Women in Cyber Day finds those it celebrates ‘leaving in droves’

The information security industry has been trying for years to improve the participation of and respect for women in the cyber community, with some rising to CSO positions.

But with International Women in Cyber Day being celebrated Sunday, Sept. 1, one US-based CISO thinks things may be going backwards for women in the profession.

“I was very positive until about a year and a half ago,” Olivia Rose, head of Rose CISO Group, a virtual CISO provider, and faculty member at Boston-based management consulting firm IANS Research, said in an interview this week. 

“We’ve seen a shift in the past year and a half where women are leaving cybersecurity in droves. That’s the only way to describe it. I hear or speak to at least two to three women a week who are either giving up completely and leaving tech, or they’re going out on their own and starting a cybersecurity company like I did,” she says.

Creating your own firm may sound like a positive. But, Rose said, many who go private do it “because they feel propelled to do so” due to the way they’re treated by colleagues or employers.

And it’s the middle and senior managers who tend to be the ones leaving, she added.

Lynn Dohm, executive director of US-based Women in Cybersecurity (WiCyS), agrees, adding that many women with between six and 10 years of infosec experience hit a glass ceiling in their careers.

“Things have stalled,” she said. In 2014, around when WiCyS was formed, women accounted for an estimated 11% of the global infosec workforce. Ten years later, that percentage is estimated at between 20% and 24%.

Lisa Kearney, head of the Canada-based Women in Cybersecurity Society, thinks the situation for women in infosec has improved in the past five years, but she still sees high drop-out rates among women early in their careers in Canada.

Women in Cyber Day “shines a spotlight on the vital contributions and acknowledges the achievements of women in cybersecurity,” Kearney said. “[The day] also serves as a reminder that diversity is not just about equity. It’s necessary for innovation and effective problem-solving.”

WiCyS’ Dohm believes Women in Cyber Day is important not only to honor the talent women bring to cybersecurity but also to let women explore the possibility of a cybersecurity career. It also allows the message to be spread that diverse cybersecurity teams make the organization more secure by allowing different voices and perspectives to be heard — especially at a time when unexpected challenges pop up daily. A study for WiCyS released earlier this year shows the lack of diversity is a symptom of lack of inclusion in the workforce, she said.

Women in Cybersecurity

“It hasn’t been the easiest industry to break into,” she said. “Although we’ve moved the needle ever so slightly, there’s still more work that needs to be done.”

Sexism still a barrier

Despite significant shortages of cybersecurity talent around the globe, women still face an uphill climb establishing infosec careers, with sexism in the male-dominated field still a barrier.

Rose of Rose CISO Group has been in the infosec industry for 22 years, including holding CISO positions at Mailchimp and Amplitude. Over that time, she has experienced more than her share of toxic behavior.

Rose CISO Group

“I’ve been called every name in the book, except for one, to my face and behind my face,” she said. “At one company where it was all men, I was called the cockroach because I refused to die, I refused to leave. I said, ‘You’re not getting rid of me until I’m ready to go.’”

“You [as a woman] have to have a very thick skin and a spine of steel to last a very long time in this industry,” she said. “Every woman I know who is a leader has the same — very tough skin and a spine of steel.”

Women in cybersecurity statistics

The ISC2, a nonprofit offering training and certifications for cybersecurity professionals, estimates that women represent 20% to 25% of the global cybersecurity workforce. According to its April survey of 2,400 women in infosec roles, on average only 23% of current cybersecurity teams are female, with 11% of survey respondents saying they had no other women on their security teams. 

Another finding: Female respondents earn around 5% less than their male colleagues, with an average salary of US$109,609 compared to US$115,003 for men — a pay gap despite the fact that women respondents hold advanced degrees (master’s and doctorate-level qualifications) at significantly higher rates than men, while they hold cybersecurity certifications at equal rates.

One positive finding from the survey: Women hold executive titles in cybersecurity at a similar rate to men, with 16% of women reporting a manger-level title and 7% holding director-level roles.

Discouraging workplace cultures

WiCyS’ aforementioned “State of Inclusion in Cybersecurity” report found that women continue to face numerous unfavourable experiences that contribute to their overall feeling of exclusion in the workplace, negatively impacting their job satisfaction, productivity, and retention.

“In particular, we find that women are especially impacted by lack of respect and by lack of career opportunities,” the researchers wrote. “We also find that workplace experiences result most frequently from leadership and direct managers, but that peers also play a significant role, particularly in terms of being disrespectful.”

Examples of bad experiences women relayed included:

• “After introducing myself, I have had individuals ask to speak to ‘a guy who works in IT’ instead of me.”
• “Colleagues would play pornographic movies as I arrived to meetings. One time a colleague played a movie like this when we were meeting with a customer.”
• “My male peers received more pats on the back for far lesser accomplishments than me.”

Just over 1,000 employees, approximately 35% of whom were men and 65% women, participated in the survey. Forty-eight percent of female respondents said they were experiencing issues related to career and personal growth at their employer, significantly more than the 26% of men who report similar experiences.

Recommendations to the C-suite

ISC2 offers several tips for management to help increase women’s participation and satisfaction in cybersecurity:

• Set specific hiring, recruitment, and advancement metrics. Security leaders should help establish targets to promote a workforce that closely reflects the diversity of the general population.
• Make pay equity a priority. CISOs should actively monitor pay equity for all roles within their organization to ensure salary and benefits are aligned based on role requirements and experience — and to make adjustments as needed.
• Eliminate inequities around advancement. Security leaders must support women in defining their goals and ensure they have equal access to development opportunities to reach leadership roles. Greater representation of women in senior positions inspires other women.
• Focus on the “I” in DEI. Many organizations understand what diversity and equity mean, but emphasizing inclusion will help address feelings of not belonging and feeling inauthentic, which in turn help on the retention front.

“I love being a women in this industry,” Rose said. “It’s been a really rough ride. There have been a lot of ups and downs. I’ve had to work harder than a lot of people — like any woman leader will tell you. But my mantra has always been, ‘I’m not leaving until I’m ready to go’ because I love this industry. And I’m good at it. So I’ve stuck in there. But unfortunately, many women are giving up and leaving.”