ISC2 Report: The Number of Women in Cybersecurity Remains Stagnant, Despite Ongoing Workforce Gap
Despite an increasing cybersecurity workforce gap (4 million jobs and counting), new analysis from ISC2 finds that women continue to be underrepresented in the profession and the industry has made little progress towards significantly increasing the number of women with cybersecurity jobs.
“The number of women working in cybersecurity has remained consistent year-to-year,” according to the Women in Cybersecurity report published Thursday. “ISC2 has estimated that the percentage of women in the industry is likely in the range of 20 percent to 25 percent.”
Just 17 percent of the 14,865 respondents to ISC2’s 2023 Cybersecurity Workforce survey, which was used to create Thursday’s report, identified as women. Eleven percent of survey respondents said there were no women on their security teams, with just 4 percent responding that more than half of their security team are women.
“I’m working on almost four years of working with the cybersecurity profession, and one of the most profoundly impactful things I noticed right away is how few women seem to be working in cybersecurity,” says Clar Rosso, CEO of ISC2. “And when you’re dealing with a massive workforce and skills gap, if half the population is not part of the profession, you need to do something about it.”
To do its part, ISC2 has been gathering data on diversity within the cybersecurity field to understand how people enter the workforce and new approaches that can be taken to attract and retain minorities, including women, in the profession.
Thursday’s analysis found that women had higher rates of pursuing cybersecurity in school (14 percent, compared to 10 percent of men) and of having a family member or a mentor working in the field who encouraged them to pursue it (14 percent, compared to 11 percent of men).
“Women participants also wanted to work in a continuously evolving field (21 percent) and one where they could help people and society (16 percent) at significantly higher rates than men who responded (18 percent and 14 percent, respectively),” according to the report.
Surprisingly, women held executive titles at a similar rate to men in cybersecurity. But their average salary remains below men’s: $109,609 and $115,003, respectively.
“In the United States, the pay gap has not changed much in the last two decades, and globally, the gender pay gap stands at approximately 20 percent,” according to the report.
Pay disparities are also wider for U.S. cybersecurity practitioners of color. The average salary for men of color was $143,610, while women of color made an average of $135,630—a nearly $8,000 difference.
Women also tend to hold advanced degrees—master’s and doctorate-level qualifications—at higher rates than men but have similar certification levels.
“When asked why they wanted to pursue a certification, both genders listed the primary reasons: to improve skills, stay current, and for career development,” according to the report. “However, women participants indicated they pursued and planned to pursue certifications to get promoted, to apply for jobs, or because their organization had a skills gap at much higher rates than men.”
These findings track with other ISC2 data that Rosso says stands out to her: women are 40 percent more likely to come into the cybersecurity profession through an educational pathway. But nearly 80 percent of employers looking to hire at the entry level prefer to hire individuals who have a certification instead of a degree.
Rosso says she does not have quantitative data about why employers appear to be more focused on certifications than degree achievement, but she adds that it could be because cybersecurity degree programs vary based on the university or college an individual attends. Certifications, on the other hand, appear to provide more reliability and predictability about a person’s knowledge and experience.
One striking finding in the report is that 76 percent of women said they were satisfied with their cybersecurity roles, but 36 percent also said they felt they could not be their authentic selves at work—compared to 29 percent of men. South Asian (48 percent), Black or African descent (43 percent), and Hispanic or Latinx (42 percent) women were most likely to report feeling they could not be their authentic selves at work, ISC2 reported.
Twenty-nine percent of women also felt that they were discriminated against in the workplace, compared to 19 percent of men. Women of Black or African descent in Canada, Ireland, and the United Kingdom reported the highest levels of discrimination, with 53 percent feeling discriminated against.
Men and women also had very different feelings about the effect that diversity, equity, and inclusion (DE&I) initiatives have and their effectiveness for their teams.
“Women participants felt more strongly than men that diversity and inclusivity impacted their security team performance, viewing security team diversity as important and a contributor to success at much higher rates than the men surveyed,” the report found.
Rosso adds that ISC2’s analysis finds that organizations with more women working on their teams have smaller workforce shortages, and that, across the board, organizations with DE&I practices in place have smaller workforce shortages than those that do not.
“That speaks to the need to have DE&I baked into how you hire, pay, and advance people in the organization,” Rosso says.
One bright point in the data is that when looking at workforce representation by age, 26 percent of respondents under 30 in cybersecurity identified as women.
“By 2025, research predicts that women will represent 30 percent of the global cybersecurity workforce, increasing to 35 percent by 2031,” according to a press release from ISC2.
Additionally, the report found that the average percentage of women team members—reported by women participants—was “significantly higher than by the men surveyed,” 30 percent compared to 22 percent, “meaning women work at organizations with a higher percentage of women on their security teams.”
Rosso brings this back to the well-known phrase: You cannot be what you cannot see.
“We see a trend when we look at younger women moving into cyber—the percentages can be up to 30 percent [of workforce representation]—but by age 35 there are grand exits from cyber,” Rosso says. This is often because the organization does not have other women in leadership roles, so women feel that there is no pathway forward for them in the organization and they may look for opportunities elsewhere—either in cybersecurity or a new profession.
“Something we know about cybersecurity professionals is it’s really important for people to understand ‘what are the career options I have in front of me?’,” Rosso adds.
Takeaways for Security Managers
The ISC2 report included five recommendations for security leaders to help increase women’s participation and job satisfaction in the cybersecurity profession:
- Addressing early education to expose women to cybersecurity programs earlier to create a pipeline of potential job candidates
- Creating hiring, recruitment, and advancement metrics to grow a more diverse workforce
- Making pay equity a priority
- Eliminating inequities around advancement
- Focusing on the “inclusion” aspect of diversity, equity, and inclusion programs to improve retention.
One of the easiest places to put these recommendations into action is to work with the HR team to conduct a pay equity review, Rosso says.
“ISC2 did a pay equity review back in 2021 and we found that we had gaps frequently with underrepresented groups in our organization,” she adds. “What we also learned is you have to do this on an ongoing basis.”
Rosso also recommends that managers be intentional by including personnel from diverse backgrounds in discussions about their career goals and in meetings where they have an opportunity to learn from other team members.
“Include them in learning experiences,” Rosso says. “Sometimes it’s as simple as just having a junior staffer sitting in on a meeting to find out how senior individuals are solving problems. That tells that person, this organization values me because they are including me.”
She also suggests that, when evaluating criteria for job listings, managers do some self-evaluation on how they are supporting the team members they already have—including providing mentorship opportunities and learning experiences—and assess which qualifications job candidates need for open roles versus those that they can be trained for on the job.
It’s also important to be aware of personal bias during the hiring process. Rosso explains that people tend to recruit and advance people who have the same educational backgrounds that they do, creating a barrier to entry for those who have a different background.
“We’re not trying to make anybody feel bad about bias,” she adds. “But awareness of it, and then taking steps to counteract it, can have a huge impact and difference.”