Why Gender Diversity in Cybersecurity Matters to the Business

Filling the Skills Gap by Closing the Gender Gap

REPORT


Post on 25-Aug-2020


Table of Contents

Executive Summary

Security Skills Gap Reveals Useful Data

Security Workforce Gender Diversity Improving

But Gender Diversity Challenges Remain

Gender Diversity Matters

Soft Skills Differentiate, Women Candidates Often Percolate to the Top

Gender Diversity Engenders Business Outcomes

Recommendations to Women Cybersecurity Professionals

Building Gender Diversity

References


Executive Summary

Organizations globally are struggling to find and retain cybersecurity talent with the skill sets that meet their business requirements. A majority indicate the skills shortage, which is pegged at almost 3 million today, is affecting them (e.g., lengthy and expensive recruiting cycles, unfilled positions, etc.) and impacting their ability to manage security and compliance risks.[1] At the same time, there is growing concern around the lack of gender diversity. While this is certainly a challenge, it is also an opportunity: Organizations can tap women candidates—many of whom possess skill sets that occur at lower numbers among male candidates—to fill these skills gaps and unfilled job requisitions. Indeed, research shows that diverse teams produce better business outcomes.

Security Skills Gap Reveals Useful Data

Released earlier this year, a Gartner survey finds that the cybersecurity skills shortage is the top concern when it comes to risks facing organizations.[2] 63% of respondents say the talent shortage is a key concern for their organization. 58% of organizations have unfilled cybersecurity roles, and nearly one-third indicate it takes upwards of six months to fill a security opening. Repercussions go far beyond recruiting or operating inefficiencies: Almost half of organizations indicate they have experienced security incidents due to lack of security staff or specific skill sets over the past two years.[3]

Understanding the skills gaps and misalignment between employers and cybersecurity jobseekers is an important starting point. Knowing which skill sets for different security job titles are in highest demand helps hiring managers to define skill priorities and assess which ones may be most difficult to find in candidates. Working in concert with Datalere, which specializes in data science, Fortinet analyzed job ads and resumes across nine different security and network occupations to determine what matters most to employers and what hard and soft skills are in overabundance versus those that are underrepresented by jobseekers.[4]

Figure 1: When polled on the question of the length of time it takes to fill a security role on their team, over two-thirds of webinar attendees said 80-plus days (excludes those who did not know). [Bar chart; categories: Less than 40 Days, 40 to 80 Days, 81 to 120 Days, Over 120 Days; axis: 0% to 40%.]


Security Workforce Gender Diversity Improving

Recruiting a more diverse cybersecurity team is an often-cited solution by employment pundits to the security skills shortage and skills gap. Certainly, diversity is a top trending topic across industries and occupations, and organizations are compelled to build and implement strategies to increase the diversity of their teams.

Gender diversity remains a serious problem in the cybersecurity space, where women make up less than one-quarter of the workforce.[5] The good news is that more women are entering the workforce. In the case of the “2019 Women in Cybersecurity” report by (ISC)2, more millennial women (45%) than millennial men (33%) responded to the survey. This would seem to imply that the disproportionate men-to-women ratio will diminish more in coming years. The survey also reveals that more women (52%) hold a post-graduate degree than men (44%), an indication that workforce skill upgrades are on the horizon.

But Gender Diversity Challenges Remain

Yet, despite these positives, negatives do remain. For example, men are 5x more likely to be in a CISO role than women.[6] In the case of the skills-gap reports Fortinet generated in concert with Datalere, findings revealed even worse male-to-female ratios than (ISC)2 (based on resumes analyzed):

• CISO: 7% were women

• Security Architect: 2.5% were women

• Security Administrator: 17% were women

• Director of IT Security: 11% were women

• Security Incident Response Specialist: 9.5% were women

• Network Architect: 4% were women

• Network Operations Center Manager: 8% were women

• Security Operations Center Manager: 12% were women

• Network Engineering and Operations Leader: 1.5% were women

It does not get much better across other roles either, though the gender diversity gap is not the same across the spectrum. For example, when network and security roles are compared, there appears to be a larger gender diversity gap with network roles than with security roles.

Recognizing the importance of building diverse teams—whether gender, race, sexual orientation, or gender identity—and seeking to gain a better understanding of the topic of gender diversity, Fortinet recently produced a webinar on the topic: “Realizing the Benefits of Gender Diversity in Cybersecurity.”[7] The panel was moderated by Dr. Patrick E. Spencer, senior director of content marketing and research at Fortinet. Renee Tarun, Fortinet’s VP of security, and Joyce Brocaglia, the CEO and founder of Alta Associates, the Executive Women’s Forum, and BoardSuited.com, served as panelists. The webinar examined key findings from the skills-gap report series published by Fortinet titled “Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Occupational Demographics,”[8] as well as data from some investigative reports on different security job personas (e.g., CISO, security architect, et al.) and current priorities and challenges associated with each. The webinar also covered how women can help fill the security talent shortage and skills gap, as well as the benefits of gender diversity.


