Jen Easterly, the first woman to lead the nation’s powerful Cybersecurity and Infrastructure Security Agency (CISA), sees a problem at the heart of the nation’s digital defenses. And it’s not the failing of federal agencies to secure their networks, as a recent CISA directive points out.
The problem, she says, is deeper than that. It’s one that’s hindering the recruitment of cybersecurity professionals and potentially endangering the country’s networks and its data.
It’s the lack of women on the cyber team. “The gender gap that exists today in the cybersecurity workforce,” says Easterly, “contributes to the overall cyber workforce shortage that persists in the United States and globally, which ultimately makes us less secure as a nation.”
As director of CISA, Easterly fought hard to get where she is (a graduate of West Point, the recipient of two Bronze Stars, a Rhodes Scholar, special assistant to President Obama and senior director of counterterrorism, and the first woman to head cybersecurity at Morgan Stanley, among other achievements). She is at the top of her field and very much in the moment.
CISA is spearheading a high-profile recruitment drive to bring in fresh cybersecurity talent and overseeing a security crackdown at federal agencies—two strategies central to the Biden administration’s effort to strengthen the nation’s cybersecurity defenses. But while Easterly may be an inspiration to young women considering tech security careers, she’s shouldering a heavy responsibility. Women represent about a quarter of the cybersecurity industry, according to an (ISC)² study in October, and 17% of Fortune 500 chief information security officers (CISOs).
It’s hard to pin down one single reason why women continue to represent such a small proportion of the industry. Reshma Saujani, founder and CEO of Girls Who Code, a nonprofit aimed at closing the gender gap in technology, talks about the “brogrammer,” the caricature of the lone male in a hoodie hunched over a keyboard, as embodying the industry for many young women. Saujani and other experts say cybersecurity is still seen as an industry geared to encouraging boys, not girls.
Looking at things at the grassroots level helps to shed some light on the challenges. Take Jessica Robinson. In 1998, she went to college with a clear goal: to double major in computer science and security law. Soon after she started, Robinson says her goal grew fuzzy. Few women were enrolled in her courses. Even fewer were women of color. She says she was made to feel she couldn’t cut it. When struggling in a class, she was told that the material was “pretty basic.”
“That’s when I felt my dreams ooze out of me,” says Robinson. She dropped computer science and instead pursued a career in law, security, and international affairs. But in 2014, she was ready to try tech again. She started PurePoint International, a consultancy firm that outsources CISOs and provides other data security services. She also received cybersecurity training at New York University. Robinson says her present role is rewarding and fulfilling, but the road to win it was “very challenging.”
The cybersecurity industry has rapidly expanded over the past 20 years. But its gender mix has remained relatively flat, and support for women is wanting. A 2017 (ISC)² study found 51% of women in cybersecurity faced unconscious bias, unexplained delay in career advancement, tokenism, and overt discrimination.
Lauren Bean Buitta says she experienced “overt sexism” firsthand. She began her career in 2003 as a policy analyst for the National Strategy Forum think tank, focusing on cybersecurity and critical infrastructure protection. In 2016, after holding several security-related positions in the private sector and experiencing the sexism she says is “familiar in most male-dominated professions,” Buitta set up the nonprofit Girl Security. Its goal is to help women advance in cybersecurity and give them a voice in a profession where their opinions are often overlooked.
Betsy Cooper, director of the Aspen Tech Policy Hub, which trains technologists in public and national security policy, says the singular reason cybersecurity has traditionally appealed to men is its roots in male-dominated fields like computer science, national security, the military, law enforcement, and intelligence. The roadblocks range from culture to language.
“There is an entire militarized language in which people are ‘attacking a problem’ and ‘drilling down,’ and ‘putting boots on the ground,’” says Cooper. If you want to start changing the culture, she says, then you need to change the language. “There are ways to make this culture more gender neutral.”
Many women, especially younger members of the workforce who are looking for jobs with flexibility, may not even consider the cybersecurity field given its reputation for inflexible work schedules and long hours. “While cybersecurity industry culture might appear like a job in which people must be chained to their desks, that is simply not true,” says Clar Rosso, CEO of (ISC)².
She says larger organizations usually have global security teams that enable staff to balance work and life, and smaller enterprises can implement rotational programs where staff cycle through different positions every six to eight weeks. Employers everywhere are rethinking the future workplace, and some may also adopt fractional work, allowing individuals to focus on specific tasks that aren’t necessarily full-time.
Women seeking to advance their careers in cybersecurity also face challenges familiar to those in other industries. Salaries for women tend to be less than those for men.
As people like Jen Easterly climb to the top of federal agencies, and as cybercrime continues to make headlines, women are starting to move into cyber. In 2017, they represented 11% of the industry. Now it’s a quarter. “Things are getting a little bit better than they used to be,” Cooper says.
In a 2018 study, (ISC)² found that 7% of women cybersecurity professionals became chief technology officers (CTOs) compared with 2% of men, and 18% of women became IT directors compared with 14% of men. “Even though men outnumber women in cybersecurity by three to one, more women are joining the field—and they are gunning for leadership positions,” the report said.
Behind the scenes
Though the actions of women in cybersecurity may not be as visibly apparent as men’s, they are crucial to the industry, says Jumoke Dada, lead project manager at the Making Space Initiative, which aims to increase representation and encourage diversity on cyber-policy related panels.
“They are behind the scenes,” says Dada. “They are constantly fighting, they are constantly in protection mode. They are quietly solving problems and not getting recognized like leaders in other tech firms.”
One of the biggest disincentives to women engaging in the field of cybersecurity is the lack of role models, says Buitta. “If you are not seeing any women leaders, you are not going to identify with that pathway,” she says.
In the public sector, it is easier to promote role models compared with private enterprise. “From the top leadership at the federal level, you can see women doing the job,” Cooper says. “There just isn’t the same visibility for women in leadership jobs in cybersecurity in the private sector.”
Among federal and civilian agencies, there is a twin workforce challenge. Not only are more women needed in cybersecurity roles, but there is also a recruitment crisis. There are estimated to be more than 36,000 unfilled public-sector cybersecurity jobs, with the Department of Homeland Security (DHS) alone needing to fill about 1,700 posts.
Easterly clearly sees the challenge as an opportunity to recruit more women. In a series of tweets on Nov. 16, she promoted the DHS’s new recruitment system and hiring portal, which is designed to help the agency compete with the private sector by offering more competitive remuneration and faster hiring.
In addition to role models, culture, recruitment policies, and education, providing outside support is fundamental in encouraging more women to join the industry. For Robinson, creating a “pipeline” for women at different levels of development will improve things. She cites the cybersecurity badge for Girl Scouts as one example. Job listings should also be “intentional” and explicit in trying to attract women, she says.
Easterly says she also relies on outside nonprofits to help create a more inclusive cyber workforce. In October, CISA awarded $2 million to two innovative organizations, NPower and CyberWarrior, to bring cybersecurity training to rural communities and diverse populations. CISA also recently established a partnership with Girls Who Code to develop pathways for young women to pursue careers in cybersecurity and technology.
“We’re leaning in hard on this and excited to make some real progress in closing the gender gap,” she says.