Women in IT Security

In cybersecurity bias is persistent, but so are women

For years, cybersecurity has been an arena where women have been forced to fight hackers and gender biases, pay gaps and sometimes Neanderthal-like colleagues. Despite these obstacles, women have steadily changed the cybersecurity landscape of the industry long dominated by men.

Fifteen years ago, women represented 11% of the cybersecurity workforce and their jobs often were relegated to junior positions with little opportunity for advancement. Today, women represent as much as 25% of the cybersecurity workforce, with gains that now include more jobs with "senior" and "executive" in the title versus those of yesteryear such as "associate" and "junior".

For cybersecurity advocates, these shifts illustrate how persistence and encouragement of women in IT security are reshaping the cybersecurity workforce.

A look at SC Media’s list of 2024 Women in IT Security honorees, announced last week, underscores a positive trend. Leaders like Tia Hopkins of Cyversity and Renee Guttmann of CisoHive represent just some of the powerhouse of innovators, leaders and advocates continuing to drive progress, inspire inclusivity, and strengthen the industry's future.

(Editor's Note: This article is one in a series of articles, part of SC Media's 2024 Women in IT Security honoree program.)

A long road with many hurdles

Fifteen years ago, the presence of women in IT security was often treated as an afterthought — almost as if the industry's playbook forgot to include half the population. It was a glaring oversight for a sector soon to be starved for talent just as the pace of threats and threat actors would soon snowball.

A 2006 IDC study titled the 2006 Global Information Security Workforce Study on the Information Security Workforce (PDF) didn’t even touch on the issue of gender. Women were effectively invisible in a sector that was rapidly becoming critical to every aspect of modern society, from protecting corporate secrets, to ensuring the integrity of government systems, and dealing with a post-9/11 world with ambitious cyber initiatives like the Department of Homeland Security's Analysis, Dissemination, Visualization, Insight, and Semantic Enhancement (ADVISE) program.

Fast forward to 2010, and we see some attention toward inequities of women in cybersecurity, albeit slow. Still, IT security industry was seen as primarily a “bro culture” moving slower by comparison than other industries at the time. 

In 2010, women comprised approximately 11% of the global cybersecurity workforce, indicating a significant underrepresentation of women in the field at that time, according to 2010 IEEE study titled Women in Cybersecurity: A Study of Career Advancement (PDF). The study’s authors blamed in part IT’s “hacker culture” and social expectations for isolating women from the IT security field.

“The hacker culture is prevalent in the IT world, leading to exceptionally long hours, late nights, and highly focused, almost obsessive behavior. This male-oriented culture raises concerns about safety and security for women working in computer laboratories alone at night and on weekends,” wrote authors Sharmistha Bagchi-Sen, H.R. Rao, Shambhu Upadhyaya and Sangmi Chai.

Prevailing attitudes of 2010 also perpetuated the idea that women were not suited for high-level executive positions — a notion that was as damaging as it was outdated. In 2010, women earned approximately 77 cents for every dollar earned by men (2024 stats are 84 cents per dollar). Women also remained underrepresented in the U.S. House of Representatives and Senate, holding only 17% of seats in both (2024 stats are 29% and 25%, respectively).

The irony was the industry obsessed with staying ahead of cyber issues was so far behind when it came to diversity in their backyard. Cybersecurity had become a business and national priority and needed to focus on workforce inclusion not exclusion to meet employment needs.

By 2013 cybersecurity job vacancies had grown to 1 million, according to Cybersecurity Ventures' Women in Cybersecurity Report.

The 2010 IEEE report outlined the barriers but also pointed toward solutions that would later take root such as training and mentorship programs. "The lack of mentorship opportunities for women creates an invisible ceiling that many find impossible to break through,” noted Raghav Rao, one of the IEEE study's authors.

The tide was beginning to turn.

2018: Women rising in leadership, but at what cost?

In 2018, a report from the International Information Systems Security Certification Consortium (ISC)², revealed that women were not only entering the cybersecurity field in greater numbers, but they were also carving out leadership roles at a higher rate than expected. According to the report (PDF), 28% of women in cybersecurity had reached C-level executive roles compared with just 19% of men.

This surprising data point suggested that if and when women broke into the field, they were more likely to rise to positions of influence than their male peers.

However, the report also highlighted a troubling paradox: the higher women climbed, the harder it seemed to achieve equal pay. Women were earning significantly less than men for similar roles. For example, only 16% of women in cybersecurity earned over $100,000 per year compared with 20% of men.

According to the (ISC)² report, that pushed many female professionals to earn multiple certifications and postgraduate degrees just to reach pay equity — efforts their male colleagues were less likely to take.

"Women feel they must over qualify themselves to be taken seriously," said Claire McGuinness, an academic specializing in information and digital literacy, in a study by the Hewlett Foundation.

