In a prior PodChats for FutureCISO dialogue with Mel Migriño, chairman and president of the Women in Security Alliance Philippines, she acknowledged, as do many other security professionals on both sides of the gender spectrum, the current dilemma facing many organisations: there are not enough cybersecurity experts, and there is an opportunity for women to fill the vacuum.
With International Women’s Day 2023 fast approaching, FutureCISO approached Clar Rosso, chief executive officer of (ISC)2, for her take on the current gap and how organisations like (ISC)2 are working with industry and academia to narrow it.
The sad state of bias in Asia
The (ISC)2 2022 Cybersecurity Workforce Study revealed that four out of five countries with the fewest DEI initiatives are based in APAC (China, Hong Kong, Japan, and South Korea), while the top five markets with the most DEI initiatives are based in North America and Europe.
“We also noticed that countries with fewer initiatives tend to have more racially and ethnically homogenous populations. Given that DEI also addresses gender and age in addition to race and ethnicity, the discrepancies in the region are noteworthy,” said Rosso.
The silver lining is that 47% of APAC respondents state that their organisations are investing in DEI initiatives, according to the same study.
The growing attention on diversity, equity and inclusion presents an opportunity for executive leaders to recruit and retain more talent in the industry. This is critical for APAC, which currently has a workforce gap of almost 2.2 million, as reported in the study.
Ideologies and social politics aside, organisations should be pragmatic and consider the increasingly clear connection between DEI initiatives and talent recruitment and retention.
The lack of female cybersecurity professionals
While acknowledging that women still make up only 25% of the cybersecurity workforce, Rosso nonetheless noted the trend of more women entering the profession at younger ages. “For example, women under the age of 30 represented 30% of global cybersecurity, whereas they accounted for 14% of those 60 and up,” she commented.
She also conceded that more can be done and that organisations should take the necessary steps to attract women and other underrepresented professionals into the cybersecurity community.
“Pay equity and equitable promotion practices are key actions organisations can take to retain women in cybersecurity,” she pointed out.
“Organisations must build inclusive cultures that give voice and opportunity to all team members. Everyone wins when this happens, as research shows that diverse teams are more successful at problem-solving.”
Clar Rosso
She believed these and other actions can help create a sense of belonging which goes a long way toward attracting and retaining diverse professionals.
Where it all begins
“Increasingly we are seeing women enter cybersecurity through a university education route. Let's create more opportunities earlier for women to learn about cybersecurity in their education journey,” said Rosso.
She further suggested engaging these women aspirants in cybersecurity challenges where they can shatter stereotypes and experience the dynamic problem-solving, people-focused nature of the field. An example could include hackathons with red teams, blue teams and purple teams that allow participants to experience the field from all sides.
Recruiters should look to students pursuing cyber degrees at training institutes and universities. “We've noticed that the student pool today is far more diverse than we have historically seen in the profession. What could help in supporting these students on their career journeys would be to open scholarship or internship programs,” said Rosso.
Challenges ahead for women aspirants
She cautioned that cybersecurity, like many other professions, suffers from gender bias—both conscious and unconscious.
“This can negatively impact hiring, retaining, and promoting talent with unconventional backgrounds, i.e., education and job experiences that are different than those of the supervisor or hiring manager,” she added.
She posited that when combined with unrealistic job descriptions, the barriers to entry for those that enter the field from outside of IT become difficult to scale.
“Organisations need to rethink how and who they are hiring, especially if they want to fill vacant positions. I recommend that organisations work with HR and hiring managers to develop job postings that not only include the required technical skills but also focus on critical non-technical skills and personality attributes. Technical skills can be trained.”
Clar Rosso
Setting up for success
According to Rosso, cybersecurity is a profession where risk management and problem-solving are vital. Individuals who can solve problems, communicate effectively and think critically, and who are curious, avid learners, will go far in this profession.
“A huge game changer I've seen in this industry is the mindset shift from solely focusing on technical skills to non-technical competencies that would make someone successful within the profession,” she added.
How to excel in the field
Rosso believed in the importance of mentorship to help women excel in their cybersecurity careers. She noted that organisations do not need a formal mentorship program, but anecdotal feedback from women and underrepresented groups within the profession indicates that having a mentor helps them feel valued in their roles and encourages them to ask for advice and opinions on success in the industry.
Having a career progression, including the provision of professional development resources, is also important, according to Rosso. She opined that women leave jobs due to a lack of career progression opportunities, so organisations need to invest in resources to create an inclusive environment for women that includes clear career pathways.
She added that organisations that invest in diversity, equity and inclusion programs have smaller staffing shortages than those that do not. Without DEI programs, the consequence is an exit from the profession.
“Our 2022 Cybersecurity Workforce Study revealed that 30% of female employees feel discriminated against at work. Individuals have told me they lack a sense of belonging when they are the only woman in the room,” she revealed.
For those looking to switch careers, she recommended checking out (ISC)2’s One Million Certified in Cybersecurity program, which pledged to put one million people through its foundational Certified in Cybersecurity entry-level certification exam and education program for free.
She explained that, of the one million, 500,000 course enrolments and exams will be directed toward underrepresented communities, including women's organisations across the globe.
“This initiative provides a direct path for individuals keen on entering the field and assists employers in identifying high-value entry- and junior-level candidates for hiring and development,” she added.