More women in cybersecurity equals less risk

by Black Hat Middle East and Africa
on
More women in cybersecurity equals less risk

Much has been written about the need for equality in cybersecurity.

“Women and men should have the same opportunities.” “Having a gender diverse workplace is fairer.” “It’s the right thing to do.”

But business doesn’t care about fairness.

We all talk about it, of course. We acknowledge the need to hire women in cybersecurity. We hold roundtables at industry events and set hiring diversity targets. We might even set up programs to help women develop their skills.

But not much changes.

Why? Because fairness doesn’t inspire change — results inspire change.

Market Forces can solve this problem

What if hiring more women in cybersecurity had a measurable benefit? If it meant higher profits or fewer incidents?

The ‘diversity problem’ would evaporate. Instead of worrying about diversity targets and PR, businesses would employ a gender-diverse cybersecurity workforce simply because it made good business sense.

It turns out, hiring more women does have a measurable impact.

Research shows that FTSE 350 companies with executive committees made up of at least ⅓ women have net profit margins over 10X higher than those with no female executives (15.2% vs. 1.5%). Other studies demonstrate gender diversity at all levels leads to higher profits, fewer regulatory fines, greater board effectiveness, and less risk.

By not hiring enough women, businesses are leaving these benefits on the table—and exposing themselves to unnecessary cyber risk.

What can Women do for Cybersecurity?

Collectively, we’ve accepted that completely preventing cyber incidents and breaches is impossible… but minimizing cyber risk is within our control. And, since gender diverse workforces and leadership are known to reduce risk… you do the maths.

I’m not talking about stopping specific attacks by state-sponsored groups in China, Russia, or North Korea. But if you need to reduce risk from other vectors—which cause the overwhelming majority of breaches—more women at all levels of cybersecurity can have a meaningful positive impact.

And it doesn’t stop there.

Women Can Close the Skills Gap

For years, organizations have struggled to hire skilled cybersecurity professionals. According to ISC2, the skills shortage sits at 3.1 million unfilled positions. While the gap between demand and supply is starting to close, we’re a long way from seeing a complete workforce.

There’s a simple solution.

Tessian notes the industry employs around three times more men than women. If businesses employed as many women as men in cybersecurity roles, the industry’s economic footprint would rise by $30.4 billion in the US, £12.6 billion in the UK, and who knows how much across the globe.

This would have the side effect of bridging the skills gap, reducing cyber risk for everyone.

Of course, this begs a question: Where will these women come from?

Women With Relevant Skills Already Exist

There are some obvious ways to bring women into cybersecurity. Bringing awareness to girls at a younger age, for example, is regularly touted as part of the solution. And it is… but realistically, businesses won’t invest in long-term initiatives that may not provide benefits to their business.

And there’s another problem with this approach: it suggests there aren’t currently enough women available to the industry. This is not true.

All we need to do is to find women with transferable skills. In my experience, some of the best candidates include women from roles such as:

  • Technology
  • Law
  • HR, PR, and marketing
  • Education
  • Personal and executive assistants

All these roles require skills that transfer easily into the cybersecurity arena. There’s nothing stopping us from attracting these women into the industry. It requires a dedicated effort to raise awareness among women that cybersecurity is:

  • Exciting
  • Well paid
  • Rewarding
  • A safe career choice
  • Enjoyable

and everything else we know it to be. The women are there… we just need to attract them.

The #1 Barrier to Gender Diversity (and the Benefits it Provides)

There are plenty of barriers to hiring women in cybersecurity, including:

Lack of empirical data. We’ve discussed the need for proof when it comes to business decision-making. Currently, data that proves a link between gender diversity and better cybersecurity outcomes is patchy—but that’s about to change. I’ll have more to share on this in the near future.
Inertia. Change requires effort and time. Even with evidence, hiring women will require new processes, and that’s never easy, particularly for large businesses. This hurdle will be addressed, but it will take time.

This brings us to the real barrier to hiring more women: Risk and speed.

Plenty of leaders ‘get’ the need for gender diversity—not just because it’s fair, but because it improves cybersecurity outcomes. But security leaders have a problem now and feel they don’t have time to invest in anything but short-term fixes. Gaps in their team create risk today… And any delay in filling those gaps leaves the business open to attack.

Turning transferable skills into female cybersecurity experts takes time and it’s more expensive than hiring someone with existing skills. But, since there aren’t enough individuals with existing skills, this barrier is fading, and security leaders are looking further afield for candidates.

Improve Gender Equality and Reduce Cyber Risk in 3 Steps

Step #1: Build it into your strategy

Speed in hiring and onboarding is a concern. Since hiring women often means ‘poaching’ them from another industry, security leaders should account for the time and investment needed—and remember the ultimate prize is better cybersecurity outcomes.

It’s worth remembering women stay with employers longer than men, so investing in training for female team members is potentially less risky.

Step #2: Set women up for success

It’s natural to want ready-made practitioners… but that’s not always realistic. There’s a skills gap for a reason—there aren’t enough practitioners.

Once a woman is in a cybersecurity role, that shouldn’t be the end of the story. Due to their non-security experience, women often need support to adapt to their role and the industry. Leaders should ensure there are systems in place to support women and set them up for success.

Step #3: Communicate with your team

For now, women in cybersecurity stand out because there are fewer of them. If they struggle because they aren’t up to speed, they attract attention from other team members. It’s great to hire women… but if you alienate the team because it looks like you’ve hired someone who can’t cut it in the name of ‘diversity,’ that won’t sit well.

Instead, when hiring women from other industries, leaders should communicate with their teams that they may need support—and explain why.

The Writing is on the Wall

There are many things we can do to improve gender equality in cybersecurity. We can write better job descriptions, understand what makes roles attractive to women, and provide better mentorship.

And, there are dozens more tangible benefits to gender diversity than I’ve covered here. Women are more risk-averse, more likely to stay with an employer, and bring different perspectives.

But those are all topics for another day. Today, I want to impart a simple message:

There are measurable benefits to gender diversity in cybersecurity… and they will only become more apparent over time.

Share on

Join newsletter

Join the newsletter to receive the latest updates in your inbox.


Follow us


Topics

Sign up for more like this.

Join the newsletter to receive the latest updates in your inbox.

Related articles