It was a trial that captivated both the tech industry and those outside of Silicon Valley. In 2015, Ellen Pao was suing her former employer, venture capital firm Kleiner Perkins Caufield & Byers, for gender discrimination.

Her complaint against Kleiner Perkins, filed in 2012, charged that the firm’s culture of subtle sexism created an old boys club where men regularly interrupted women in meetings, assumed women would not want to be promoted because they had children, and failed to take action when complaints of sexist behavior were brought to the firm’s attention.

Pao alleged that she’d been passed over for a promotion to senior partner because of her gender; that when she complained about gender discrimination at the firm she was retaliated against; that the firm had failed to take all reasonable steps to prevent gender discrimination against her; and that after she filed a lawsuit against the firm, the company retaliated by terminating her employment.

Pao’s allegations were hashed out over five weeks in a San Francisco courtroom, and a jury ultimately ruled that Kleiner Perkins had not discriminated or retaliated against her. 

But while Pao lost her case and Kleiner Perkins was cleared of any wrongdoing, the trial spurred conversations in the corporate world about gender dynamics. “If I’ve helped to level the playing field for women and minorities in venture capital, then the battle was worth it,” Pao said in a statement after the jury returned its verdict.

Her case also renewed discussion about the underrepresentation of minorities and women in numerous industries—including security and most predominantly in cybersecurity—and how that impacts workplace culture.

A perfect way to visualize this underrepresentation is by attending a cybersecurity conference, where men dominate the speaker platforms and women typically never have to wait in line to use the restroom.

And the RSA Conference held annually at the Moscone Center in San Francisco is no exception to this rule, as Andrea Limbago, principal social scientist at Endgame, knows. With a background in academia and experience working in national security for the federal government, Limbago is used to being one of the few women in a field made up primarily of men.

Speaking with Security Management at this year’s RSA Conference, Limbago talked about attending a recent event for women in cybersecurity hosted by New America.

“It felt weird. It was actually not a normal feeling,” she explains of being at a professional event with only women in attendance. “It’s unfortunate that it feels odd—that it feels more normal to be surrounded by men.”

And that feeling is not unusual because females make up approximately 10 percent of information security professionals. The industry has remained stagnant at this 90 to 10 breakdown since 2013, according to (ISC)²’s 2015 Women in Security: Wisely Positioned for the Future of InfoSec.

“The number of women in information security employment is growing, but only at the rate of growth equal to that of the profession as a whole,” the report explains. “Placing these information security gender percentages into a broader context, women are, in general, underrepresented in senior leadership and information technology roles.”

These numbers persist, despite a major worker shortage in information security that’s leaving thousands of positions unfilled. Estimates from (ISC)² say that at the current rate, there will be 1.5 million unfilled information security positions by 2020. 

Which raises the question: Why are women not joining the profession to help fill the gap? Is it because they are unaware of career opportunities? Or is it because there’s an industry culture that does not welcome them?

Workplace Status

Across the board, women are still underrepresented at every level in the corporate pipeline. This disparity is greatest in senior leadership, according to the Women in the Workplace 2015 report compiled by McKinsey & Company for LeanIn.Org, a nonprofit focused on encouraging women to pursue their ambitions founded by Facebook Chief Operating Officer Sheryl Sandberg.

The report surveyed 30,000 employees from 118 North American companies and found that at the current rate, gender parity at the senior vice president level will be reached in 25 years and at the C-suite level in 100 years.

“Many people assume this is because women are leaving companies at higher rates than men or due to difficulties balancing work and family,” the report explains. “However, our analysis tells a more complex story: women face greater barriers to advancement and a steeper path to senior leadership.”

Some of the reasons women face obstacles to senior leadership are that fewer women hold roles that lead to the C-suite. For instance, a majority of manager-level women hold line roles—or positions with profit-and-loss responsibility that are focused on core operations—but at the vice president level, more than half of women hold staff roles—legal, human resources, and IT positions.

