As cybercrime escalates, encouraging more women to seek out and be promoted to the top ranks of the cybersecurity profession is one way to tackle growing threats. Unfortunately, women who choose cybersecurity often exit mid-career in frustration at the lack of opportunities. The result? A cybersecurity workforce that lacks gender and equality balance—and a missed opportunity for greater diversity and innovation in tackling cybersecurity risk. Collectively, we can positively impact change to advance our industry and forge a path to a more inclusive future.
It is an unfortunate fact that half of all women with a technical education leave the workplace in the middle of their careers. This statistic is double the rate of their male colleagues in similar roles. In fact, women depart technical roles at a 45% higher rate than men.
If organizations can stem this tide, they stand to gain a return on investment that is currently lost when these women exit. Cost estimates to replace a salaried employee range from six to nine months’ salary—and, considering today’s skyrocketing demand for cybersecurity skills, likely more in our industry. Organizations not only lose money from turnover, but also they lose the potential for innovation as a result of a less gender-diverse workforce.
According to analysts, by the end of 2019, women were to comprise 20% of Fortune 500 Chief Information Security Officers (CISOs)—up from 13% in 2017. While that figure represents a significant improvement, it still means just one in five top information security jobs at the most powerful companies across the globe is held by a woman. And, in the largest 1,000 companies, fewer than one out of five Chief Information Officers (CIOs) or Chief Technology Officers (CTOs) are women. That’s a far cry from gender balance in the top ranks of the cybersecurity profession.
The lack of women in senior positions exposes both conscious and unconscious bias surrounding women in leadership positions. These range from a perception of a lack of “qualified” women, to organizational cultures stuck in practices from prior decades. As women who hold senior positions in the security industry and as members of the Accenture Cybersecurity Forum Women’s Council, we strongly and passionately advocate for a change in the status quo.
To help further this effort, the Accenture Cybersecurity Forum Women’s Council members candidly shared their personal career journeys, experiences and observations. This report combines their insights with Accenture research on gender equality to suggest four distinct areas of action for companies and public organizations committed to advancing women in the cybersecurity field. Through real-world examples, we aim to open a dialogue on the conscious and unconscious gender bias impacting women in cybersecurity. We also offer actionable recommendations to help organizations support more women’s aspirations to rise to the top of the cybersecurity ranks.
Four areas of action to support, retain and advance senior women
Women who have risen to top cybersecurity positions often find it difficult to discuss their career paths due to a myriad of challenges they encountered along the way. As the Women’s Council members shared their stories, commonalities emerged that point clearly to specific changes and improvements that drive impact.
Most of the Accenture Cybersecurity Forum Women’s Council executives interviewed work for organizations that put elements of potential solutions into practice, including hiring, mentoring, and promotion programs focused on women. They know firsthand how these proactive workplace policies and programs have helped them achieve professional success in cybersecurity. By sharing these successful approaches, this report aims to quicken the pace and volume of women advancing to senior levels in security careers.
Taking comprehensive action in the following key areas helps organizations retain and promote women into more senior cybersecurity leadership positions:
01/ Invest in developing future women executives.
02/ Provide flexible work arrangements for all.
03/ Decode the route to equal with metrics.
04/ Reward responsible risk-taking.
Challenges for women in getting leadership development in cybersecurity:
Invest in developing future women executives
The challenge: A lack of formalized career and leadership development.
Traditionally, development policies and programs are implemented to support high-performing junior professionals and these tend to wind down near the mid-point of people’s careers. Once these programs are complete, the program “graduates” look to sponsors to help them make the most of their new professional networks and leadership skills. However, often, when women look upward for sponsors, they lack leaders that reflect their own career path. Women need organizations to establish strong mentorship networks, such as those enjoyed by many up-and coming male executives, to assist with the next stage of their career advancement.
Our council members highlighted that for women to rise to leadership positions, we need men that currently hold leadership positions to advocate for and sponsor women. As one council member said: “Until our senior men own this problem and address it, it will just continue. I feel like I have to take a stand and stop preaching to the choir.” Organizations that enable and encourage men to speak out in support of women in cybersecurity are on the right path to support inclusion and diversity as part of the culture. A shift in tone and behaviors from the top is critical for any organization to help women in cybersecurity rise to senior levels.
Being one of a few women in cybersecurity leadership can be isolating. Take, for example, one ACF member who told us that she found herself accepting—and even perpetuating—a typical male-dominated corporate culture. She said: “I am used to being the only woman in the room, so I have developed certain survival techniques to protect my position. By doing this, I was not helping the women around me. I kept trying to fit into the toxic “one of the boys” culture. I was being gaslighted into thinking this is the way women must behave to career advance.”
Other women indicated that they have seen firsthand what happens when organizations do not make the proactive investment in developing future women leaders—they lose them to those organizations that do. As one interviewee said: “If I’m not going to win [the advancement battle], I move on.”
