Opinion: For gender diversity in cybersecurity, fix the image problem

 If we are failing to recruit women, we are failing to recruit people who could contribute to this field and help narrow the staffing gap – which is critical to stopping the onslaught of breaches.

A mostly male audience at the recent Black Hat USA cybersecurity conference in Las Vegas.

Steve Marcus/Reuters

November 10, 2015

So many of the ads for cybersecurity jobs, products, and services are filled with ominous voiceovers and images of pipes, binary code, and masked hackers.

They portray working in cybersecurity as a career in the shadows, a field made up of secretive techies who toil through the night, fueled by Mountain Dew, relentlessly defending our networks from attacks and intrusions. 

An online search for “cybersecurity jobs” returns job postings seeking candidates who possess an alphabet soup of certifications, “ninjas” who like to “work hard and play hard,” and militaristic calls for "cyberwarriors."

Tracing fentanyl’s path into the US starts at this port. It doesn’t end there.

These ads are certainly attention-grabbing. But ultimately, this one-dimensional portrayal is problematic, because they are only tailored to half the population: men.

We’re facing a severe cybersecurity staffing shortfall (one study predicts a gap of 1.5 million workers globally by 2020). Yet women comprise just 10 percent of the worldwide information security workforce. While there are myriad programs designed to attract more women into the field, from educational initiatives to revamped human resources strategies, few are tackling a more foundational issue: cybersecurity has an image problem.

If that doesn't change, there are serious implications for us all. We need more people working in cybersecurity, full stop. If we are failing to recruit women, we are failing to recruit people who could contribute to this field and help narrow the staffing gap – which is critical not only to stopping the onslaught of breaches, but also to the effort to ensure broader international security in cyberspace and beyond.

Cybersecurity: What’s in a name?

“You can’t be what you can’t see,”  the saying goes. It's an adage that reflects the importance of imagery and visible role models to reflect the range of women’s potential roles (or lack thereof) in fields where there are gender disparities.  The words and images we use to describe a career field matter, because they send implicit messages about what is acceptable in a given profession. This is particularly true when it comes to cybersecurity-related imagery. Stereotypes are reinforced constantly in the media, most often as male white hackers donning hoodies, working through all hours of the night, with a penchant for poor dietary choices and science fiction.

Why Florida and almost half of US states are enshrining a right to hunt and fish

These portrayals are slowly starting to change. For example, Sheryl Sandberg’s Lean In initiative recently celebrated the 2-year anniversary of the “Lean In” collection on Getty Images, which aims to change the way the media portrays women via positive and realistic stock images. But there's still a lot of work to do to dislodge long-held misperceptions about what it means to work in science and technology. University of Michigan Professor Eileen Pollack’s opinion piece in The New York Times, “What Really Keeps Women Out of Tech,” pointed to stereotypes as a stumbling block for girls in tech, noting that “at a young age, girls already hold stereotypes of computer scientists as socially isolated young men whose genius is the result of genetics rather than hard work.”

There are many studies that say mere perceptions of workers in a given field meaningfully impact attitudes about the types of people best suited for that career. This was illustrated famously in the “Draw a Scientist” test, which investigated children's perceptions of scientists and found the most common stereotype was a white male wearing a white lab coat, even across grades, gender, racial groups, and country.

The words used to describe career paths in a field can similarly illuminate or darken career pathways. Let’s take the word “cybersecurity” in itself. It has become shorthand for any topic under the broad umbrella of keeping computers, networks, and the information they hold and transmit safe.

But cybersecurity isn’t limited to the technical domain, and success as a professional (both male and female professionals) requires more than just coding skills. Broadening cybersecurity’s definition and rethinking how we portray it in the media and in job ads is an opportunity to attract a more diverse workforce and expand the roles women can play in this field.

 

So, who has cyber skills?

Of course, many of the core concepts underpinning information security are rooted in technical concepts. But as the cyber threat landscape becomes more complex, cybersecurity as a field must evolve to address them, which means recruiting people with different perspectives and approaches to problem-solving. We have to start talking about cybersecurity and the skills required to succeed in the field in a more multidisciplinary way.  

What does that look like in practice?

It could mean suggesting to students studying foreign affairs that they should consider a career in cybersecurity. After all, the issue is now discussed at the highest levels of diplomacy between governments. A regional studies expert with a background in political science could help analyze and predict different countries’ approaches towards cybersecurity, and the motives that might drive a country to attack.

Behavioral and data scientists, too, are potential professional recruits: The cybersecurity field is increasingly using behavioral science to identify insider threats or identify anomalies in large sets of data.

MBAs are also part of the pipeline; US businesses must make decisions every day on where to invest limited resources, and cybersecurity is playing a growing role in those discussions.

All of these professions have something in common – they value and reward strong communications skills. So, too, does cybersecurity: A recent survey of information security professionals put communications skills at the top of a list of attributes perceived to be most necessary for success in the field.

This means educators shouldn’t prioritize learning to code at the expense of teaching effective verbal and written communications and critical thinking. The role that “translators” can play in bridging the gap between technical and non-technical people working on cybersecurity will also be key to our future success. For example, as legislators grapple with the complexities of cybersecurity, technologists who are also skilled communicators can work to “interpret” some of these concepts to less-technical lawmakers. One such initiative is New America’s TechCongress, a fellowship that places technologists in Congressional offices to explain and socialize technical concepts to policymakers.

Next steps 

The first step is making sure women are aware of the field in the first place.  Getting more women involved in STEM education, teaching girls how to program with initiatives like Girls Who Code, and teaching cybersecurity at earlier stages of education are all initiatives that will bear fruit down the line as more women are educated in a system that normalizes these fields of study.

Next: recruitment. Employers need to rethink their recruitment strategies and job postings. One start-up, Unitive, consults companies on how to remove language from job openings that may discourage female applicants (particularly “brogrammer” language that Silicon Valley firms tend to use, like ninja, “work hard, play hard” and touting perks like free Red Bull). This reduces the chance that companies keep hiring more of the same and encourages more diverse, and ultimately effective, teams.

Finally, retention. A recent study showed that a many women in the engineering field leave because of hostile work environments, citing, among other things, a dearth of female role models and inflexible work schedules, and a structure that doesn’t adequately develop and promote female staff. Similar sentiments have been echoed across the broader tech industry.

Attracting more women to this field could have immense consequences for the global economy and state of security. The sooner we expand the language and imagery we use to discuss the cybersecurity field, the better equipped we’ll be as a country to address and prepare for the cyber threats of tomorrow. 

Jen Weedon is an expert in cyberthreat intelligence, most recently with FireEye/Mandiant, and wrote this piece as a contribution to New America's Women in Cybersecurity project, part of its Cybersecurity Initiative. Follow her on Twitter.