The cybersecurity gender gap persists. Couple this with the advent of a skills shortage, and the industry has two big problems on its hands beyond the constant work that is threat hunting and mitigation.
The dramatic gender imbalance in representation and leadership creates barriers to entry for young women with hopes of joining the industry who may be deterred from applying for jobs or internships because they don't see people like them among the ranks.
Michele Guel, distinguished engineer and IoT security strategist at Cisco, has been in the cybersecurity workforce for 31 years. One of two co-founders of Cisco's Women in Cybersecurity, Guel is a frequent speaker and panelist at conferences such as RSA. She speaks to her passion for increasing gender diversity in her industry, the progress she's seen over the course of her career and the challenges that still remain.
Women in Cybersecurity includes more than 600 members, 90% or more who identify as women. It hosts internal and external activities to mobilize the community and work to increase gender diversity, as well as full-spectrum diversity at the company.
Editor's note: This transcript has been edited for length and clarity.
Can you speak to why gender diversity is important to the cybersecurity industry?
Michele Guel: My personal beliefs, along with all the studies, are that full-spectrum and gender diversity in any team is a good business way to go. It is proven there is going to be more creativity and talents that mix well. I believe, in cybersecurity, the way women attack problems and men attack problems is different, and together, they're very complementary. Many women are very detail-oriented and can multiprocess. It's about solving a puzzle.
You see a lot of teams that are male-dominated. Women still only make up 20% -- depending on what report you read -- of all the professionals in cybersecurity. That doesn't make for a good role model experience for girls who are trying to decide who they want to be when they grow up. If they were to look at the industry or in the news, TV or movies, they just see mostly guys in those roles. They may think, 'Oh well, that's not something I should not want to do because it's mostly guys.'
How do you appeal to young women who might count themselves out because they don't see representation in the industry?
Guel: It's an ongoing challenge. You still see only 20% women in any given group, which makes it more difficult to encourage. At the same time, in the last two or three years, I've seen what appears to me an exponential increase in the number of young ladies -- talking junior high, high school, college -- who have demonstrated an interest in the cybersecurity profession. They've demonstrated their expertise and ability to compete in these national competitions, whether that be capture-the-flag competitions where they're hacking or the SANS CyberStart program. These programs are giving opportunities for young girls to demonstrate their skills, even if they've never had any exposure.
This year, at the RSA conference, I co-spoke with Mandy Galante from the SANS Institute on a proposal I had submitted around growing a pipeline for women in cybersecurity. We talked about the different phases, from starting in Girl Scouts to junior high, high school, college and college interns. There are a couple things that have importance. One is having someone they can see that made it; it's having those success stories and publicizing those success stories. When you see recognition for young girls and women in the news media about accomplishments they've made in the field, it speaks a story to the younger generation.
Me going out as a 55-plus white woman is not necessarily a good story to millennials. I am very encouraging, but I can point to this story about this 20-year-old and what they've done or the 16-year-old who did the keynote at RSA that started her own security consulting company. You get exponential value out of those success stories because you can share them and reshare them. Then, the younger generation can see young people they can identify with -- not just a young white person, but a 16-year-old girl with roots from India. They can see African American, Asian; they can see full-spectrum diversity and have these role models to follow.
What are concrete diversity goals companies should be striving toward? Is there a way to measure gender diversity?
Guel: Many organizations do have a way to measure gender diversity. The numbers are tightly held by the HR organization responsible for measuring diversity and reporting it. There is a U.S. federal mandate that companies must provide diversity statistics on hiring, however.
Is there any perfect ratio companies should be looking for? I think it depends on the company. If you have low diversity numbers in your cybersecurity department -- for example, if you only have 5%, then if you strive for 10%, that may be great for you to make that 100% increase in one year. If you are at 25%, then you should strive to still grow that number. I think it really depends on where the organization is at. If they don't have any measurements, then they need to start specifically looking at the problem. You're going to find that the challenges are in the smaller companies, not necessarily the Fortune 100 companies.
I've spoken to women in cybersecurity leaders within Silicon Valley. They all have specific mandates to increase women in cybersecurity and ways to measure that. But, when you get to some of the smaller organizations, you're probably just not going to see it. Most likely, in my opinion, it'll be the bro culture. They're going to have challenges.
Should hiring managers prioritize gender of applicants when they consider who might be right for a job? What is the best way to keep companies accountable to diversity goals?
