According to a recent (ISC)2 report, women now comprise 20% of cybersecurity workers. But without defining what jobs are being included, it’s unclear whether we’re truly making progress.

If you’ve been watching trends in cybersecurity staffing for the last decade or so, you may be accustomed to panicky headlines about how everything is forever getting worse, and how this will “inevitably” cause some impending cyber-apocalypse.

Within a recent (ISC)2 report that states the worldwide talent shortfall is already nearing 3 million unfilled positions, there was one bit of news that would seem like a massive step in the right direction: women now represent 24% of the cybersecurity workforce, compared with 11% in previous reports.

So how is it that in two years we’ve apparently managed to more than double the percentage of women in security, while still seeing significant increases in the total talent shortfall? There’s one sentence in the report that clarifies an important point: “Women represent 24% of the cybersecurity workforce overall — a stronger representation than shown in our previous studies, thanks to our broader view of who works in the field.”

In short, the 11% and 24% figures represent a different subset of people, because their definition of who qualifies as a “cybersecurity worker” has changed. I’ve already seen some people interpret this change of percentage as “look at what huge progress we’ve made while no one was looking!” And I’m sure there are those who say that this change of methodology is an attempt to redefine the problem out of existence. I don’t feel we have enough information to take either position.

At this point, comparing results from previous years to the ones in this report is simply comparing apples to oranges. And without further information about what this methodology change entails, we can’t tell if this is a “good” change or a “bad” one.
What is a cybersecurity position?

There are many possible explanations for what this change could entail. The possibility that I most hope is the case is that the new data say women make up 24% of people working in positions that interact directly with cybersecurity functions, and that the old data indicate that women comprise 11% of positions that are more traditionally or narrowly considered cybersecurity roles. As this industry has matured, both the number and types of positions have naturally expanded.

This shift could indicate a more realistic view of who “counts” as a security practitioner. I’m far from alone in saying that there are a lot of different kinds of positions available to those who are interested in helping people secure computers, not all of which fit the stereotype of someone sitting in a dark room in a hoodie while staring at a computer all day. Eschewing certain positions as “non-technical” and thus “not infosec” is arbitrary and nonsensical. That said, it is useful to break down information more granularly to see if there are areas within cybersecurity that have a particularly skewed gender representation.

The first step in doing this is to have consistent definitions of what a cybersecurity position actually entails. I’m sure we’ve all had the experience of meeting people working in infosec who have the same title, but whose job functions are radically different. Because this is such a new industry, it can be difficult to pin down specific positions in order to compare apples to apples. This is something the National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework, which my colleague Stephen Cobb has described, is intended to address.
I hope that in future reports, survey organizers work with this framework to gather data specific to positions so that we can get granularity about specific, problematic areas while still acknowledging that cybersecurity has grown to include a wide variety of different career paths.

Beyond specific job titles, there are also notable discrepancies between different specialties within cybersecurity. In a previous report, (ISC)2 highlighted Governance, Risk and Compliance (GRC) as an area that has a more balanced representation of men and women. At the time the survey was taken, the percentage of women in GRC was twice that in security as a whole. This sort of specificity is valuable because it allows us to ask important questions: why is it that women find this area more suitable, or why is it that people are more inclined to hire women for these positions?

Commentary from women in GRC positions seems to point to these being jobs that they volunteered to take when no one else would. This is a theme that has been repeated since the beginning of computing. Sometimes women and minorities are able to “sneak” past gatekeepers into more technical positions because the role is incorrectly viewed as unskilled, or is initially considered “low-prestige.”

Necessary changes

There are a lot of areas where we lack data that could be very helpful in determining why there is such a dismal proportion of women in cybersecurity. We need to clarify what positions and job specialties are included in surveys. And with standardized, consistent job titles, we could better ensure that we’re comparing things that are actually alike. These data could be used to eschew past biases, to provide a broader and more accurate view of which jobs are truly security-related, while shining a light into the dark corners where problems still exist.