Empowering Women in Cybersecurity: Insights from ISC2's Latest Study
By Cam Sivesind
Wed | Apr 9, 2025 | 4:38 AM PDT

The cybersecurity landscape is witnessing a transformative shift, with an increasing number of women entering the field through non-traditional pathways. A recent study by ISC2 highlights this trend, revealing how diverse educational backgrounds and experiences are enriching the cybersecurity workforce. The evolution carries significant implications for the industry, the existing workforce, male allies, and aspiring female cybersecurity professionals.

Traditionally, many professionals entered cybersecurity roles via IT-centric routes. However, the ISC2 study indicates a notable change:

  • Non-IT backgrounds: Approximately 39% of women transitioned into cybersecurity from non-IT fields, compared to 28% of men. This suggests that women are more frequently leveraging diverse professional experiences to pivot into cybersecurity roles.

  • Educational diversity: Nearly 24% of women in the study possessed undergraduate degrees unrelated to cybersecurity, and 18% held advanced degrees in non-cyber disciplines before entering the field. This underscores the value of varied academic backgrounds in contributing to the multi-faceted nature of cybersecurity challenges.

The infusion of professionals from varied backgrounds enhances the industry's ability to tackle complex problems with innovative solutions. Employers are recognizing the benefits of this diversity, leading to:

  • Broadened talent pools: By valuing non-traditional pathways, organizations can address the cybersecurity talent shortage more effectively.

  • Enhanced problem-solving: Teams comprising individuals with diverse experiences are better equipped to approach challenges from multiple perspectives, fostering creativity and resilience.

"Women in cybersecurity are like the right and left hemispheres of the brain working together. With only one hemisphere dominant, the brain lacks balance and full capability," said Dd Budiharto, CISO & Advisory Board Member; Founder, Cyber Point Advisory. "Similarly, cybersecurity benefits from diverse perspectives to achieve optimal protection and innovation."

Budiharto continued, "Some examples that illustrate this concept:

1. In my experience as a CISO, I've observed that diverse security teams consistently identify a wider range of potential attack vectors during penetration testing, with team members from different backgrounds often spotting vulnerabilities that others miss. 

2. As a CISO, I've seen firsthand how gender-diverse incident response teams handle breaches more effectively. Our female analysts excel at translating technical findings into actionable insights for executive leadership, while maintaining the technical rigor needed for remediation."

Men advocating for gender diversity play a crucial role in this transition:

  • Mentorship and sponsorship: Actively mentoring and sponsoring women from non-traditional backgrounds can facilitate their integration and advancement within cybersecurity roles.

  • Challenging biases: Recognizing and addressing unconscious biases ensures that hiring and promotion practices are equitable and inclusive.

"My initial thought is 'how is this new?' We have been identifying people based on personality and aptitude for decades," said Rick Doten, VP, Information Security, Centene Corporation, who just keynoted on the topic of neurodiversity at SecureWorld Charlotte on April 2nd. "I have a CISO peer who calls himself a 'compulsive interviewer' where he finds himself talking to wait staff, bartenders, retail workers, hospitality workers, those who show unique problem solving skills—working under pressure or applying pattern matching to anticipate a problem and fixing it before it appears. He asks them if they ever considered a career in cybersecurity."

"I personally have mentored a dozen young women who come from different backgrounds who certainly have the right mindset: one was an airline mechanic, another from the entertainment industry as actor and producer, one from accounting, one was a chef, and one who just liked to take things apart to see how they worked."

"I say all the time, I don't care if you have a degree, or what your degree is in, or what certifications you have; most important thing is you have the right mindset and can execute fluid reasoning," Doten said. "If you are multi-threaded, fail quickly, run forward with little information, and figure it out as you go (like you do in the restaurant or hospitality industry), you will make a great security operations or pen tester. If you are single-threaded, meticulous with each step, and won't take that first step until you figure out every step in the path, then fine, you make great project managers, governance, or even forensics analysts."

"The main criteria is passion and interest coupled with aptitude. We've made our industry too intimidating, especially for women, with expectations of having a STEM education, being good at math, know how to program, etc. So, socializing that it's open to everyone is important to keep a good pipeline of people."

Al Lindseth, Principal, CI5O Advisory Services LLC, offered his perspective: "I speak a lot at different industry and sector conferences and gatherings and always get asked the question, 'what's our biggest risk/threat?' It's not really one big threat, it's more the risk of systemic incidents—this combination of an increasing attack surface and widening asymmetric attacker advantage that results in blind spots to everyone's collective defenses. Big supply chain cyber events, realistic foreign national scenarios with broad impact (e.g., lights go out due to geopolitical event and OT), a Change Healthcare type event but with AI-enabled B2B payment fraud where hundreds of millions gets siphoned off. Mitigating these risks means we have to be able to see around the corners, be creative without paralysis by analysis."

