Opinion: Cracking the cybersecurity gender code

Attracting more women into the male-dominated cybersecurity field means ditching the bro pipeline of computer science, military, and intelligence recruits and drawing from disciplines such as law and public policy.

It's hardly news that women are poorly represented in tech. In 2015, women held just 25 percent of computing jobs, and companies such as Twitter and Google have been widely criticized for lacking gender diversity.

The cybersecurity field is even more imbalanced, with just 11 percent of jobs held by women, according to the nonprofit Women’s Society of Cyberjutsu.

Yet not every corner of the tech universe is equally male-centric. Consider the digital privacy field, those professionals charged with developing and implementing policies to protect employee and customer data from unauthorized access.

While privacy goes hand-in-hand with cybersecurity, given its emphasis on protecting customer data, it has a nearly perfect gender split. There are more female than male chief privacy officers in the US, and conferences on the subject are much more balanced.

Why is privacy faring so much better? It starts with the pipeline. Privacy is an accessible and multidisciplinary field that is frequently taught in law and public policy courses. As a result, professionals from law, policy, and human resource management have come to dominate the industry, bringing far more women into the field.

Contrast that to the pipeline feeding the cybersecurity workforce, which has traditionally drawn from male-dominated disciplines such as computer science (including hackers and coders) and national security (especially military, law enforcement, and intelligence).

As a result, the culture of security largely mirrors that of technogeeks, cops, and spooks. (It's telling that Google gives its Site Reliability Engineers bomber jackets with military-style patches.)

In contrast, the privacy community has roots in issues that themselves favor gender balance: civil liberties, consumer protection, equality, and reproductive rights. For instance, Supreme Court justices in the Roe v. Wade wrote that the "right of privacy ... is broad enough to encompass a woman's decision whether or not to terminate her pregnancy,” branding privacy as a core gender and feminist issue. Many women I have spoken with "found" their way into the privacy field following stints at other advocacy organizations.

Workplace policies have also played a role in helping women in privacy. When it first emerged as a distinct role within companies, privacy was seen as a family-friendly space, perhaps offering flexible hours and less responsibility than other mid-career roles.

In contrast, security is perceived to be more competitive, as a failure to keep a network secure can put your job on the line. Breaches can occur at any time, day or night, so work hours are not always family-friendly (though this gap is closing as privacy and security become more tightly intertwined).

Of course, women in privacy still face significant challenges, including pay equity: the mean salary for chief privacy officers remains under $200,000, while chief information security officers generally make more than $300,000, and in big companies, usually above $500,000.

The women I talked with also felt privacy was undervalued as a profession and is less respected than security. As privacy professionals spend more of their time managing the same data breaches as their cybersecurity counterparts, they often face many of the same risks, but without the potential prestige or rewards.

On the whole, though, cybersecurity and other tech sectors would be wise to look to the privacy field for inspiration. 

Some suggestions: 

1. Ditch the bro pipeline: Start recruiting from fields outside of computer science, the military, and intelligence communities. Think about psychology, law, public policy – all fields that teach skills useful for deep cybersecurity problem-solving. Women in these fields bring a lot to the table – and can set examples for other women to follow.
2. Find a newbie: Whether you’re a woman or man in the field, think about becoming a mentor for young women. Many women I have spoken with say it was a mentor – and often a man – who encouraged them to pursue a cybersecurity career.
3. Tout your security cred: If you’re a woman in the privacy or security fields, don’t be afraid to sell your security accomplishments. I have noticed many women in the field focus on their privacy accomplishments, even though they also have strong security experience. This could be a result of the general tendency for women to understate their accomplishments.
4. Sell the human side: Companies tend to market the industry as a cool, hacker-dominated space that needs "warriors" to police territory like the Wild Wild West. The industry could do more to market to women. Security, after all, is about protecting things that matter to people. Why not include that fact in marketing campaigns? 
5. Be flexible, but not too flexible: Companies should do more to support a diverse workforce, including offering telecommuting, flexible time, and family leave options. At the same time, there is risk in being too accommodating. As the privacy industry discovered, once an industry is perceived as female-dominated, it can be accompanied by lower pay, lower prestige, and limited upward mobility. 

It’s not clear whether having a male-dominated workforce affects security or other outcomes of the tech industry, but we do know that problems emerge whenever a single gender – male or female – dominates an industry. That's especially true for the workers who are in the minority, and for how their majority workers perceive them.

A gender imbalance can keep important issues out of the public debate, too, and that’s a problem for anyone who cares about security, in the digital realm or in real life. Cybersecurity is one of the greatest challenges we are facing, and the best way to develop effective solutions for tomorrow will be to ensure that everyone—men and women alike—is given a seat at the table today. 

Betsy Cooper, the executive director of the Center for Long-Term Cybersecurity and a Truman National Security Project Fellow, was recently named one of SC Magazine's "Women in Security Power Players." She would like to thank Elizabeth Weingarten from New America for her assistance with this article.