Judge: Jane Frankland, you have been picked up by the male police (one acting alone) and stand here accused of potentially spreading FUD. On the 8 June you posted on LinkedIn highlighting data gaps and inconsistencies with regards to reporting for women in cyber, specifically methodologies. How do you plead?
Jane: Not guilty, your honour. 😉
Judge: Please explain yourself.
Jane: On the 8 June, I shared a post and graphic that I’d created for a new Women in Cyber Assessment Tool and Report, which is coming soon. It will be able to help companies who value women in cyber attract and retain more women by diagnosing where their efforts are falling short. Cue blatant plug… Companies interested can sign up here.
It looked like this,
“I’m working on an Assessment tool for companies who want to increase the numbers of women in cyber & as part of this, I’ve been examining data. Although some companies have been reporting on some aspects of diversity, for gender, we are still so data poor. Here are some interesting data points from the past 7-years thanks to (ISC)2, Forrester, Cybersecurity Ventures, Kaspersky, Ipsos / UK DCMS, NCWIT & COQUAL.”
At about 10,000 words, it had taken me about 2 weeks to write and I was reaching my last hurdle – the graphics. I’d been instructed by one of my coaches to make some data “pop” so I could get through to people who consumed info more visually. As I was collating the data from numerous sources, I was struck by a few things. Firstly, there were big data gaps. Secondly, some of the methodologies used to report the situation for women in cyber were inconsistent. Thirdly, some of the data was old. Some of the data that was referred to was more than 6 years old.
Before I share the data sources I’m referring to, I want to make it clear I’m not intending to criticise any of the companies or individuals who have produced the studies or blogs. They are hugely valuable. I’m merely offering these as observations, to provide you with some insight into the methodologies used and the actual demographics covered, and not covered. I encourage you to read the data sources if you’re interested in this topic and don’t know about them.
Here are examples and data sources.
In 2022, the UK government’s Department for Digital, Culture, Media and Sport (DCMS) commissioned Ipsos and Perspective Economics to conduct the latest in an annual series of studies to improve their understanding of the current UK cyber skills labour market. The study drew on a quantitative survey of 4 audiences (general businesses, public sector organisations, charities, and cyber sector firms) with a data set size of 1,505, and a more focused strand of qualitative research, with 29 in-depth interviews split across cyber firms, other medium and large businesses, and recruitment agents, all within the UK. The report detailed that women in cyber account for 22% of the workforce. However, in their report they noted:
“It is important to note that these estimates are very variable. For example, if we remove the 2 largest businesses from the cyber sector sample, the proportion of female workers falls from 22% to 17%. For ethnic minority workers it falls from 25% to 19%. Therefore, more years of data are required to validate the suggestion that diversity has increased. A total of 1 in 10 people in the cyber sector workforce are neurodivergent (i.e., people with conditions or learning disorders such as autism, Asperger syndrome, dyslexia, dyspraxia and attention deficit hyperactivity disorder, or ADHD). This is in line with previous years. There are no reliable statistics to show how neurodiversity overall compares to other sectors.
We acknowledge that these estimates are very different to those reported in the NCSC/KPMG. In their survey, a much higher proportion of respondents identified as female, disabled and neurodivergent. However, while their survey is useful to understand the lived experience of people from these excluded groups, it is not designed to produce figures that are representative of the entire cyber workforce. We consider our figures to be representative. The NCSC/KPMG survey also does not produce evidence to suggest that gender and ethnic diversity has improved over time, underlining the point that this hypothesis needs further validation in future years.”
“The ISC2 and PwC surveys appear to have been carried out online with a self-selecting sample, skewed towards the largest and most engaged organisations. These studies are important, as they have good coverage of the organisations with the most sophisticated cyber security skills needs. However, they are not necessarily representative, and typically omit micro, small and medium businesses, and the charitable sector, where there are often more basic cyber security skills needs.” DATA SOURCE
In 2021 ‘Decrypting Diversity and Inclusion in Cyber Security’ was released. This is the report DCMS was referring to and was produced jointly by the UK’s National Cyber Security Centre (NCSC), KPMG (including KPMG Nunwood) and Imperial College London. They used Stonewall, Office of National Statistics, and UK Cabinet Office best practice guidance on which questions to ask to capture the data, aligned to the 2021 UK Census. The survey included both open and closed questions. Respondents had to answer all questions but could choose the option of ‘prefer not to say’ to questions in line with leading practice survey techniques. The survey was responded to by 945 individuals who worked or studied in the cyber industry. In addition to the survey, the NCSC and KPMG conducted interviews with individuals from NCSC, KPMG and other organisations and sought their views on the data and findings. They reported that over 36% of their respondents were female, up from 31% in 2020. Note, their report does not give a figure or percentage on the numbers of women in cyber in the UK workforce, only how many responded to their survey. DATA SOURCE
(ISC)² is the world’s largest non-profit membership association of certified cybersecurity professionals. In 2021, they released the findings of their ‘Cybersecurity Workforce Study’, in collaboration with Aberdeen Strategy and Research (a Ziff Davis company). They collected responses from 4,753 individuals responsible for cyber at workplaces throughout North America, Europe, Latin America (LATAM) and the Asia-Pacific region (APAC).