“In contrast, a majority of men hold line roles at every level,” the report says. “Since line roles are closer to the company’s core operations and provide critical preparation for top roles, this disparity can impede women’s path to senior leadership.”

In information security, just 22 percent of global senior leadership roles are held by women. Broken down regionally, women comprise 35 percent of IT leadership roles in Eastern Europe, 21 percent in North America, 26 percent in the European Union, and 13 percent in the Asia Pacific region. 

And of these roles, “women are concentrated in support roles and have a very low representation in the chief information officer role,” the (ISC)² report says. “Of the 22 percent of women in senior leadership roles, more than one-quarter of them are human resource directors. Only 9 percent hold the title of chief executive officer and just 4 percent are CIOs.” 

Also playing a role in a woman’s ability to advance are employee attitudes. This is demonstrated in the McKinsey report where senior-level women reported being less interested in advancement than senior-level men, and women see a workplace skewed in favor of men.

“Women not only observe a workplace biased against them; they believe they are disadvantaged by it,” according to the McKinsey report. “They are almost three times more likely than men to say they have personally missed out on an assignment, promotion, or raise because of their gender.”

These biases that can be seen in the workplace can keep women in lower-level positions, despite being qualified for a more senior role.

One bias, the likeability bias, is perhaps most famously explored in a Columbia Business School experiment. Basing the experiment off of real-life entrepreneur Heidi Roizen, professors assigned half of their students to read about her story using her real name of Heidi. The other half of the students were assigned to read the same story, with the name changed to Howard. 

Both Heidi and Howard had the same life story and were identical. “Yet while students respected both Heidi and Howard, Howard came across as a more appealing colleague,” Sandberg writes in her book, Lean In. “Heidi, on the other hand, was seen as selfish and not ‘the type of person you would want to hire or work for.’ The same data with a single difference—gender—created vastly different impressions.”

The experiment was a perfect example of how the likeability bias plays out in real life, where success and likeability are positively correlated for men and negatively correlated for women, the McKinsey report explains.

“If a woman is competent she does not seem nice enough, but if she seems nice, she is considered less competent,” the report explains. “This bias often surfaces in the way women are described, both in passing and in performance reviews. When a woman asserts herself, she is often called ‘aggressive,’ ‘ambitious,’ or ‘out for herself.’ When a man does the same, he is seen as ‘confident’ and ‘strong.’”

Because of this, women can be over-looked in the hiring process or passed over for promotions because people don’t perceive them as likeable.

Other biases deal with performance, in that male performance tends to be overestimated when compared with female performance—especially in industries traditionally dominated by men, like security, according to the McKinsey report.

This can be exacerbated when annual performance reviews come up with unclear criteria. “The difference in the perceived performance of men and women helps explain why women are typically hired and promoted based on what they have already accomplished, while men are hired and promoted based on their potential,” the McKinsey report explains.

Additionally, women are typically given less credit when they achieve a successful outcome and blamed more when there is a project failure.

“Because women receive less credit—and give themselves less credit—their confidence often erodes and they are less likely to put themselves forward for promotions and stretch assignments,” the McKinsey report adds.

Another major bias that can hold women back in the workplace, which was touched on in Pao’s suit, is maternal. Motherhood triggers make individuals assume women are less competent and less committed to their careers.

For instance, in a 2012 report, McKinsey found one leader who presumed that because a woman was pregnant, she would not be interested in a job promotion. 

“For one opening, we had an employee who was highly qualified—she was running operations in Asia,” the executive said. “However, we didn’t ask her if she would be interested in the position, since she was pregnant and we assumed that she wouldn’t want to move.”

Because of this bias, women are “held to higher standards and presented with fewer opportunities” for advancement, the McKinsey report explains. It also impacts men, as fathers tend to receive lower performance ratings and steeper reductions in future earnings “after taking time away from work for family reasons.” 

Along with these biases, women surveyed by McKinsey also said they were consulted less often on important decisions, which could explain why women appear to advance at lower rates than their male peers.