Lindseth continued, "Diversity in teams and thought is critical to being able to do this on a continuous basis effectively while staying efficient, as well. With women making up only one fifth of the cyber workforce, this represents untapped resources to help us get there."

The ISC2 study offers encouraging insights for women considering cybersecurity:

  • Transferable skills: Skills from other disciplines, such as critical thinking, risk assessment, and project management, are highly applicable and valued in cybersecurity roles.

  • Educational opportunities: Pursuing certifications and training programs can bridge knowledge gaps and bolster credibility in the field.

With its government perspective on the study, Government Technology writes, "The lack of women in the IT workforce creates unique cybersecurity risks, attributed in part to the areas women prioritize, so governments have taken action in recent years to attract and retain more women in these roles," citing its own 2020 article on attracting women to IT roles in government.

We asked women and men from cybersecurity vendors their thoughts on women in cybersecurity.

Teresa Rothaar, Governance, Risk and Compliance Analyst at Keeper Security, said: 

"Over the past few years, the climate for women in cybersecurity has been showing signs of improvement; however, it still faces substantial challenges. Significant work still needs to be done to ensure equal opportunities and a supportive environment for women in this industry. Continued efforts from educational institutions, industry leaders and advocacy groups are needed to address the cultural and structural barriers within the industry to achieve true gender parity.

"Ongoing challenges to women's advancement in cybersecurity include significant underrepresentation, as women remain notably outnumbered in cybersecurity roles despite efforts to close the gap, and men continue to dominate the field, particularly in leadership and technical positions. The workplace culture in many cybersecurity environments can be unwelcoming to women, with issues such as gender bias, lack of recognition, and sometimes a hostile work environment hindering their progress and retention in the field. Additionally, gender pay gaps persist in cybersecurity, with women often earning less than their male counterparts for similar roles, a disparity that is particularly pronounced in tech fields. Women in cybersecurity also face barriers to career advancement, including fewer opportunities for promotions and leadership roles, as well as a lack of support for continuing education and professional development."

"In addition to investing in existing talent, organizations should rethink their recruiting practices, especially when writing job advertisements. Research has shown that male applicants will apply to jobs even if they meet only half of the listed requirements, while women tend to be hesitant to apply unless they meet all of them. When writing ads, ensure that the requirements list reflects the actual job, and note which requirements are written in stone versus those that are simply 'nice to have.'"

"To further address the gender gap in the year ahead, organizations should tackle pay disparities to ensure equal compensation for women serving in the same or similar roles as their male counterparts. This can be accomplished by conducting regular pay audits and promoting transparency in salary structures. Additionally, creating more pathways for women to advance into leadership roles through mentorship programs, sponsorship, and leadership development initiatives can be beneficial. Offering flexible work arrangements, childcare support, and robust parental leave policies can also help retain female talent."

"The explosion in remote work post-COVID probably did more to promote women’s employment in the tech and cybersecurity sector than even the most robust corporate DEI programs. This is because women are more likely than men to be caregivers to minor children and elderly or sick adult family members. Remote work enables these women to balance their careers with their caregiving responsibilities. It also opened up opportunities that many women couldn't have seized before due to them not being able to pick up and move for a new job.

"Finally, networking is something I struggled with mightily. When I graduated from college, I had no professional network to speak of, and I had zero idea how to build one. I'm an ambivert, but I've never been the type of person who flits around a room, chatting up strangers. Thankfully, the InfoSec community is terminally online, and when I fell into this niche, I was finally able to meet other InfoSec professionals in online venues where I felt comfortable. On social media, I didn't have to 'work the room.' I could silently observe conversations and interject if I had something relevant to offer."

Kate Terrel, Chief Human Resources Officer at Menlo Security, said:

"Organizations should always be looking at their pay practices to ensure they are fair and equitable. Conducting audits to understand gender-based pay gaps allows organizations to find and then rectify potential problems."

"Considering that women are significantly underrepresented in the cybersecurity field, there are a number of initiatives and programs that can be implemented to encourage more women to pursue careers in cybersecurity and increase their representation in the industry. This can start as early as high school—visiting schools to talk about careers in cyber, what is exciting about the jobs, why girls might want to pursue a career in cyber, etc. Similar to programs, such as Girls Who Code, there is also an opportunity to conduct summer camps for girls interested in coming into the field."

"From a college perspective, cyber organizations hosting externship and internship programs with really interesting projects can begin to cultivate a pipeline of young women or other minorities coming into our industry. This can be done across multiple disciplines within cyber—engineering, product management, marketing, and sales. Also, college clubs (business, engineering, etc.) can bring in women who work in cyber as guest speakers—talking about the exciting careers and opportunities that exist."

"Exposing this next generation to our purpose (fighting bad actors) and the interesting and challenging work that exists in cyber may give them ideas that they never even considered from a career perspective."