(ISC)² has not given us a separate report on women, drawing from their Workforce Study, like they did in 2017, and that’s OK. Instead, in 2021 they provided us with a report which draws on qualitative research from 22 respondents from the United States, United Kingdom, Germany, Croatia, Serbia, Singapore, Malaysia, South Africa, and Canada. These women were interviewed as groups for 90 minutes (with 1 individual interview) by a seasoned moderator from Synergia Multicultural Research and Strategy. DATA SOURCE
In their 2021 Workforce Study (ISC)² reported that cyber continues to be predominantly male (76%) and Caucasian (72%) in North America and the U.K. However, they did not provide the reader with information on the other regions, which I believe would have been useful. They observed a lower percentage of women among the year’s study participants—20% overall—compared to 25% in 2020 and 30% in 2019. They questioned why fewer women participated in their study, which included cyber professionals in formal cyber functions, as well as IT professionals who were responsible for cyber operations at their organisations. They thought the reason why fewer women participated in the study was because their response base included a higher participation of professionals holding formal cybersecurity roles, which are more frequently held by men than women. Nonetheless, they believe their data suggests a reliable estimate of women in the cyber workforce globally remains at 25%. DATA SOURCE
In 2020, Accenture released a blog called ‘Jumping the Hurdles: Moving women into cybersecurity’s top spots.’ In it, they reported that half of all women with a technical education left the workplace in the middle of their careers. However, their data source was taken from a study that was captured more than 6 years ago. It does not cover cyber specifically. DATA SOURCE
In 2019, (ISC)² released their Women in Cybersecurity report, and revealed that women represented 24% of the cyber workforce. Their survey had 1,452 responses and was conducted by Spiceworks. This estimate was a higher percentage than in their past reports. For example:
- In 2017, the Center for Cyber Safety and Education (Center) and (ISC)² released The Global Information Security Workforce Study (GISWS). This was conducted by Frost and Sullivan and sponsored by (ISC)² and Booz Allen Hamilton. To date, this has been the largest study ever conducted, with responses from 19,641 information security professionals in 170 nations. The report said women accounted for 11% of the workforce. DATA SOURCE
- In 2015, the Center for Cyber Safety and Education (Center) and (ISC)² released The Global Information Security Workforce Study (GISWS). This was conducted by Frost and Sullivan and sponsored by (ISC)² and Booz Allen Hamilton. The survey was completed by 13,930 qualified information security professionals; a combination of (ISC)² members and non-members. Women were found to account for 10% of the workforce. DATA SOURCE
- In 2013, the Center for Cyber Safety and Education (Center) and (ISC)² released The Global Information Security Workforce Study (GISWS). This was conducted by Frost and Sullivan and sponsored by (ISC)² and Symantec. The report said women accounted for 11% of the workforce and involved 12,396 survey respondents. It was limited to women in private industry (versus government or any jurisdiction), and women employed by organisations with 500 or more employees. DATA SOURCE
(ISC)² said their new methodology, used from 2019, served to create a more accurate and holistic representation of the cyber and IT/ICT professionals responsible for securing their organisations’ critical assets. Data was collected from cyber and IT/ICT professionals, all of whom dedicated at least 25% of their time to cyber tasks, working with small, medium, and large organizations throughout North America, Europe, Latin America (LATAM) and Asia-Pacific (APAC). Study participants served at all levels within their organisations, and held titles that included Security Administrator, Security Analyst, Security Architect, IT Manager, IT Director, IT Security Manager, IT Specialist, CISO and CIO. DATA SOURCE
As you can see, these studies use different methodologies, and the data set sizes vary considerably. When (ISC)² changed their methodology, I believe it would have been useful to have been able to compare education vs. compensation and millennial representation in their 2021 report, as was reported in their 2019 report when their new methodology was introduced.
There’s one more example I want to use which wasn’t illustrated in the graphic. It’s from Cybersecurity Ventures who continue to provide an excellent source of information and support for women in cyber, for example in this blog.
So, let’s look at what FUD is, just in case you are unclear. FUD is an abbreviation and stands for fear, uncertainty and doubt / disinformation. Wiki tells you that the term was first used with its common current technology-related meaning by Gene Amdahl in 1975, after he left IBM to found his own company, Amdahl Corp. FUD is also thought to be a propaganda tactic used in sales, marketing, public relations, politics, polling and cults, and is generally a strategy to influence perception by disseminating negative and dubious or false information, and a manifestation of the appeal to fear.
I argue that I wasn’t spreading FUD. There is undoubtedly a shortage of women in the cyber profession, there are data gaps, fresh data is needed and there are methodology inconsistencies. But I’ll leave this up to you to decide.
Now I want to hear from you
Tell me what you think.
Could we be doing better when reporting on women? What data would you like to see?