Women Breaking Barriers in Cybersecurity

When public policy expert Megan Garcia joined New America’s Cybersecurity Initiative in 2015, she brought with her a wealth of knowledge and experience from her previous position as a Program Officer at the William and Flora Hewlett Foundation. In addition to overseeing Hewlett’s Nuclear Security initiative, she’d helped to establish the Foundation’s Cyber Initiative. And, she was a woman.

The latter mattered because concerns about the underrepresentation of women in the cybersecurity workforce have emerged as a pressing and critical issue in public policy and a practical concern among leaders in the defense industry and the business community. To complicate matters, even by the most conservative estimates, there simply aren’t enough cybersecurity specialists entering the field to meet the current need. “There is a gap of one-and-a-half million jobs projected in the next five years,” Garcia explained in an interview with OnlineEducation.com, “and that is increasing demand for training for those jobs.”

According to a study by Stanford University’s Peninsula Press, there were over 200,000 unfilled cybersecurity jobs in the US in 2015. In a 2016 Information Systems Security Association (ISSA) report titled “Resolving the Cybersecurity Workforce Shortage,” Senior Information Security Officer Kerry Ann Anderson of State Street Global Advisors summarized the situation: “The cybersecurity field is currently experiencing a growing shortage of practitioners with over a quarter-million positions remaining unfilled in the US alone and a predicted shortfall of 1.5 million cybersecurity professionals by 2019.”

Against this backdrop of acute demand for cybersecurity expertise, a proliferation of cyber attacks, and growing concerns about the safety and security of our digital infrastructures, another data point has taken on new relevance: roughly only one in ten cybersecurity professionals are women. The 2017 Global Information Security Workforce Study, a report jointly commissioned by the Center for Cyber Safety and Education and the Executive Women’s Forum on Information Security, Risk Management & Privacy, concludes that women are just 11% of the global cybersecurity workforce.

Jane Frankland, a cybersecurity business analyst who has written a book about the importance of attracting more women to the field, told OnlineEducation.com that being a woman was not an issue for her when she co-founded a penetration testing company in the UK back in 1997. “I never even noticed a lack of women in the industry,” she admits. However, she became increasingly aware of and alarmed by the gender gap when she began seeing the actual numbers in reports from the International Information System Security Certification Consortium, or (ISC)2.

As she explains, “(ISC)2 reported on this in March: In Europe we only have 7% of women in cybersecurity.”

Several years earlier, a similar report from (ISC)2 inspired her to begin work on her book. “It all began with a blog,” she recalls. “I’d just read the (ISC)2 report on the state of women in the workforce. I was shocked at the low numbers of women, as I knew a lot of women in the industry. But what concerned me more was the fact that women [in the field] were declining year to year. In fact, from 2008 they’d dropped from 19% to 10%.”

Numbers like these have energized policy research groups like New America, professional organizations like the (ISC)2, and government programs like National Initiative for Cybersecurity Education (NICE) to actively confront the issue of bringing more women into the field. It’s what led the National Science Foundation to provide a start-up grant to the Women in CyberSecurity initiative, which has been holding an annual WiCyS conference since 2014.

Cybersecurity is defined by the computer and communications technologies we use to store and transmit information, conduct day-to-day business operations, and interact with one another. Any networked device, from the largest mainframe computer and orbiting GPS satellite, to the slimmest laptop and mobile phone, is part of a larger digital infrastructure that can be compromised, breached, and hacked. Cybersecurity encompasses all the activities associated with protecting this infrastructure: eliminating system vulnerabilities, detecting unlawful incursions, and designing deterrence protocols. This includes a wide range of jobs and responsibilities, which are broken down into eight categories in the National Institutes of Standards and Technology’s Cybersecurity Framework.

NIST Cybersecurity Framework Outline

• Analyze – threat assessment
• Collect and Operate – security planning
• Investigate – digital and computer forensics
• Operate and Maintain – data, system, and network administration
• Oversight and Development – education, planning, and security program management
• Protect and Defend – threat and vulnerability assessment, management, and deterrence
• Securely Provision – systems auditing, testing, and updating

While information security (infosec) has long been a priority in areas like military intelligence, defense, and government, the term cybersecurity represents a more recent shift toward a broader understanding of security issues. With digital technologies spreading throughout our economy and society, the security of networked infrastructures is no longer strictly a concern for computer programmers and military types.

As Megan Garcia explains, “One of the biggest lessons we try and share via New America’s Women in Cybersecurity Project is that there are so many different types of jobs in the cybersecurity and information security fields. There are lawyers, communications people, policy experts, marketing professionals, along with engineers and [people in] more technical roles. And we know that the narrow stereotype of a guy coding in a hoodie keeps many women from thinking they might thrive in the field, when at the same time, so many companies need people and are actively trying to recruit women.”