Guel: Any job opening where there are no women or other diversity categories applying for the job, there's an issue. Either the job description itself wasn't written to be inclusive, or the people reviewing the resumes and who do interviews weren't being inclusive, or they're not looking in the right areas.
Cisco has a number of resources focused on diversity in cybersecurity. We have partnerships with different colleges and universities, partnerships with things like the WiSys organization and conference to make sure they have a pipeline of candidates when we have job openings. We actually go and represent at conferences -- we have a booth where we're specifically looking for those candidates. You have to be intentional about it, or you're going to miss the boat.
If you bring in a candidate that was born in India and she's looking at an all-white, over-40 panel, that's not very attractive. So, we have specific mandates -- as well as guidelines from HR -- that we must be inclusive in terms of the language and interview panels must be diverse. We even have an internal tool where, if you don't have enough diversity of interviewers on your team, you can request a diverse interview panel to review the candidate. It ends with who is the most qualified candidate in terms of the skills that they bring to the job -- not only their technical skills, but how they'll fit into the team.
What are some of the challenges women in cybersecurity face?
Guel: In my experience, when women come into any male-dominated industry, especially cybersecurity, and they're not getting connected with other women in a community, they may feel isolated. They don't have anyone to talk to or feel like no one's got their back or helping usher them along to success.
Michele GuelDistinguished engineer and IoT security strategist, Cisco
A challenge specific to the cybersecurity industry is that it's always changing; there are new technologies coming out all the time. There are new attacks, vulnerabilities and threat actors almost every day, and so it's a field where you have to have an insatiable desire to learn. It's not like, 'I got my degree last year; I'm good now.' That doesn't work for cybersecurity. You have to know a lot about the full spectrum of technologies to understand how they may play into cybersecurity challenges. Cybersecurity professionals need to have some level of knowledge across a broad range of technologies. That may not be attractive to some people who can't keep up with the reading or can't juggle family and career. But the best way for women to be successful in cybersecurity -- I tell this to groups all the time -- is to get connected. Together, we can do things -- the power of 'we' is much more powerful. You don't feel like you're doing it alone. That's the success factor.
When do you expect to see a less homogenous cybersecurity workforce, and have you seen progress in your years?
Guel: I've definitely seen progress. I've been in the tech industry for 35 years -- I was the only girl in the room for many years. Then, I could count five -- now, 10 women in the room. I spoke at an AI conference in New York in April. I could still count them -- there's definitely way more men than women, but the numbers of women were impressive. At RSA, there were a lot of women. Whether it's all the brouhaha that happened at RSA in 2018 or just the realization of the industry, you see many talks that feature co-presenters -- they have one man and one woman, or they have panels with a mixture. I think that's a success factor because it demonstrates that women can be great speakers too.
It was 2011 when I had sort of an aha moment. I was doing a summit for the SANS Institute. During the break at the summit, I went to the ladies' room, and there was a line. We were all in the line and looked at each other and realized at the same moment: There's a line! There were more women, so there was a line. It's humorous, but it's true.
There are many more women going through college who study some aspect of computer systems, engineering, infosec, cybersecurity and privacy -- the numbers are growing. One report from Cybersecurity Ventures says there are more than 20% women in the field. Part of that is the reality that cybersecurity careers span across many types of roles within an organization. It's not just the people in infosec or security operations that are securing the infrastructure. You have the people doing risk and audit, people doing security in programming, people doing testing and people doing incident response, doing security marketing who speak to the customers.
There are many cybersecurity jobs that aren't just about defending the company where you work. So, I've definitely seen that uptick in women. Within our organization, I think we have more than 25% women within the security and trust organization.
Do you have any words of advice for women who want to break in to the cybersecurity field?
Guel: Get engaged, and get engaged early. Figure out what your passion is. Start learning. Whether it's a hackathon or some kind of cybersecurity challenge, like a capture the flag or a CyberStart, go to a conference. Just get engaged, and start learning. That's the best way.
Then, look for organizations within your community and other people you can band together, or start your own. So, maybe you're a freshman at a university, and you're interested in cybersecurity, and you can only find a few women in your courses. Start an infosec club at your university. Together, as a small group, start meeting, and start getting engaged. It's exciting, and there's a lot of career opportunities. Stay engaged, and do so using the power of 'we.'