Awareness around gender diversity in the cyber security industry is getting better, but there’s still a long way to go

A report published by CREST highlights progress made in gender diversity across the cyber security industry in the past few years and points to the next steps needed to further address the gender gap. CREST – the not-for-profit body that represents the technical security industry including vulnerability assessment, penetration testing, incident response, threat intelligence and SOC (Security Operations Centre) – has found that while awareness around gender diversity has improved, there is still work to be done to make a significant practical difference.

In polls taken at CREST’s gender diversity workshop, only 14% of attendees argued that not enough work has been done to lessen the gender gap, but 86% believed that while progress has been made, it is not nearly enough. The study also found that 59% of participants classified their experience in the industry as mixed, having received support and enjoyed roles but pointing to obstacles and challenges that had to be overcome as a result of being female.

The workshops had the primary focus and objective of inspiring change and concluded that the main priorities for change are encouraging girls at school to study computer science; improving visibility of female role models; challenging the perception of industry and perceived gender-specific roles; and industry-wide female mentoring and coaching.

The report suggests that the primary reason for the under-representation of women in the cyber security industry is a lack of interest in the subject from school age. When considering ways to make change, the report recommends that industry leaders – including directors, CEOs and accreditation bodies – could and should be responsible for approaching schools to help educate and encourage students. Schools could also promote initiatives such as CyberFirst’s online Girls Competition, which aims to inspire the next generation of young women to consider computer science as an option with a view to a future career in cyber security.

Findings by CREST also point to issues with current recruitment practices, including the way job descriptions are written, the language used and arguably even candidate requirements. Female representatives at the workshops agreed that the inclusion of training options on the job advert would encourage more female applicants, as would flexible working hours, good maternity policies and back to work support.

Another key finding is the demand for an industry-wide female mentoring and coaching scheme to create a stronger, closer female community, while enabling women to grow and develop in their careers.


“It is encouraging that as an industry we are making progress but there is a lot more to do and improving the visibility of female role models will allow us to challenge the perception of the cyber security industry,” says Ian Glover, president of CREST. “Schools hold the key and we need to help them to encourage more girls into the industry. Furthermore, the mentoring scheme would give a platform on which role models can help to coach and guide others, which in turn will help to challenge the perception of gender as it relates to the industry,” adds Glover. “The actions are well-thought through, they are doable but just need the support of industry, education and recruiters.”


Interestingly, increasing the number of women working in cybersecurity could boost the UK economy by £12.6 billion according to a new report from Tessian, the human layer security company. The report also reveals that closing the 24% gender pay gap in the UK cybersecurity industry, and equalising women's salaries to men's, could add a further £4.4 billion to the UK economy, albeit such thoughts must now be tempered by the on-going ravages inflicted by the pandemic.

The firm carried out a survey of 200 female cybersecurity professionals in both the US and UK, and interviewed more than one dozen practitioners from some of the world's largest organisations about their personal experiences. The Tessian report highlights what it sees as the potential impact of expanding gender diversity in cybersecurity, as well as current perceptions around gender bias in the field.

Key findings:

  • 82% of female cybersecurity professionals in the US believe that cybersecurity has a gender bias problem, compared with 49% of those in the UK
  • The cybersecurity gender pay gap in the US is 17%. In the UK, it’s 19%
  • US respondents are three times as likely (68%) to believe that a more gender-balanced workforce would be an effective tool for recruiting more women to work in cybersecurity than UK respondents (22%)
  • 45% of US respondents say equal pay would help with recruitment, compared with just 10% of UK respondents
  • 61% of US respondents cite lack of qualified talent as a reason why four million cybersecurity jobs will be left unfulfilled by 2021, while only 33% of UK women cite lack of qualified talent as a barrier

Factors discouraging women from joining the cybersecurity industry:

  • 42% of respondents (US and UK) believe a cybersecurity skills gap exists because the industry isn’t considered ‘cool’ or ‘exciting’. This opinion was most commonly shared by millennials (46%), compared with 22% of 45-54-year-olds
  • A lack of awareness or knowledge of the industry was the top challenge female professionals faced at the start of their career, with 43% citing this as a barrier
  • 43% of women said that a lack of clear career development paths was another challenge at the start of their cybersecurity career, while nearly a quarter (23%) cited a lack of role models
  • Just 53% say their organisation is doing enough to recruit women into security roles.


Sabrina Castiglione, senior executive at email security company Tessian, comments: “For organisations to successfully recruit more women into security roles, they need to understand what’s discouraging them from signing up, beyond just gender bias. We need to make women in cybersecurity more visible. We need to tell their stories and raise awareness of their roles and experiences. And once through the door, managers need to clearly show women the opportunities available to them to progress and develop their careers.”

Shamla Naidoo, former CISO at IBM, has this to say: “To many people, cybersecurity equates to – and is limited to – someone in a hoodie bent over a keyboard in a dark room. That’s not the case at all. If we don’t expand beyond that, we’ll lose out on even more people in the industry.” And she adds: "The future of cybersecurity needs diversity. 2019 was the worst year on record for data breaches, with 61% of organisations reporting a breach as a result of human error or malicious activity. With data breaches rising year on year, and with cyber threats continually evolving, we need different ideas and approaches to solving security problems, if we are going to keep people and data safe."


For its part, Cisco’s commitment to the gender equality cause can be seen in its ‘Women in Cyber’ initiative, which aims to bring diversity of thinking to a team and to a problem—what the company’s Gregory Neal Akers describes as “unique perspectives that we would otherwise not have, because of the biases we bring from our own backgrounds”.

Akers, senior vice president of Advanced Security Initiatives and chief technology officer within the Global Governments Solutions Group at Cisco, says he can see that the gender gap in security is, unfortunately, real. “We have the problem of not having enough females in STEM in general and that yields a gap in security. I’m especially concerned about female undergrads and high school students in STEM, because they tend to gravitate to other domains like natural sciences or biology – rather than advanced mathematics that is important to things like encryption and quantum computing.

“Even within the research environment, I see senior-level female colleagues at other institutions lacking more women on their research teams – not because of bias, but because there simply isn’t a talent pool of qualified women to draw from.”

He believes this situation is rooted in the primary and secondary education system, where we’re not sufficiently encouraging girls and women into the field. “For example, in cryptography, which is my area of specialty, the required deep level math is not being taught to enough women. Yet these skills will be increasingly important for the ongoing critical development of Machine Learning. While some women will be drawn to this work, others may be reluctant; we need to actively demonstrate that cyber talent needs extend well beyond deep maths to a breadth of roles that demand all available talent. The imperative is urgent.”

So what can be done about this? “We must incentivise women to get involved in the cyber field; it offers satisfying experience and great intellectual stimulation,” says Akers. “I believe in mentoring; for me, as a leader, it’s very gratifying and I always get back more than I give. I insist on diversity in staffing activities: diverse interview teams to assess job candidates; diverse hiring professionals in HR; and having people with diverse perspectives make decisions on rewards and promotions. This can at times be difficult to do, given the pool of incumbents available to engage in the process. But, if you don’t have multiple perspectives on a decision-making advisory group, you end up with biases and limitations in the ways to think about things. Leaders have to be dogmatic about this and make sure it’s being done.”

Of course, the cyber talent shortage requires skilled women and men to fill much-needed jobs, he points out. "We need to balance encouraging and incentivising women to enter the field with cultivating skills of their male counterparts."

And he concludes: "I firmly believe that, if the opportunity is presented, over time there will be a natural tendency for the balance to come."