If you\u2019ve been watching trends in cybersecurity staffing for the last decade or so, you may be accustomed to panicky headlines about how everything is forever getting worse, and how this will \u201cinevitably\u201d cause some impending cyber-apocalypse.Within a recent (ISC)2 report states that states the worldwide talent shortfall is already nearing 3 million unfilled positions, there was one bit of news that would seem like a massive step in the right direction: women now represent 24% of the cybersecurity workforce, compared with 11% in previous reports.So how is it that in two years we\u2019ve apparently managed to more than double the percentage of women in security, while still seeing significant increases in the total talent shortfall? There\u2019s one sentence in the report that clarifies an important point: \u201cWomen represent 24% of the cybersecurity workforce overall \u2014 a stronger representation than shown in our previous studies, thanks to our broader view of who works in the field.\u201dIn short, the 11% and 24% figures represent a different subset of people, because their definition of who qualifies as a \u201ccybersecurity worker\u201d has changed.I\u2019ve already seen some people interpret this change of percentage as \u201clook at what huge progress we\u2019ve made while no one was looking!\u201d And I\u2019m sure there are those who say that this change of methodology is an attempt to redefine the problem out of existence. I don\u2019t feel we have enough information to take either position.At this point, comparing results from previous years to the ones in this report is simply comparing apples to oranges. And without further information about what this methodology change entails, we can\u2019t tell if this is a \u201cgood\u201d change or a \u201cbad\u201d one.What is a cybersecurity position?There are many possible explanations for what this change could entail. The possibility that I most hope is the case is that these new data are saying that there are 24% of women working in positions that interact directly with cybersecurity functions. And that the old data indicate that women comprise 11% of positions that are more traditionally or narrowly considered cybersecurity roles. As this industry has matured, both the number and types of positions have naturally expanded.This shift could indicate a more realistic view of who \u201ccounts\u201d as a security practitioner. I\u2019m far from alone in saying that there are a lot of different kinds of positions available to those who are interested in helping people secure computers, not all of which fit the stereotype of someone sitting in a dark room in a hoodie while staring at a computer all day. Eschewing certain positions as \u201cnon-technical\u201d and thus \u201cnot infosec\u201d is arbitrary and nonsensical. \u00a0That said, it is useful to break down information more granularly to see if there are areas within cybersecurity that have a particularly skewed gender representation.The first step in doing this is to have consistent definitions of what a cybersecurity position actually entails. I\u2019m sure we\u2019ve all had the experience of meeting people working in infosec who have the same title, but whose job functions are radically different. Because this is such a new industry, it can be difficult to pin down specific positions in order to compare apples to apples.\u00a0This is something the National Initiative for Cybersecurity Education (NICE) National Cybersecurity Workforce Framework, which my colleague Stephen Cobb has described is intended to address. I hope that in future reports, survey organizers work with this framework to gather data specific to positions so that we can get granularity about specific, problematic areas while still acknowledging that cybersecurity has grown to include a wide variety of different career paths.Beyond specific job titles, there are also notable discrepancies between different specialties within cybersecurity. In a previous report, (ISC)2 highlighted Governance, Risk and Compliance (GRC) as an area that has a more balanced representation of men and women. At the time the survey was taken, the percentage of women in GRC was twice that in security as a whole. This sort of specificity is valuable because it allows us to ask important questions: why is it that women find this area more suitable, or why is it that people are more inclined to hire women for these positions?Commentary from women in GRC positions seems to point to these being jobs that they volunteered to take when no one else would. This is a theme that has been repeated since the beginning of computing. Sometimes women and minorities are able to \u201csneak\u201d past gatekeepers into more technical positions because the role is incorrectly viewed as unskilled, or that is initially considered \u201clow-prestige.\u201dNecessary changesThere are a lot of areas where we lack data that could be very helpful in determining why there is such a dismal proportion of women in cybersecurity. We need to clarify what positions and job specialties are included in surveys. And with standardized, consistent job titles, we could better ensure that we\u2019re comparing things that are actually alike. \u00a0These data could be used to eschew past biases, to provide a broader and more accurate view of which jobs are truly security-related, while shining a light into the dark corners where problems still exist.