Analysis

Are cybersecurity gender diversity programs losing steam?

George Nott, Mar 12th 2019

Cyber security has long been a male-dominated field. According to an ISACA survey, 89 per cent of respondents said there were more men than women in cyber roles in their companies. Some 15 per cent of the 1,500 ISACA-certified respondents said they worked in organisations where the entire security function was male.

In Australia, a 2018 McAfee Cybersecurity Talent Study estimated that the local cybersecurity workforce was 25 per cent female, slightly above the 20 per cent global average.

The sector is worse off for it. Lynwen Connick, chief information security officer of ANZ Bank and the only female Big Four bank CISO, wrote last month that the sector was “absolutely missing out by not having women involved”.

“The reasons women don’t enter cyber security are varied,” she said, “from the perception it’s a male-dominated field, to the lack of female role models to the struggle within our educational system to overcome stereotypes questioning women’s abilities to excel in the sciences.”

In response, many companies have taken affirmative action to fix the gender imbalance in their security functions.

ANZ, along with the other major banks and BT, for example, recently backed an initiative to give high school students cyber challenges, which Connick said would help “alter the perception of technology stereotypes among young females”.

Others have taken the decision to publish their gender pay gap data, even if it casts them in a less than positive light. Deloitte in a number of regions runs a ‘Women in Cyber’ program, which promotes the vocation to young women.

However, according to the ISACA survey, it appears these concerted efforts are in decline.

When respondents were asked if their enterprises have specific diversity programs to support women cybersecurity professionals, only 44 per cent responded in the affirmative – a seven percentage point decline on the previous year.

“Attempts to diversify the workforce and create gender inclusion are either not happening enough or are failing to meet employee expectations,” said ISACA board chair Rob Clyde.

ISACA suggests cyber gender programs are “arguably decreasing in effectiveness” as, among respondents in enterprises with a diversity program, fewer women (59 per cent) believe they are offered the same career progression opportunities as their male counterparts, 18 per cent less than last year.

By contrast, 90 per cent of their male colleagues believe women are given the same opportunities.

“Analysis of the current data should prompt consideration and potential reappraisal of these programs’ impact and effectiveness. Respondents do not believe their organisations prioritise increasing the number of women in cybersecurity roles or advancing them within the organisation,” Clyde added.

Clear benefits

The benefits of diversity in businesses as a whole are clear. For example, McKinsey says ethnically diverse businesses are 35 per cent more productive and nine per cent more profitable. It also found that companies in the top quartile for gender diversity are 15 per cent more likely to have financial returns above national industry medians, while Morgan Stanley says businesses focused on gender diversity enjoy higher productivity, better decision making and higher employee satisfaction.

There are also cyber-specific advantages to a diverse workforce, including different approaches to problems, greater resilience and better decision making.

“More urgency and awareness needs to exist within management teams and organisational cultures today to build a level-playing field for women in cybersecurity,” wrote Mailguard CEO Craig McDonald last week.

“While this is true for the entire business, I think it’s important for infosec teams, in particular, to be diverse. This is mainly due to the increasing ambiguity around the nature of contemporary cyber threats. Cybercrime in itself is diverse now and rapidly evolving,” McDonald added.