“Compared with their male peers, senior-level women are about half as likely to say that they are consulted on important decisions and are less likely to feel recognized for their contributions,” the report adds.

And while 74 percent of companies reported that gender diversity is a top priority for their CEO, that message is not reaching employees. 

“Less than half of workers believe that gender diversity is a top priority for their CEO, and only a third view it as a top priority for their direct manager,” the report says. “Moreover, women are less likely than men to see gender diversity as a priority for their manager and CEO.”

In fact, the report found that men are less likely than women to think that their company should do more to increase gender diversity, and “13 percent of men believe it is harder for them to advance because they are disadvantaged by gender-diversity programs.”​

What Can Be Done

Because it is facing a shortage in the near future, the industry needs to make a “concentrated effort to make information security more attractive and rewarding to women,” wrote Michael P. Suby, Stratecast vice president of research for Frost & Sullivan, who compiled the (ISC)² report.

This is why (ISC)² itself has become a strong advocate for women in information security, says CEO David Shearer. 

“It might seem kind of strange for a bald, white, American guy to be out there trying to evangelize on the topic, but I am absolutely sincere about it,” he explains. “Because when you look at our constrained workforce, and you’re saying we don’t have enough people coming in, I go everywhere and give a stump speech on this.”

(ISC)² is attempting to attract women to information security through its women’s scholarship program, where it awards scholarships to promote women into the workforce, and through research—like its Women in Security report—that identifies problems and possible solutions within the industry.

There are also steps that companies themselves can take to ensure that they are recruiting and making their workplace culture inclusive towards women. Limbago has been involved in this process at Endgame, a software developer, because the company’s CEO—Nathaniel Fick—has made greater diversification a corporate goal.

“We’re a small company—we have maybe 130 employees—and out of our last 12 hires over the past few weeks, 40 percent were women,” Limbago explains. “That was awesome, and they were almost all technical.”

Endgame has taken a two-prong approach to attracting more women: recruiting them in the first place and then creating a work culture where women—and men—want to stay on board.

One of the first changes Limbago made when she joined the company was to make sure that at technical fairs where Endgame has a presence, there’s always a woman at the table. 

“We’re making sure at the tables that we have a woman at the booth at all times, and I notice—because it’s normally me—the women are more likely to come up and chat with me,” she adds. Additionally, Endgame also makes sure that a woman gives a presentation at the booth.

That’s an intentional decision, Limbago says, and is done while keeping Endgame’s bar for presentations high to show women at the event that if they’re hired by Endgame, they are valued.

Another key change to recruit women came when Endgame redesigned its website. Initially, the website had no pictures of women on it, so Limbago made it a priority to include photos and graphics that included women and minorities. 

Endgame also took a hard look at its job descriptions for positions that it was looking to fill. Often in job descriptions, employers will say “we expect this person to do X, Y, and Z. He must…” Instead, Limbago made sure that job descriptions used gender-neutral pronouns and included only the necessary requirements for applicants.

Lisa Foreman-Jiggetts, founder and CEO of the Women’s Society of Cyberjutsu, agrees with this approach and says that employers need to “be realistic” when they put out a job description for an open position. “Don’t make it a wish list,” she explains. “A lot of women feel that if they don’t qualify for one thing on there, then they won’t even apply for the position.”

Once women are hired, it’s critical to create a work culture where they feel valued and not singled out. One obvious, yet often overlooked, aspect of doing this is making company clothing—swag—available in women’s sizes.

Looking around the office at Endgame, the men often wore shirts with the company’s logo and branding but the women did not. “And it’s not because we don’t support the company, it’s because we don’t want to wear men’s shirts,” Limbago explains. 

Since then, Endgame has started making company clothing available not just in unisex sizes, “which really means men’s” she says, but in women’s sizing as well. Making small changes like this can help foster a sense of inclusion for women, Limbago adds.

