Careers & People

08:00 PM
Connect Directly

Best Practices for Recruiting & Retaining Women in Security

Gender diversity can help fill the security talent gap, new Forrester Research report says.

The ongoing challenge to fill mass cybersecurity job vacancies amid the backdrop of a lack of diversity continues to haunt one of the world's hottest industries.

But there are some best practices organizations can adopt to help hack the talent gap by recruiting and then retaining more women in the cybersecurity field, according to a new report from Forrester Research. A lack of staff (25%) and lack of staff with the right skills (22%) are the biggest challenges today for IT security decision-makers, according to the report, which draws from interviews with more than 30 women in the security field as well as men in security leadership roles, and other survey data and research.

The best practices for recruiting and retaining women in security include where to recruit outside – and within – an organization, how to build a relationship with the HR department, and creating a more inclusive and less biased corporate culture that attracts and fosters more diversity.

Forrester analyst Stephanie Balaouras, who co-authored the report with fellow analyst Claire O'Malley, says there are a couple of best practices for recruiting and retention that are fairly simple to adopt right away. "I definitely think recruiting beyond traditional security conferences and [job] fairs … is an easy step" to broaden recruitment, she says. "And looking at internal [employees who are] career-changers is a really easy one to take on, too."

That means attending or sponsoring conferences like Women in Security and Privacy, or Grace Hopper, for example, and recruiting from colleges and universities that enroll more or mostly women. Look for existing employees with risk and technology, or business skills, who may be interested in a career change like an IT staffer or business staff with strong communications skills and creativity, Forrester recommends.

On the retention side, Balaouras recommends security mentoring programs for women on staff and advocating for cybersecurity events to become more inclusive and welcoming to women. "I myself personally benefited from mentoring, and a lot of people we interviewed for the report had mentors, [including] vendors outside of their job as part of their network, too," she says. "And being a part of cultural change at cybersecurity events" is another initial first step to help in the retention equation, she says.

Number Crunching

Forrester's report cites the widely reported 11% statistic that quantifies women's representation in the security industry worldwide, and the projected 1.8 million empty security positions worldwide by 2020, according to the Frost & Sullivan report from last year.

But initial data from an as-yet unpublished study by Cybersecurity Ventures shows the 11% number may be a bit on the low side. Steve Morgan, CEO and founder of Cybersecurity Ventures, says his firm's research finds the number of women in cybersecurity jobs worldwide is actually over 20%. That number takes into account security vendors, security service providers, small-to midsized enterprises, and security startups in Israel that include women in their ranks.

"We looked at dozens of different sources and tried to synthesize [the data] and did our own outreach," Morgan explains. Morgan says that while his firm's data appears to indicate a healthier representation of women in the industry, it's still not great news.

"Women are definitely underrepresented," he says.

Forrester's Balaouras says she believes women now represent somewhere between 15- and 20% of the industry when security vendors are included in the headcount, and other factors. "It depends on how you define security. If you include security and risk, and include privacy, compliance and audit functions, I could easily see that it gets to 15- to 20% women."

If the data is focused specifically on core security architecture and operations, including detection, threat hunting, forensics and incident response, the figure stays at about 11%, she says.

Meanwhile, Forrester's report also notes that diverse teams and companies tend to be more successful, so there's an obvious business benefit as well. "Studies show that diverse groups focus more on the facts, process these facts more carefully, and are more innovative — all outstanding attributes for a security team," the report says.

"Companies in the top quartile for ethnic and racial diversity in management were 35% more likely to have financial returns above their industry mean, and those in the top quartile for gender diversity were 15% more likely to see returns above the industry mean," Forrester said, citing data from a Harvard Business Review report.

Best Practices

Here are Forrester's Best Practices for recruiting women in security:

Connect women with cybersecurity early on
Outreach with free cybersecurity classes and certificate training for underrepresented populations, for example. Another example is Palo Alto Networks' partnership with the Girl Scouts' cybersecurity badge.

Recruit from academic institutions with a higher enrollment of women
Check out colleges such as the The University at Buffalo, Florida Institute of Technology, and the Massachusetts Institute of Technology (MIT), which partner with Women in Science and Engineering and the Graduate Consortium in Women’s Studies. Consider recruiting from women's colleges like Bryn Mawr, Smith, and Wellesley.

Look to internal career-changers
Existing employees with risk and technology or business chops who bring risk management skills as well as communications and creativity strengths.

Look beyond STEM backgrounds
Few of the women Forrester interviewed began their careers via a traditional path.

Join forces with HR
Human Resources plays a major role in selecting job candidates, so work with HR to be sure you're on the same page on diversity of hiring and the type of qualifications needed.

Sponsor, recruit from diverse security events
Think Grace Hopper, etc.

Mentoring programs
Encourage security staff to mentor women both inside and outside the organization.

Here are Forrester's Best Practices for retaining and promoting women in security:

Track data on your diversity in hiring, promotions
How many women are in technical security jobs? How many have applied for open security positions? "Work with your HR department to dig into behaviors that may be holding candidates or employees back, and be honest about what needs to change," the report says.

Provide training to deal with internal unconscious bias issues
DCI Consulting, Paradigm, and PDT, are examples of firms that offer unconscious-bias training services to help organizations set policies and procedures to remedy those problems.

Offer family-friendly benefits for all employees
Flexible maternity and paternity leave, breastfeeding rooms, and working remotely.

Formal mentoring programs
Professional support, career path assistance.

Culture improvements as a performance metric
Make employees accountable for helping foster a diversity culture.

Foster cultural change at cybersecurity events
Help encourage better harassment reporting, more representation of women speakers and panelists. 


Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
The Case for Integrating Physical Security & Cybersecurity
Paul Kurtz, CEO & Cofounder, TruSTAR Technology,  3/20/2018
A Look at Cybercrime's Banal Nature
Curtis Franklin Jr., Senior Editor at Dark Reading,  3/20/2018
City of Atlanta Hit with Ransomware Attack
Dark Reading Staff 3/23/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.