Cybersecurity is a nascent, fast-evolving field that often lacks a common, direct path to advancement. This is a double-edged sword, as it makes career development more challenging— yet it also leaves several opportunities open for the taking. However, identifying and developing these opportunities, particularly when it comes to women in the field, requires the right development training, a risk-taking culture and qualified candidates.
Commenting on the fact that there is no single, cookie-cutter career path in cybersecurity, one ACF respondent said: “Cybersecurity is not an easy path progression. There are all sorts of twists and turns that people take and should take. And, just because I didn’t start out in security doesn’t mean I didn’t have opportunity in the cybersecurity space.” Another respondent suggests male leadership should “set a good example” by showcasing the gender equality that organizations say they want to see at the top. “Don’t look for the unicorn,” she said. “Instead, take chances on women. They may not perfectly fit the role, but they have the skill sets to build upon and to support the end goal.”
While a career in security can seem exciting, senior level positions can appear intimidating due to the amount of attention predominantly male Chief Information Security Officers (CISOs) receive by media and policymakers following breaches. When breaches do not occur, it can be difficult to explain the value of investing to keep up with the increasing costs of cybersecurity. Women with the drive, leadership acumen and technical skills may veer away from senior cybersecurity roles based on their perception that the position involves continuous firefighting and potential reputation attacks.
Further, senior positions in cybersecurity, such as the CISO role, require experience with budgeting and board presentation. For women to pursue these senior security positions, leadership should provide clear expectations around these skills and opportunities for women to gain exposure and experience. Doing so creates awareness of how their security skills can translate to the next role, along with any gaps that need to be addressed to get there. In addition to being clear about the expectations of executive roles and writing job descriptions that are objective, leaders can also engage in conversations about the scope and responsibility of leadership roles. Taking these strategic steps helps women to feel less stagnant in their careers. Instead, they could identify and seize opportunities required to ascend the leadership ranks.
Provide flexible work arrangements for all
The challenge: Sending our daughters into a workplace designed for our dads.
Melinda Gates, co-founder of the Bill & Melinda Gates Foundation, put it succinctly: “We’re sending our daughters into a workplace designed for our dads.”6 Gone are the days when men worked while women stayed at home to “mind the house and children.” Men’s needs are now no different than women’s at the mid-point of their career. Employees deal with a variety of circumstances, including supporting ailing parents or creating and raising a young family. As such, organizations need to be comprehensive when describing the flexibility they offer. Rather than organizations defaulting to maternity leave or childcare as the prime examples requiring workplace flexibility, employees, at various stages, need to be provided with and take advantage of flexibility and advocate for it.
For women who are on maternity leave or other leaves of absence, leadership can clearly express the organization’s desire to welcome them back. They can also cooperatively formulate a plan to help them continue to progress their careers, while supporting and enabling them to have a life outside of work. Many people want to return from a leave of absence by hitting the ground running, but careers are marathons—not sprints—and need to be managed as such.
In some organizations, while flexibility may be offered, it is quietly frowned upon if utilized. As a result, employees believe they must choose between personal or professional commitments, or cover aspects of their full selves at work (for example, pretending they are leaving for an external meeting instead of attending their child’s theatrical performance).
One ACF member respondent expressed that her employer would not support her stepping away from her work to temporarily care for her grandmother who suffered with Alzheimer’s disease. “The choice between work and family was a no-brainer,” she told us, “but my passion for my career and contributing to the cybersecurity industry drove me to find an employer that instead enabled me to be present for both—family and work.”
When gender stereotypes around work-life balance persist, the impacts often result in assumptions related to what a woman may or may not be willing to do as part of her job. Many women we spoke with have observed leaders who presume that a woman would not be willing to travel, move, or even work certain shift hours due to her personal obligations (potentially including childcare or other family caretaking duties).
Worse, many of our council members have seen women candidates dropped from consideration without a discussion informing them of the reason, often based on assumptions. Sometimes these assumptions are rooted in past decisions the woman made relative to her personal obligations at the time, irrespective of whether those limitations persist. Sometimes the candidate is unaware that opportunities exist at all. However, where leaders keep the lines of communication open to enable women to voice what they would and would not be willing to do for a role, they open doors for women to consider taking new challenges and advancing their careers. Simply put: always ask, never assume.
Decode the route to equal with metrics
The challenge: No measurement = No accountability.
Teams that include diverse, equitable perspectives elevate overall organizational performance and are better at innovating to solve complex challenges. Given the complex, high-stakes challenges in cybersecurity, organizations need to elevate women to achieve the best results for their risk grows from new vulnerabilities and sophisticated cyber threats.
Unfortunately, women are 2.5x more likely to depart from technology career roles than other career roles before the age of 35. One ACF member expressed frustration at experiencing something similar: “Women have to work harder to get noticed, and to get put on prime assignments in prime positions,” she said. “Even though there are strong women role models in the tech space, there is a lot more male leadership.” We also know that the proportion of women to men in technology roles has sharply declined over the past 35 years.
