Editor's note: The following is a guest post by Jinan Budge, principal analyst at Forrester.
As if to exacerbate cybersecurity’s skills shortage problem — two years into a global pandemic — the “great reshuffle” introduced additional dynamics impacting the brain drain.
A hidden epidemic that has hindered women’s ability to continue working at pre-pandemic levels as they take on a disproportionate amount of childcare responsibilities is expected to impact infosec, as it has many other industries.
In an industry that cannot afford to lose any more workers, attracting, retaining, and advancing women in cybersecurity needs to become an immediate priority.
Stemming from a series of highly enlightening interviews conducted last year, Forrester has identified practical solutions for addressing systemic cultural issues affecting women. These include:
- Become an outspoken ally for equal representation at industry events. The grassroots movement to end unequal representation at industry events and ensure that women are equally represented as attendees, speakers, and thought leaders is ongoing. Security leaders can each take a role by showing up and advocating for themselves and others.
- Rethink and expand hiring practices. Job listings are the first impression security leaders give potential employees. Leaders can give a window into the culture, priorities, and leadership by using the right language and avoiding gender-coded terms such as “hackers” or an overemphasis on technical requirements. Create inclusive job descriptions by using gender decoders such as Gender Decoder and Textio, networking at regional women’s associations, and implementing inclusive hiring processes.
- Dismantle toxic masculinity with disciplined process- and behavior-based KPIs. Cybersecurity is rooted in a “hero” culture that emphasizes a particular person or group with more social capital than others. Don’t be fooled by thinking that CISOs can dismantle such workplaces by bringing more women in — that only puts them in harm’s way. Instead, create behavior-based KPIs and disciplined processes to weed out toxic behavior.
- Support and celebrate whistleblowers, rebels, and reformers. Public disclosure of toxic culture is rarely the first step — in fact, 97% of employee whistleblowers choose to report internally first. Make sure firms have the right technologies that enable anonymous internal reporting, a process to triage and investigate all internal claims, and a culture that not only supports but also encourages employees at any level to speak out.
- Remove the stigma of menopause in the workplace. Women in the age group most likely to experience menopause account for 11% of the workforce. Turning a blind eye to gendered ageism — specifically, women going through menopause — will affect overall workplace health, productivity, and inclusivity. Take the time to listen to experts and educate management, then address targets such as bathroom access, flexible work hours, environmental control in workplaces, third-party health, and counseling support. Security leaders should also empower female workers to discuss their specific challenges.
Become an outspoken champion for women in cybersecurity
For the majority of CISOs who are men (currently, 87% of Fortune 500 CISOs are men and only 13% are women), there is an urgent need and enormous opportunity to become not just an ally but an outspoken champion for women in cybersecurity, especially when so many people tell women to solve workplace challenges by simply "leaning in."
Infosec needs to do better and treat gender issues for what they really are: systemic business and social issues. For that to occur, security leaders should:
- Make diversity, equity, and inclusion (DEI) a key performance indicator for security teams. Too many detractors see these metrics as “unrealistic” when in fact organizations with diverse executive teams are 25% more likely to have above-average profitability. Continue to stress the financial implications that a lack of focus on DEI can have. In tandem, share success stories of best practices to inspire and encourage executive teams and the board to prioritize the issue.
- Mobilize male allies to influence change. Allyship is not accidental: true male allies go through a journey of personal and professional maturity, which starts with seeing and acknowledging that there’s a problem, continues with speaking out about even the slightest microaggression, and requires continuous learning.
- Avoid unpaid emotional labor. Asking women to solve systemic sexism and bias in the workplace can result in high levels of stress, compound feelings of difference, create additional workloads, and take time away from career-related activities and from advancing cybersecurity practices. Some firms have started to acknowledge the cost of emotional labor — LinkedIn recently announced that it will pay its employee resource group leaders an additional $10,000 per year, and Twitter is following suit.
Move beyond performative gender diversity and inclusivity
Despite significant efforts to recruit women into the security field, just 24% of security professionals worldwide are women. Gender-related actions need to be authentic, open, and transparent, avoiding the performative.
Employees, customers, partners, and society at large are listening. There will be deep dissatisfaction when there’s a gap between what is being promised and what CISOs are actually delivering.
By all means, brag about gender-related industry scholarships, dazzling DEI policies, and incredible women in your organizations. At the end of the day, however, actions and outcomes are what matter. Demonstrate real outcomes with transparency by sharing actual DEI goals, performance against those goals, and the tangible benefits that come when achieving said goals.