Women account for less than one-quarter of the cybersecurity workforce overall, and in government the gap is often even wider.
Speaking Tuesday at a conference in National Harbor, Maryland, Maria Thompson, the chief risk officer for the North Carolina Department of Information Technology, shared her theory of why this continues to be the case.
“If you wake up in the morning and everyone you work with looks the opposite of you, you’re not going to think that’s a welcoming environment,” Thompson said at the National Association of State Chief Information Officers’ midyear conference. “And we know IT’s a man’s world.”
Thompson, who joined the North Carolina government in 2015, came to the state after a 20-year Marine Corps career she concluded as the branch’s cybersecurity chief, and several years as a military contractor in Iraq. Even though there is a steady pipeline sending former military personnel into government IT positions, Thompson said she stuck out as a woman of color.
“I was one of the first 30 Marines selected for [information assurance],” she said. “Every step I was probably that one in ten, unfortunately. But it made me a lot stronger.”
In her current role in North Carolina, Thompson said she’s made strides in developing programs with private-sector partners in which girls in grade school can learn computer programming and related skills that could seed a talent pipeline.
“Start with the junior girls, get them interested so they want to dive in, not just using IT for TikTok,” she said, referring to a newly popular social-media platform. “They can actually learn something.”
She also highlighted North Carolina’s participation in Girls Go CyberStart, a national online competition backed by the SANS Institute in which female high-school students learn programming, cryptography and digital forensics skills. About 6,600 girls from 16 states participated in the 2018 edition, including 468 from North Carolina. State officials have said they aim to triple that figure in 2019, and Thompson said one way to increase the numbers will be inviting girls in the state’s juvenile justice system to participate.
“You can change lives if you’re able to get just one,” she said.
‘See people who look like you’
While there are many programs that target female students, Thompson said IT leaders still haven’t figured out how to attract women who have already started their careers, but might consider cybersecurity.
“There is a long-term strategy and a short-term strategy,” she said. “The long-term is getting them while they’re young. The now strategy is how you get women my age interested.”
Laura Bate, a policy analyst at the New America Foundation, said there still isn’t good research on what attracts women to cybersecurity roles and keeps them in the field. One way to get better insight would be to foster communication and collaboration between the dozens of training programs, nonprofit organizations and industry affinity groups aimed at increasing female representation in cybersecurity.
“There are lots of women-in-cybersecurity groups, but how do we get them to talk to each other?” said Bate, who co-authored a recent New America report on bringing more women into the industry. “We really don’t have a sense other than anecdotally — or really scientific Twitter surveys — what keeps women in cybersecurity jobs.”
Technology officials from other states who attended Thompson and Bate’s session offered anecdotes of their own attempts to make their cybersecurity staffs more diverse. Andy Hanks, Montana’s chief information security officer, said an office where everyone looks the same often lacks for a diversity of ideas.
“I have a cybersecurity team of 10 white guys,” he said. “I ask a question and I get back the same response.”
New York CISO Deborah Snyder said state governments could do a better job explaining the benefits of a more balanced workforce.
“Until we stop looking at diversity as a problem and talk about it as a virtue and winning proposition, we are always going to be behind the curve,” Snyder said.
Thompson said representation at high levels of IT management is one of the biggest difference-makers.
“From a leadership perspective, you need to be able to see people who look like you and see that you can advance in that position and own it,” she said. “We’ve made some strides, but there is a long way we can go.”