Increasingly, metrics that report on the relationships between gender balance and organizational benefits are becoming important to shareholders. Some organizations publish metrics on gender equity, helping to establish aspirational goals, focusing on why the numbers are what they are, and holding management accountable for change.
The transparency regarding metrics is essential and should go beyond measuring overall percentages to include measuring by career level and role. This context is important because it can help organizations to understand where gaps may exist to help women advance to higher positions and, eventually, leadership roles.
Most women we spoke with are concerned that the gender ratios in middle management cannot support the scaling required to achieve gender equality in executive positions. Our interviewees also wonder if this could negatively impact the reputation of women across an organization. It is important that organizations clearly outline job expectations, including required technical and soft skills, but also defining what capabilities are truly “required” for the role to ensure that candidates are comfortable matching their skills to the opportunities.
Pay equity
Meanwhile, it is clear that pay equity continues to be a problem for many organizations. Part of this challenge comes from earlier practices in which people were paid based on their previous salary, rather than the value the position merits. Or, some companies offer below market value with the expectation of negotiation. This strategy does not work the same across all genders. Women are less likely to negotiate salary than men, which can lead to discrepancies in wages. In a recent study, 68% of women interviewed accepted the salary offered and did not negotiate, a 16-percentage point difference when compared to men (52%). Gaps in pay widen exponentially as a career progresses because of percentage-based raises. And, while women ask for raises as much as men do, they get them less often, at 15% of the time compared to men’s 20%.
Furthermore, percentage-based raises penalize women for the remainder of their career. This can be seen more acutely if a woman slows down her career progression at the midpoint, when she may desire to start a family. Even if she gets promoted after becoming a mother, if the promotion is within her same organization and she is given a percentage increase to her current salary (rather than the salary that is set for the role), she may continue to remain at a wage parity disadvantage. As with salary discrepancies, bonuses have similar variances between genders. While there are new laws prohibiting many organizations from asking salary histories, organizations should maintain awareness for potential mismatches in salaries among mid-level employees and work towards closing this pay gap.
Reward responsible risk taking
The challenge: Women tend to underestimate their qualifications.
For years, studies have indicated that women tend to self-select out of roles when they are not confident they have the skills or out of a fear of failure. A Hewlett Packard study showed that men apply for a job or promotion even if they meet only 60% of the requirements, while women apply only if they meet 100% of them.
Women are less likely to take the risk of a stretch opportunity, which limits their ability to gain a breadth of experience and a broader perspective of the organization. The situation may be even more acute in cybersecurity where executives fear being humiliated personally if their organization experiences a breach. An executive who had support in advancing said: “My bosses pushed me to take jobs I didn’t think I was ready for.” Many women do not feel they can do that next job because they do not have all of the expertise. Women frequently undersell themselves.
Leadership often have clouded perspectives on their organization’s culture of risk-taking. In fact, when Accenture interviewed leaders, more than two-thirds (68%) of leaders interviewed felt they create empowering environments in which, for example, employees can be themselves, raise concerns and innovate without fear of failure. However, slightly more than one-third (36%) of employees agree.
Ask – don’t assume
One form of responsible risk-taking that can be championed and demonstrated from the top down in the cybersecurity sector is making it safe for women to assertively speak up and speak out during meetings—as well as in all strategic and other workplace conversations. This goes beyond simply giving women a seat at the decision-making table. Invite increased participation by explicitly asking women to take part, instead of assuming that they do not want to.
Support their voices when they participate by acknowledging their comments to the group and their contributions to successful outcomes. Follow up with women to provide feedback to help them to continue to grow. This involves abandoning cultural biases and stereotypes around how women have traditionally been perceived for asserting their opinions in historically male-dominated careers. And, it also requires not penalizing women—specifically not stunting their career trajectories—for using their voices. “I run into assertive women who have no problem making their opinions known in the working world, an ACF member shared. These are the women who also struggle to get promoted. Witnessing their struggles, a skill I had to learn was not to communicate in ways where I didn’t get labeled a ‘challenge.’ You still have to have your voice— and be loud with that voice—but in ways that effectively get you what you want.”
Women’s success fosters Business success
As the responses of the ACF Women’s Council members have shown, organizations play an important role in promoting women to the top of the cybersecurity ranks. Helping women rise from the mid-point to the top ranks in cybersecurity can help to realize early investments in individual training and development and achieve organizational impacts. With growing cybersecurity challenges that organizations face from expanding digital transformation, helping to attract, develop, retain and advance a gender-balanced cybersecurity workforce is more important now than ever before.
Organizations such as Accenture are deeply committed to achieving a gender-balanced workforce—and not simply because it is the right thing to do. Supporting the equal and fair advancement of women’s career paths is critical to business success. That is why Accenture has committed to 50/50 gender equality within our company at all levels by 2025.10 The tide is turning across the global corporate landscape We must act boldly—and now—to make organizational gender equity and advancement a reality
