It’s Time for Change

Roughly 70 years ago, the U.S. civilian labor force was just 29% female. Huge strides have been made in education and workforce participation since, driving the share of employed women to nearly 47% of the workforce. They also now hold more than half of bachelor’s degrees, master’s degrees and doctorate degrees. Yet, still, women bring home 20% less than their male counterparts and fill just 21% of board seats at S&P 500 companies. While significant progress has been made in the past century, it’s obvious we still have some work to do to eradicate gender bias in the workforce.

Some industries, cybersecurity in particular, are especially plagued by this issue. Similar to national-level workforce statistics, women in security also make less than their male counterparts and hold fewer senior positions, despite their higher levels of education. Data from the 2017 Global Information Security Workforce Study reports women make up just 11% of the cybersecurity workforce. This statistic has not changed since 2013, suggesting the industry needs to take a new approach to recruiting female cybersecurity practitioners if it intends to fill today’s 300,000+ vacant cybersecurity positions.

Are Women Cybersecurity Professionals Less Capable Than Their Male Counterparts?

No academic research supports the claim women are less likely to succeed in cybersecurity roles than their male peers. Writers at Recode have studied gender bias in STEM fields for over 25 years and have found no evidence “women’s biology makes them incapable of performing at the highest levels in any STEM fields.” They cite several interesting studies to support their claim, including:  

  • A team of eight neuroscientists, headed by Professor Diane Halpern of Claremont McKenna College, found “few sex differences in children’s brains beyond the larger volume of boys’ brains and the earlier completion of girls’ brain growth, neither of which is known to relate to learning.”
  • Psychology professor Janet Hyde of the University of Wisconsin–Madison found “no meaningful differences in math performance among more than seven million boys and girls in grades 2 through 12.”

Countless studies, however, do confirm workforce diversity will improve business productivity and profitability. Researchers from Catalyst found companies with more women in the C-Suite bring a 34% higher return to shareholders. A study from Credit Suisse echoes this, finding large-cap companies with at least one woman on their board outperform similar companies with no female leadership by 26%. And finally, Harvard Business Review reports diverse teams are more innovative, objective and collaborative.

So, Why Isn’t the Industry Recruiting & Retaining Women Candidates?

Profitability and innovation are at the heart of cybersecurity, so why isn’t the industry recruiting and retaining women to fill its 300,000+ vacant positions? A 2017 study from Kaspersky Lab points to industry misperceptions and stigmas, as well as systemic issues in early education. Consider these key findings from the study:

  • Most young women in the U.S., Israel and Europe have decided against a career in cybersecurity before they turn 16
  • Terms like “hacker” carry a negative connotation and have little appeal to young women
  • A third of young women view cybersecurity professionals as “geeks”; another 25% think they are “nerds”
  • 78% of young women have never considered a career in cybersecurity
  • 42% of young people agree gender role models in the workplace are important

If female students commit to a career in cybersecurity, they then face a variety of new challenges once in the workplace. These include discrimination, bias and disenfranchisement. The 2017 Global Information Security Workforce Study found a shockingly large percentage (51%) of female practitioners experience multiple forms of discrimination on the job, and another 28% reported their opinions were not valued by their organization. This bias and discrimination persists into senior roles as well: The study found men are nine times more likely to be promoted into a managerial position, and four times more likely to become executives.

The Problem Persists at Nearly Every Seniority & Certification Level

Unfortunately, gender discrepancies in cybersecurity reach women in nearly all roles and levels, regardless of the credentials they hold. Beyond traditional college degrees, IT and security certifications are designed to prove candidates have the skills needed to fill a variety of essential roles. While certifications are not a measure of an employee’s total potential or “value” to an employer, they are a strong indicator of a candidate’s ability to become a productive member of an IT or cybersecurity team. So much so that 96% of HR managers use certifications as hiring criteria during recruitment.

To analyze how much gender bias impacts women practitioners at a variety of certification levels, we pulled compensation and demographic data for 15 various IT and security certifications. Here’s what we found:

| Certification | Level | % Women | Women Salary | Men Salary | % Difference |
|---|---|---|---|---|---|
| CompTIA Security+ | Entry | 10% | $86,946 | $88,559 | -2% |
| CompTIA A+ | Entry | 8% | $67,888 | $71,926 | -6% |
| Certified Ethical Hacker (CEH) | Entry | 8% | $103,815 | $112,929 | -9% |
| Microsoft Certified Systems Administrator (MCSA) | Entry | 6% | $80,301 | $89,474 | -11% |
| Cisco Certified Network Associate (CCNA) | Mid | 6% | $91,596 | $94,435 | -3% |
| Cisco Certified Network Professional (CCNP) | Mid | 4% | $107,672 | $110,555 | -3% |
| Information Technology Infrastructure Library (ITIL) Foundation | Mid | 22% | $110,745 | $119,486 | -8% |
| Microsoft Certified Solution Developer (MCSD) | Mid | 7% | $107,863 | $122,705 | -14% |
| VMware Certified Professional (VCP) | Mid | 3% | $95,799 | $103,920 | -8% |
| Certified Information Systems Security Professional (CISSP) | Senior | 10% | $123,293 | $131,092 | -6% |
| Certified Information Systems Auditor (CISA) | Senior | 23% | $118,252 | $124,214 | -5% |
| Microsoft Certified Systems Engineer (MCSE) | Senior | 6% | $101,515 | $111,331 | -10% |
| AWS Certified Solutions Architect – Associate | Senior | 9% | $109,189 | $128,426 | -18% |
| Certified Information Security Manager (CISM) | Senior | 13% | $137,853 | $147,508 | -7% |
| Averages | | 10% | $103,052 | $111,183 | -8% |

*Data pulled 7/3/2018 from PayScale.com

The Bad News

The data above reinforces what several studies have uncovered about the industry’s workforce demographics: women security practitioners are vastly outnumbered by men and earn less, despite holding similar credentials. We found women make up just 10% of the cybersecurity workforce, coming in slightly under figures reported in the 2017 Global Information Security Workforce Study. The data also reinforces study findings regarding gender participation and pay gaps at nearly every role and seniority level.

While the gender pay gap in cybersecurity (8%) is lower than the national average for all industries (20%), the gap is magnified when you consider that the average salary for a U.S.-based cybersecurity practitioner exceeds $100,000.

The Good News

While the gender discrimination issues in cybersecurity remain widespread, the industry still holds significant potential for women candidates. Women in cybersecurity have the potential to earn far higher salaries than in other roles — doubling, or sometimes tripling the national average for women in other industries. And with 300,000+ open cybersecurity positions today and another 2 million projected openings by 2019, the industry shouldn’t just consider more female candidates — it needs them. Desperately.

Several influential organizations like Cisco, Symantec and ISACA have launched initiatives to promote and support women pursuing a career in cybersecurity. Here at InfoSec Institute, we also launched our own Women in Cybersecurity Scholarship Program designed to give aspiring female practitioners the skills, credentials and experience needed to secure a professional-level role in the cybersecurity industry. As these efforts take hold and more women enter the industry, change will follow. As the data shows, businesses with a diverse workforce are more innovative and make more money. Filling the growing cybersecurity skills gap with a diverse pool of qualified candidates is just good business sense.
