Cyber-security and information security are defined as any occupation that plans or carries out security measures to protect an organization’s computer networks and systems. These responsibilities are continually expanding as the number of cyber-attacks increases. Cybercrime is recognised as one of the greatest threats to businesses around the world, and with company and government data becoming increasingly reliant on the internet, it is critical that their computer systems are protected from malicious attacks or data breaches. As a result, there has been a huge global increase in investment in, and expansion of, cyber-security personnel. But supply is far from meeting demand. IT experts claim that the cyber-security candidate shortage is making them an easier target for hackers. As well as a general need for a good talent pool, there is also a need for more women within the industry. The information security discipline is not evolving fast enough. Most notably, women represent just 11% of this profession. Placed in the context of women in the general workforce and women in professional and managerial roles—where women are at near parity with men in both of these measurements in developed countries—this percentage is alarming. Furthermore, this low percentage of women in the information security profession has been stagnant despite double-digit annual increases in this profession. In 2012 alone, the global information security workforce grew by 306,000 and by another 332,000 in 2013. Yet, these increases have done little to address persistent personnel shortages.
Essentially, more information security professionals are needed, but the profession as a whole has been slow in tapping into the pool of talent represented by women. The information security discipline must also transform how it is practiced. Despite the overall growth in information security professionals and corresponding increases in expenditures on security technologies, the frequency and severity of data breaches, network compromises, and regulatory non-compliance have become a boardroom concern. The status quo is showing its weaknesses. What needs to be highlighted is the role of women as agents of change in transforming information security.
The information security discipline must transform and also address its perpetual shortage of information security professionals. Past transformational approaches, while well-meaning, have only produced incremental and reactionary outcomes and are not keeping pace with the many exogenous factors that are driving demand for more security and risk management, and security professionals. These pace-setting factors are well-known and include:
- Evolution in threats and threat vectors such as advanced persistent threats, distributed denial of service attacks, and application-layer software compromises.
- Introduction and adoption of new technologies such as cloud-delivered services, bring your own device (BYOD), bring your own application, and big data and analytics.
- Formation of new business-to-business (B2B) and business-to-consumer (B2C) relationships, driven by user device multiplicity, mobility, the Internet of things, and an intensifying competitive global marketplace.
- Scope, complexity and, in some cases, conflicting regulatory requirements.
This need for game-changing approaches in information security is corroborated by those most responsible (and accountable) for security and risk management strategies—security executives.
Common is the perspective that internal security teams must change in two attributes: (1) skill set diversification, and (2) partnerships with organizations that have complementary capabilities, both inside and outside their own enterprises. But in order for change of this nature to occur and change with permanence, there must be agents of change—individuals that have the mindset and skill set essential to lead transformation. Where might these agents of change be found? These individuals exist but are in the minority in most security organizations—they are women who have chosen the security profession.
Businesses and government agencies have been slow to address the dearth of female representation in cyber-security, despite the opportunities and benefits presented by increased representation. From a product development perspective, the large gap in women’s representation raises concerns about the assembly of gender-diverse teams and the ability to innovate in the rapidly changing cyber landscape. Women’s participation in an otherwise male-dominated group drives up the predictive power of a group’s collective intelligence, due partly to women’s higher scores on social sensitivity measures, which provide the necessary glue to connect all members’ contributions.
From the talent acquisition perspective, cyber-security professionals are deemed ‘mission-critical’ in government and highly sought after in the private sector. Cyber threats and attacks, especially in developed countries, constitute huge financial vulnerabilities for businesses. Cyber attacks are also severe problems for government. There is a clear business case for investment in human capital in this industry, both in the private and public sectors. Why then are women still significantly underrepresented in the cyber-security field? Academics and professionals point to several reasons for this gender gap. Some commonly cited reasons for women’s hesitance to pursue the field include social and cultural factors related to gender. One example is the gender stereotyping of roles as well as gadgets, which shifts girls’ perspective of what is expected from them in terms of academic and personal interests. For example, the computer was heavily marketed as a ‘boy’ toy for several years following its introduction to the market.
The term ‘cyber-security’ itself harkens back to the heavily militaristic roots of the field. Without a more explicit tie between how networks and systems feed into business operations, women may discard the field without truly understanding what it is about or the opportunity it presents. Fortunately, research suggests that these social and cultural barriers can be diminished or overcome by effective role models, mentorships, and scholarships. However, the reality is that few organizations execute these programs well. For those that do, the programs have not achieved financially sustainable scalability.
For many women, when a company does not offer policies such as parental leave or flex-time, it forces them into a trade-off between staying in the workforce and completing caregiving responsibilities. Depending on workplace culture, employees may use these policies only to realize real or perceived penalties. As case studies of the medical and legal fields demonstrate, these problems are not unique to the cyber-security field and are echoed in many sectors where women are represented. Though cyber-security is a relatively new field, efforts to correct the challenges outlined above have been incremental and the representation of women in this field as a whole has remained static.
The data stored in networks and protected by cyber-security professionals is valuable and therefore vulnerable. Trusted institutions have all fallen prey to these large-scale, damaging attacks. For much of the general public, these breaches and the associated damage control are faceless. However, the largest risks lie not in the breaches seen to date. The current cyber-security workforce’s headcount is dangerously low. This renders the country unprepared to counter future threats and is exacerbated given the lack of depth and diversity in a workforce that is almost completely male. To limit the risks associated with the projected shortage of 1.5 million cyber-security professionals, the field must become more welcoming and appealing to women.
There are huge benefits to a more inclusive cyber-security workforce. The business case for fixing this underrepresentation is not only one of morality or diversity, but one of necessity. Dan Geer, a leader in the cyber-security industry, observes that cyber-security is different than other technology fields due to the presence of a ‘sentient opponent’. This makes the conflict in cyber-security a talent-based competition, begging the question of why any organization would exclude 50% of the talent pool if beating a sentient opponent is the goal.
Dr. Lubna Umar
Author is the Editor of ‘Melange’ and ‘The Asian Telegraph’ & Research Associate COPAIR