
(ISC)2 Aligns To Cybersecurity Ventures’ Women In Cybersecurity Prediction Of 20 Percent

Observations on a popular statistic recalculated for 2019

Steve Morgan, Editor-in-Chief

Sausalito, Calif. — Apr. 2, 2019

Last week, at the WiCyS Conference in Pittsburgh, Pa., Cybersecurity Ventures announced our 2019 Official Annual Women In Cybersecurity Report which predicts women represent 20 percent of the global cybersecurity workforce in 2019.

A few days after the Cybersecurity Ventures report published, (ISC)2, which for years and up until recently had been stating that women held 11 percent of cybersecurity positions, released a new report which aligns more closely to the Cybersecurity Ventures 20 percent figure.

The 2019 report from (ISC)2 — which relied on a small survey with 1,452 responses (conducted by Spiceworks) — states that women now make up almost a quarter of cybersecurity roles — although the methodology is new and confusing. The report asks “Why the big shift” — and answers, “We talked to certified cybersecurity professionals in official cybersecurity functions as well as IT/CT professionals who spend at least 25 percent of their time working on cybersecurity responsibilities.” 

It’s not exactly clear to Cybersecurity Ventures what the new and seemingly arbitrary method from (ISC)2 means, or if it’s sensible. If a woman spends 25 percent of her time on cybersecurity, then she’s counted in — but if she spends 20 percent of her time on cybersecurity, then she’s not?

The good news is that (ISC)2 has cleared up any confusion for the media and others that follow the representation of women in cybersecurity. Cybersecurity Ventures first shared the 20 percent figure last year, and it has been circulating in the media ever since — while other media have been featuring the old 11 percent figure espoused from (ISC)2. Now everyone can agree on the data supplied by Cybersecurity Ventures, which vets and synthesizes research from multiple sources including (ISC)2.

Cybersecurity Ventures would like to acknowledge the 2013 Global Information Security Workforce Study, a Frost & Sullivan Market Study, in partnership with (ISC)2 and Symantec. The study, authored by Michael P. Suby, VP of Research, Stratecast | Frost & Sullivan, was thorough and well written, forthcoming about its format (a survey with 5,814 respondents), and helped our industry shine a light on the underrepresentation of women in information security — which was estimated at 11 percent of the workforce. For this, the survey deserves and has earned much praise.

For perspective and clarity on the original 11 percent figure, the 2013 study was limited to women in private industry (versus government or any jurisdiction), and women employed by organizations with 500 or more employees.

At the time of the study, 48 percent of all U.S. employees worked for small businesses, according to J.P. Morgan Chase & Co. — and also at the time of the study, as majority and joint business owners, women entrepreneurs generated $453 billion in payroll for 14.9 million workers through over 12.3 million (mostly small) businesses, according to the Small Business & Entrepreneurship Council.

In the same time period, women held 14.6 percent of executive officer positions in the private sector — whereas in the U.S. federal workforce, 34 percent of all SES (leadership) positions were occupied by women, according to a March 2014 report by the Center for American Progress. Finally, all information security and cybersecurity product and services companies (which employ a disproportionately higher percentage of security workers compared to other industries) with under 500 employees were excluded from the survey.

These data points are not intended to criticize the 2013 study — rather they are provided in order to bring perspective to the actual demographic covered, and not covered.

A 2015 follow-up, Women in Security: Wisely Positioned for the Future of Infosec, a Frost & Sullivan market study in partnership with (ISC)2 and Booz Allen Hamilton (BAH), also authored by Michael P. Suby, offered a slightly lower figure: women represented 10 percent of the information security profession.

The 2015 study stated that women as a percent in GRC (Governance, Risk and Compliance, which has since become more central to cybersecurity) roles is double their percent in all of InfoSec — 20 percent versus 10 percent. Unfortunately, most media inclusions (no fault of the researcher) of the report focused on the 10 percent figure, which was often rounded up to 11 percent — to align with the previous 2013 study.

