Women in cybersecurity need more than inspiration

Why are there so few women in cybersecurity? Here’s one big reason that hardly anyone talks about: caregiving responsibilities.

As a mother and 20-year veteran of the cybersecurity industry, I know firsthand the uphill battle women in cybersecurity face.

Shortly before I gave birth to my daughter, a well-known industry leader excitedly encouraged me to teach security courses, promising that I could easily move up the ranks if only I taught some regional classes, which ultimately would qualify me to travel to bigger conferences where I could teach to a wider audience and make the big bucks.

He didn't realize how insane this all sounded.

Spend weeks teaching at security conferences? Who would watch my baby? Where would I breastfeed?  Would I make enough money to pay a sitter to stay overnight with my children? Even if I did, how would my baby/toddler fare with me being on the road? It wasn't a realistic career choice for me then. Judging by how few women there are among the ranks of cybersecurity instructors today, it remains unrealistic career choice for many of us. This is not a coincidence, but a result of the skewed selection process and a work model that doesn't enable primary caregivers to participate. This gender gap extends throughout our profession.

The lack of diversity in cybersecurity is shocking. Merely 23% of cybersecurity professionals overall identify as female, according to the 2019 (ISC)² Cybersecurity Workforce Study (although there is a surprising lack of research on the topic). Similarly, research from jobs site Zippia finds that 22% of cybersecurity analysts are women (and they earn 5% less than their male counterparts). On the other end of the career spectrum, only one of the CISOs at the top 10 largest companies in the U.S. is female.

Why are there so few women in cybersecurity?

Here’s one big reason that hardly anyone talks about: caregiving responsibilities.

According to Catalyst Research, globally "women perform more than three-quarters (76.2%) of unpaid care work—including looking after children, spouses, partners, or other family members." In the United States, caregiving responsibilities are also disproportionately shouldered by ethnic minorities—a point I note because people of color are also historically underrepresented in cybersecurity.

The cost of caregiving

I have always been the primary caregiver for my children. Caregivers are not interchangeable: we cannot simply leave town for a conference or class and drop in a substitute without consequences. We have an intimate knowledge of our dependents and have built relationships with them. Our absence hurts those that rely on us.

In cybersecurity, the majority of advanced opportunities for learning, networking, and thought leadership have traditionally occurred at in-person conferences—from participating in capture-the-flag competitions (CTFs) to conducting presentations to attending industry roundtables.

These events are absolutely not caregiver-friendly. At the last in-person conference I attended, there were no formal events for participants with children. Flights and hotels were so exorbitantly expensive I couldn't imagine shelling out thousands of dollars to bring the kids.  And even if I did, there was no childcare provided or guidance for obtaining childcare in an unfamiliar city. (Amazingly, there was a breastfeeding booth placed near the room where I was scheduled to speak, but there was no fridge in which to store breast milk while attending talks.) I never saw a single baby. Babies at networking events would have been a major faux pas.  I couldn't imagine walking around with one.

It's not just childcare that we need to consider: Elder care is especially impactful for women near the top of their profession. In the United States, over 40 million Americans provide unpaid care to an older adult, with daughters providing over twice as many hours of care compared with sons. Unlike childcare responsibilities, elder care needs may strike unexpectedly and last for decades, derailing a woman’s career in middle-age, just as she becomes ready to step into a leadership role.

Tough choices; pandemic-inspired solutions

Ultimately, I’ve chosen to put my children first, declining countless speaking opportunities, learning opportunities, and job opportunities. Since they were born, I haven't been to a single conference unless I was speaking (and even then, only rarely).  The cost of alternate care for my children was too high and being apart from them for multiple days was stressful for all of us. CTF competitions? If only. Just taking a break to feed a child lunch or dinner will put you behind (and that's assuming you can compete virtually in the first place, which was unusual before COVID).

The rare occasions that I have traveled have been deeply stressful and required extensive planning: arranging overnight sitters and praying that everything would work out. Occasionally a sitter would call in sick at the last moment or oversleep, and I would scramble, devastated, trying desperately to find a backup solution.

COVID changed all that. Suddenly, for the first time, I could speak at major conferences virtually and still tuck my children in bed at night. I took a class—me!—on physical red team testing that I had wanted to take for years, and still made it home in time to feed the kids dinner. While COVID was deeply challenging for caregivers and families on many levels, it also spurred innovation and created remote learning, networking, and speaking opportunities which opened doors for caregivers.

That door is about to slam shut once again. Recently I received a request to speak on a panel at a major national conference. "Is it in-person or virtual?" I asked. In-person, came the response. I caught my breath. There was no opportunity for speakers to attend virtually. I would have to leave my children behind if I wanted to play in the big leagues. Worse yet, my children were too young to be vaccinated, which limited childcare options and meant my travel placed them at risk.

Women need more than inspiration

Today, there is a huge shortage of trained cybersecurity workers. Creating a path for women and other caregivers can help address that. More importantly, we need a variety of perspectives and backgrounds. "How innovative and creative can a company be if most of its workforce is homogeneous?" writes Gily Netzer, Forbes Councils Member. "Different people often bring different perspectives, and research suggests there is a correlation between gender diversity and innovation."

As in-person events begin to resume, millions of women and caregivers are being silently left out. Nowhere is that more apparent than in cybersecurity, where plum leadership and speaking opportunities are routinely designed with selection criteria that make them inaccessible to caregivers. We can host networking receptions and conferences for women and minorities in cybersecurity, but unless we provide options for childcare and remote attendance to support caregiving responsibilities, these are a cruel joke.

At one major conference I attended, the Women's Networking Party and the VIP Speakers' Party were literally scheduled at the same time. Presumably no one had considered that women speakers might want to attend both? Determined to do exactly that, I left the Women's Networking Event early and was on my way up the elevator to the VIP party when I bumped into SANS president Alan Paller on his way out. We chatted briefly, and he later texted to express his desire to inspire "the thousands of young women that we are finding who have a lot of aptitude but few models or pathways."

I was heartened by his outreach, but knew we had a lot of work to do. "Women need more than inspiration to get involved,” I texted back. “If you want to see more women in cybersecurity, you have to take the needs of women with children into account. That hasn't happened yet, and that means there's a lot of untapped opportunity." Alan sadly passed away before we saw each other again, but just a month before he died we connected and he let me know he had transferred the initiative to another executive who would carry it forward.

A call to action

We are at a turning point in cybersecurity. During the past year, we've deployed remote conference technology that can be used to include caregivers and others who are unable to attend in-person events for a whole host of reasons in speaking, learning, and networking opportunities ... but as the world slowly emerges from COVID, many cybersecurity events are dropping these important options.

Today more than ever we need to support diversity. While caregiving is not the only barrier for women in cybersecurity, it certainly contributes to the lack of women at conferences, training and networking events, and leadership positions. Women will continue to be underrepresented in cybersecurity—especially in leadership roles—unless we provide genuine support for caregivers and include them in industry events. 

This is a call to action for everyone in cybersecurity.  Conference organizers, I challenge you to continue to offer remote options and design in-person events that embrace and support family attendance. Educators, consider designing classes and competitions in a way that enables caregivers to take breaks and fulfil their responsibilities without falling behind. Participants, don't feel obliged to leave your families in order to move ahead. Push for remote options, childcare support, and flexible schedules. Choose to attend events that offer this support.

For all of the caregivers out there wanting to advance in cybersecurity: your needs are shared by countless others who have long been silent. It's time for us all to speak up.

Copyright © 2022 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)