Rob Rashotte, Vice President of Global Training and Technical Field Enablement at Fortinet, said:

"According to the Fortinet 2024 Global Cybersecurity Skills Gap Report, 70% of leaders surveyed say that the cybersecurity skills shortage creates additional risks for their organizations. This finding underscores the importance of upskilling and reskilling existing employees, as well as the need for recruiters and hiring managers to take more creative and flexible approaches to recruiting new talent. Reexamining and revising education and training requirements for cybersecurity roles is a great place to start. For example, many organizations still prioritize traditional qualifications such as four-year degrees, yet 91% of our survey respondents say that candidates with cybersecurity certifications stand out."

"We're already seeing organizations place more emphasis on recruiting and retaining cybersecurity talent. According to the report, nearly three-quarters of business leaders say their boards were more focused on cybersecurity in 2023 than the year before, and 83% of respondents say they have diversity goals in place related to cybersecurity hiring."

"However, many organizations are still likely overlooking solid candidates. While many companies have diversity hiring goals, we aren't seeing hiring numbers increase significantly among women, minorities, and veterans. Despite 91% of respondents saying they prefer to hire candidates with technical certifications, 71% of organizations require potential new hires to hold a four-year degree. Organizations should be identifying candidates who possess the right soft skills and then using certifications to help them gain cybersecurity-specific knowledge. According to the report, most leaders are open to this approach, with 89% of respondents saying they would pay for an employee to obtain a certification."

Liz Nguyen, CTO at Intrado, said:

"Companies need to make their organization more attractive to women. Certain initiatives, including targeted leadership development and mentorship programs—specifically designed for women—show them that a company values their perspective and contributions. Creating support groups focused on leadership growth can also help to foster a more supportive culture for women in the workforce. Another way to increase female representation is by instituting inclusive hiring practices that increase female representation in traditionally male-dominated technical positions. Organizations should also ensure career opportunities are promoted equitably and offer flexible work options to accommodate various schedules and needs that are more common for female employees."

"Organizations should prioritize placing women in innovation-focused leadership positions and ensure teams are diverse and inclusive across all demographics. Companies can foster innovation by providing continuous learning opportunities through training forums, conferences, and hackathons, while promoting a mindset of calculated risk-taking and learning from failure. Additionally, establishing partnerships with academic institutions and external groups focused on supporting women can create valuable pipelines for diverse talent."

"Employers should develop partnerships with educational institutions to promote education among young women, offering mentorship programs, scholarships, and internships to inspire early interest. Companies also need to adopt unbiased recruitment practices that focus on a candidate's potential and skills rather than just experience. Clear paths to leadership should be established, including mentorship and sponsorship programs, while actively highlighting successful women in technical and leadership roles within the organization."

"Mentorship and leadership programs are essential for supporting women throughout their careers, helping to build confidence and providing access to valuable networks and opportunities. These programs should focus on developing critical leadership skills through both on-the-job experience and external perspectives. Such initiatives can be particularly effective in helping women overcome common barriers like imposter syndrome, unconscious bias, and limited visibility of leadership pathways."

Anna Turner, Senior Vice President, Product Management & User Experience, at Paycor, said:

"Work-life integration and flexibility are key to attracting and retaining female talent. Providing the space for people to do their best work with flexibility and virtual options will support better work-life integration."

"Leaders modeling inclusive and flexible work-life integration speak louder than words. Work-life integration may look like stepping away from work to take kids to a doctor's appointment, being 'offline' during evening hours, building your schedule around a child's sporting event, or being present with your family during a vacation are just a few ways leaders can support women at work by normalizing these activities. For inclusive behaviors, strong teams value all voices and opinions. Environments where space is made for everyone's voice is welcomed and appreciated are more likely to attract and retain women."

"Create clear career progression paths: Provide clear career progression paths and opportunities for growth. Offer training and development programs that focus on building leadership skills and provide access to networking opportunities. Encourage women to take on challenging assignments and provide them with the necessary support and resources to succeed.

"Finally, leaders need to intentionally identify and encourage high potential women into the next steps of their career. One of the biggest obstacles for women at work from McKinsey's study is women not entering into first-level manager roles at the same rate as men. Corporate programs to help support first-time managers can increase the effectiveness of new people leaders."

ISC2 celebrates women in cybersecurity

ISC2 celebrated women in cybersecurity in March and has a webinar on the topic available to view.

"At ISC2, we are celebrating women in cybersecurity during the month of March and publishing a series of articles that encourage the cybersecurity industry to strive for equality and greater inclusivity for all.

We will be sharing more research insights along with the accomplishments, career stories, and experiences of women members working in cybersecurity roles.

Cybersecurity professionals can hear from leaders around the world during a webinar, From the Inside Out: Increasing Representation and Inclusion of Women in Cybersecurity. Available now for on-demand replay, this webinar features panelists who discuss unique partnerships and grassroots programming to increase women’s inclusion in cybersecurity. They also discuss why increasing representation matters and how individuals and organizations can play a role in making change."
