To keep data safe, companies must recruit more women in cybersecurity, experts say
Industry short of skilled workers hasn't fully explored one solution: women
The cybersecurity industry desperately needs more skilled workers to help protect our data, yet experts in the field say it has only just begun to explore one obvious solution: recruit more women.
Recent high-profile data breaches at three Ontario hospitals, credit-monitoring agencies TransUnion and Equifax, as well as at Capital One, Desjardins and DoorDash, compromised the sensitive information of millions of Canadians. These serve as powerful examples of a growing problem.
"National and economic security depends on strong cybersecurity defences, and most nations are lacking," said industry veteran Lisa Kearney.
Yet in the 24 years she's been in the field, the Vancouver-based Kearney says she has only worked with "a handful" of other women, raising questions about why nearly half of the potential workforce is giving the industry a pass when so much rides on filling those empty positions.
In 2018, Kearney founded a non-profit called the Women CyberSecurity Society, aimed at helping women and girls interested in the cybersecurity field find good careers — and then supporting them so they want to stay.
Women are great at multitasking. They're great investigators that pay great attention to detail.- Lisa Kearney, founder of the Women CyberSecurity Society
"I think there's a huge opportunity for women to be able to come into this space and have a successful, satisfying career in cybersecurity," said Kearney.
In Canada, women make up only about 10 per cent of the cybersecurity workforce, she said.
There are a number of reasons why. Often the field simply isn't on the radar of girls and women as they pick post-secondary programs and consider new careers. If it is, "there's the perception that it's a man's-only industry," said Kearney. "The other perception is that it's all technical and you have to come from an IT background."
In fact, there are all kinds of jobs in cybersecurity and not all of them centre around coding, said Kearney. Some workers focus on things like government compliance or client management, yet most people assume only those with a programming background can find a home in the field.
Besides, women have traits that are valuable in cybersecurity. "Women are great at multitasking. They're great investigators that pay great attention to detail," said Kearney.
If women do enter the field, many will drop out because they feel isolated in such a "bro" culture, or because they've faced bullying, harassment or marginalization through lack of advancement, Kearney said.
"I was at a meeting where I was actually hired by the company to go in and help these men secure their systems and databases. And when we were concluding the meeting, my colleague to my right looked at me and said, 'Oh you don't need to be at the next meeting; that's technical."
She's also been invited to conference calls where she was told to stay on listen-only mode, and had male colleagues take credit for her work — an experience she says is common among women in the industry.
Why would women pursue work in the field if they're likely to face challenges like these?
There's the satisfaction of doing work that's become critically important now that our personal information exists in so many different digitally connected places, but also the promise of steady work with good pay.
Alana Staszczyszyn didn't initially see herself working in cybersecurity or any other information technology field.
"I thought I was going to be an artist and musician," she said.
But when a family member told her she'd never be out of work if she pursued a career in the field, she opted for a cybersecurity degree program at Sheridan College.
She got summer work in her field immediately following her first year, and though her LinkedIn profile clearly stated she was a summer intern, Staszczyszyn said she was soon getting messages from recruiters inviting her to apply to senior analyst positions.
Coming out of school, starting salaries often range from $60,000 to $75,000, said Staszczyszyn. But Kearney said she's seen starting salaries as high as $100,000.
Although estimates vary, a group called (ISC)², the world's largest professional organization for the cybersecurity industry, pegs the global shortage of workers at close to 3 million.
'Boys' club culture
Now 23, Staszczyszyn is a security consultant at Security Compass, a firm that specializes in software security.
But when she was starting out as one of only five or six women in a class of 60, she said she had to work to overcome being outnumbered. For group work, for example, she had to be assertive in order to find partners.
There's a lot of initiatives and conferences out there that are trying to address gender inequality gaps in the industry, but a lot of those initiatives are fairly recent.- Nicholas Johnston, Sheridan College cybersecurity professor
"There was definitely a boys' club culture where I felt I wasn't included in the discourse," said Staszczyszyn.
Her male classmates tended to be the coding- and robotics-club types, and since they didn't recognize her as one of their own, she had to "work a bit harder to prove that I could do things and I knew stuff."
Nicholas Johnston, a professor and program co-ordinator with Sheridan's bachelor of applied information systems and information systems security, says women have comprised about 10 per cent of the program's student body since it started in 2004.
"It also echoes the general ratio in the industry, which has been a concerning piece for a long time," he said. "It's starting to improve. There's a lot of initiatives and conferences out there that are trying to address gender inequality gaps in the industry, but a lot of those initiatives are fairly recent."
The low number of women in the field represent a missed opportunity, said Johnston. "Some of the best social engineers who are ethical hackers … that I have ever met have been women."
Interest in the program and demands for its graduates have ballooned in recent years, Johnston said. From just 10 or 15 students in the initial graduating classes, the program now has approximately 350 students and a wait list.
And demand for co-op students and graduates exceeds supply, he said. "A lot of the students come back from their co-op, oftentimes with a conditional employment offer from their co-op partners."
For her part, Staszczyszyn says she's encouraged by the advocacy efforts of organizations such as Girls Who Code, which provides free coding programs for teen girls, and The Diana Initiative, an annual conference about women, diversity and inclusion in information security, held in Las Vegas.
Asked what she wishes other young women could know about her field, Staszczyszyn reflects on her seemingly unlikely path from an arts-focused high school to becoming a cybersecurity analyst.
"If I had to tell them anything, it's that there's room for every single talent in this industry."
With files from Laura MacNaughton and Jacqueline Hansen