Credentials are necessary, but they are not sufficient protection against the barriers women still face in the cybersecurity industry. Marie Wang, CISSP, CC, considers whether the most insidious barriers are rarely the ones anyone talks about openly.

Women in Cybersecurity: Marie Wang, CISSP, CC

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

For a long time, I believed that credentials were the great equalizer; that, if I built the right skills, earned the right certifications and demonstrated consistent results, the playing field would level itself. What I've learned over eleven years in GRC, risk governance and security leadership is that credentials are necessary, but alone are insufficient protection against the barriers women still face in this industry. The most insidious barriers are rarely the ones anyone talks about openly.

When Qualifications Aren't Enough

I interviewed for a CISO-level position at a life sciences company – a conversation I came to with a CISSP, MBA and an MS I was weeks away from completing, along with over a decade of building enterprise risk and security governance programs. I was prepared to go deep on technical architecture, risk frameworks, regulatory compliance, board-level advisory… whatever the role required. But the interview never went there.

Instead, I was asked why I was working in cybersecurity given that my undergraduate degree was in communications. Not about my CISSP. Not about my years of hands-on security governance work, nor about my experience advising boards on technology risk. My undergraduate major, which I earned well before pivoting into cybersecurity, was treated as the defining data point of my candidacy. What was the feedback when I wasn't selected? That I lacked the technical depth required for the role.

I've turned that feedback over in my mind many times. The interview never tested my technical depth; instead, it questioned my right to be in the room at all. That experience crystallized something I had sensed but hadn't yet named: for many women in cybersecurity, the bar isn't just higher, it's applied differently. We’re asked to justify our presence before we’re ever given the chance to demonstrate our capability.

This is what credential questioning looks like in practice. It's not always overt. It doesn't announce itself. It shows up as an interview that focuses on your origins instead of your expertise, with an outcome that frames your exclusion as a technical deficiency.

The Loudest Silence: Performative Allyship

Credential questioning is frustrating. But the experience that has stayed with me longest involves a leader I encountered in a professional context; someone who, by every external measure, was a champion for women in the workplace. Someone who was known for acknowledging gender microaggressions privately, for saying the right things in the right rooms. The optics were right.

What I remember most, though, is a single offhand comment this person made about a male peer we both worked with. It was casual, almost throwaway, a remark signaling that this person had never had certain opportunities before, framed as something worth celebrating and protecting.

In that moment, I understood that loyalty had already been extended, quietly and completely, in a direction that had nothing to do with merit or equity. I recognized that no pattern of behavior I experienced, no microaggression I could surface, was going to move this person to act. When concerns were raised, they were acknowledged privately, even validated, but nothing followed. Just the appearance of awareness without any of the discomfort that real action requires.

This is the form that performative allyship takes. It doesn't usually reveal itself through dramatic failure. It reveals itself through a quiet signal, a comment, a pattern of private acknowledgment with no public consequence, a moment where someone who has positioned themselves as an advocate makes clear that their advocacy has a ceiling, and that ceiling is their own comfort.

The cost of this is not just personal. It erodes trust in the systems and structures that are supposed to support inclusion. When the person positioned to create accountability is the same person protecting the status quo, there is nowhere to go. That dynamic is damaging whether it is conscious or not.

What I Believe Real Allyship Looks Like

I want to be equally specific about what genuine allyship looks like, because I have experienced that too and it deserves to be named just as clearly.

A peer of mine, someone I met through professional volunteer work in the cybersecurity community, is the clearest example I can offer. He noticed the same patterns I noticed. He named them when they occurred. When it became clear that the environment we were both operating in no longer reflected his values either, he made the same decision I did: he left.

That last part matters more than people might expect. Walking away from a space that has influence and visibility, especially when staying would cost you nothing personally, is an act of integrity. He didn't stay to manage the optics or quietly distance himself while keeping the affiliation. He made a values-based decision and acted on it.

This is what distinguishes genuine allies from performative ones: they don't just witness, they act. They don't just speak in the room where it's safe, they follow up. And they use their influence not to signal virtue but to change outcomes: recommending women for high-visibility work, advocating for promotions – and yes, being willing to step back from spaces that cause harm, even when stepping back is inconvenient.

Moving Forward

I'm writing this in 2026 and I remain genuinely optimistic about the future for women in cybersecurity. Not because the barriers have disappeared, but because I've seen what it looks like when people choose to dismantle them rather than describe them.

Organizations like ISC2 and WiCyS are creating structures for real sponsorship and accountability. More women are reaching senior leadership and using that vantage point to open doors rather than protect them. And increasingly, the professionals entering this field seem less willing to accept the gap between stated values and actual behavior.

To any woman considering cybersecurity today: your path into a role does not have to look like anyone else's. A background in communications, in healthcare, in finance, in anything, can be the foundation of an exceptional cybersecurity career. Don’t let anyone's failure of imagination become a ceiling for your ambition.

To the allies, the real ones: thank you. Keep going. Your willingness to act, not just to notice, is what progress is actually made of.

Marie Wang, MBA, MS, CISSP, CC, is a senior GRC & technology risk leader with over 11 years of experience building enterprise risk and cybersecurity governance programs in healthcare, life sciences and technology. She serves on the Equity Advisory Committee for Women in Cybersecurity (WiCyS), providing strategic counsel on equity and inclusion initiatives. She specializes in second-line risk assurance, quantitative risk assessment and board-level risk advisory.

Global 50x50 Women’s Summit

Taking place on March 18, 2026, the Global 50x50 Women’s Summit is a virtual event which will bring together women and allies from every corner of the cybersecurity ecosystem to explore how inclusive leadership, intentional sponsorship, and meaningful mentorship open doors to opportunity and reshape the talent pipeline.

Supported by ISC2 and The Centre for Cyber Safety and Education, this event builds on the work of the Global 50x50 Initiative towards a future where women make up 50% of the cyber workforce by 2050. The Summit will highlight the actions needed to create a more resilient and sustainable cybersecurity workforce for all.

By attending this live event, you are eligible to receive 3.5 CPE credits. Additional credits can also be earned with on-demand viewing.

Find out more and register now.
