Managing Director & Senior Partner
There’s a huge opportunity to expand the numbers and capabilities of the cybersecurity workforce by attracting women to the field.
The world is increasingly turning to digital, but there’s a twist: a significant escalation of digital threats. Cybercrime inflicted a trillion-dollar global business loss in 2020 alone. Compounding the danger: 57% of organizations report unfilled cybersecurity positions. The weaker a company’s line of defense, the more vulnerable it is to major damages.
At the same time, we note, some 75% of today’s cybersecurity workers are men.
There’s a huge opportunity to expand the numbers and capabilities of the cybersecurity workforce by attracting women to the field. Why hasn’t this happened? The apparent stumbling block is well known: long-standing obstacles have kept many women from entering and pursuing careers in science, technology, engineering, and math (STEM) disciplines, including cybersecurity.
Solving both of these cybersecurity challenges—the staffing shortfall and the gender-based inequity—begins with opening STEM doors to women and girls. But the effort can’t stop at early-stage access. It must gain breadth and depth as women advance in the field so that they can fully participate in cybersecurity throughout a career trajectory.
The findings of our research—including a worldwide survey of 2,000 women studying STEM subjects—underscore the hurdles to expanding the cybersecurity workforce and making cybersecurity a viable career focus for women. (See the sidebar “About the Survey.”) Importantly, our findings also reveal some surprising opportunities for significant progress.
The global cybersecurity workforce was short some 3.5 million workers in 2021, according to Cybersecurity Ventures; by that count, the workforce of 4.4 million was 80% shy of the demand. (See Exhibit 1.) Concern over the dearth of tech talent in general has been growing for years, but it’s coming to a head as organizations increasingly rely on digital. With cybercrime on the rise, the shortfall in cybersecurity is particularly urgent.
How did this immense talent gap emerge?
Partly from a mismatch of supply and demand. This is a fast-growing but nascent and dynamic field. It takes time and money to acquire the specialized education, certification, and experience required to gain expertise. As demand continues to outstrip supply, the talent gap expands. Between 2020 and 2021, it grew by 13%.
But the extreme gender differential among the cybersecurity employee base indicates that other forces are at work. Women make up 39% of the overall workforce. They account for 38% of workers in STEM jobs but only about 25% of the cybersecurity workforce, according to Cybersecurity Ventures.
Attracting women to cybersecurity would do more than fill the empty chairs. It would:
But various barriers keep women out of cybersecurity. According to research from (ISC)2, a nonprofit that focuses on cybersecurity training and certification, the majority of women who have worked in the field report gender-based discrimination. Nearly all women (87%) reported having experienced unconscious discrimination, while 19% said they had been subjected to overt discrimination. Women also cited unexplained delays in career advancement (53%) and exaggerated responses to errors (29%).
Discrimination also manifests in a compensation gap. (ISC)2 research shows that 32% of men working in cybersecurity earn an average of $50,000 to $100,000 annually, while just 18% of women in cybersecurity occupy the same income bracket. And 25% of men versus 20% of women earn $100,000 to $500,000 annually.
But women’s low rate of participation in cybersecurity, and STEM fields in general, has traditionally been attributed to a narrow talent pipeline, itself a consequence of women’s low participation in tertiary STEM education. In fact, that’s a major theme that emerged from our review of more than a hundred reports, studies, indices, articles, and relevant global initiatives as well as our interviews with some 20 international experts from the public and private sectors, not-for-profits, academia, think tanks, and international NGOs.
This research informed our global survey of 2,000 women undergraduate STEM students in 26 countries spanning six regions—one of just a few studies on this topic to include a global sample.
Because sources pointed to early-stage STEM access as the primary stumbling block to women’s participation in cybersecurity, we focused our global survey on women undergrads in STEM-related programs. Specifically, we regarded our survey as an opportunity to test the conventional wisdom about women in STEM and cybersecurity.
Confirming and Refuting Notions of Gender Disparity. Our survey corroborated some traditional thinking—but refuted other key, long-held hypotheses. (See Exhibit 2.)
