Cracking the glass ceiling: solutions to close the cybersecurity gender gap

A woman with paper and cardboard surrounding and emerging from her head.

Image: Jannissimo / Adobe Stock

As accidental and malicious cyber-breaches impact more companies across Australia, there’s a growing demand for cyber professionals and improved cyber capabilities.

This demand has only highlighted the gender disparity in the cybersecurity industry. While it’s widely recognised that women are underrepresented in cyber, what actions can we take to embrace the diversity of talent and resolve this ongoing problem? 

Dr Ivano Bongiovanni and Megan Gale from The University of Queensland (UQ) Business School set out to investigate the lack of women working in cybersecurity in collaboration with fellow UQ Business School researcher Professor Tyler Okimoto, Chair and Director of UQ Cyber Professor Ryan Ko, and University of Strathclyde academic Dr Karen Renaud.

Through a series of interviews and workshops, their research uncovered barriers women face entering and remaining in the industry, as well as practical steps to promote greater diversity and narrow the gender gap.

The study involved interviewing 30 participants with varied experience in core cybersecurity areas and industries.

  • 10 female industry professionals working as directors, consultants, senior managers, executives, analysts, and specialists.
  • 10 female and male hiring managers working as executives, directors, consultants, and human resources managers.
  • 10 female postgraduate and PhD university students.

Two subsequent design-led workshops were held in partnership with the Queensland Government Department of Transport and Main Roads* (TMR) to gather feedback from 20 female participants and co-create meaningful solutions for organisations.

*Previously the Department of Communities, Housing, and Digital Economy (CHDE)

Read more about the research project here.

Image: svetazi / Adobe Stock

A silhouette of a female head with lightbulbs falling around it.

Confronting technical misconceptions

A core obstacle uncovered in the study came from industry perception: what does it mean to be a cybersecurity professional?

Despite the variety of vital technical and non-technical roles in cyber, the research highlighted misconceptions about the industry’s preference for the former.

“Many believe that, regardless of gender, you need to be technically skilled to be a good cybersecurity professional,” Dr Bongiovanni said.

“At the same time, there’s a societal perception that suggests women are inherently non-technical.”

“Women are often stereotyped in the industry as having ‘soft’ skills, or perhaps, worse, as not having those ‘technical’ skills,” Gale agreed.

“This seems to stem from inherent biases and the inverse stereotype that ‘techies’ are men interested in computer games, so we see cybersecurity generally grouped with IT, and those biases flow into this industry.”

A continuous line drawing of a woman using a laptop and writing in a notebook

Image: Drj one line / Adobe Stock

Senior Cyber Strategist at TMR and UQ MBA alum Shelley Smith found this misconception was often the first barrier to women applying for jobs in cyber.

“It’s easy to rule out cyber roles when you feel like you don’t quite fit that mould, so it’s important to know you don’t need deep technical skills to do many of these jobs,” Smith said.

As part of her role with TMR, Smith recognised the importance of assessing the total transferable skill set someone brings into a position.

“We want to attract people with broader backgrounds,” Smith said.

“People who come from varied life and professional experiences bring a new lens to cyber, which is highly valuable. You've got to have people with different perspectives.”

Reimagining cyber one practical step at a time

Dr Bongiovanni and Gale’s collaborative work with Smith and TMR identified a number of solutions organisations can implement to start dismantling the hurdles women face in cybersecurity.

“Organisational cultures are one of the toughest to change, which means progress can only happen over a period of time.”
– Dr Ivano Bongiovanni.

Here are some helpful strategies they shared to help organisations get started:

1. Create and support initiatives that engage gender diversity

Biases run rampant in the workplace and beyond. As Dr Bongiovanni and Gale observed, the industry ‘boys club’ attitude seeps into conferences and professional retreats targeted toward men.

“When you already know there’ll be a majority of male participants, it might make sense from an organiser’s perspective to cater to that larger fraction,” Dr Bongiovanni said.

“The problem is that this perpetuates a familiar and detrimental cycle.”

According to the researchers, it’s essential for organisations and event coordinators to approach current female-orientated initiatives, such as the Australian Women in Security Network and Women in Cybersecurity, and ask questions to learn how to make these environments friendlier for diverse gender representation.

“To really support women in the industry, you need to host inclusive social events and invite women to conferences and networking events as speakers and leaders – not just participants,” Gale suggested.

“It’s also important to consciously market the achievements of the women in your team internally to your colleagues, and make sure your team and your workplace have those visible female leaders.”

Smith similarly recognised the part both female role models and mentoring programs can play in helping women overcome misconceptions and feel confident pursuing and staying in cyber roles.

“These initiatives can help women get a feel for the job and see what parts of cyber appeal to them,” Smith said.