2021: Leveling the playing field in a rigged game

By 2021, education had become a key battleground for women aiming to overcome the obstacles they faced in cybersecurity. An updated 2021 (ISC)² Cybersecurity Workforce Study (PDF) from that year found that 52% of women in the field held postgraduate degrees compared with 44% of men. This marked an important shift: education and certifications were increasingly seen as the tools women could wield to carve a path to leadership.

In Hewlett Foundation's 2021 report The Hewlett Foundation’s Cyber Talent Pipeline (PDF) it lays out a “pipeline” strategy that involves supporting universities in developing programs that merge technical and policy education to graduate students who meet the cyber workforce's needs​. The pipeline emphasizes increasing diversity, specifically women in cybersecurity.

Yet, the reality is even with advanced degrees and specialized certifications, the barriers don’t just disappear. Instead, they seemed to morph into different forms of subtle, cultural bias, noted (ISC)². Even with advanced degrees, women continued to face significant challenges, especially related to organizational culture.

Authors of the Hewlett report agreed, noting that progress also needs to include diversity, equity, and inclusion (DEI) and those initiatives were lagging at national and corporate levels.

Jodi Nelson, the report's co-author, noted, "Until DEI becomes a true priority, we will continue to see capable women leave the field out of frustration.”

Ironically, quitting their jobs, but not leaving the field, would later turn out to be a viable option. Another trusted route to bridge the gender gap was the promotion of mentorships among women within cybersecurity. 

Mentorships have had measurable impacts on women's progress in cybersecurity, and the data supports this. According to a SANS 2020 whitepaper Women in Cybersecurity: Spanning the Career Life Cycle(PDF), 37% of women who were mentored by senior professionals went on to attain leadership roles within five years. Additionally, 75% of respondents who received mentorship reported higher job satisfaction and increased confidence in applying for promotions.

Women have also turned in greater numbers to STEM related majors, including cybersecurity, as a way to bias-proof their career paths, according to a report Women in STEM Special Topics Report FY 20 (PDF), released by the U.S. Equal Employment Opportunity Commission’s Office of Federal Operations. In the federal STEM workforce women made up 41% of science occupations but only 17% of engineering roles, underscoring the disparities in different fields of STEM.

Bias is persistent, but so are women

Another dark truth, women in STEM didn’t dodge bias in the workplace, according to the STEM report. Rather they faced challenges including generalized harassment and gender discrimination, impacting retention and advancement.

A 2023 report conducted by SPR paints a vivid picture of the current state of women in tech. According to the survey, 73% of women in tech had experienced gender bias within the last year, with most citing incidents involving promotions, salary negotiations, or interactions with male colleagues.

"It happens every day," said one SPR survey respondent, a 46-year-old software engineer. "Everything from men taking over my role in meetings to unequal opportunities."

Many women chose not to report these incidents to human resources, either out of fear that their complaints would not be taken seriously or because they believed that reporting would have no impact. Only 14% of those who experienced gender bias reported it to HR, and more than half of those said their complaints were inadequately addressed.

"The culture of silence is pervasive because we know that speaking up often leads to nothing," one SPR survey respondent said.

But despite the obstacles, women are resilient

The SPR report also found that more than a third of women in tech planned to leave their current jobs within the next two years, but not to exit the industry. The report spotted a growing new trend where women seek to find opportunities with companies that prioritize inclusivity and professional development.

This migration of women in the cybersecurity workforce is growing and is motivated by a push for flexibility, more female role models, and opportunities, SPR asserts. Women are increasingly making these career jumps to companies that value what they bring rather than trying to change those that refuse to evolve, the survey noted. 

According to SPR, the trend is driving a new wave of successful females thriving in an atmosphere of like-minded cybersecurity professionals.

Looking forward: Addressing the systemic issues

Bias, as many of these studies show, is persistent — but so are women. The last 15 years have seen remarkable growth, not only in the number of women in cybersecurity but also in the roles they occupy and the influence they wield.

Although women have made significant strides, representation is only part of the victory — true progress requires systemic change.

The throughline over the past 15 years of reports cited here is a call for more inclusive policies, a push to actively work on eliminating pay disparities, and the creation of mentorship programs that foster the growth of women in all stages of their career.

The goals can be seen as ideal, but the reality is business and government can’t afford to be less than pragmatic and inclusive. Today, global vacancies for IT security stands at 3.5 million, with more than 750,000 of those positions in the U.S., according to Cybersecurity Ventures' Women in Cybersecurity Report.

By continuing to break barriers and challenge outdated norms, women are proving that the future of cybersecurity will be diverse, inclusive and resilient. The resilience of women in cybersecurity sends a clear message: the obstacles are real, but so is the determination to overcome them.

(Editor's Note: This article is one in a series of articles, part of SC Media's 2024 Women in IT Security honoree program.)

Tom Spring, Editorial Director

Tom Spring is Editorial Director for SC Media and is based in Boston, MA. For two decades he has worked at national publications in the leadership roles of publisher at Threatpost, executive news editor PCWorld/Macworld and technical editor at CRN. He is a seasoned cybersecurity reporter, editor and storyteller that aims always for truth and clarity.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds