ISC2 Women in Cybersecurity 2024 Research Report

Introduction

Cybersecurity, like many industries, is struggling to make sense of continued macroeconomic and geopolitical uncertainty. The ISC2 Cybersecurity Workforce Study found that 75% of cyber professionals believe that the current threat landscape is the most challenging it has been in the past five years, while more than two-thirds (67%) report that their organization lacks the cybersecurity staff needed to prevent and troubleshoot security issues. While the global cybersecurity workforce increased by 8.7% year-on-year to 5.5 million professionals, the highest ISC2 has ever recorded, the workforce gap is growing even faster, meaning that despite record numbers of people working in the profession, there is still a worrying level of unfilled demand in critical areas. The profession needs to grow by almost 75% to close this gap. One prominent area to look at to address this issue is the diversity of the profession. For various historical reasons, cybersecurity has not performed very well in this area. Attracting and retaining more individuals from non-traditional career and educational backgrounds, including attracting more women and professionals of color, is essential to address the workforce shortage.

Globally, 14,865 people took part in the 2023 ISC2 Cybersecurity Workforce Survey. Of these respondents, 17% were women. While this is a worryingly low figure compared to other sectors like the legal profession (53% women) and the accountancy sector (46% women), we took a deeper look at the data and discovered a number of positive trends, including women’s pathways into the profession, the roles they play within cybersecurity teams and the career path similarities with men in many areas. We also drilled further into the data around persistent challenges regarding salary, satisfaction and authenticity.

Women’s Role in Filling the Workforce Gap

The number of women working in cybersecurity has remained consistent year-to-year. ISC2 has estimated that the percentage of women in the industry is likely in the range of 20% to 25%. While there isn’t one organization tracking this metric specifically, ISC2’s numbers are consistent with Cybersecurity Ventures' Women in Cybersecurity Report, which reported that women held 25% of cybersecurity jobs globally in 2022.

One positive trend is that ISC2 expects this percentage to shift higher as more young people enter the profession. The data showed a higher representation of women within the respondent pool, starting with the 39–44 age range (16%), with the percentage increasing as age decreased (26% in the under-30 age category).

When respondents were asked how their security teams are staffed, and in particular what percentage of their security teams are women, the overall global average suggests that women make up 23% of security teams. At the extremes, 11% of survey participants said they had no women on their security teams, while 4% said more than half of their security team are women. Interestingly, the average percentage of women team members, as reported by women participants, was significantly higher than that reported by the men surveyed (30% vs. 22%, respectively), meaning women work at organizations with a higher percentage of women on their security teams. Also, significantly more men (21%) than women (13%) did not know what percentage of their security teams are women.

Of the 11% of participants who said there were no women within their security teams, half worked in the U.S. They also worked in IT Services (19%), Financial Services (13%), and Government (11%), while nearly half worked at mid-size organizations with 100–999 employees. No single sector reported a significantly higher percentage of women within security teams. Security professionals working in Cloud Services, Automotive, and Construction reported the highest percentage (28%) of women within their security teams, while the Military and Utilities had the lowest (20%).

These numbers are still a significant minority, especially given the current need for cybersecurity talent. Increasing the representation of women across every industry is needed to help close the global workforce gap. Organizations should review their cybersecurity recruitment policies and practices to ensure that they get a more gender-balanced pool of candidates and that the women in their teams are also part of the recruitment process.

Women’s Paths into Cybersecurity and Their Roles Within Organizations

Women in our survey have been working in cybersecurity for slightly less time on average than men (nine years vs 11 years for men). However, the data show that their pathways into the profession and motivations for joining are slightly different from men’s common pathways.

When asked why they initially pursued cybersecurity as a profession, women participants had significantly higher rates of pursuing cybersecurity in school (14%) and having a family member or mentor working in the field who encouraged them to pursue it (14%). This was compared to 10% of men who pursued the field in school and 11% who were encouraged by others. Women participants also wanted to work in a continuously evolving field (21%) and one where they could help people and society (16%) at significantly higher rates than men who responded (18% and 14%, respectively).

