Why Are There So Few Women in Cybersecurity?
And what will it take to get more? Plus: Evidence that MSPs want more stuff from fewer vendors and the continuing wait for an AI-powered cloud boom.
Statistics are all about context.
For example, just 30% of IT jobs are held by women at present, according to 2024 data from CompTIA. Pretty bleak, but actually better than last year’s 26% and better still than the state of play in cybersecurity, where a mere 20 to 25% of the workforce is currently female, according to recent research by security member organization ISC2.
It’s a phenomenon that Ann Westerheim (pictured), founder and president of Westford, Mass.-based IT services firm Ekaru LLC, regularly sees illustrated at industry events. “If there’s a hundred people in a more technical cybersecurity session, there’ll be like five women and the rest are men,” she says.
We’ll discuss fixing that momentarily, but let’s take a swipe at explaining it first. The biggest issues, which aren’t actually unique to security, include a widespread and often unconscious bias that Westerheim experienced personally (and far from for the first time) during a recent conference where an exhibitor was giving away free copies of a new book.
“The guy handed it to me and said, ‘Oh, don’t worry, the first chapter is not very technical, so you’ll be able to understand it,’” she recalls. Westerheim has three engineering degrees, including a doctorate from the Massachusetts Institute of Technology. “I think I can understand it,” she observes drily.
Other factors include a self-perpetuating dynamic often found in male-dominated workforces, or really anything-dominated workforces: men in security tend to know a bunch of other men in security, and call them when a position opens up.
“There’s a lot of referrals,” observes Celeste Blodgett, vice president of HR at security vendor ESET. “Sometimes that’s a disadvantage for women.”
Especially when hiring managers need a position filled quickly, which they usually do, notes Dwan Jones, ISC2’s director of diversity, equity, and inclusion.
“If we need to do something quickly we’re going to use shortcuts, and shortcuts mean I’m not going to go outside of the normal channels that I tap into to find talent,” she says. “That isn’t necessarily getting us where we need to be in the long run.”
Even men free of bias with the patience to conduct a fairer search can struggle to find female candidates. Far more men than women pursue careers in security at present, partly because women have so few role models to emulate and partly because they can see just how male-dominated a field security is.
“It feels like they’re really climbing a mountain,” says Joy Belinda Beland, vice president of partner strategy and cybersecurity education at Summit 7, a provider of cybersecurity and compliance solutions.
There are lots of reasons to find all of this upsetting, but surely one of the greatest is that we need as many cybersecurity professionals as we can get right now. While there were 5.5 million people employed in security last year, according to ISC2, that’s a whopping 4 million shy of what’s required to meet burgeoning demand. Both MSPs and their clients, moreover, call “shortage of in-house cybersecurity skills/expertise” their single biggest security risk, per a study from Sophos published earlier this week.
“All these jobs are available,” observes Westerheim, “and very few women are winding up in those positions.”
What to do about it
Westerheim and others have suggestions for changing that sad state of affairs. Here are five examples:
1. Counter stereotypes. Like the image at the top of this post, for example, which is what people tend to envision when they hear “cybersecurity expert.” It’s also, according to Jones (pictured), off-putting for a lot of women.
“Unfortunately, what you see a lot of times portrayed in the media is not actually what a cyber professional does,” she notes. “It’s not just sitting behind a computer all day.”
In fact, it’s not just any one anything. “There are so many different things that you can do within cyber,” Jones says. “We as an ecosystem need to do a better job of making sure we explain all of those different roles.”
A lot don’t require much technical skill either. “I think that the biggest problem is that when people look at women in cybersecurity, they think hackers and coding skills,” Beland says. “There are so many areas of cybersecurity that don’t require that level of technical background.”
Project managers are a good example in the compliance world, she continues. “They’re going to have the oversight to pull all of the pieces together and make sure everyone’s marching in the same direction and meeting their milestones.”
2. Hire from within. Most organizations, Beland continues, already have people qualified to do important but non-technical cyber work. How about folks in accounting, for example?
“Auditors are trained to look for problems, and auditing a cybersecurity control is not an absolute huge leap from auditing financials,” Beland observes.
Ron Culler, vice president of cyber development programs at CompTIA, encourages more such creative thinking. “The only way we’re going to solve a lot of issues rapidly is for companies to look internally and start thinking about upskilling their employees,” he says.
3. Cast a wider net. Recognizing your tendency to approach the same set of familiar male buddies every time you have a job to fill is a good beginning. Calling someone else instead is an essential follow-up.
“You have to step outside of your comfort zone,” Jones says.
For example, you may only have male contacts, but the women you work with—whether technicians, salespeople, or admins—probably have a whole different set of relationships. “Reach out to them as a partner to help you recruit,” Jones advises.
4. Think retention as well as recruitment. Hiring women into security roles is only half the battle. “We don’t want them to just come in,” Jones observes. “We want them to stay, and we want them to progress and advance.” Emphasizing the “E” in DEI can help.
“Ensuring that everyone is on the same pay level makes a huge difference,” Jones says.
So does offering flexible hours, Westerheim adds, noting that women tend to do a disproportionate share of the cooking, cleaning, and childcare in most homes. “I worked the whole time my kids were young, and it was absolutely insane to have three young kids and work full time.”
5. Pay it forward. Women who’ve made it in security, Blodgett notes, can play a huge part in helping others do the same by sharing what they’ve learned along the way about matters like career advancement.
“Women sometimes in the interviewing process don’t sell themselves,” she says. An experienced mentor can show them how—even if they’re not a woman. Men have a part to play in mentoring female security pros too.
