This is a really important question as women comprise roughly 10% of the cybersecurity workforce and that number doesn’t show any signs of improving. Clearly, women are not a homogenous group, so the answer varies based on each individual, but I can provide some general thoughts based on my own experience and research on this topic. I tend to look at this as a pipeline problem (i.e., why women aren’t entering) as well as one of retention (i.e., why women leave).
Let’s address the pipeline issue first. There are more and more programs aimed at getting girls and women into security, and these must continue andin the field, so that is positive progress. At the same time, media portrayals and popular culture have left cybersecurity with a horrible branding problem. When I speak to high school and college students, and ask what comes to mind when they think of cybersecurity, inevitably the response is a shady, socially inept young guy in a hoodie. That’s not quite the image to attract a more diverse pipeline. This media portrayal began in the mid-80s – when girls in computer science peeked – and since then has helped trigger a decline which has generally bottomed-out to the current state. This has also helped prompt the brogramming culture. Even for companies and academic programs that have avoided this issue, the perception that it exists and that the field is hostile toward women deters many girls and women from entering.
Retention is another issue. Last year I completed aon retention in cybersecurity. The key reasons people leave the field are burnout, lack of career advancement, and the industry culture. Similar to across the tech industry writ large, most efforts to address greater inclusion and diversity extend little beyond PR pitches and lack any substantive bite. Women are often still paid less, promoted less, and deal with discrimination and harassment, prompting the pursuit of other career paths. Importantly, this doesn’t just extend to the workplace, but also professional conferences (cons), each of which has its own culture and vary in their degree of inclusivity. Bad experiences at these conferences, coupled with limited professional growth, can have broader impact and may discourage women from attending these professional events or staying in the industry.