Here’s what we found:
Our survey also explored the reasons why some women said they did not want to pursue a career in cybersecurity. (See Exhibit 3.)
A subset of these respondents (22%) cited a lack of information about cybersecurity as a career path or a lack of technical knowledge, suggesting that there is an opportunity to attract a greater proportion of women to cybersecurity by making information and technical capabilities more widely available. Also, 47% of women simply said they were not interested in a career in cybersecurity—but when we asked them to elaborate, some also cited insufficient information, telling us, among other things, “I hadn’t thought of it” and “I have never been exposed to this field,” meaning that opportunities to engage in cybersecurity projects, internships, and other experiences were lacking. This suggests that there’s an even larger opportunity to attract women to the field through outreach efforts.
Our international survey revealed interesting differences across regions as well. For details, see the sidebar “Survey Results by Region.”
Access Versus Agency. Our survey results suggest that access—such as greater awareness of cybersecurity and increased access to higher education in the field—is not the stumbling block that keeps girls and women from participating in cybersecurity. But sizable gender gaps persist in the field, which means increased access is not generating increased participation. How to explain this paradox?
The true difficulty lies in agency. The problem is not primarily a lack of access to necessary resources or opportunities, such as the option to pursue a cybersecurity degree or apply for cybersecurity jobs. Rather, the problem is a lack of capacity to control resources and make decisions about their use: in many circumstances, social or cultural norms constrain a woman’s choice of what she can study, and unpaid home and care responsibilities limit a woman’s ability to enter or succeed in a career in cybersecurity.
Both dimensions—access and agency—need to be addressed to empower women to achieve their full potential. Certainly, both are necessary to advance women’s participation in a STEM field like cybersecurity.
The push for access in general has gained ground in recent years, thanks to the work of organizations worldwide dedicated to establishing gender equity. Today, an unprecedented number of women have access to education, health care, and political commitment to gender equality. Nonetheless, women’s participation in the labor force still falls short; in fact, it is declining and on target to reach what would be a 40-year low of 46% by the end of the decade, whereas the participation rate for men is projected to be 72% in 2030.
Many initiatives consider access primarily; they don’t address agency challenges. Women continue to carry the burden of unpaid household and care work—by a factor of three. They spend half as much time as men doing paid work. The result: they work more hours than men overall but receive less remuneration for their time.
Further limiting agency, women working in fields that predominantly employ men can suffer from a low sense of belonging and from impostor syndrome—a pattern of doubting one’s abilities and feeling like a fraud despite possessing the requisite capabilities and having a track record of accomplishments. In sum, systemic cultural, social, and legal barriers continue to constrain women’s agency to participate in STEM fields, including cybersecurity.
The pace of progress has been slow. At this rate, it will take more than 130 years to close the global gender gap. We propose that the urgent need to fill cybersecurity positions should be regarded as impetus to accelerate the effort.
In creating a framework to guide women’s empowerment in cybersecurity, we did not start from scratch. We built upon lessons learned from the significant accomplishments of initiatives that are seeking to establish women’s empowerment across industries and regions. These resources showed that the main constraints are adverse social norms, lack of legal protection for women, a failure to recognize and redistribute household and care work, and women’s lack of access to financial, digital, and property assets.
BCG’s approach to women’s economic empowerment recognizes the need to address the issues of access and agency that women will confront across the four major stages of the employee journey: pipeline, recruitment, retention, and advancement. (See Exhibit 4.)
In our framework, the stages are cyclical, not linear, recognizing the value that women at each stage hold for women at the other stages. Primarily, women who are leaders in cybersecurity (who have reached the advancement stage of the journey) will bolster women who are newcomers to the field, inspiring those at the pipeline and recruitment stages and mentoring women at the retention stage. As Betsy Bevilacqua, from Facebook, told us: “Compared with careers in tech, the path of a security engineer is not clear. There are many directions you can take. Women in cybersecurity need more support navigating different career levels as we don’t have a playbook.”
Pipeline. At this stage, the issue is having a sufficient pool of talent with the requisite skills and interest to enter a field.
