Diversity is an essential driver of innovation and business growth, which makes the future look bleak for the cybersecurity industry as it rises to the challenge of countering escalating cybercrime.
Gender breakdown statistics for the industry worldwide are dire: only 11% of the world's cybersecurity workforce is female, and in the Asia-Pacific it's 10% with just 1% of executive management roles held by women, and even fewer in C-suites.
These startling figures surfaced with the release by Australia's Department of Prime Minister and Cabinet of the 'Women in Cyber Security Literature Review', conducted by a team of academics at UNSW Canberra. It told an eye-opening story of an industry that over time has developed a series of persistent and enduring barriers to women.
"Lack of diversity is a national security issue as cyber threats are growing," says review co-author Sue Williamson, a senior lecturer at UNSW Canberra School of Business.
Williamson and research colleagues, including Meraiah Foley and Linda Dewey, conducted a systemic review to understand cybersecurity's gender equity challenges.
Statistics show there will be a global shortfall of 1.8 million employees in cybersecurity by 2022, with some estimating that figure may balloon even sooner to 3.5 million as organisations and governments galvanise efforts to combat growing threats from ransomware, malware, phishing and more.
Understaffing is just one repercussion of the deficit of women in the industry. There's also the loss of diversity benefits for businesses as they miss out on this large potential talent pool.
"There's a danger that women could be locked out of the cybersecurity industry," argues Williamson. "Women will be marginalised if they are not actively encouraged to go into the industry now."
A leaky pipeline
Among its findings, the review listed many reasons holding women back: discrimination, an inflexible 24/7 work culture, wage inequality, high levels of sexual harassment, lack of role models, and the old glass ceiling among the main causes for the scarcity of women who, due to "occupational segregation", are over-represented at entry level and in lower job classifications.
Women face barriers "from recruitment to career development and performance management, culminating in women leaving the industry", the review explained.
It acknowledged a "leaky pipeline" for women in ICT careers broadly, which starts in primary school with stereotypical attitudes that pitch science, technology, mathematics and engineering (STEM) as boys' domains. Only one in four ICT graduates and one in 10 engineering graduates in Australia are women.
Williamson describes cybersecurity as an "extreme industry" in which unconscious biases are rife and discrimination against women is overt.
"It's interesting because it magnifies what happens in other blokey cultures where women are not given career development opportunities," she says.
It's not for lack of ability. The review notes that women enter the profession with educational levels that are higher than those of their male counterparts. Plus, there's historical evidence. Two-thirds of the 10,000 people employed as codebreakers deciphering messages from the Germans and Japanese at Bletchley Park in the UK during World War II were women.
Back then it was "a pink-collared" profession, but as computing power grew over the decades, so did wages, which attracted men, and with the advent of the personal computer in the 1980s, a new geek culture was born – substantially male.
Not all women are deterred. A search reveals women in senior cybersecurity roles at some major Australian organisations, including Telstra and the Australian Federal Police.
More varied roles
Bianca Wirth, IAG's manager of corporate security education and awareness who developed the insurer's global cyber and physical security education program, has clocked up 20 years in the IT industry. She was lured more recently into cybersecurity by the opportunity to specialise in "the human side".
"Over time security started to intrigue me," Wirth says. "Early on in my career I perceived security to be aligned with networking infrastructure, like routers and firewalls, which didn't interest me very much. However, over the past eight years or so, cyber has matured into an integrated element of every aspect of technology. It's a growth area with a need for diverse skills and experience.
"We're seeing the rise of more varied types of roles like business stakeholder management, education and awareness, communications and cybersecurity-specialised project management."
The innovation that comes with diversity will be critical in future not only for differentiating cyber products and services, but also for allowing internal cyber teams to show their value within an organisation "beyond being a cost centre", believes Wirth, a guest lecturer and cybersecurity industry adviser at UNSW Business School.
While she hasn't noticed any career snags due to her gender, Wirth points out that IAG puts a major focus on building a diverse workforce. In her view, the industry's gender imbalance is baffling.
"Perhaps, as an industry, we're just not that good at marketing how great this area is to work in and how valuable this diversity of skills is to business," she ventures.
Marketing and hiring practices are among the comparatively quick fixes pinpointed in the UNSW Canberra review. However, for large-scale change, what's needed is concerted action, starting at a national level, says Williamson.
Australia's Cyber Security Strategy, released in 2016, identified the need to get more women and people with diverse backgrounds to seek careers in cyber security. The need to tackle low participation by women was reiterated in the strategy's 2017 annual review. The Office of the Cyber Security Special Adviser has also launched a women-in-cyber mentoring initiative.
Williamson is looking for signs of tangible action. "There needs to be a gender lens run over cybersecurity policies to ensure women are included and differential impacts on women are addressed. That needs to feed into short-term wins at national, organisational and employee levels, and then in the longer term, pipeline issues and education need to be addressed," she says.
For organisations, the first step for increasing gender equity and diversity is talking about it in the workplace. "It's not enough to have a policy, you need to communicate that policy and get buy in," Williamson says.
The growing trend among Big Tech companies, from Google, Twitter and Amazon to Australia's Atlassian, to publish diversity statistics – even when they don't show the organisation in a positive light – is a smart idea, Williamson believes, because it highlights company commitment to the issue and its targets.
The Women in Cyber Security Literature Review made two key recommendations.
First, redefining cyber security skills to attract women from more diverse backgrounds such as human resources, business management and consulting.
Second, tackling the overarching deterrents for women by increasing transparency, accountability and flexibility; rethinking culture; establishing zero tolerance for discrimination, harassment and bias; outlining clear career paths; and supporting mentoring and other development opportunities for women.
"More research is required because we don't know much about it at all – it's quite opaque," Williamson says.
"We need clear examples of what careers in cybersecurity look like for women." Is that in the Department of Defence's Signals Directorate, in a bank, or for a software vendor? "We need to see clearly that it's a viable option for women."