Women made up 11 percent of the information security workforce in 2013, but by last year, that number had dropped to 10 percent, according to surveys conducted by ISC2, the largest organization that certifies cyberprofessionals. ISC2 surveyed information security professionals in 2013 and 2015, as reported in Reuters.
The percentage drop, though small, is concerning because the field needs more specialists in general. And, experts say, companies specifically are looking for more women trained in cybersecurity to help fill open positions. More than 60 percent of survey respondents said their companies did not have enough security professionals.
The Institute asked two prominent female cybersecurity leaders about their perspectives on the percentage drop and what might be done to address it. Both are IEEE members who serve on the IEEE Cybersecurity Initiative steering committee. Terry V. Benzel is deputy director of the Internet and Networked Systems Division at the University of Southern California Information Sciences Institute, in Marina del Rey. Celia Merzbacher is vice president for innovative partnerships with Semiconductor Research Corp., a consortium in Durham, N.C.
Q: Why is it important to have female cybersecurity experts? Do women, for example, perceive threats differently from men?
MERZBACHER: It is important to have top scientists and engineers choosing to go into cybersecurity. If women are not considering careers in the field, the pool of talent is then diminished by half. The field of cybersecurity should be as diverse as the user community so that security is developed with all users in mind.
BENZEL: We all benefit from a diverse set of experts, as with any field. There is quantifiable strength in diversification. Broadly speaking, women often tend to approach problem-solving differently from the way men do. As many studies have shown, women tend to engage in open dialog and seek community-oriented problem-solving. It should therefore come as no surprise that I am an advocate of outreach and community-building. This is one example of a strength that a female expert in cybersecurity can bring to the table. I have found that working with female colleagues has helped to bring nontraditional contributions to a field of research and technology transfer that is relatively new in comparison to the jobs that have existed since the advent of industrialization that were historically male-dominated.
Q: What are some challenges of getting women interested in cybersecurity?
MERZBACHER: They include the stereotypes that those who enter and succeed are male and antisocial, preferring to spend their time working alone, looking at a screen all day. In fact, cybersecurity experts require a wide variety of skills and involvement in different activities. One important aspect of cybersecurity is understanding human behavior and working with teams during system design to make sure the systems perform as intended.
Another challenge is the widespread use of information security competitions such as hackathons; capture the flag, which touches on aspects such as cryptography, reverse engineering, and mobile security; and red team versus blue team, whereby one group of security pros (the red team) attacks something, and the opposing group (the blue team) defends it. Some have observed that these types of warlike events are less appealing to women and need to be restructured to attract them.
Finally, there is the overarching challenge at the preuniversity levels in sustaining girls’ interest in science and math. Once students fall behind, especially in math, it is more difficult to engage them later. Programs, like the robotics challenges, are attracting a diversity of students and providing hands-on experience in systems engineering that is contributing to greater enrollment in engineering at the college level.
BENZEL: The media often uses war metaphors rich with rogue hackers on both sides of a war game when portraying cybersecurity. Not only is cybersecurity discussed using war metaphors but the language used also tends to play on gaming ethos. Neither is of interest or attractive to many young women. In truth, the field is much broader and multifaceted than the attack-defend war game.
The field and the nation would be better positioned to address the many challenges facing us if they included more emphasis on cyberprevention and protection, and multidiscipline practices including cognitive behavior, human factors, and system design. This is not to imply that the only way for women to be attracted to cybersecurity is through adjacent fields; there are plenty of computer science and engineering activities in cybersecurity that do not rely on war metaphors and gaming.
Q: What training does one need to enter the field?
BENZEL: Strong backgrounds in critical thinking, looking outside the box, and taking a system-level approach are important. These skills need to be complemented by technical depth in solid computer science courses in architecture, design, operating systems, and networking and the adjacent areas of cognitive science, human behavior, and artificial intelligence.
MERZBACHER: There are many types of positions at various levels that require training that ranges from a two-year associate’s degree to a Ph.D. With the Internet of Things, autonomous vehicles, and the storage of personal information in the cloud and accessible anytime, anywhere, there is a growing need for experts in cybersecurity.
Q: What more can cybersecurity companies do to attract female engineers?
MERZBACHER: They can promote family-friendly policies such as flexible work schedules. Given that the pipeline of engineers—male and female—with cybersecurity education is small and given the dynamic nature of the field, companies can offer on-the-job training to develop a diverse workforce with current knowledge and skills.
BENZEL: Outreach, outreach, outreach. First and foremost is letting women know they are welcome and there are careers in cybersecurity that are not strictly based on war and gaming analogies.
Important forms of outreach are the conferences, workshops, and meetings targeted at the female audience. They include the IEEE Women in Engineering International Leadership Conference, Women in Cybersecurity, and the GREPSEC workshop. Each serves different communities but offers accessibility to women in cybersecurity, mentorship, training, and community-building.
Leveraging women already working in the field is also important. There is a tremendous need for word of mouth about the field and mentoring. It is often difficult for women to see themselves working in a company that is so male-dominated. I know of women who have turned down jobs and interviews because the department or division representatives they met with were all male.
Q: If a female engineer is interested in getting into cybersecurity, what steps can she take?
BENZEL: There are lots of opportunities available, regardless of a person’s background or training. It’s not a hard field to break into. Small companies, startups, educational institutions, and research labs often have the most flexibility in making nontraditional hires and giving someone an opportunity. Larger companies, such as Internet service providers and defense contractors, often have internship and apprentice programs. Also be sure to participate in networking events, conferences, and workshops aimed at women, as well as reaching out to established women in the field for help.
MERZBACHER: Learning as much as possible about how computers and systems work provides a foundation for going into any aspect of cybersecurity. At the postsecondary level, students should consider colleges and universities that are designated National Centers of Academic Excellence in Cyber Defense. This designation is based on their robust degree programs and close alignment to specific cybersecurity-related knowledge units, validated by top subject matter experts in the field.
In addition, students interested in cybersecurity should consider participating in the Federal CyberCorps Scholarship for Service program. It is designed to increase and strengthen the cadre of federal information assurance professionals who protect the government’s critical information infrastructure. Funded by the National Science Foundation, this program provides scholarships of US $22,500 for undergraduate students and $34,000 for grad students.