Betsy Cooper, a lawyer and political scientist who is the Executive Director of the Berkeley Center for Long-Term Cybersecurity, echoed Garcia’s comments in a post on the New America website. “Whether the question is how to design a legal framework that balances the needs of government surveillance with privacy, how to identify data that has been manipulated, or how to get people to actually keep their passwords secure, cybersecurity is about a lot more than just technological know-how,” she wrote in More Than Technological Know-How: You Don’t Have to Major in Computer Science to Work in Cybersecurity. “We need sociologists, psychologists, lawyers, and economists to understand human behavior; designers and data scientists to help change that behavior; and businesspeople and bio-scientists to bring products to market. In other words, we need people from all walks of life to work on cybersecurity problems.”

Jane Frankland emphasizes that, while technical skills are central to the overall mission of cybersecurity, we shouldn’t allow the field to be defined too narrowly. “Increasingly, cybersecurity is recruiting from the same pool – computer science, technology, and the armed forces or intelligence. While these professionals are needed and hugely valuable, having one type of profile in cybersecurity holds us back. It makes us miss things and be blind sighted. If we’re all thinking the same thing, then you could argue that no one is really thinking. Winston Churchill knew this, and that’s why he implemented ‘Corkscrew Thinking’ during the Second World War. He brought men and women together in Bletchley Park and ensured they came from diverse backgrounds. Some may have been fresh out of school, college, or university. Many believe it was this approach that lead to the Allies winning the war, or at least shortening it by several years.”

Christie Terrill is a partner at the cybersecurity consulting firm Bishop Fox, where she established and led the company’s Enterprise Security team. She’s worked in the field of cybersecurity for 15 years. But Terrill did not major in computer science; she graduated from UC Santa Cruz with a liberal arts degree. “I was interested in technology and one of my favorite classes for my rhetoric and communications minor was a technical writing and editing course,” she recounts.

After taking a computer programming class at a community college, she began working in IT finance and then information security. “My first job in information security was as a consultant at Ernst & Young, where I was hired into the security consulting practice. They knew I did not have formal education in computer security (which practically didn’t exist at the time) or in computer engineering, but they were confident in my ability to learn and their ability to train me.” Terrill admits that she’s not always the most technical person in the room. “Sometimes,” she says, “I may feel like I’m the least technical person in the room. But I have a lot of technical knowledge. Most of what I learned was hands-on.”

Jen Miller-Osborn, a Threat Intelligence Analyst at Palo Alto Networks, has also been working in cybersecurity for 15 years. She took a more traditional route into cybersecurity – the military. She then got a master’s in information technology and information assurance. “I started while on active duty in the Air Force,” she says. “My degrees all came later; the master’s I completed using my post -9/11 GI Bill. All of my initial training was on-the-job or in-house classes provided to government and contract employees. Except for the technical certificates. By the time I took college classes in the field I could have been teaching those classes. Which serves to highlight that a college degree hasn’t always been necessary to be good in this field. There is a lot of information and training online. Curiosity, stubbornness, and a desire to learn have gotten many people into this field before it was even considered a real field, and those traits are what will keep you here and successful.”

OnlineEducation.com also interviewed cybersecurity risk-management consultant Regine Bonneau, who grew up in Haiti, studied business and finance as an undergraduate, and then earned an MBA. After learning about the field of information security, she began the process of further educating herself and networking in the cybersecurity community. “I spent a lot of time researching and reading about cybersecurity,” she says, “and I started going to events that would educate me further. At those events, I would ask the organizers questions, tell them about myself, and what I was looking to accomplish, and that would lead me to speak with someone else. I would go and introduce myself to that person and start the whole process again. If they could not help me, I would ask about someone in their network who could help and guide me.”

When Jane Frankland, Christie Terrill, and Jen Miller-Osborn began working in the field, it wasn’t called cybersecurity, and careers in infosec and information assurance generally began in the male-dominated ranks of the military, or in the equally male-dominated classrooms of computer science and engineering programs. So, it’s not surprising that cybersecurity developed an early reputation as a non-traditional choice for women. It’s also not surprising that cybersecurity remains a field in which military terminology is quite common. For example, Chief Information Security Officer (CISO), Chief Security Officer (CSO), and Chief Technology Officer (CTO) are three of the more common cybersecurity job titles in the field, according to the most recent SANS Institute Cybersecurity Professional Trends survey.

Megan Garcia points to this as one reason that women might not be attracted to a career in cyber. “Take a look at any of the websites of major cybersecurity companies, or this reel we put together for New America’s Cybersecurity for a New America conference and you’ll get a sense that the dominant language and themes we use to describe the field are very masculine and focused on warfare. That may work to sell cybersecurity products, but it doesn’t work to attract the workforce we need. As a first step we encourage companies and conferences to take a fresh look at their sites and ads and ask themselves if women would be attracted or repelled by them. Companies then have to do much deeper work to create workplaces where women are truly welcome, supported and promoted, and some are doing that.”

