Women account for just 10 percent of the information security workforce, a new report shows, but are making progress in governance, risk and compliance jobs.
The absolute number of women in cybersecurity jobs has been growing, but they're not even keeping up with the growth of the industry as a whole, according to a report released earlier this month by research firm Frost & Sullivan. In 2013, women made up 11 percent of the global information security workforce.
The report, based on a survey of 14,000 infosec professionals, was sponsored by the International Information System Security Certification Consortium (ISC2) and Booz Allen Hamilton.
"This is very frustrating given how much growth there has been in the industry," said Julie Franz, director of the ISC(2) Foundation. "We're barely keeping pace."
When it comes to management positions, women do slightly worse, accounting for 9 percent of senior leadership roles.
By comparison, in business in general, women make up 22 percent of all senior leadership roles, according to this year's Women in Business report by Grant Thornton International.
Women leaders in information security also tend to be older, according to the Frost & Sullivan survey. While only 29 percent of male leaders are 50 years old or over, 43 percent of women are.
And both women leaders and practitioners are better educated, on average, than their male counterparts. According to the survey, 58 percent of female leaders had advanced degrees, compared to 47 percent of men. And 48 percent of women practitioners have master's degrees or doctorates, compared to 40 percent of men.
Governance, risk and compliance shows promise for women
The bright spot for women in information security is GRC, where women account for 20 percent of governance, risk and compliance roles.
"The GRC role was, until the events of 9/11, a relatively obscure role in infosec," said Michael Suby, Frost & Sullivan's vice president of research, in the report. "Now, however, not just women but also men recognize the rising importance of this role and other roles concentrated in managing business risk."
A panel of women infosec leaders organized to supplement the survey said that women leaders are more likely to have skills related to defusing emotions, collaborating across multiple stakeholders and balancing business objectives with risk management. These are all skills important in GRC and other risk management roles.
For example, Julie Talbot-Hubbard, associate vice president for IT engineering, infrastructure and operations at Nationwide, said that she took on a GRC and continuity planning role at a prior employer because of a general lack of interest in the job, and a need for it.
"People had to be dragged into it," said Renee Hodder, information risk management consultant at Nationwide Mutual Insurance Company, in the report. She also got involved in the function because nobody else was interested in leading it, she added.