Press Coverage

Women are great cybersecurity hires. So why are they so underrepresented in a short-staffed field?

The following article first appeared in DX Journal on Sept 20, 2023.

In January 2023, the Canadian Centre for Cyber Security (CCCS) delivered its baseline cyber threat assessment with a stark warning: organized cybercrime, it said, “will very likely pose a threat to Canada’s national security and economic prosperity over the next two years.”

Possible targets cited by CCCS included hospitals, where cyberattacks can disrupt patient care and delay tests; goods and services, where they can drive up prices and short supply; and of course, banking attacks, payment card frauds, and identity theft.

Cybersecurity, consequently, is a fast-growing field where the stakes are already relentlessly high and only promise to grow — but not only because the threats are multiplying.

The number of vacant cybersecurity positions globally outpace the skilled workers available to fill them, and according to IT World Canada, this means the escalating likelihood of cyberattacks are expected to be exacerbated even further by the sector’s chronic talent shortage.

Canada is not exempt from this problem. The Information and Communications Technology Council (ICTC), a digital research-based not-for-profit, reported in a 2021 study that despite offering robust, competitive salaries, one in six Canadian cybersecurity positions go unfilled.

That represents about 25,000 jobs left open — attributed partly to burnout, students opting out of cybersecurity programs while they’re still in school, and competition from U.S. companies offering higher salaries, the study read.

But while the nation faces a shortage of workers, ICTC’s research also suggested a lack of diversity in the talent pool could prolong it: those identifying as Black, Indigenous, or people of colour represented only 25% of cybersecurity workers.

Those identifying as women had the least representation — just 20%.

“We need to pull more women in,” Rushmi Hasham told DX Journal in September.

Hasham is the director of cybersecurity workforce training at Toronto Metropolitan University’s Rogers Cybersecure Catalyst, which offers innovative training and certification programs aimed at boosting Canada’s competitiveness in the sector.

And although Hasham says more women are beginning to pursue cybersecurity, increased representation is necessary to perpetuate that progress — and the valuable contributions women make to the field.

“We want to have their opinions heard, we want their unique perspective, and women offer new solutions that we need, frankly, across the entire industry,” she said.

“But we also need to make sure that we’re creating the space, that they feel the inclusion.”

The value women bring to cybersecurity

Cultivating a gender-diverse staff offers a litany of benefits for companies, and when it comes to cybersecurity, there are practical, research-based incentives to hire women.

Université du Québec à Montréal professors Camélia Radu and Nadia Smaili found “evidence of a positive association between the level of cybersecurity disclosure and board gender diversity” in their 2021 research study, Board Gender Diversity and Corporate Response to Cyber Risk: Evidence from Cybersecurity Related Disclosure.

“The presence of women IT experts on boards resulted in improved cyber risk management — board monitoring, management supervision and corporate governance in particular,” Radu and Smaili wrote for The Conversation in December of 2022.

In addition to bringing new perspectives to the decision-making process and adding a greater variety of skills and capabilities, they said their research also found that women “had lower risk tolerance, enhanced ethical practices and engaged less in fraudulent practices.”

In short?

“These specific skills, combined with their IT expertise, meant women improved the cybersecurity risk monitoring of their companies,” Radu and Smaili said.

But despite all they bring to the table, The Globe and Mail’s Tayo Bero wrote in August 2022 that women continue to face barriers in the industry that include being talked over in meetings, having their ideas ignored or co-opted by their male colleagues, and never being recognized for their work.

The effects on women’s cybersecurity careers are detrimental.

“Obviously, if a [young woman] sees this type of treatment towards her where she is constantly reminded that she has to prove herself [and prove] that she actually knows something, she would think twice whether this is a good career for her,” Natalia Stakhanova, an associate professor of computer science at the University of Saskatchewan and a Canada Research Chair in security and privacy, told Bero.

Research also suggests women are also less likely to apply for cybersecurity jobs in the first place.

According to a survey commissioned by Microsoft Security, men are more likely than women to feel qualified to apply for a cybersecurity job posting, while many respondents “indicated a bias that cybersecurity isn’t a traditional career choice for women.”

“Some women expressed these biases themselves,” Vasu Jakkal, the Corporate Vice President of Security, Compliance, Identity, and Management with Microsoft, wrote in a March 2022 blog post.

“The survey indicated women are more likely than men … to think that cybersecurity is ‘too complex’ of a career.”

This perception could be influenced by the shortage of women in the industry — possibly creating a self-fulfilling, and perpetuating, prophecy.

“A lack of representation can then reinforce the gender gap by dissuading women from entering cybersecurity,” Jakkal said.

How to improve equity and inclusion in cybersecurity

With challenges like these at play, Hasham believes that we can start attracting women to cybersecurity jobs by lowering barriers to entry.

“If we’re looking at the mid-career woman making a pivot, she’s looking at: can I put my family aside? How do I do this?” Hasham said. “So, time is a barrier.”

Hasham’s work has been closely tied to the development of solutions that include rapid workforce programs like Toronto Metropolitan University’s Accelerated Cybersecurity Training Program, which took students six months rather than years to complete.

It has since been replaced by Certifications for Leadership in Cybersecurity (CLIC), but the goal, she explains, remains the same: to boost the number of qualified individuals entering the cybersecurity workforce while increasing representation.

Delivered online and taken part-time, CLIC is both self-directed and instructor-led, has a focus on mentorship, and is designed to be thorough: within six months, graduates join the labour pool having attained two globally-recognized SANS GIAC certifications.

“Women always think, ‘If I’m going into training, what will the return be?’ And then: ‘That investment is coming out of my family budget. Can I really do this?’” Hasham said.

“It’s about putting ourselves first. We really don’t.”

Hasham also suggests that women who don’t apply for cybersecurity roles because they don’t exactly meet the qualifications in the job description should reconsider.

“A woman will say, ‘Oh, they wanted these certifications, but my certifications are [different],’” she said. “And then, she doesn’t apply. But meanwhile, all of the skill requirements are what she has, and more.”

Once women secure jobs in cybersecurity, they need allies in the workplace, Hasham said. And here, men and management have an important role to play in lifting their female counterparts up.

“We need men to be collaborating with us in that learning process, for them to be part of the solution,” Hasham said.

“We’ve gone through this notion that if we created women-only cohorts, women would succeed more. And we learned that men need to be part of that, because you’re going to work in a collaborative co-ed environment anyway. So, we need to create that in our training.”

Finally, Hasham said that women in the industry need to be seen and heard so that others can imagine themselves in a similar role.

“It’s the full belief of: ‘If I see a woman in this profession, I can be a woman in this profession,” she said.

“We need to amplify the women who are in the industry. We need to give them a voice, we need to give them a platform. We need to help them shine.”

More from the Catalyst