Gender Diversity Matters

When it comes to addressing the cybersecurity skills shortage and gap, Brocaglia notes, “We are never going to lessen the shortage if we ignore the half of the population that are women. The dirty little secret is that there are actually a lot of really strong women in the field who are choosing to opt out because of conscious and unconscious biases they face in their security careers.” As evidence, the panel discussed survey data from the Center for Cyber Safety and Education (CCSE). Some of the key highlights from the CCSE study the panel discussed included:

• 51% of women have experienced discrimination in their roles, compared with 15% of men.

• Men are 4x more likely to hold executive roles than women, and 9x more likely to hold managerial roles.

• Salary discrepancies remain: Men are paid 6% more than women for nonexecutive roles, and 4% more for executive roles.

Figure 2: Webinar poll question: Does your organization review job descriptions to ensure they use inclusive language—gender, race, disabilities, sexual orientation, gender identity? [Chart; legend: Don’t Know, No, Yes; values shown: 27%, 25%, 48%.]

As a whole, employers are doing a poor job of recruiting women into cybersecurity roles. The skills-gap studies we produced with Datalere found almost twice as many male-gendered terms as female-gendered terms in job ads. Job ads that are weighted toward men—intentionally or unintentionally—drive away women applicants. “Having a gender-inclusive corporate culture starts in your job postings, ensuring that the language you are using is not biased,” Tarun stresses. “And while some organizations are trying to make their job titles more attractive to get more candidates by using terms such as ‘code warriors,’ this type of male-gendered language can deter candidates as well.”

Based on webinar audience input, organizations need to spend more time reviewing job descriptions to ensure they do not contain gender bias (see Figure 2). Over half of the webinar audience indicated they either do not or are not sure if their organizations review job descriptions to ensure they use inclusive language—race, gender, disabilities, sexual orientation.

For those who doubt the importance of diversity for women, think again. 86% of women indicate an employer’s policy on diversity and workforce inclusion plays an important role in their decision to accept a job offer.[9]


Soft Skills Differentiate, Women Candidates Often Percolate to the Top

Soft skills are typically undervalued and underemphasized by jobseekers. In the case of the CISO, 17 of the top 20 skills listed by employers in job ads were soft skills (see Figure 3). These translate into tangible business outcomes. Brocaglia argues they should be front and center:

“The soft skills are the ‘hard’ skills. When doing a CISO search, the emphasis is rarely on the technical ability. That is almost a given by the time people get to that point. Our clients are looking for somebody who can translate technical issues for key business stakeholders. People who can lead teams and utilize outcomes.”

Brocaglia goes on to indicate that often when Alta Associates is searching for a CISO, they “are doing so because the person currently in the role lacks those soft skills. Companies are looking for leaders who can work collaboratively in setting and executing strategy—individuals who possess emotional intelligence, authenticity, and communication skills.” The importance of soft skills extends to the Personal Characteristics quadrant. Asked if personal characteristic soft skills are undervalued when they evaluate candidates, 60% of webinar attendees indicated that is the case (see Figure 4).

Figure 3: Soft skills findings from “The CISO Ascends from Technologist to Strategic Business Enabler” report.[10]

Women Bring Broader Skill Diversity

Only 17 of Top 20 Skills Employers List of CISOs are Soft: Communications, Planning, and Leadership

• Women are 52.5% more likely to list soft skills than men

• Women list more soft skills than men in all four quadrants

• 150% more analytical skills

• 46% more skills in Leadership quadrant

• Leadership: Women, 5.7 Skills; Men, 3.9 Skills

• Communications/Interpersonal: Women, 1.6 Skills; Men, 1.5 Skills

• Analytical: Women, 2 Skills; Men, .8 Skills

• Personal Characteristics: Women, 7 Skills; Men, .4 Skills

Figure 4: Webinar poll question: Are personal characteristics undervalued when you evaluate candidates? [Chart; labels: Yes, No; values shown: 60% and 40%.]

Interestingly, one finding from our CISO skills-gap study is that women include soft skills in their resumes much more often than their male counterparts (52.5% more likely). When all four soft skills quadrants are examined, women CISO candidates exceeded men in listing soft skills on their resumes in all four. The Analytical (150% more) and Leadership (46% more) quadrants were the two with the highest level of variance.


Gender Diversity Engenders Business Outcomes

Building a diverse team is important—and not simply from the standpoint of complying with corporate HR objectives or the desire for social responsibility. Data shows that diverse teams produce better business outcomes.

