A change in wording could attract more women to infosec

Nov 17, 2015 | 4 mins

Information security is an endeavor that is frequently described in terms of war. What can we learn from history and from other industries about what a change in verbiage might do to affect the gender balance of this industry?

Information security is an endeavor that is frequently described in terms of war: Red team. Blue team. White hat. Black hat. Battle plan. Kill chain. Command and Control. Trojan horse. Payload. Demilitarized zone. Reconnaissance. Infiltration. Adversary. But what would the gender balance of this industry be like if we used more terms from other disciplines?

At the recent National Initiative for Cybersecurity Education (NICE) conference, I found myself in several discussions about the possibility that battlefield verbiage caused girls to avoid pursuing InfoSec careers. Answering the question above is not a simple task, but we may take some clues from history, as well as other industries, to view the possibilities.

The biggest reason we use so many battle-related security phrases is probably because the military has long been an incubator for new technology. Protecting that machinery and knowledge from prying eyes is no small feat; the military trains and employs a great number of people to secure its systems. As a result, many people involved in cybersecurity started their careers in military or government organizations.

As far as gender imbalances go, the military is nearly as lopsided as the InfoSec industry: 14.5 percent of the active duty force as of 2013 was composed of women, with only 7.1 percent of the top ranks being held by women. In cybersecurity specialties, 14 percent of personnel are female. As is described in the previous link, though, many of those women have gone on to high-ranking positions in government and private sector organizations.

This imbalance within the armed forces is historical as well as cultural; women could not hold permanent positions in the regular and Reserve forces until 1948, and there was a 2 percent cap on the number of women in the military until 1967. A ban on women in combat was lifted in 2013, though there are many specialties – particularly those in Special Operations units – where women are still not allowed to serve. While obviously this has not stopped women from participating and flourishing in military and intelligence environments, these are still largely considered masculine vocations.

Exposure still lags

According to a recent report by Raytheon and the National Cyber Security Alliance (NCSA), the majority of women and men are not being introduced to InfoSec careers. Among the findings, the authors of the report found that in the U.S., 67 percent of men and 77 percent of women said no high school teacher or career counselor ever mentioned the idea of a cybersecurity career. Globally, the picture was not much better: 62 percent of men and 75 percent of women said no secondary or high school computer classes offered the skills to help them pursue a career in cybersecurity.

With the dearth of computer education in K-12 schools in the U.S., this is hardly surprising. But it does show a clear pattern of this industry being perceived as a masculine profession rather than a feminine one.

If the task of protecting systems or analyzing malware had historically fallen (due to whatever bizarre set of hypothetical circumstances) primarily to biologists or mathematicians, our vocabulary would sound very different. And perhaps it might be viewed as a more enticing career path for young women.

A few months ago I attended a herpetology conference: I was shocked at how many women were there, discussing stereotypically “un-girly” critters with such gusto. As of 2011, women earn 60 percent of bachelor-level biology degrees. Women also earn between 40 and 50 percent of chemistry, mathematics and statistics, and Earth sciences undergraduate degrees. Women are well represented in the science and mathematics areas of STEM, but not in technology and engineering.

Perhaps the reason for the facts above is best explained by a comment that stuck with me from the NICE conference, from someone who had taught a GenCyber camp for girls. He found that one effective way to get girls to feel passionate about security was to create an emotional connection with the subject: e.g. the shock and distress of seeing your drone hacked or your password exposed.

It may be hard to imagine that people would develop attachments to creepy critters and perplexing puzzles. But it’s not hard to see how security is every bit as much about caring and advocacy as it is about battle. Perhaps a lexical shift would help girls, as well as the teachers and career counselors who advise them, to understand how much women can contribute to managing our security quandaries.


Lysa Myers began her tenure in malware research labs in the weeks before the Melissa virus outbreak in 1999. She has watched both the malware landscape and the security technologies used to prevent threats from growing and changing dramatically. Because keeping up with all this change can be difficult for even the most tech-savvy users, she enjoys explaining security issues in an approachable manner for companies and consumers alike. Over the years, Myers has worked both within antivirus research labs, finding and analyzing new malware, and within the third-party testing industry to evaluate the effectiveness of security products. As a security researcher for ESET, she focuses on providing practical analysis and advice of security trends and events.

The opinions expressed in this blog are those of Lysa Myers and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.