Another focus for Endgame to help foster inclusion is to hold company-wide social events that encourage different parts of the company to come together. For instance, it competed in a road race in the Washington, D.C., area where one of its offices is based and then held a family brunch afterwards.

“So even if you don’t run, bring your family in to show that it’s a welcoming environment not just to 20-year-olds who don’t have family but to everyone else as well,” Limbago says. “It was something that actually fit and got the groups mixing really well.”

Also critical to engaging staff is ensuring that employees—especially female employees—are encouraged to apply for positions when they become open. “When you’re looking at your candidate pool, make sure you’re encouraging the women on your staff,” Shearer explains. “Make sure they feel that they would even be considered.”

This is key because sometimes managers can send signals that an open position “is wired for somebody,” which can discourage others from applying, Shearer adds.

Foreman-Jiggetts also recommends that companies create an internal women’s support platform that’s also open to men. This can help women make contacts within their company, get to know senior leaders in other departments, and have a better understanding of the company as a whole, she explains. 

Another change that Endgame has made—and many other companies are following suit—is making work hours more flexible. This can be highly beneficial for women because at every level, women provide a majority of child care and do the most housework, the McKinsey report finds. 

“Women are at least nine times more likely than men to say that they do more child care and at least four times more likely to say they do more chores,” the report explains. “Even in households where both partners work full-time, 41 percent of women report doing more child care and 30 percent report doing more chores.”

Creating flexible working hours that allow employees to adjust their schedule as needed creates an incentive that almost 80 percent of a subgroup of women surveyed for the (ISC)² report found valuable. This can help retain women, because “women place higher emphasis on nonmonetary incentives than men,” the report adds.

And while flexible work hours benefit women, they also benefit everyone else at the company and help promote generational diversity, Limbago says.

“It helps me with my two kids, but it helps younger employees who maybe do better working 10 a.m. to 8 p.m,” she explains. “They don’t want to come in at 8:00 in the morning.”

Other nonmonetary incentives that employers could consider adding to increase retention are paying for professional security certification expenses, supporting remote or flexible working arrangements, offering training programs, and improving compensation packages. More than 50 percent of women—and men—surveyed for the (ISC)² report rated these incentives as “very important” in retaining personnel.

Limbago says Endgame’s open personal time off policy also helps retain individuals because the focus is on their work—not on how many hours are spent in the office.

“You get your work done. That’s the priority,” she says. “It’s good for worker morale; it’s better for engagement. Things that help foster worker engagement, that can go a long way.”​

Signs of Progress

While the research about the state of women in information security may be bleak, it is creating some positives. “Sometimes you have to talk about the elephant in the room, because just through the fact of communicating what people are perceiving and how they feel they’re being treated, the other party might say, ‘I would never in my wildest dreams want to say something that would be interpreted that way,’” Shearer explains. “You have to give all parties a chance to grow through the process.”

And women are making progress and are more significantly represented in one role: governance, risk, and compliance (GRC). According to the (ISC)² report, one in five women in information security has a GRC role, compared with one in eight for men.

“Not just women, but also men, recognize the rising importance of this role and other roles concentrated in managing business risk,” the report explains. “…women, more than men, seized upon the growth opportunities in GRC early on. Thus, women as a percent in GRC roles is double their presence in all of information security—20 percent versus 10 percent.”

In the report, Julie Talbot-Hubbard, associate vice president for IT engineering, infrastructure, and operations at Nationwide, testified about her advancing role in GRC.

“September 11 was a catalyst that hit the United States, where companies experienced tangible impacts related to security preparedness. Many organizations began assessing their preparedness and reflecting if information security was critical to their company’s resilience, causing many companies to elevate the role of the cybersecurity professional,” Talbot-Hubbard explained. “I assumed a GRC/continuity planning role at a prior employer due to the need and lack of interest.”

Limbago says she is optimistic that the industry will become more accepting of women—and attractive to them—especially as the talent shortage in information security brings the issue to the forefront. 

“Necessity may force it, that we can’t just keep picking from one segment,” she explains.