That said, the International Information Systems Security Certification Consortium (ISC)2 and the consulting firm of Frost & Sullivan feel they understand why digital bad guys are winning. Information-Security departments are not paying enough attention to company business objectives, they are unable to communicate effectively with other departments, and team members have a homogenous set of skills.
Women under representedThe two organizations go on to explain why the situation is what it is in their report, Agents of Change: Women in the Information Security Profession [PDF]. Quite simply, the group feels there are not enough women in the Information-Security field. Women only represent 11 percent of the Information-Security workforce which is discordant with other professions where women are near parity with men. According to the report:
“In comparison to representative labor statistics—women in 2012 accounted for 46.9% of the United States total labor force and 51.5% of United States management, professional, and related positions—it is clearly evident that women, at just 11% of the Information-Security profession, are greatly under represented.”
The report did not go into detail as to why the dramatic difference, but did say it was crucial that the status quo change.
Why women are needed
As to why it is crucial to change the status quo, the report was clear. The expertise needed to get Information Security back on track requires skills that are not prevalent and not considered crucial by today’s Information-Security departments. The (ISC)2 news release for the report explains: “While technical skills are integral to developing a strong security posture within organizations, it's important to supplement the proper skills and perspectives necessary to make impactful businesses decisions.”
The news release then hints at why it is important to have qualified women working in Information Security: “The report findings demonstrate that the surveyed women believe a successful information security professional should maintain a variety of skills vs. surveyed men, who believe technical skills should be the priority.”
The group running the survey came to that conclusion based on how participants responded when asked to determine how important the following attributes were:
- Communication skills
- Broad understanding of the security field
- Awareness and understanding of the latest security threats
- Technical knowledge
- Security policy formulation and application
- Leadership skills
- Business management skills
Here are the results.
It may seem too close to call, but Michael Suby, author of the report and Vice President of Research at Frost & Sullivan spoke to the significance of the results:
“While graphically the differences seem slight, these differences are nevertheless statistically significant with the exception of technical knowledge—the sole category selected by a smaller percentage of women as very important or important. Our interpretation is that technical knowledge is not becoming less important; rather, other skills that cut across disciplines are growing in importance with both genders, but more so with women.”
Julie Peeler, Director of (ISC)2 explained to Tim Wilson of Dark Reading News why these attributes are increasingly important:
Security is becoming less about technology, and more about people—understanding their behavior, and protecting users as they do their work. The study shows that women tend to value skills such as communication and education—the skills that are currently in short supply.
The report alludes to it, but I want to come right out and say it. It is all about diversity. Ask any sociologist: cultures or any group of people with a common purpose such as a business, do best when there is a diverse pool of human resources functioning together toward a common goal.
I’m no whiz in the math department, but even I know that 90 percent is about as “un-diverse” as a group can get.
All slides were courtesy of (ISC)2 and Frost & Sullivan.
Michael Kassner is currently a systems manager for an international company. Together with his son, he runs MKassner Net, a small IT publication consultancy.