Take a look at any of the websites of major cybersecurity companies … and you’ll get a sense that the dominant language and themes we use to describe the field are very masculine and focused on warfare. That may work to sell cybersecurity products, but it doesn’t work to attract the workforce we need. As a first step we encourage companies and conferences to take a fresh look at their sites and ads and ask themselves if women would be attracted or repelled by them. Companies then have to do much deeper work to create workplaces where women are truly welcome, supported and promoted, and some are doing that. (Megan Garcia)

There is also a good argument to be made that unconscious biases and lingering sexism have kept women from pursuing cybersecurity careers. This didn’t deter Jen Miller-Osborn, as she explains: “Getting started in the field while being active duty military and the continuing to work as a government contractor, I was used to working with more men than women. It was common for me to be the only woman on a team.”

Miller-Osborn wasn’t deterred, but over the years she has encountered some sexism. “What did highlight it was negative attention I received over the years – male colleagues that would talk down to me, ignore my contributions, force me to go above and beyond to prove I knew what I was doing, if I was ever acknowledged at all. Positions I was told I wasn’t qualified for, but for which I was expected to both train the new hire and step in and do the job whenever needed. Thankfully, for all those negative experiences I also had a lot of male colleagues who treated me just like anyone else, as well and mentors and managers who supported me and wouldn’t tolerate negative treatment based on my sex. They focused on getting the job done, and that I could do.”

“When I started my career,” Regine Bonneau recalls, “it was very explicit that cybersecurity was an unusual career choice for women.” She remembers being able to count the number of women in the room at cybersecurity conferences and not seeing any women who, in her words, “looked like me.”

“At some events, I was the only woman there,” she continues. “One time, a gentleman thought that I was lost and tried his best to help me. Once he decided to accept the fact that I was registered for the correct workshop, I was allowed in. The sad part of my early entrance into cybersecurity is that I was welcomed by more men than women. This all changed when I attended an event organized by the ISSA Tampa Bay Chapter. I met my first mentor and other women who were actually eager to work with and guide me.”

Bonneau cites several potential reasons that women may be discouraged from pursuing a career in cybersecurity:

• Family obligations
• Working hours
• Skills
• Education and training
• Confidence

Bonneau feels that these hurdles can be overcome if women are promoted to more senior level positions in the field, if those women mentor younger women, and if more women are encouraged to enter the field at a young age. “We are actually seeing a lot of new programs and initiatives aimed at attracting more women in the field. Yes, we are still at 11% in the actual workforce; however, I expect to see a change in the percentage in the next five years due to these programs actively promoting women figures in the industry, offering scholarships to women, and implementing training programs in collaboration with corporate partners and academic institutions. We also need more women helping other women. There needs to be a shift to women mentoring and sponsoring other women in preparation to take over as the next set of leaders.”

Christie Terrill did not have formal IT security training when she began her career, but she was able to leverage her considerable communications skills to advance her career. “Whether it’s in the context of consulting, or on a team, everyone needs to contribute in the ways that they can,” she explains. “I have found myself in situations, even when I was in junior positions, where I had greater access to the executives in the company or to members of a team because I was tasked with detailing and explaining the risks and issues in the work we were doing. So even very early on in my career I started to translate between engineers and executives and different team members. That clearly helped me. I did not plan it that way, but I capitalized on it once I realized that was the case.”

Terrill now finds herself in the position of interviewing and hiring cybersecurity specialists and points out that technical training is important. “When I entered the field 15 years ago, there were no cybersecurity programs. There are educational options now. So, as a hiring manager, it’s more of an issue. If I see an applicant for an entry level job, and that person doesn’t have a computer science background or some kind of technical training, I want to understand that person’s story. Why are they interested in this field? Why didn’t they study it? It’s not an absolute prerequisite. But there are many jobs in cybersecurity that do require intensive technical skills that you’re not going to acquire just playing around on a computer in your parents’ basement.”

Beyond technical training, Terrill says she looks for three traits in job candidates:

• Passion – “doing something related to the industry outside of your current school or work commitments.”
• Dedication – “a clear focus on why you want to pursue cybersecurity.”
• The ability to learn quickly – “adapting and integrating new information and experience into your repertoire.”

“I’m looking for something that would indicate passion or interest in the industry,” Terrill adds. “That could be a membership in a college hacking club, or it could be that a person volunteers to go out to schools and educate kids about online safety. In the same way that every top college looks for extra-curricular activities, we look for the same kinds of things, beyond a person just passing courses in a CIS program or a cybersecurity program. We want to see what they do outside of their job or outside of the classroom to give us an indication that they’re committed to working in this field.”