Women as a percent of total employed U.S. information security analysts in 2015 was more than 18 percent, according to the 2015 study. Women held 19 percent of GRC leadership positions, compared to men at 12 percent. But those figures, and others such as the difference between women represented in security in developed countries (versus undeveloped countries), were overshadowed by the media’s persistent headlines featuring the 11 percent figure.

This excerpt from the 2015 study emphasizes the growing number of women in the security profession: “According to the 2015 survey, one out of five women identified GRC as their primary functional responsibility. Comparative, one out of eight men hold similar roles. This data point is important as the GRC role is reflective of where the InfoSec profession is evolving: increasingly focused on business risk management. Both genders signal agreement on this point as both women and men in leadership positions indicated that risk assessment and management, GRC, and incident investigation and response are the skills they most need to build over the next three years. Additionally, both genders indicated that a greater share of them will be in GRC roles in the future.” And yet, from 2013 all the way up through the latest survey in 2017 — which continues to show up in the media in 2019 — the 11 percent figure continues to reverberate.

Cybersecurity Ventures posits that if the original survey and subsequent studies had included all organizations and not just those with more than 500 employees — which would also count in the entire ecosystem of information security and cybersecurity companies — and if they had also weighed in all GRC and incident investigation and response skills, then the original 11 percent figure would have been substantially higher.

The 2017 Global Information Security Workforce Study: Women In Security, a Frost & Sullivan white paper presented by The Center for Cyber Safety and Education and Executive Women’s Forum (EWF), is co-authored by Jason Reed, senior industry analyst, CyberSecurity, at Frost & Sullivan; Yiru Zhong, previously an analyst with Frost & Sullivan (and currently lead analyst, IoT & Enterprise at GSMA); Lynn Terwoerds, executive director at EWF and member of the board of directors at Northwest Maritime Center and Wooden Boat Foundation; and Joyce Brocaglia, president & CEO at Alta Associates and founder of EWF.

This latest study states that women are globally underrepresented in the “cybersecurity” profession (they’ve evolved their terminology from “information security” in early studies, but the criteria have seemingly remained the same) at 11 percent — indicating zero growth.

The 2017 study states that the number of unfilled cybersecurity positions will widen to 1.8 million by 2022, according to projections from Frost & Sullivan. That research comes from an online survey conducted by (ISC)2 released in 2017. At the time, Cybersecurity Ventures predicted that there would be 3.5 million unfilled cybersecurity jobs globally by 2021. (ISC)2 has since updated their figure by a whopping 1.2 million additional positions — and their more recent projection, which nears 3 million openings, more closely aligns to Cybersecurity Ventures’ prediction, which has been unchanged since 2016. The massive difference between (ISC)2’s two projections may be the result of relying on surveys in order to publish statistical data — and it may indicate that the survey-based 11 percent figure is actually much larger as well.

We’re interpreting the 2019 report from (ISC)2 as essentially stating that they still view the number of women globally represented in cybersecurity at 11 percent when calculating based on positions devoted to cybersecurity — and they’ve inflated that figure to 24 percent by counting in women that spend at least a quarter of their time devoted to cybersecurity. Even still, we believe the new data will show up in the media as a top line statistic that more closely aligns to Cybersecurity Ventures’ 20 percent prediction, which is based on women in positions that are focused primarily on cybersecurity.

Cybersecurity Ventures has a high opinion of the organizations herein — Frost & Sullivan, (ISC)2, and The Center for Cyber Safety and Education — which have excellent reputations based on their contributions to our industry. If there’s any concern on our part, it’s the media’s tendency to lock on a statistic that can lead to misinterpretations of important data — in this case the representation of women in cybersecurity — and how it can affect outlooks and decisions. This is especially true of data that is used by students, parents, educators, and job seekers.

Out with the old 11 percent, in with the new 20 percent.

Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
