Cybersecurity Is Becoming More Diverse … Except by Gender

Right now, in 2024, at least three of every four cybersecurity professionals is male.

Cybersecurity is hardly the only male-dominated industry, but even in contrast to others — like law (53%), accounting (46%), and doctors of medicine (37%) — it lags behind.

According to new research from ISC2, women make up just 20% to 25% of the cybersecurity industry. And that figure, it noted, has remained relatively consistent for some years.

It stands out even more when compared with the racial makeup of the industry. While the majority of cyber pros over the age of 40 in the US, the UK, Canada, and Ireland are white, the majority under 40 are not. ISC2 found that over the past 12 months, a full two-thirds of new entrants to the industry from those countries have been non-white.

The takeaway? Cybersecurity is fixing its diversity problem, but only halfway.

Gender Representation in Cyber, by the Numbers

Just 4% of ISC2 survey respondents indicated that women make up a majority of their security teams. By contrast, 11% admitted they have no women on their teams at all.

There seems to be a mild networking effect at play, too. The average woman in security works with around 8% more women (30%) on average than men do (22%).

The problem is pretty much the same across industries, as the most-diverse sectors, like cloud services, automotive, and construction (all 28% female), don't far outpace the least-diverse (military and energy, each at 20%).

There are, however, some positive trends alongside the lagging ones.

Where only around 14% or 15% of cyber pros over age 40 are women, at least 25% under age 35 are (a relative improvement).

Most interestingly, the women who do make it into the cybersecurity field tend to rise up the corporate ladder at least as high as, if not higher than, their male counterparts. Women own executive titles at a similar clip to men. A greater percentage of them possess managerial-level roles, and a lesser percentage are ranked as individual contributors. And counterintuitive though it may sound, a greater percentage of women in security are involved in the hiring process than are men (33% to 24%).

That data, however, contrasts with other recent findings.

The Root of the Problem: Exclusion

In its "2023 State of Inclusion Benchmark in Cybersecurity" report, Women in Cybersecurity (WiCyS) tracked the ways in which women experience exclusion in the industry. "Respect" ranked as the worst issue on its list, but just behind respect was "career and growth opportunities."

"Women are experiencing a glass ceiling at around six years," reports Lynn Dohm, executive director at WiCyS. "You could imagine the journey for a woman in cybersecurity as they're advancing in their career, not necessarily getting the stretch assignments they're anticipating, perhaps their managers aren't taking initiative and identifying the trajectory of their career within the organization, they're getting passed up for promotions and experiencing that lack of respect with microaggressions, tokenism, comments. All of that leads up to the point where an individual would likely choose to step out of the career and move into other areas."

It's a self-fulfilling cycle: Too little female representation is leading more women to steer clear of security. As Dohm puts it: "Lack of diversity in the workforce is a symptom of the lack of inclusion."

Simply hiring more women doesn't solve the problem, either, since exclusion extends far deeper than any one person or organization can account for.

"The gender gap in cybersecurity begins long before women reach the workforce," explains Jessy McDermott, partner solution architect at Aqua Security. "I know firsthand as a former engineering student that this gap existed at the college level. For example, only four other women — out of an original 15, excluding myself — completed the engineering program alongside me at UMass Dartmouth. During those four years, I experienced an ongoing prejudice and doubt and saw how women were ultimately driven out of the field before they even graduated.

"This is only exacerbated as time goes on and women begin to see that careers in information technology or cybersecurity are 'male-dominated.' If you’re somehow able to get through college without being driven out of the field, you've just started the first leg of a never-ending journey. Ultimately, this can all lead to imposter syndrome, which myself and many female friends in the industry deal with. I have days where, even now, as a cybersecurity professional with years of experience under my belt, I still get challenged to show and, more importantly, prove my knowledge to others."

So, she adds, "I love how more companies are going out of their way to hire more women into the field, but to see a difference, women need internal support to feel confident and be successful in their roles."

Non-Diversity Consequences to Companies

Besides the obvious consequences for people, there are also consequences for uniformity for companies.

"When retention isn't there for female talent, it costs money, because it's pulling back out recruiting dollars. And it's also a reputational risk," Dohm notes.

"Broader than cybersecurity, there's a body of research that says the more perspectives you bring to the table, the better off you will be at problem solving," says Clar Rosso, CEO of ISC2. "In cybersecurity, which is a very complex, growing threat landscape, the more perspectives that we bring to the table to solve problems, the more likely we will be able to impact our cyber defense."

Dohm puts it tersely: "It's a security risk not having the diverse perspective that women bring to the cybersecurity workforce."