At first, it might sound like just another lack-of-women-in-technology story. But the story of women in cybersecurity is different. That’s because the dearth of women in the field is making all of us less safe.
To understand why, it’s first important to clarify what cybersecurity is, exactly. Cybersecurity is the intersection of technology and national security, the place where we define the policies, systems and practices that keep us and our information secure both on and offline. These policies don’t just extend to businesses and governments—they create safer systems for our families, our communities and our country.
Part of the reason why the gender gap exists is nestled in the very name "cybersecurity." The industry represents a unique and potent collision of military and tech culture—two fields that have traditionally been dominated by men, and have thus been shaped by male priorities, schedules and preferences. Indeed, the terms "cybersecurity" and "cyberwar" are artifacts of the Cold War era. They summon up Dr. Strangelove more than rocket girls.
Yet attracting a broader set of people and experiences and confronting the historically narrow idea of who belongs in the field is essential to the industry’s survival. As Betsy Cooper, executive director of Berkeley’s Center for Long-Term Security and a panelist at New America’s cybersecurity conference, wrote recently: “We need sociologists, psychologists, lawyers, and economists to understand human behavior; designers and data scientists to help change that behavior; and businesspeople and bio-scientists to bring products to market.”
Cybersecurity recruiters have a long way to go. Women comprise only 10% of the information security workforce. That’s lower than the percentage of female web developers (34%) and programmers (23%). Moreover, the industry will face a staff shortage of 1.5 million people by 2020, according to recent research. The current population of the nation’s computer science departments is just not going to get us there—in 2014, there were only 82,700 combined masters, bachelors and PhDs earned in computer science, according to analysis from the National Science Foundation .
It’s not just the staffing shortage that’s making us less safe. We’re also less secure when the people designing cybersecurity products and solutions aren’t representative of the population that’s using them. Gender, socioeconomic status, race and other identities can all influence how people perceive security interventions (i.e., those pop-ups telling you to update or install software, or warning you not to navigate to a certain page), use software, conceive of their right to privacy online, and what they think they need to do to protect themselves from cyber threats.
For instance, some early research shows that women may react to or address perceived cybersecurity threats in different ways. They are more likely, according to Pew, to restrict social-media access to their friends only. Another study in the U.K. found that women were more likely than men to set up privacy settings on their accounts. That may be in part because women are more likely than men to be harassed online. A 2015 U.N. Broadband Commission report found that about 75% of women who are online have experienced some kind of cyber violence.
Those disparate experiences may prompt women in the cybersecurity field to approach or design security solutions differently. “In my career, I’ve noticed that female analysts and engineers often ask different questions when working on online security and safety, such as around ways to protect vulnerable demographics," Jen Weedon, an analyst at Facebook, told us via email. "These analysts frequently think about security in a much broader way than some male engineers.” She explained that women may be more sensitive to online privacy breaches because they can be disproportionately impacted by certain types of attacks.
In the cybersecurity field, it’s especially important to design systems and structures that take into account the unique sensitivities and experiences of the entire population—women and men from every demographic and walk of life. That’s because we know that the failure of a single individual to protect themselves properly online can compromise an entire business, community or government. It’s imperative that cybersecurity professionals design products and solutions that everyone in a population can and will use. Put another way, if we want women, men, young people, older people, people of color or any other demographic to use a cybersecurity product, they should be part of designing that product. That’s a basic tenet of Silicon Valley, enshrined as a key principle of user experience design, the backbone of technology product development. For the most part, this mindset has yet to penetrate the cybersecurity field.
You need only look as far as Siri and other digital assistants to see the pernicious effects that homogeneity can have on technology: A recent study shows that Siri, Cortana and the rest of the gang can easily help users after they report they’ve had a heart attack—but are flummoxed after hearing "I’ve been raped." On the flip side, when women are at the designing and engineering table, they are likely to know that heart attack symptoms in women are often very different from those in men and provide a different response when a female voice asks Siri what a heart attack feels like.
Unfortunately, there’s no app or simple technological solution that can narrow the cybersecurity gender gap (yet). But after conducting interviews and condensing the latest research, we’ve identified key lessons for organizations that want to attract more women, and for women who are thinking about getting into the field.
1. Look at how your organization advertises its products and cybersecurity positions.
Do the photos on your website or in company ads primarily depict white men? Do your job descriptions use language like "cyber ninja"—a term that research shows repel women? Since we know that women tend to be more attracted to positions that have a clear communal, mission-driven or human-centered impact, you can emphasize in ads and job descriptions that cybersecurity is about protecting the security of co-workers, about advancing a larger corporate mission, and about setting up systems that will make all of us more safe.
2. Give managers the tools and support they need to address overwork culture.
While the online and remote nature of much cybersecurity work is in some ways perfect for employees who need flexible schedules to combine breadwinning and caregiving responsibilities, those same qualities can also exacerbate overwork culture—the pressure many employees feel to be connected to their office 24/7. Harvard research shows that the culture of overwork is a bigger obstacle to women in the workplace than a lack of family friendly policies like paternal leave and flex-time. That’s in part because the majority of caregiving work still falls to women, but if women take advantage of flex-time policies to fulfill these responsibilities, that ends up stalling their careers because they’re viewed as less committed to their jobs.
3. Recognize that the cybersecurity field needs diverse backgrounds and experiences in order to thrive.
It’s easy to assume that only one type of person makes a successful cybersecurity employee—the person that majored in computer science or something similarly tech-focused. Research shows that’s just not true: The field needs people with lots of different backgrounds to solve its thorniest problems, and to produce more sustainable policies, programs and practices. So start advertising at sociology conferences!
As our lives move ever more online, cybersecurity will simply become security. What it takes to keep us safe and protect our rights and liberties when we shop, talk, vote, play, learn, court and work online will be what it takes to keep us safe and protect our rights and liberties—period. We will need all the intelligence, talent and imagination we can find. It has taken centuries to open traditional national security fields to women, including the military itself. Cybersecurity can’t wait.