This is backed up by third-party research that the panel discussed. To begin, gender-diverse teams make better decisions 73% of the time compared to 58% for all-male teams. Further, 95% of the time the decision-making is related to financial performance.[11] Second, a study of VC-funded teams found that women-led organizations bring in 12% higher revenue than male-dominated firms. Third, in the case of VC firms, those with at least one woman in a leadership role outperform all-male peer organizations by 63%.[12]

Slightly more than one-quarter of webinar attendees indicated that their organizations conduct periodic reviews to ensure diversity policies and processes are being followed.

Recommendations to Women Cybersecurity Professionals

When it comes to being engaged and feeling valued at work, the panel discussed a number of ideas. As a starting point, six recommendations from the CCSE are noteworthy:[13]

• Recommendation from a sponsor for a high-profile project

• Recommendation from a sponsor for a promotion

• Introduction from a sponsor to other people in their professional network

• Opportunity for formal or informal meetings

• Opportunity for nontechnical skill development

• Opportunity for leadership coaching

The webinar audience was polled (see Figure 5), and formal opportunities for networking were listed as the activity that benefited them the most in terms of career development and advancement (33% listed it). Executive mentoring and coaching (23%) and stretch projects (20%) also received a high ranking.

Figure 5: Webinar poll question: In terms of career development and advancement, what have you found to be the most helpful? [Bar chart; categories: Stretch Projects, Participation in Leadership Training, Formal Opportunities to Work, Codification of a Career Plan, Executive Mentoring and Coaching; axis: 0% to 35%.]


Building Gender Diversity

Beyond ensuring job descriptions employ gender-inclusive language, the panel listed other recommendations that CISOs and hiring organizations can employ to build gender diversity.

• Mandate, measure, and reward diversity hiring

• Lift out the must-have skills from the nice-to-have skills in job descriptions

• Conduct blind resume reviews (strip all gender, age, and ethnicity information)

• Look for people from nontraditional backgrounds whose analytical, communication, and creative skills can add value to your team

• Regularly review and adjust salaries to achieve gender pay parity

• Tie bonuses and other performance to behavior that encourages and supports diversity

One cause for concern arose during the webinar when the audience was polled on whether their teams conduct periodic reviews of hiring outcomes to ensure diversity policies and processes are being followed, and only 27% said this was the case. 42% said their teams currently do not conduct periodic reviews, and another 31% said they did not know.

“I also think people hire in their own image,” Brocaglia says. “So, unless companies are actively reviewing their job descriptions in technical roles for unconscious bias and unless they’re really forcing their hiring managers to provide diverse lakes of candidates and choose and work with recruiting companies that have a track record of doing so, the pace of change will continue to be slow.”

This is a real problem, according to Tarun. “You’re putting your company at risk,” she notes. “You can actually be hurting your company from an innovation standpoint, because everybody brings in different ideas and different experiences and backgrounds. Solving problems is a critical part of the cybersecurity world, and diverse teams are better at doing so.”

Watch the webinar “Realizing the Benefits of Gender Diversity in Cybersecurity.”

Read The CISO Collective article on “The State of the Female CISO, and What Can be Done About It.”


References

[1] “Cybersecurity Skills Shortage Soars, Nearing 3 Million,” (ISC)2, October 18, 2018.

[2] “Gartner Survey Shows Global Talent Shortage Is Now the Top Emerging Risk Facing Organizations,” Gartner, January 17, 2019.

[3] “Cyber Security Skills in Crisis: A Professional’s Call to Action,” ISSA, December 5, 2018.

[4] Consists of nine reports published in a series by Fortinet titled “Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Occupational Demographics.”

[5] “(ISC)2 Cybersecurity Workforce Study: Women in Cybersecurity,” (ISC)2, accessed August 28, 2019.

[6] “The Future Tech Workforce: Breaking Gender Barriers,” ISACA, accessed August 28, 2019.

[7] “Webinar: Realizing the Benefits of Gender Diversity in Cybersecurity,” Fortinet, accessed August 28, 2019.

[8] “Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Occupational Demographics,” Fortinet, accessed August 28, 2019.

[9] “Celebrating International Women’s Day: Bold actions for gender equality,” PwC, accessed August 28, 2019.

[10] “The CISO Ascends from Technologist to Strategic Business Enabler,” Understanding the Cybersecurity Skills Shortage: An Analysis of Employer and Jobseeker Skills and Occupational Demographics, Fortinet, September 5, 2019.

[11] Marcia W. Blenko, et al., “The Decision-Driven Organization,” Harvard Business Review, June 2010.

[12] “Hacking Diversity with Inclusive Decision Making,” Cloverpop, accessed August 28, 2019.

[13] Jason Reed, et al., “The 2017 Global Information Security Workforce Study: Women in Cybersecurity,” Frost & Sullivan, accessed August 28, 2019.


Copyright © 2019 Fortinet, Inc. All rights reserved.

www.fortinet.com

September 9, 2019 1:25 PM

report-why-gender-diversity-in-cybersecurity486057-0-0-EN