Info sec industry still struggles to attract women

Many barriers still stop women from considering info sec as a profession. But both companies and women would benefit from an increase in the numbers, and many firms are now stepping up efforts to recruit them.

Even as women have made dramatic advances in medicine, law, and other fields, the proportion of women pursuing undergraduate degrees in the computer sciences has actually been dropping, from around 30 percent in 1990 to 18 percent in 2010, according to the latest data from the National Science Foundation. As a result, according to the Census Bureau, women accounted for just 27 percent of computer science professionals — down from 34 percent in 1990.

And it's even worse in the information security field. According to the latest research, such as the 2013 (ISC)2 Global Information Security Workforce Study, only 11 percent of infosec professionals are female.

There are a number of barriers preventing women from entering or staying in the field, but both companies and women would benefit from an increase in the numbers, and companies and industry groups are working to turn things around.

Barriers to entry, barriers to retention

According to Julie Peeler, foundation director of the International Information Systems Security Certification Consortium – (ISC)2 – there's a perception that women aren't good at math, science or technology, and it is this perception that is steering girls away from entering these fields. At least, in some countries.

"When I talk to women in Africa or Asia, this is not an issue at all," said Peeler. "There is something going on culturally in Western culture that we need to get our finger on and address as a community."

This is unfortunate, she said, because the U.S. information security industry currently has 30,000 open positions with nobody to fill those jobs. "And the gap is growing wider and wider," she said, explaining that 300,000 new jobs will be created next year.

Doubling the number of women in the field from 11 to 22 percent would completely close the gap, she added.

Increasing the number of women studying computer science would help. So would more exposure to job possibilities in information security.

For Jewel Tempe, who now manages two security research teams at HP, the main barrier to entry was her lack of awareness of the field.

"I didn't set out to get into security," she said, explaining that her background was in IT. "I got into security about eight years ago by accident. A job opportunity was available at a previous employer, I took it, and I haven't left security since."

The shortage of women in the field creates a vicious cycle. The profession is seen as unwelcoming by women first choosing a career. And women who are already in the profession can find themselves singled out and stereotyped. That, in turn, makes women feel devalued and passed over for promotions, and means that they are more likely to leave their companies, according to a recent report from the Anita Borg Institute.

"Being a woman in security has certainly been a unique experience," said Caroline Wong, security initiatives director at Dulles, Virginia-based Cigital Inc., the world's largest software security-focused consulting firm. "I'll go to RSA and I'm a panel speaker, a technical consultant, and people meet me and say, 'You must be in sales and marketing.' I'll be in a meeting, and someone will say to me, bring me a chair or a cup of coffee, because I'm mistaken for an administrator."

How women in InfoSec help business performance

According to McKinsey, companies with a critical mass of female executives perform better than those without women in leadership positions, because women are more likely to engage in people development, participative decision making, and other leadership behaviors that help companies succeed.

While this is true of all professions, the information security field is particularly in need of more diverse styles and backgrounds.

"Some of the skill sets that are becoming important for security professionals are the communication and analytical skills," said Julie Talbot-Hubbard, chief security officer at Symantec. "I've been trying to pull from other teams within Symantec to train on the cyber security side."

Diversity also helps build creativity. According to research from the Center of Talent Innovation, employees at companies with diversity in management are 45 percent more likely to report growing market share for their companies, and 70 percent likelier to report that their companies captured a new market.

"The reason that diversity is so important to a technology company is that we're all about innovation," said Cecily Joseph, vice president of corporate responsibility at Symantec. "That's the most important thing we do. The more different types of people you have at the table, the more innovative and creative you are and the more competitive you are as a company."

Symantec has made a concerted push to expand the number of women in the company, especially in management positions. For example, the company recently tripled the number of women on its board of directors.

How InfoSec jobs can be great for women

What many women might not realize is that jobs in information security have the potential to offer significant advantages. High pay, promotion opportunities, and flexible work schedules are just some of the benefits of today's information security career.

Joy Forsythe, manager for software security research at HP's Enterprise Security Products division, has a young daughter, and arranges her work schedule around her family needs.

"I can schedule my non-working time during my child's waking hours, and I can come back online after my child goes to bed," she said.

The flexible schedule, and the hours spent working from home, haven't derailed her career, she added.

"I'm running the research team I initially joined as a researcher," she said. "It hasn't been a detriment."

In fact, given the high demand for people in the security field, the ability to have a flexible schedule is helpful in attracting and retaining talent, she added.

Other reasons why women should take a second look at information security are job security and advancement opportunities.

"I knew this type of position was never going to be outsourced or sent overseas," said Sarah Isaacs, CEO of security consulting firm Conventus, when explaining the reasons she first decided to go into information security as a career. "There are two areas that companies always want to have in-house — data security and networking. And those fields are still growing very strong."

When security consultant Tanya Baccam was first choosing her field, there weren't many women around and information security seemed like a boy's club. But, for Baccam, that was sometimes an advantage.

For example, many men who go into information security don't want management positions, she said. They're happy just doing the work. "So for women who want to manage, who want a leadership position, that's a great opportunity."

Baccam herself has served as the manager of infrastructure security for a healthcare organization, and a manager at Deloitte & Touche's security services practice. In addition to security consulting, she now also is a senior instructor and a courseware author at SANS.

Industry efforts

Some companies are looking beyond traditional places to find talented women professionals.

"Information security is an enterprise-wide issue, and requires more skill sets than just engineering and IT," said (ISC)2's Peeler. "More and more, people are being brought in and trained in security with backgrounds in law, analytics, social sciences, or auditing."

One example of an information security professional with a non-traditional background is Maria Horton, founder and CEO of security consulting firm EmeSec, who originally started out as an emergency room nurse and then joined the Navy and became the CIO of what is now the Walter Reed Medical Center.

"I went to work with the Army, Navy and Air Force in implementing teleradiology systems," she said. These machines, which sent X-ray scans electronically, replaced the earlier generation of film-based machines. "Everything related to those digital images required a network, and everything related to the network required security. That's how I got into it."

She said that her medical background is a plus when it comes to security.

"When I look at a security issue that goes across the enterprise, I'm thinking about immunity factors, self-healing, all the things that relate to health care," she said.

Another approach is to get to women early, before they branch off into other fields in the first place. Many tech vendors are lining up to support educational outreach programs, trying to reach girls before they make a decision not to go into computer science.

"Our own experience has taught us that security practices are best achieved through diverse teams, since diversity enables the necessary different viewpoints on the security issues," said Marisa Viveros, IBM's vice president of security services.

As a result, IBM is helping support programs like Distinguished Lectures in STEM, the IBM "Girls Go TechKnow" summer camp, and Pathways in Technology Early College High School. IBM is also sponsoring the first National Women in Cybersecurity Conference this April, along with Google, Microsoft, Facebook, Lockheed Martin, and other organizations.

"Everything we're about as a society today is tied to technology," said Symantec's Joseph. "More women need to be a part of this industry because we're defining the future of society."

And the information security profession is protecting that future.

Copyright © 2014 IDG Communications, Inc.