Regarding formal and continuing education, women respondents hold advanced degrees (Master’s and Doctorate-level qualifications) at significantly higher rates than men. They hold cybersecurity certifications at similar rates and have plans to acquire more certifications at similar rates to men in the industry. When asked why they wanted to pursue a certification, both genders listed the same primary reasons: to improve skills, stay current and for career development. However, women participants indicated they pursued and planned to pursue certifications to get promoted, to apply for jobs or because their organization had a skills gap at much higher rates than men.

Another positive trend we noted is that within their organizations, women appear to hold executive titles at a similar rate to men. We saw higher rates of women holding managerial level roles and lower rates of being individual contributors when compared to men. This also translated to higher rates of women being involved with hiring decisions than men (33% of women to 24% of men). In terms of job titles, more than half (57%) of women participants hold formal security titles like Security Consultant, Security Analyst and Security Engineer, while 43% hold informal titles (e.g., IT Manager, IT Director, VP IT). Men who participated in the study hold formal security job titles at a higher rate (63%).

 

Does Gender Determine Whether or Not You'll Become a Malicious Insider?

According to IBM’s Cost of a Data Breach Report 2023, data breaches initiated by malicious insiders were the most costly. Meanwhile, Verizon’s 2023 Data Breach Report found that while the average external threat compromises about 200 million records, incidents involving an inside threat actor have resulted in the exposure of one billion records or more. Additional academic research affirms that gender bias impacts managers’ perceptions of who may be an insider threat in the workplace. This is an area that needs to be explored in more detail, but ISC2’s survey showed significant statistical differences between men and women regarding malicious activity. Over a third (35%) of women respondents reported being approached by malicious actors wanting them to act as a malicious insider, compared to just 21% of men who participated.

 

Figure: Malicious insider activity, by gender

Job Satisfaction, the Persistent Pay Gap and Ongoing Challenges

Overall, women in cybersecurity like the work that they do — and at a higher rate than men. Some 76% of women reported being satisfied with their jobs compared to 70% of men surveyed. Given that 85% of employees worldwide admit to hating their jobs when surveyed anonymously, both men and women in cybersecurity appear to be doing very well. Women participants rated their overall job satisfaction higher than men for the past five years. That gap grew in the past two years, with a 9% difference in 2022 and a 6% difference in 2023. Women participants intend to stay at their current organizations longer than men who participated. More than half (53%) plan to stay for five years compared to 49% of men in the study.

Satisfaction does not necessarily translate into passion. Compared with men, women participants reported lower levels of passion for cybersecurity work in general and lower levels of feeling competent in their roles. Women also reported lower levels of satisfaction with their teams and departments. Some 64% of women are satisfied with their teams, compared to 67% of men, while 58% of women respondents said they are satisfied with their departments, compared to 61% of respondents who are men.

Passion for cybersecurity trended positively with tenure in the field, but we saw a dip amongst women respondents with 10 to 15 years of experience. The feeling of competency increased with the length of tenure in cybersecurity, but men and women participants progressed at very different rates. The career growth of men who responded was very linear, with feelings of competency consistently increasing with tenure in cybersecurity. The results for women participants were not so linear.

Feelings of competency dipped amongst women in the 6–9 years of tenure group. The gap increased with tenure (2% difference in the 10–15 years tenure group, 4% difference in the 16+ years tenure group).

ISC2 research also showed that women cybersecurity professionals continue to struggle with fair compensation, an issue that is not unique to the industry. In the U.S., the pay gap has not changed much in the last two decades, and globally, the gender pay gap stands at approximately 20%.

The average global salary of women participants in ISC2's 2023 study was $109,609 compared to $115,003 for the men who participated, a difference of $5,400. The average salary for U.S. women participants was $141,066 compared to $148,035 for men, a difference of nearly $7,000. Additional U.S. Bureau of Labor Statistics data showed that the median salary for Information Security Analysts in 2022 in the U.S. was $112,000. The median salary of all U.S. Security Analyst participants in our survey was $110,000; the median of women participants was $105,000, while for men it was $115,000 ($10,000 more).