“Hearing from other women in the industry is also encouraging. You see what someone else is doing and think, ‘That’s not an issue; I can do that.’”

Ways to engage gender diversity in the workplace include:
○ introducing internal mentorship programs for women
○ encouraging men to be champions of industry change
○ inviting women to industry events as speakers and leaders
○ championing compliance programs on diversity, inclusion and equity.

Image: Master1305 / Adobe Stock

A woman sitting in a chair with a scribbly line emerging like a thought bubble from her head
A continuous line drawing of a woman using a computer and holding a pen

Image: Derplan13 / Adobe Stock

2. Be a proactive advocate for equitable hiring practices

When filling job vacancies, Gale encourages organisations to avoid placing a man in a technical role as the ‘safe’ course. “Ask yourself, why do I think a technical role would be better suited to a male candidate? Is there inherent bias at play?” she said.

According to Dr Bongiovanni, these biases can also trickle into job advertisements.

“Often cybersecurity is portrayed as an overtly adversarial environment where you need to defend the fort against the baddies out there,” he said.

While fighting cybersecurity threats doesn’t entail violence, Dr Bongiovanni found this perception could have a negative impact on women looking for jobs in cyber.

“Research has shown men often thrive in competitive spaces while women tend to prefer cooperative environments, so it’s important to promote collaboration in job descriptions,” Dr Bongiovanni said.

When reflecting on hiring practices, both Gale and Smith encouraged managers to focus on the benefits of diversity and the innovative and financial potential it brings to organisations.

“If everyone keeps hiring the same mindset, you're getting the same answers to the same questions,” Smith said.

Ways to introduce more equitable hiring practices include:
○ creating inclusive job descriptions for all cybersecurity roles
○ increasing the number of entry-level jobs
○ promoting discrimination and bias training for hiring managers
○ leading HR-driven marketing campaigns to target women.

Image: svetazi / Adobe Stock

A woman climbing a set of stairs shaped like an arm that's holding an open laptop
A continuous line drawing of a woman using multiple screens

Image: Derplan13 / Adobe Stock

3. Support flexible work arrangements for all employees

From longer hours to lack of parental leave, women can be deterred by the inflexible work schedules that cybersecurity is known for.

Organisations need to invest in alleviating the toll that comes with the long hours expected of cyber roles, according to Dr Bongiovanni.

“For starters, by creating a number of cybersecurity teams, you can introduce an alternating roster that helps relieve individuals of an extreme workload,” he said.

Working in the public sector, Smith observed flexible work practices are increasingly being accepted as the norm and are supported by the Queensland Public Sector Act 2022. The new act provides a modern, employee-focused framework for the Queensland public sector.

“There’s a growing consideration of the fact that people need to be flexible in their career to take a break,” she said.

“Sometimes that’s a career break; other times it might be paternal leave. It’s about giving everyone access to flexible work opportunities, which can free up women to come back to work in their own time.”

Ways to support flexible work arrangements include:
○ promoting parity in parental leave for all employees
○ supporting opportunities to work from home
○ building more cybersecurity teams to help reduce extreme workloads.

Image: Mary Long / Adobe Stock

Two women sitting on either side of a ravine and looking at each other. The image is drawn in a corporate art style.

“These smaller actions might fly under the radar, but they can also have a significant impact in helping improve the representation of gender in cybersecurity.”
– Dr Ivano Bongiovanni

Learn from Dr Bongiovanni through his Executive Education short course or the Leadership field of study in UQ’s Master of Cybersecurity.

A black-and-white headshot of Dr Ivano Bongiovanni, a middle aged man with light hair, smiling broadly while standing in front of a sandstone building

Dr Ivano Bongiovanni

Dr Ivano Bongiovanni is a Lecturer in Information Security, Governance and Leadership at UQ Business School and a member of UQ Cyber. As a researcher, consultant and speaker, his work focuses on the managerial and business implications of cybersecurity. With a risk and security management background, he helps business leaders and executives make evidence-based decisions in cybersecurity.

A black-and-white headshot of Megan Gale, a younger woman with long dark hair, who is smiling while standing against a plain background

Ms Megan Gale

Megan Gale is Head of Digital Development at global engineering company KBR, and a researcher at the UQ Business School with a focus on cybersecurity governance. Megan has a professional background in law and business management, is a non-executive director and chairperson, and has a passion for good governance, strategy development and diversity in organisations.

A black-and-white headshot of Shelley Smith, a middle-aged woman with shoulder-length dark hair, smiling while standing against a plain background

Ms Shelley Smith

Shelley Smith is a UQ MBA alum and Senior Cyber Capability Strategist for the Queensland Government Department of Transport and Main Roads. With a focus on the delivery of strategic initiatives to uplift cyber security capability across the sector, Shelley works with stakeholders from educational institutions to influence and codesign relevant cyber skills programs.