Women make up just 11 percent of information security professionals. Just increasing that number to 22 percent would solve the industry's staffing shortage problem.
Unfortunately, at most companies, the recruitment process is designed to attract the kind of people who already work there. Changing that requires conscious effort. Here are some tips that might help.
1. Build a pipeline of women entering the profession
Support educational programs aimed at girls and young women in schools and colleges in your area and around the country.
Although this may seem like a long-term approach, there is a present-time side benefit -- this kind of activity helps create a woman-friendly atmosphere at a company.
Latha Maripuri, director of IBM Security Services, says this is one of the reasons why she's stayed with IBM for almost twenty years.
"They're involved in a lot of the women in technology initiatives, a lot with education," she said. "I've gone locally into schools talking to women about science and technology and doing shows to show that science can be fun that it doesn't have to be uncool, to show what the possibilities are."
2. Set up internships for young women
An internship program aimed at attracting young women to a company can help dispel some of the myths surrounding information technology careers.
It can also help women adjust their studies, if needed, to correspond to workplace requirements.
"In October, I was at the Grace Hopper conference," said Julie Talbot-Hubbard, Chief Security Officer at Symantec. "We had a recruiting table for college-age women intersted in a job or internship. A lot of them are in IT or engineers, but some are psychology or sociology majors -- and I think that's going to become more prevalent in the security world."
Companies can work more closely with educational institutions in other ways, as well.
"I think we'll also see more training programs where companies work directly with colleges to help develop the channel," said Julie Peeler, foundation director of the International Information Systems Security Certification Consortium -- (ISC)2.
3. Participate in women's professional organizations
A company can actively participate in both national and regional professional women's groups in order to give back to the community, create networking opportunities, showcase its own female leaders, and position itself as a woman-friendly company to work for.
GoDaddy, for example, which recently appointed the first woman to its board of directors, also just announced a partnership with the Anita Borg Institute.
"At GoDaddy, more than one third of the leadership is comprised of women, who are actively involved with a variety of nonprofit organizations," said GoDaddy's CTO Elissa Murphy. "In fact, GoDaddy CEO Blake Irving has long been involved with the Society of Women Engineers and the Grace Hopper Celebration of Women in Computing."
In addition, she said, GoDaddy also has a large internal network that supports the professional development of women, GoDaddy's Women in Technology network.
BAE Systems also has its own women's professional organization, Women in Leadership, employee-owned by supported by executive management.
"It fosters women of all backgrounds, in all functional organizations -- not just infosec or IT -- helping them more forward in terms of management at BAE," said Jo Cangianelli, vice president of business development for BAE System's intelligence and security sector.
4. Set up mentoring programs for women
Mentoring relationships, both formal and informal, can provide support to women thinking of entering the profession, as well as for those looking to move up in the ranks.
"I personally do reach out to people and offer them an opportunity to be mentored," said Pam Kostka, vice president of marketing at Bluebox Security. "When I look back over my history, what gave me opportunities were mentoring relationships. And I've seen it work with other women."
5. Showcase infosec women at your company
"At IBM, even without thinking hard, I can name many senior officers in security," said IBM's Maripuri, adding that she's like to see more emphasis on visibility industry-wide. "I would love to see more focus highlighting women executives in the IT security space, for younger people in high school and college trying to figure out what careers they should go."
6. Allow for better work-life balance
Women have achieved gender parity when it comes to studying law or medicine, even though you can't -- yet -- do surgery or argue cases from a home office.
The information security profession can often lend itself to both flexible hours and flexible career paths, and more companies can take advantage of that, and publicize it.
"IT and security, because it's very much doing work remotely, gives a bit more balance than people would expect," said IBM's Maripuri. "More than other careers like being a lawyer. The IT career really lends itself to taking advantage of that."
An environment that allows employees to better balance their family and professional lives and does not penalize them for making these choices isn't just a better place for women to work, but a better place for all employees who have a life outside the office.
7. Put women on all interview panels
When a female applicant comes in for a job interview, is a row of while male faces the only thing she sees?
If so, she might leave with the impression that the company is not friendly to women. Some women are comfortable working in an all-male environment, but others may get the feeling that they're not wanted, or that the company has a culture that's inhospitable to women. Otherwise, why aren't more women already working there?
"We try to include a female in the interviewing roster, partly to encourage diversity, but also to get a full representation of the company," said Bluebox Security's Kostka.
8. Write a female-friendly ad
Too often, help wanted ads are written in the form of skill lists. This automatically skews the gender balance of applicants, since men will apply if they have any of the skills on the list, while women will apply only if they have each and every one of the skills.
As a result, some potentially excellent female candidates take themselves out of the running right from the very start.
Write an ad that focuses on outcomes, instead. Better yet, use split testing to run multiple versions of an ad, and see which approaches generate more female candidates. Then tweak the wording and repeat the test.
9. Go outside the information security industry
There are great female candidates to be found in other industries who could offer substantial benefits to your security team.
Look to the legal professions, communications, risk analysis, finance, or the hard sciences. Then train the new hires in the specific security-related skills they'll need.
"Right now, on my team at IBM, half the team grew up in the security ranks and the other half are newer, with a background in project management, analytics or IT who are now learning the security space," said Latha Maripuri, director of IBM Security Services.
10. Become more hospitable to women
Does everyone in the office hit the bars together right after work? That's fine if everyone is young and single -- or has spouses willing to pick up the slack at home.
But lunch-time outings may be more appropriate for a more diverse workforce.
Are employees rewarded for working long hours at their desks -- regardless of how much they actually accomplish? Or are they rewarded based on their actual value to the company?
Then there are more subtle things, like tone of voice. In a male-dominated environment, some men may use their knowledge and skills as a kind of verbal weapon against others. This creates an unpleasant environment for everyone else, especially for women.
"Women tend to be -- generally speaking -- more socially engaged," said Lynne Williams, an information technology professor at Kaplan University, who has seen this exact dynamic play out repeatedly in her computer science classes. Since switching to online teaching, she said, women's participation in classes has gone up dramatically -- and the gender balance is now nearing parity.
"In an online classroom, you're not having to deal with all the competition," she said. "Women are not afraid to ask questions in that environment. I have a lot of women students now coming through my IT graduate courses, and they're doing as well or better as the fellows."
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.