Why Are We Still Talking About ‘Women in Cyber Security’? (Laura Brent, NATO)

Should we stop talking about women in cyber security?

It is easy to dismiss the discussion of ‘women in cyber security’ as a boring one – the story doesn’t ever seem to change. Blog after article upon study repeatedly demonstrate that women in technology generally and cyber security specifically continue to be underrepresented in an environment that favors men. In 2017, women represented 11% of the global cyber security workforce – the same low percentage as in 2013. Frankly, given that this state of affairs continues despite the attention it has gotten, it’s tempting to believe that female representation in cyber security isn’t changing because we, as a field, ultimately don’t care enough to fix the problem.

We shouldn’t give up yet.

Before women accept permanent minority status, though, we should ask: Do we really understand the problem?

Though it is clear women are underrepresented in technology, continuing research is giving individuals, educators, and employers a better understanding of why women are underrepresented in technology. While it is beyond the scope of this article to argue what ‘adequate’ or ‘good’ representation looks like, it’s hard not to agree that the situation is bad: In 2017 in the United States, only 14% of information security professionals were women, while women represented 48% of the workforce overall. Moreover, more, and more specific, data are now available on the significant hurdles women face at school, during the hiring process, and in the workplace.

Take schooling, for example. A recent study in Israel demonstrated that teachers, when grading math tests of their own 6^th grade students, gave boys higher grades and girls lower grades as compared to a group of independent teachers grading the same tests with the names removed. Another study showed that though women earn approximately 37% of U.S. undergraduate degrees in Science, Technology, Engineering, and Mathematics (STEM) overall, they account for only 18% of computer science degrees. While these studies do not represent great news for women in technology, they point to real and specific areas to target for improvement. In other words, we are getting better at getting the problem.

Though the general challenges of women in technology have been long known within the field, every year more is unquestionably being done to rectify the issues. Big companies are spending big amounts to make diversity a priority. Intel has allocated $300 million for diversity efforts; Apple has dedicated $50 million to get more women and minorities into the technology industry; and Google spends $150 million a year on its diversity initiatives. There are also organizations devoted to assisting companies to recruit and retain women: The Anita Borg Institute, for example, has created the data-driven Top Companies programme, which helps pinpoint specific indicators and tangible strategies that allow companies to ‘[build] workplaces where women technologists can thrive.’

We are thus doing more…but there’s still more to do.

All hope is not lost: people continue to better understand the causes of under-representation as well as devote increased resources to addressing them. But, as we said at the beginning: female representation in technology is still deeply suboptimal. Thus, the real question is: have we actually done all we can to improve?

The simple answer is no. These are huge and complex challenges, encompassing everything from bias in the classroom to workplace cultures that drive away women; more data and more money are key, but they are insufficient without long-term, serious commitment to change from the top. Once problems are identified, organizations must transparently measure their progress and then hold management accountable – in real ways, including financially – for their success in hiring, retaining, and promoting women. Company leadership needs to buy in – and demonstrate loud and continuous commitment to declared policies. Studies have compellingly shown the tangible business value of more gender-balanced companies; such focus on diversity is thus not only the moral choice, but the smart business decision.

As companies do attempt change, it’s important to realize that first solutions might not be last solutions. Unconscious bias training, for example, has become one of the most popular Silicon Valley programmes: Individuals learn to recognize the ‘stereotypes, both negative and positive, that exist in [their] subconscious and affect [their] behavior.’ Recently, however, some research has contended that unconscious bias training can, in fact, worsen behavior – if everyone recognizes that all people are biased, there’s less incentive to change a behavior that’s now firmly the norm. Some are already taking on the challenge to improve, rather than discard, this training.

Finally, as the push for more women in technology continues, it is also critical to recognize that there are real strains of active opposition to change. In September 2017, the New York Times published an article, ‘Push for Gender Equality in Tech? Some Men Say It’s Gone Too Far’, detailing how some men have begun to assert that the relatively modest efforts to level the steeply unequal playing field have already been excessive. Sadly, for some, the current gender balance seems to be a feature, not a bug.

Getting better isn’t optional.

One has only to glance at the front page of a newspaper to understand the importance of cyber security. In 2017 alone, there have been global attacks that have affected industries from shipping to healthcare, costing hundreds of millions – if not billions – of dollars. The possibility of a devastating attack on critical infrastructure remains all too real. The Euro-Atlantic security community now definitively recognizes that a cyber attack can be just as harmful to a society as a conventional attack.

In the midst of this crisis, industry is depriving itself of an enormous potential talent pool. Ultimately, the organizations that take meaningful action to hire and retain women first will be better positioned than their peers for success.

Laura Brent has held cyber policy roles in both the public and private sectors. Currently, she is a cyber defence officer on the NATO International Staff, where she helps develop and implement cyber policy on behalf of the Alliance. Previously, as a manager at EY, Laura conducted cybercrime investigations and assessed clients’ cyber security programmes and maturity. Prior to EY, Laura served at the U.S. Department of Homeland Security, working on a broad range of security issues including cyber security and critical infrastructure protection.

This article originally appeared in Cyber World, published by Secgate.