More Advice on Growing Women in Security

July 27, 2015

This is the final post in three posts on how we can all promote opportunities for women in security. (The prior two posts are here and here.) The feedback has been great with one core issue coming up (and mentioned quite a bit below). It’s not an information security problem but an overall STEM (Science, Technology, Engineering and Mathematics) problem.

Before we get into what industry could do to encourage more women to become information security professionals, do we have any insights into why women say they didn’t consider information security? We don’t want to spend time solving the wrong problem. :)

As one woman who has not (yet) had significant conversations with other women about this, I can provide only my point of view. I speculate that women don’t pursue information security as a career because they mistakenly believe that one needs to be an uber-sysadmin, uber-application coder, uber-crypto specialist, etc to be successful. They envision huge amounts of time communicating with machines — BORING! While anyone who gets in this field needs to become proficient in infosec principles, there are many non-technical skills that are needed and highly valued. Below are a few. Most are derived from the fact that to do this job successfully, you’ve got to get a lot of other [non-security] people involved.

  • Collaboration
  • Emotional Intelligence
  • Project management
  • Negotiation
  • Tenacity
  • Short and long range planning
  • Communication — verbal and written — especially to senior leadership
  • Performance measurement/metrics
  • Risk analysis and risk acceptance — everyone analyzes and accepts risk in their everyday life. The methodology is not that different in information security.
  • Financial discipline — if you get money, spend it, spend it wisely, and be ready to clearly explain what you got for that money
  • Thick skin
  • A sense of humor

So in closing, I would say that industry could encourage more women to become information security professionals by actively recruiting people who have an interest in protecting information and privacy, but are really driven by the skills listed above, skills that women may be more interested in. There’s room for lots of different types of people with lots of different skills.

I think getting more women in Information Security starts with encouraging more girls, especially those in Junior High and High School, to pursue a degree in fields related to Computer Science. When I am on campus recruiting, I think we still have far too few females even in programs that would lead to a career in Information Security. The perception that Information Systems degrees are “nerdy” and not typical for females is a big hurdle. As a result, however, when you do have women that pursue these degrees, they tend to be very strong willed and confident which has made women Info Sec few but strong.

Next, we have to value diversity on our teams, across men and women. Especially in an attack and penetration testing environment, we often create almost a military-like culture, where we believe everyone needs to be the same to accomplish the mission. We pursue teams of like minds because it is actually easier and sometimes seems less like work and more like hanging out with our buddies. I have been very lucky at Crowe to work with some awesome men and women who have thought outside the box. When we work together, we know what each other’s strengths and weaknesses are, and as a result it’s actually more fun because everyone can do what they like and what they are good at because we have a diverse skill and approach.

As leaders in Information Security practices, I think we need to be very cognizant of the fact that there is still a large gender gap in computing. We have to lead by example, and go out of our way engage both male and female team members in professional and casual settings to build a cohesive team. We have to watch for “cliques” by gender or by any other designation, age, geography, skillset. When we see those forming, it’s time to consider how we mix things up.

With regard to your question, it’s an interesting one. The issue with woman in security has to do more with the question of woman in technology, which has declined over the past 20 years. The number of woman who are security specialists are a subset of the technologists (it’s a matter of numbers isn’t it?). A couple of factors relate to this — as a country, do we encourage young woman to study math and science at the same rate as we do young men and do we create a supportive environment once they are there. As a woman in technology, you have to be good at what you do but also have some perseverance to survive a career that may not be that friendly to you. To be most successful, you have to look at the differences and see opportunity. Check out the following related articles: Women in Tech and Cybrary and Wit Partner to Help Women Advance in Cybersecurity.