The shortage of women in cyber security

Written by Joseph Poppy on 01/02/2019

Cyber security needs more people

In an age pushing for diversity, is it fair to say cyber security is still an industry dominated by men? A quick Google search seems to suggest so. Admittedly, “cyber security industry male dominated” is a somewhat loaded search, but the point still stands. By simply peering over my monitor and surveying the Bulletproof office, I am greeted by the many grizzled faces of men staring fixedly at their screens, hard at work, or at least pretending to be.

I exaggerate of course, but there is a case to be made that considering the global shortage of cyber security professionals, the industry needs to be working harder to encourage people from all backgrounds to get involved. Having said that, trends are slowly moving in the right direction. For example, the number of women CISOs has grown to 20% in 2019 (which you will notice is now).

However, this logically means that 80% will be male, which is not necessarily what you would call a balanced figure. Despite this growth, there is an argument to be made that fewer women are currently working in ‘tech’ overall than there were in the 1980s. Furthermore, following the news that the UK government has issued new funding to help drive diversity in cyber security, it’s clear the industry is falling behind other industries as far as diversity is concerned.


Why is this?

Lots of intelligent people have talked around this subject, and there still isn’t much of a consensus as to why this is. I very much doubt that I’ll be the one to solve it. Of the limited skills I possess, solving age old social issues isn’t one. However, there are various factors that should be considered.

For example, cyber security makes up part of the vast sector that can be defined by the vague term ‘IT’. In 2018, a mere 7% of tech positions were held by women in Europe. So naturally, being a small wedge in the cheese of IT, it’s not surprising that cyber security is lacking in women.


Women in cyber security exist! It’s not all men in dark rooms with hoodies on.

The shortage leading to the shortage?

There is a case to be made that the fact that the industry is so male dominated contributes to it remaining as such. That’s not to say that the industry is being deliberately managed as a ‘boys club’, though there are undoubtedly isolated cases where this is sadly true. Representation is important. If recruitment fairs or industry talks aimed at student types are invariably sporting male faces, potential recruits may well get the impression that cyber security is for men. It reinforces a stereotype.

A study conducted in 2017 states that most women decide against a career in cyber security by the time they are 16. Obviously, I am oversimplifying. There are no doubt numerous factors that come into play, but young people are notoriously impressionable.

There’s also the image of the cyber security expert. Search “hacker” (a term largely synonymous with cyber security) and you’re usually greeted with numerous pictures of a man wearing a hoodie. As far as mainstream culture is concerned, hackers are men and they are always cold.

This image keeps popping up whenever people discuss cyber security and, in some ways, could go on to explain the shortage of experts in general. It’s not a positive image. It hints at something vaguely sinister and ‘nerdy’ and fails to highlight the fact that anyone can earn good money through a rewarding and legitimate career in cyber security.


Increasingly more about people

Interestingly, it’s worth noting that the aforementioned image is somewhat outdated. Cyber security is becoming more and more about people than it is about tech. Just look at the evolution of phishing and other elements of social engineering. Phishing is all about convincing people to click links, download files or send money to accounts. Social engineering is all about knowing how people work and think and using this against them.

At Bulletproof, we’re seeing a huge rise in interest for our bespoke training programmes. Why? Because people are the most important part of any cyber security defence strategy. AI and machine learning technology is rapidly evolving and requires a lot of knowledge of how humans think and make correlations. Cyber security is more sociable than many people realise. Whilst, like any job, there is a lot of monitor staring involved, there are many other elements to cyber security that aren’t emphasised nearly enough.

Cyber security is more sociable than most people realise.

Needing experience to get experience is a vicious circle.

We’re focusing on the wrong thing

At this point, I should address the fact that, being a man myself, waffling on about the industry being male dominated may seem counterproductive. So, in order to get a better view of it, I spoke to Sarka, a Manchester-based penetration tester, to get her thoughts on the issue. She has co-founded InfoSec Hoppers, which hosts quarterly meet-ups for women working, or interested in working, in cyber security. Their aim is to encourage women in cyber security to talk about their work, attend conferences, and encourage greater diversity in what is a vibrant field.

Sarka says, ‘I think the whole wave of attention to less women in tech has put attention on the wrong side of things. We, as an industry, are lacking skilled professionals full stop.’ Which is certainly true, and we’ve covered it before. It’s said there will be a shortfall of as many as 3.5 million vacancies in cyber security by 2021.

Sarka goes on to say, ‘The issue I see is the vicious circle of needing experience just to get experience. I see so many people from my community that can’t find jobs because of this, and that’s the real issue with our industry now. It should be about skills and not gender.’

InfoSec Hoppers is a group for women who are interested in InfoSec, based in Manchester

Nurture talent regardless

So, therein may well lie the problem for both the shortage in cyber security staff as a whole, and for the apparent lack of women. Companies have vacancies that they want to be filled by people with at least X number of years in the industry.

That is all well and good, but unless they are also creating positions for those fresh out of school or university, then there’s no way for a new generation to get X amount of years. It seems logical that, if an industry is currently dominated by men, and it’s becoming increasingly difficult for people to get their foot in the door, then the industry will remain dominated by, not just men, but the same men.

There is plenty of talent or potential talent out there; we just need to nurture it and hone it to create the next generation of cyber security experts. That’s not to say we should seek out diversity for diversity’s sake, but (as CREST President Ian Glover puts it) ‘for the sake of the industry. By consistently taking people from the same backgrounds, we’ll keep coming up with the same approaches and solutions.’

The next generation of cyber security specialists need somewhere to start.

If we can alter the image of the cyber security professional from the basement-dwelling, anti-social anarchist to something more palatable, then more people might develop an interest.

More people will generally mean greater diversity. If we then go on to provide more entry level opportunities that don’t require an incredibly detailed CV, then that interest can be developed into a bona fide security expert.


Not just penetration testing

The notion of ‘hacking’ becoming intertwined with the idea of cyber security is also problematic. Too many people think the only job available in cyber security is penetration testing or bug hunting. Not everyone likes the idea of becoming a hacker, but that doesn’t mean cyber security isn’t the industry for them. The truth is there is a huge variety of jobs, such as SOC analysts, compliance consultancy, network architects, digital forensics and more.


We want talent

Ultimately, it doesn’t matter who you are: if you’re interested in tech and passionate about cyber security, the industry wants you – nay, it needs you. There’s a wide variety of jobs in the industry to suit different interests and skill sets. Check out our careers page if you’re interested in working for Bulletproof. If there are no current vacancies, send us your CV anyway and we can see if we have a position for you.

We’re proud to say we take on keen graduates and offer work experience placements with the hope to furnish the next generation with the skills to take on tomorrow’s cyber-threats and progress in a truly rewarding cyber-security career. We need to fill the staff shortage gap before it really becomes a problem.

Get in touch and you could join our amazing team of security experts!
