We live in a world where lack of investment in gender diversity in the tech industry continues to make headlines and the fact is that there's an imbalance problem that's not being dealt with quickly enough. The cyber-security industry is part of this discussion, and it's necessary to take a closer look at the industry to understand why women represent only 11 percent of the workforce, and what can be done about it.
Where are all the women?
In 2016, a CREST cross-industry workshop on diversity in cyber-security concluded that there is no lack of opportunity for women in the cyber-security industry. However, women often do not apply for advertised roles, perhaps because of negative perceptions of the industry. ‘Stopping hackers' is probably not the first thing that comes to mind when you ask little girls what they aspire to do when they grow up. In pop culture, portrayals of cyber-security range from fantasy to outlandish with just occasional depictions of any accuracy. As in pop culture, female role models in the real cyber-security industry are difficult to find. Militaristic, acronym-filled job descriptions deter even the most zealous potential new entrants, female or otherwise.
It is easy to conclude that the most effective way to improve gender diversity in cyber-security is positive discrimination. However, despite its best intentions, in reality, this tends to simply undermine efforts to address gender imbalance. The perception that hiring is based on gender devalues the skills of female candidates by sending the message that gender – not talent – is the main consideration for a job. This can leave women feeling defensive and men feeling excluded.
What can we do about it?
The industry as a whole, rather than promote positive discrimination, can promote cyber-security as a gender neutral discipline and advocate for ‘positive action'. This involves creating positive messaging for diversity and inclusion, involving everyone in the organisation and staying focussed on the issue in the longer term. We identify three actions for change.
For organisations, a first step is to talk about the lack of gender diversity in cyber-security and make a case for cyber as a gender neutral discipline. Starting this conversation has multiple benefits. It makes people aware that there is an issue. It also makes women feel valued by acknowledging the issue and demonstrating a willingness to address it. It can also bring out dissenting voices and spark healthy debate.
Second, there is a need to supplement this awareness and dialogue with a commitment to attracting new and diverse talent into the industry. This can be done by simply changing the job specifications to be jargon-free and focussed on skills rather than certifications. Another change could be a willingness to invest in developing talent by providing training and support to attract talented people – not just women – into the field. If the cyber-security industry is to solve the overall talent shortage, there will be a need to foster a change in the industry risk appetite by embracing the development of potential talent rather than relying on finding individuals who have done the exact same job elsewhere.
Finally, there is a need to nurture diversity conversations and formalise the initiatives that support them. There is a risk that such initiatives fizzle out after a few initial meetings and it is important to find focus. Deloitte's Women in Cyber initiative has been running now for three years and, in this time, we have learnt that a focus on inclusion and shared learning raises awareness and makes a lasting impact. Both men and women are part of our programme and leadership teams. At our events, the speakers come from a variety of backgrounds and the focus is on learning new things and doing things together as a team.
When should we start?
Take action and begin by doing small things that could make a big difference. Become or seek a ‘sponsor' for diversity in cyber, a senior leader and influencer in the organisation, supporting the cause of gender diversity and providing management support. Bring together a passionate team to spread the message and develop a Women in Cyber community or link into existing diversity groups or communities. Focus on identifying opportunities for positive action, make a commitment to attracting diverse talent to your teams.
Cyber-security has the opportunity to learn the lessons from other industries that have suffered from lack of diversity and to take positive action towards sustainable and meaningful change. There is no time to waste.
Contributed by Naina Bhattacharya, associate director, Deloitte cyber risk services UK
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media - but given the topic, we're happy to say that they do in this case.