Not too long ago, I spoke on a panel about the scarcity of women in information security positions. During the session, an attendee spoke up, “I really support the need to bring more women into IT security roles, but when I review resumes, I don’t even find women among the applicants. How can we feed more women into the pool of candidates, when they’re not even showing up in our hiring searches?”
A fair question, and one that encapsulates an ongoing challenge in the IT security space. According to a 2012 study by the National Center for Women and Information Technology, women make up only 18 percent of undergraduate computer and information science degrees. (As an aside, I tried to find more recent national data on women with these degrees, but to no avail. If anyone has more up-to-date information to show this issue is being tracked more recently, I look forward to your comments.) While this ratio may sound low, it’s significantly higher than the 10 percent representation of women in information security positions today. What’s more, if you broaden the scope of qualified candidates for entry level positions to include those with any STEM-related degree and technical aptitude, the percentage of women that could start on the IT career path surges to approximately 40 percent.
With data supporting that there exists an untapped pool of qualified women that could help fill the workforce shortfall in IT security, recruiting these women should be a top priority among leaders in this industry, which is facing a 1.5 million-strong deficit in professionals by 2020. A successful effort to attract (and retain) top female talent to this field involves a steady commitment to a long-term vision of gender diversity in the industry and application of best practices such as these:
Don’t overstate the job qualifications. Research shows that women tend to apply for jobs only when they believe they meet 100 percent of the stated requirements, while men submit their resumes if they believe that they meet 60 percent of the requirements. Essentially, this means that if 10 equally qualified candidates meeting 80 percent of the stated requirements see your job post, all of the men will apply, and none of the women.
A typical scenario of how this plays out: You believe that your ideal candidate should have a computer science degree along with five years’ IT experience, even though someone with an alternative degree and three years’ experience could do the job. You may think that by basing your job description on the ideal candidate, you’ll filter out less desirable resumes and reduce your workload. I’ll confess to having done this myself.
However, the unintended consequences may be that you turn women candidates away before they can be considered, because women are more likely to “follow the rules” in applying for the job. If a position absolutely requires a certain certification, by all means include it in the posting, but don’t create unnecessary prerequisites.
Work the networks. It’s a promising sign thatgender-focused security forums are springing up all around us. Look to industry associations like ISACA® and ISSA which offer webinars, networking events and special interest groups targeted to women. Organizations such as Women in Technology International (WITI) and Executive Women’s Forum also provide popular meeting places for female leaders in the industry. Forwarding your job posting to executives in these groups and telling them that you want to increase the pool of qualified women candidates is an effective way to get the position you want to fill seen. Another valuable resource to consult is the National Initiative for Cybersecurity Careers and Studies (NICCS).
Reinvent the hackathon (and give it a new name, please). Hackathons — those marathon coding events that attract so much press — may spotlight bright software engineers and technologists, but they tend to appeal to men. And, dare I say it, often repel women who are put off by the ultra-competitive environment and the bravado culture that pervades them. Slate Magazine provides compelling insight on this topic. The good news is that some groups are working to change this image, and are even creating new women-focused hackathons that emphasize collaboration, cooperation and mentoring, with positive results.
Make women in cybersecurity visible. Women in cybersecurity draw in other women in cybersecurity. If you are a woman security professional, be active! Encouraging women to share new job postings to their social networks, interview new candidates, write security blog posts and articles, participate in online group and industry events and so on, will go far to bring about a more gender-diverse group of new applicants.
As one of the fastest-growing industries with the critical, strategic focus of defending businesses against advanced attacks on their increasingly large and complex networks, information security has an acute need to fill its shortage of skilled labor with talented female professionals. Organizations that seek to achieve greater representation of women in their IT security teams should maintain a steady, multi-faceted approach to recruitment — and continually evaluate their performance in terms of the advancement and retention of women in this area.
About the author: Michelle Johnson Cobb is the Vice President of worldwide marketing for Skybox Security