“We need support from both sides,” Blodgett says. “All of my opportunities have been because men have helped support me.”
Cause for hope
It’s worth noting before we move on that while there’s still much progress to make when it comes to women in cyber, much progress has been made already. Cybersecurity Ventures expects women to account for 30% of the global security workforce by 2025 and 35% by 2031, for example.
“The younger generation coming into the field is more diverse,” Jones notes.
A growing number of non-profits (like those helpfully listed earlier this week by Ross Haleliuk, the security executive and blogger I wrote about a few months back) is contributing to that development, along with a wide and expanding range of scholarship programs. ESET’s own scholarship competition, now in its ninth year, named four winners yesterday.
“Our applicants have tripled,” Blodgett (pictured) says.
And if you’re still not feeling optimistic, Jones adds, just remember that the legal and medical professions were once overwhelmingly male too. “Of course there are issues, but it’s definitely not as big of an issue as it was 50 years ago,” she says of those fields. “We will make progress and there is hope.”
MSPs want it all, and preferably in one place
It required fortitude, but if you made it all the way through my giant RSA Conference news roundup a few weeks back, you may have noticed a shared (if unspoken) thread uniting several of the stories:
SonicWall has introduced a centralized platform for managing the solution lineup it’s expanded multiple times of late via acquisitions.
Veeam, best known for data protection, is getting into security too.
Acronis, having added EDR and MDR to its Cyber Protect Platform earlier, is now adding XDR too.
Cisco has consolidated its many security solutions into three suites, and is paying rich rewards to partners who sell them.
Security vendors, it seems, are actively building broad collections of integrated systems. That previously cited study from Sophos (a company that’s had a wide-ranging family of integrated solutions for years) points out one reason why: MSPs are sourcing more security products from fewer vendors.
In fact, 53% of the MSPs Sophos surveyed get everything in their security stack from one or two vendors and 83% buy from no more than five vendors. Their thinking is less than mysterious too. On average, participants in the new study estimate that managing all of their security tools from a single platform would cut day-to-day administrative time by 48%.
This is not a trend limited to security either. Some 80% of channel partners plan to reduce vendor relationships of all kinds to five or fewer by the end of this year, according to IDC. Already in fact, per research from CompTIA, 29% of partners are enrolled in just one to four programs and 11% belong to none.
Nor is this phenomenon just about streamlining relationships. There’s mounting interest among MSPs in what Cisco exec Brian Feeney calls “tools rationalization” as well. The new Sophos data, for example, reveals that 74% of MSPs who use a combined RMM/PSA solution are very satisfied with those systems. By contrast, just 43% of MSPs using a stand-alone RMM system are very satisfied with it and just 40% using a stand-alone PSA app are very satisfied.
The closely related implications of all this for vendors are pretty clear:
Think platforms, not products, going forward.
It’s a poor time to be a maker of stand-alone anything.
Partners that do more business with fewer vendors usually expect to be rewarded with price breaks and other perks. Vendors eager to be among the few relationships those partners maintain would be wise to give them exactly what they want.
Meet the new networking
Hybrid work and the Internet of Things have changed networking and network management forever. But you know that already. You want to know what to do about it, and the latest episode of the podcast I co-host has answers. Tune in now!
We’re still waiting for the AI cloud boom
As we said above, data can be misleading in isolation. Take Gartner’s recent projection of 20.4% growth in public cloud spending this year to $675.4 billion. Looks pretty good until you consider that Gartner was forecasting $724.6 billion of public cloud outlays in 2024 as of last April.
Apparently, the AI-powered boom in cloud consumption so many were anticipating a year ago has yet to materialize. Further evidence arrived last week courtesy of Canalys, which reported a 21% year-over-year uptick in sales of cloud infrastructure services during Q1. Again, that’s a plenty robust number, but not significantly more robust than the 19% growth Canalys recorded in Q1 of 2023 back when genAI was still in its infancy.
That said, judging by all the money they’re pouring into hardware, the cloud hyperscalers still see a lot more AI-related revenue coming. Google parent Alphabet spent $12 billion on capex in Q1 (“driven overwhelmingly by investment in our technical infrastructure, with the largest component for servers, followed by data centers”) and Microsoft spent an even bigger $14 billion (up from $7.8 billion a year earlier). Amazon was squishier on the topic in its recent earnings report:
“We anticipate our overall capital expenditures to meaningfully increase year-over-year in 2024, primarily driven by higher infrastructure CapEx to support growth in AWS, including generative AI.”
Speaking of AWS, let’s close with this: As previously noted, cloud infrastructure spending industry-wide rose 21% in Q1, according to Canalys. Google did even better at 28% and Microsoft better still at 31%. I could be wrong, but the Canalys numbers implied roughly 20.2% growth for cloud infrastructure providers excluding hyperscalers.
And Amazon? Its cloud revenue was up just 17%. Which is to say that AWS is currently losing share not just to its two biggest rivals but to the entire public cloud market.
Also worth noting
Veeam’s technical training arm has added new on-demand certification courses for partners and customers through an alliance with one of its service partners, Tsunati.
CrowdStrike is collaborating with Cloudflare on SOC services and with eSentire on supporting Carbon Black users worried about that vendor’s still uncertain future.
Cisco and Lenovo are partnering on integrated AI infrastructure and networking solutions.
Keeper Security has rolled out a modernized version of its browser extension.
Big-time MSP TPx now offers dark web monitoring via Breach Secure Now.