Giving women greater access to pursue cybersecurity education would broaden the talent pipeline. Targeted STEM engagement of girls and gender mainstreaming of cybersecurity before high school are essential steps for building the pipeline. Role models and senior encouragement will support this effort.
To spark girls’ interest in cybersecurity in middle school and high school and sustain that interest over time, it’s also necessary to address agency-related perceptions of cybersecurity as a boys-only or technologically elitist career. “We need to reframe cybersecurity as much more than a solely technical field,” said Nadya Bartol, a managing director at Platinion, a digitally focused BCG specialty business. “Women have a lot to offer in a field that requires a combination of people, process, and technology skills to succeed.”
Recruitment. The recruitment stage involves applying and interviewing for jobs and the screening and hiring process. The recruitment challenge related to cybersecurity is ensuring that women are included and treated equitably.
One key barrier to access that emerges in this stage is the tendency to want to recruit the “perfect candidate”—a tendency that kills diversity. Recruiters seek candidates who look like current employees, with the right tenure, education, and technical expertise; given the urgent need in the workplace, they are reluctant to consider candidates who will require training. This thinking can exclude women, particularly young women who are new to the field—and it doesn’t help close the workforce gap. Access could be improved here by expanding the lens to include nontraditional candidates, sometimes hiring based on aptitude and being prepared to train or reskill for specific cybersecurity roles. Targeting women for internships is another way to address the issue.
Retention. Retention is a broad stage, encompassing many years of an employee’s career. A focus on retaining women in cybersecurity must address compensation, gender biases, and more. Fostering a gender-inclusive workplace culture and implementing diversity, equity, and inclusion policies are key drivers for retaining women employees.
Efforts to date are not serving to keep women in cybersecurity jobs, though. What explains the leaky retention pipeline?
Advancement. Advancement means moving people into leadership roles—and doing so equitably. Mentors and sponsors are crucial to advancing women to senior leadership roles in cybersecurity and to helping them navigate the industry overall and build business acumen, but it’s hard to find women who can serve as mentors and sponsors at this senior stage.
Women’s networks are crucial as well. Heise attested to the value of such networks in the cybersecurity field: “I had a strong women’s network at Lockheed Martin. It was a key resource to share information and guidance for career advancement and find mentors.” But it can be difficult for women in prominent positions in cybersecurity to find resources like this.
We screened more than 120 public- and private-sector organizations around the world with a stake in women’s empowerment in general and women in cybersecurity in particular to assess existing efforts. The progress made by such initiatives is clear—but so are the limitations.
Most of these stakeholders have a national or regional scope. Most are nonprofits. And most are concentrated in the US and Europe; data on women in cybersecurity in non-Western countries is lacking. The numerous initiatives are siloed and redundant. And stakeholders tend to focus on only one or two stages of the career lifecycle—the early stages of building a pipeline of qualified candidates through education and connecting candidates with employers for entry into the job market—rather than taking the holistic view that characterizes our cyclical pipeline.
There’s a clear opportunity for an inaugural international initiative on women’s empowerment in cybersecurity that covers the entire career lifecycle holistically and connects existing stakeholders and activities to share best practices and pool resources.
What can those with an interest in women’s empowerment in cybersecurity do? National governments, companies, schools and universities, NGOs, and individuals can all play a role. For each of these stakeholders, it’s important to consider agency- and access-related barriers across an entire career lifecycle. This could result in a broad range of constructive changes: at one end of the spectrum, planning and implementing policies; at the other, resolving with a partner to redistribute household and care work.
The challenges are great but the progress is encouraging, as indicated by our survey results—demonstrating higher-than-expected access to information, for instance—and by the women who talked to us about their successful careers in cybersecurity. Other promising trends: More women are entering cybersecurity; their participation doubled from 2017 to 2020, according to (ISC)2 research. Women working in cybersecurity tend to have advanced education, which strongly positions them for leadership positions. And the cybersecurity compensation gap is narrowing among younger generations.
Continued efforts to empower women to participate in cybersecurity will bolster gender equality, broaden horizons for women, and strengthen cyber resilience.