Terrill stresses that, “Cybersecurity is a broad label that we’ve put on what is actually a collection of very different sub-specialties. Teamwork is a necessity, and having a diversity of perspectives is critical in this field, because there is such a wide range of skills and perspectives necessary to solve what we label as cybersecurity problems. You can’t do this solo. You can’t do this in isolation.”

Cybersecurity is a broad label that we’ve put on what is actually a collection of very different sub-specialties. Teamwork is a necessity, and having a diversity of perspectives is critical in this field, because there is such a wide range of skills and perspectives necessary to solve what we label as cybersecurity problems. You can’t do this solo. You can’t do this in isolation. (Christie Terrill)

Megan Garcia offers a similar perspective on what has become a popular misconception about cybersecurity. “The other important element of the guy coding in a hoodie all night image is that it’s of someone working alone. We know from research that many women seek out work environments where there is a sense of teamwork, and that the idea of working in isolation isn’t particularly exciting to many women. In reality, much cybersecurity work requires teams. You can’t assess a severe vulnerability, engage with clients, or project future vulnerabilities in isolation. And cybersecurity and information security employers and employees report that communication skills are just as important as technical understanding to be successful in the field.”

Increasing general awareness about the range of career opportunities that are available to women and men in cybersecurity clearly ranks high up on the list of steps that can and should be taken to bring more people into the field. There are a number of national initiatives targeting women already underway at various levels. In addition to New America’s Women in Cybersecurity Project and the annual WiCyS conference, the SANS Institute now has a SANS CyberTalent Immersion Academy for Women, NYU’s Tandon School of Engineering holds a GenCyber Computer Science for Cyber Security (CS4CS) summer program for high school women, and the National Center for Systems Security and Information Assurance’s has created a toolkit for teaching high school-age women about cyber careers.

“Women are underrepresented, there’s no denying that,” Jen Miller-Osborn readily admits. “But as the need for cybersecurity professionals continues to grow, it simply isn’t feasible to ignore qualified candidates based on gender.” She sees women in cybersecurity educational programs and initiatives as part of the solution. “They allow more women to get the necessary skills to get started and grow in the field, which has been a critical missing component. Those programs also come with built-in support networks, which is another important factor. As more and more women are successful in the field, it both encourages companies to hire them and lessens incorrect arguments against their capability. It’s sad we’re still talking about whether women are capable of any job in this day and age, but I like the positive progress being made.”

Christie Terrill doesn’t think there’s an easy way to close the gender gap in cybersecurity, but she does believe that mentoring is part of the solution. “The lack of perceived mentors or real mentors who are women has got to be a factor. If you are doing job interviews as a young woman, and you are going on site, and you don’t see any other women in the department, that’s probably a factor. While it didn’t faze me back in the day, that type of anomaly is more of a recognized problem now. If you don’t see women ahead of you in that field, it may not seem like a practical career choice.”

Another issue for women in cybersecurity, as Megan Garcia points out, is retention. “Some companies do an incredible job of recruiting women into their workforces – equal numbers to men – but they have problems retaining them. The issues they have largely boil down to company culture. Flexible work settings, and managing gender discrimination policies, unconscious bias training, and understanding the subtle differences between men and women can help.”

Women are underrepresented, there’s no denying that. But as the need for cybersecurity professionals continues to grow, it simply isn’t feasible to ignore qualified candidates based on gender. (Jen Miller-Osborn)

This gets at another issue of perception, or misperception, which is that, in addition to sitting alone writing code, cybersecurity specialists work odd and difficult hours, are on-call 24-7, and may have difficulty establishing a reasonable life/work balance. Christie Terrill resists this characterization: “I don’t think there is much of a difference between the work/life demands for professionals in cybersecurity compared to other corporate or professional fields. Personally, I think it’s America’s corporate cultural expectations and lack of mandatory paid maternity leave or part-time job role options that cause women to reconsider certain professional careers. It is not an issue isolated to cybersecurity.”

She goes on, “I don’t think that there are that many problems in cybersecurity that are exclusive to cybersecurity. Whether it has to do with work/life balance, gender imbalance in the industry, or any issue like that, you could say that about so many other fields. I don’t want to falsely point a finger at any other professions, but maybe it’s the same for surgeons, and in the past it may have been true for lawyers. There are so many fields in which women are or have been underrepresented. I don’t think cybersecurity is unique in that way. This is a societal problem, not a cybersecurity problem.”

Megan Garcia puts a slightly more optimistic spin on that narrative. “We know from research that when women, or any other minority group, sees itself represented in the leadership of an organization, they are more likely to envision themselves as a part of the organization. What that means is, as we raise the profile of the women already doing stellar work in the field, that should also draw more women in.”