Security Experts:

Is The Education System Keeping Women Out of Cybersecurity?

While the Gender Bias in Professions Remains Strong, There Are Indications That Factors Beyond Genuine Aptitude Are at Play

Despite the increasing cybersecurity skills shortage, projected by Frost & Sullivan to reach 1.8 million unfilled roles by 2020, we are yet to engage with the obvious solution. There is currently more interest in reducing vacancies using artificial intelligence (AI) and automation than in training youngsters to adopt the profession.

The problem with AI as a solution, according to a report published Tuesday by ProtectWise, is, "The impact of artificial intelligence on the man-hours required to staff a security operations center is basically nil today -- and will be for a significant amount of time." 

This is confirmed by a separate survey (PDF) published Wednesday by Exabeam. Exabeam queried 481 cybersecurity professionals around the world. It found nearly 68% of respondents reported they do not currently use AI or ML in their jobs or don’t have plans to use in the future, even though 75% agreed AI/ML can make their job better or easier and improve security.

The short-term solution to the skills gap must necessarily be to increase skills rather than the long-term reduction of demand.

Together with the skills gap is an awareness of the paucity of women in security. This is also confirmed by Exabeam's study, which found that 90% of security professionals are male. 

ProtectWise returned to the data it gathered in an ESG survey last year, but specifically looked for any indication that the two problems may be linked: in short, could increasing the number of young women entering the security profession reduce the skills gap?

What it found is somewhat counterintuitive. Although the well-known gender bias in professions remains strong, there are indications that factors other than genuine aptitude are at play. In high school, twice as many men as women plan to study engineering, computer science or mathematics at college. Similarly, twice as many men as women consider IT as a future career.

At the same time, women are less confident in their aptitude for a career in cybersecurity. Forty-two percent of women profess to not knowing enough about the subject, compared to 35% of men; while 34% of women (compared to 25% of men) consider they do not have the aptitude.

What is surprising, however, is that the early exposure to technology that is believed to be the springboard to first studies and then careers in IT is stronger in young women than it is in young men. As many women as men game online, and the numbers that consider themselves to be early adopters of technology are also similar.

In some cases, however, young women are actually the early adopters -- 52% of women had tried VR compared to 42% of men; and more women than men have advanced technology in their household.

One conclusion that can be drawn is that the education system is the block. Young men and women enter the system with an equal aptitude for technology in general; but fewer women than men leave it to pursue technology careers. More concerning for cybersecurity is that very few of either gender consider security as a potential career.

A primary reason is that they simply do not have the option. Sixty-nine percent of the respondents said they had never taken a cybersecurity class in school, and 65% said that their school never offered a cybersecurity course.

This lack of interest from the schools does their pupils no favors. The Exabeam study shows a median salary range of $75,000 - $100,000 per year, with 34% earning more than $100,000 per year (chief security officers can expect around $200,000 and above); while 86% of existing professionals would recommend a career as a security analyst to new graduates. Good money and job satisfaction should be strong incentives.

ProtectWise co-founder and CTO Gene Stevens believes the problem is a latency between society's needs and society's understanding of those needs. “Our society has not yet embraced cybersecurity as a civilization-defining competency, yet it is exactly central to our capacity to function in this massively technological age," he told SecurityWeek. "In foundational terms, it's an education and awareness problem."

The solution is a sustained effort to get cybersecurity into the educational syllabus. "In education," he continued, "one of the best roads is to have cybersecurity technology standards baked into state standards of expectation for all students. State boards review these on a regular basis, usually every three to five years. We should reach out to departments of education state by state to engage on this topic. As digital citizenship is currently being developed locally, we need to reach out to school counselors and partner with teachers -- reaching out to education associations to offer resource and support is easy and could be highly beneficial."

While educational restraints may be playing a part in a lacking cybersecurity workforce, Ashley Arbuckle, Cisco’s VP of Security Services, believes that inclusion will help put a stop the perpetual scrambling for cybersecurity workers.

“No matter how you measure it, the number of unfilled cybersecurity positions is big and it’s a problem we’ve been lamenting for years,” Arbuckle wrote in a recent SecurityWeek column. “The traditional approach to address the shortage has been to encourage more individuals to pursue technical and engineering degrees. But which individuals? And if you aren’t “technical” does that mean there’s no room for you in cybersecurity? If we think more broadly about the type of talent we need and how to build even better security teams, we’ll see that the solution to the workforce gap is through inclusion.”

Arbuckle also believes there is no one definition of a cybersecurity professional and no one path to get there. “By increasing awareness of the varied skills needed and providing support to cultivate such talent, we have an opportunity to expand the pool of workers and improve security and financial performance in the process, with teams that are based on inclusion and diversity. We need to marshal all our resources to strengthen our defenses,” Arbuckle said.

Related: Working Smarter, Not Harder: Bridging the Cyber Security Skills Gap 

Related: Report Shows Few Solutions to Filling Cyber Skills Gap 

Related: NIST Publishes Cybersecurity Workforce Framework

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.