a minority.”
Working through the ranks
On the positive side, there’s a higher percentage of women climbing the ladder in cybersecurity. The 2019 (ISC)2 report noted that more women than men are reaching some of the top management roles, such as chief technology officer (7 percent of women compared to 2 percent of men) and C-level executives (28 percent of women versus 19 percent of men), among others.
Mann said one obstacle is that young women at the beginning of a cybersecurity career are encouraged to seek other women mentors instead of men.
“I'd like to think that those of us who are senior women in this field are teaching some of our male colleagues to be better mentors to the young women who come in,” she said, “because if we limit women to only women, then by definition we're going to run out, and the equation isn't gonna get any better.”
But women also create barriers for themselves, Mann acknowledged. For example, men are more likely to apply for jobs when they don’t meet all the qualifications, while women won’t apply unless they meet all the criteria on a job description.
“Sometimes put we put ourselves at a disadvantage from the outset because we see things very comprehensively and genuinely and we're hard on ourselves a little bit,” she said. “It's important to get used to being in an environment where there will be a lot of … technically savvy men and we as women in the industry have to have both the competency and the willingness to push ourselves into a slightly less comfortable space.”
Encouraging cybersecurity careers
Women played a prominent role in science and technology during the middle of the last century, but that changed in the following decades. By 1991, the number of women in the IT industry overall peaked at 36 percent and has declined ever since, according to CompTIA.
CompTIA also found that girls have higher interest in IT careers in middle school, but by high school their interest wanes. Other research has also found that when adults (e.g., teachers and parents) encourage interest in STEM in kids at a young age, regardless of gender, those youngsters are more likely to pursue that path.
Mann, who has two daughters in high school, is involved with several organizations that mentor girls and young women. She’s noted a current macroeconomic trend among professionals who enter the workforce: They want immediate responsibilities, but they also understand they’re not going to have the same level as they would after a decade in the field. That’s why it’s important to continue to learn.
“(Young people) recognize the longevity that is in front of them and they're willing to do things and explore and experiment a little bit more than, you know, maybe generations prior,” she said.
Diversity of jobs and skills
As Mann noted, one misconception that young people have is that cybersecurity jobs are all about coding. But there’s a need for a diversity of skills, including for roles focused on compliance, governance and risk management. As long as someone has the technical aptitude and is willing to learn, she makes a strong case for entering the field with other degrees. And Mann speaks from experience, considering she came into risk management in one of those unconventional ways, after earning a master’s degree in romance languages and literature.
The diversity of backgrounds, including gender parity, also benefits the industry as a whole, ultimately making organizations more secure, Mann added.
“Diversity of thought is really what solves hard problems. Whenever you are sitting at a table and everyone thinks the same way and … agrees with everybody around the table, you're probably not bringing the best and most creative solutions to a given problem,” she said.
Final thoughts
Diversity is especially important because cybersecurity in general, and risk management in particular, is a complex problem. The good news, Mann said, is that organizations are looking at the problem with eyes wide open. She said it’s important to take a risk management approach of “trust by design” — enabling transformation by embedding risk controls from the beginning.
“We no longer can live by avoiding risk and cyber-risk is no different,” Mann said. “Cyber-risk is here to stay so the question is … what could go wrong and … what controls can we build to make sure that doesn't happen.”
To hear more of Mann’s thoughts on women in cybersecurity and on prioritizing risk management, check out the Infosec Cyber Work podcast.
Sources
- Women in Cybersecurity: An (ISC)2 Cybersecurity Workforce Report, (ISC)2
- Women in Security: Wisely Positioned for the Future in InfoSec, Frost & Sullivan
- Women in the Labor Force in 2010, U.S. Department of Labor
- Risk Management and Understanding What Matters Most, Cyber Work with Infosec
- Make Tech Her Story, CompTIA
- 12 pre-built training plans
- Employer-requested skills
- Personalized, hands-on training
In this Series
- Why diversity of thought matters in cybersecurity
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security