



Despite the gender barriers, women must persist in cyber

Mar 21, 2017 | 7 mins
Careers, IT Strategy

Why women still only represent 11 percent of the global information security workforce


During my years as a high school teacher, I was pregnant twice. I remember having a conversation with my former principal during one of those pregnancies. While I don’t recall many of the details of our exchange, there was one statement that will forever be branded in my memory.

“I know you’re really emotional right now because you are pregnant,” he said. Needless to say, there was definitely a culture of gender bias at the school, as there is in so many other workplaces. The information security space is no different.

Joyce Brocaglia, CEO and founder of the Executive Women’s Forum on Information Security, Risk Management & Privacy (EWF), and Lynn Terwoerds, executive director of EWF, co-authored the 2017 Global Information Security Workforce Study: Women in Cybersecurity. What they found is that the statistics around gender are quite slow to change.

Women still only comprise 11 percent of the global information security workforce, said the EWF study. They also found that 51 percent of women in the cybersecurity industry in North America, Latin America and the UK have experienced some form of discrimination.

Yet, when I talk with women in the industry, most acknowledge they know it’s out there, but it’s never happened to them personally.

According to a recent ISACA report, “Breaking Gender Barriers,” workplace bias is both real and endemic. “Bias against women can be insidious. It can take subtle forms—from being overlooked in meetings, to having ideas dismissed only to be usurped by male colleagues later, to inexplicably being passed over for promotions.”

Moreover, “Only 8 percent of women surveyed by ISACA say they’ve never experienced gender bias in the workplace.” Yet, the individual stories of having experienced these tendencies of bias toward women remain largely untold.

Who would want to publicly admit that she works at a particular company and then go on to share her negative experiences about her employer? 

Deidre Diamond, founder and CEO at CYBERSN, said, “I’ve been in tech since my first job out of college, but my story is rare, and it’s not what I hear from a lot of women.”

Having had a positive experience, Diamond said that for many women the biases in the workplace are very much unconscious and that they begin during interviewing.

“Even for executive-level women who have done amazing things, in their interviews, they hear things like, ‘Wow, your resume is so impressive. What level did you contribute?'”

Though seemingly innocuous, the question itself can have biased undertones, particularly if one were to record two interviews side by side.

“If it were a man who had been VP of products, they might say, ‘You guys accomplished a lot. Tell me how you guys did it.’ The question is how did you do it? What models did you follow?” Diamond said.

Women who are highly qualified and well educated still deal with having to prove themselves. “More than men have to prove themselves,” Diamond said. “They will speak up in a meeting. What they said doesn’t get recognized, but when a man says it, the top person applauds.”

And there are additional inequities. Both the EWF and the ISACA reports found that wage parity remains an issue as women in the information security industry earn a lower annual salary than their male counterparts at every level. 

Forty-three percent of the respondents in the ISACA report said they were being paid less than those with equal skills and experiences. Diamond said, “What my gut and experience tells me is that the disparity exists because women start out making less than what men earn.”

It’s not that a company offers a lower salary simply because they are hiring a woman instead of a man. Rather, “Women in general are not good negotiators, especially if they are just starting out. We’re not good risk takers,” said Diamond.

It’s far more likely that during the compensation negotiations, women accept a lower offer. Where a woman might accept a $60,000 salary, a man might negotiate $65,000 to $70,000, so the compensation is higher through the life of those two careers.

The key for women is to demonstrate confidence in their abilities from the initial interview. The reality in cyber is that it is very typical for there to be one woman in a room of 30 men, said Liz Maida, co-founder and CEO of Uplevel Security.

Though often the only woman in the room, Maida said she never felt like gender bias inhibited her in her day-to-day life. 

“What I do think is really interesting is the different level of comfort that men and women have in expressing confidence in their abilities. That plays a role in the numbers we see,” Maida said.

Those who work in technology possess a natural technical aptitude, but the ability to be successful is based on experience, Maida said. “There can be this difference where women who don’t happen to have that particular knowledge are hesitant to express confidence that they have the ability to solve that problem.”

Women don’t want to overstate their ability, but men often take a different approach. “If a man doesn’t have a particular knowledge, he is more likely to say, ‘I may not know how to do it, but I’m sure I’ll figure it out,'” said Maida. 

Because they don’t want to be braggarts, women are less comfortable tooting their own horns. But, if women unconsciously and subtly exude a lack of self-confidence, how will they ever persist and advance?

One tactic, Maida said, is to say things like, ‘I know I have strengths and weaknesses, but these are the things that I am really good at.’ 

In addition to women playing up their own strengths, “The extent to which the rest of the industry can be aware and understand that when women are talking about their abilities, they may be understating them is also important,” Maida said.

Still, there are antiquated cultural biases that impact women on issues that really have more to do with working men and women. “There was the assumption when I was about to have kids, that I didn’t care about working anymore,” said Maida.

True, there’s been a lot of talk about how women care about a work/life balance, but resources for child care are things that families need. Having a family while working impacts both men and women. “The solution,” said Maida, “isn’t that women need a better work/life balance.” 

As men do, women also want professional responsibility, challenges, and opportunity to grow and learn from role models. Men, however, have had no dearth of role models to emulate.

Female mentors and role models notwithstanding, women can prevail in cyber. “It’s not unlike any other career where women face challenges. They have to take ownership of their own careers,” said Heather Ricciuto, academic initiative leader, IBM Security.

Women also need to “build a network, find sponsors. If they really want to advance their careers, sponsorship is key–and it doesn’t have to be a female. It’s also important to have men in their corner,” Ricciuto said.

Because managers, in general, assume that a woman — especially if she has a family — doesn’t want to be in the C-suite, said Ricciuto, “Women need to find their voice; otherwise, other people are going to make assumptions for them.”


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications, including The Parallax and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family, under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years' experience as a high school teacher of English and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