The pay disparities grow for U.S. participants of color. The average salary of men of color respondents was $143,610, while the average for women of color respondents was $135,630 – a difference of nearly $8,000. ISC2 does not have an adequate sample yet to compare the salaries of women and men outside of the U.S.

In addition to salary discrepancies, the data showed that women are also struggling to fully be themselves at work. More than one-third of women respondents (36%) felt that they could not be authentic at work (compared to 29% of men), while 29% felt that they were discriminated against in the workplace (compared to 19% of men). These answers varied by race, ethnicity, and gender. Overall, women of Black or African descent in Canada, the U.K. and Ireland reported the highest levels, with 53% feeling discriminated against, while white and Black/African American (U.S.) men reported the lowest levels (14% each). The largest gaps existed between Hispanic and East or Southeast Asian men and women.

In terms of not being able to be authentic or “fully yourself,” men of Black or African descent in Canada, the U.K. and Ireland and South Asian women reported the highest levels (48%), while Black/African American (U.S.) and white men reported the lowest levels (26% and 27%, respectively). The largest gaps existed between Hispanic, Black/African American (U.S.), and South Asian men and women.

These are not trivial issues and may help explain the retention challenges surrounding women. McKinsey’s Women in the Workplace report found that women who experienced microaggressions in the workplace are much less likely “to feel psychologically safe, which makes it harder to take risks, propose new ideas, or raise concerns.” The report, now in its ninth year, noted, “The stress caused by these dynamics cuts deep. Women who experience microaggressions – and self-shield to deflect them – are three times more likely to think about quitting their jobs and four times more likely to almost always be burned out.”

Men and women also expressed significantly different feelings about the impact diversity, equity and inclusion (DEI) initiatives have on addressing these issues, as well as the effectiveness of their teams. Women participants felt more strongly than men that diversity and inclusivity impacted their security team performance, viewing security team diversity as important and a contributor to success at much higher rates than the men surveyed.

They also felt that DEI has been increasingly important for their security teams over the past five years and will continue to become more important over the next five.

Women participants tend to work at organizations that are doing more to attract diverse candidates with the goal of mitigating cybersecurity staffing shortages. Their organizations are looking for potential talent from within (employees outside cyber/IT), implementing job rotation and hiring those without cyber experience at significantly higher rates than the organizations that men who participated in the study work for. These initiatives appear to be working as women participants reported lower cybersecurity staffing shortages at their organizations than men (62% vs. 68%).

What Does This Mean for the Industry? Takeaways for Leaders

There are many “why” questions to ask about the data. From a numbers perspective, incrementally increasing the percentage of women in cybersecurity from only a quarter of the workforce can go a long way toward starting to fill the workforce gap.

The International Monetary Fund estimates that emerging and developing economies could boost gross domestic product by about 8% over the next few years by raising the rate of women’s labor force participation by 5.9% and that countries that close gender gaps see substantial returns. Our research revealed encouraging signs that more young women are entering the profession, progressing into managerial-level roles and impacting hiring decisions.

That said, there are ways to help increase women’s participation and satisfaction in cybersecurity.

  • Address early education. A recent Gallup poll found that interest among Generation Z women in engineering, mathematics and computing is lagging behind men’s interest and that women are exposed to fewer STEM topics in school. Only 14% of our women respondents pursued cybersecurity in school, but exposing women to cybersecurity programs early on can help create a stronger pipeline of candidates.
  • Set specific hiring, recruitment and advancement metrics. Establish targets to help organizations grow and promote a workforce that closely reflects the diversity of the population.
  • Make pay equity a priority. Actively monitor pay equity for all roles within an organization and ensure that salary and benefits are aligned based on role requirements and experience. Adjust as needed.
  • Eliminate inequities around advancement. Support women in defining their goals and ensure they have equal access to development opportunities to reach leadership roles. Greater representation of women in senior positions inspires other women.
  • Focus on the “I” in DEI. Many organizations now understand what diversity and equity mean. Inclusion will help address feelings of not belonging and of being inauthentic, and will help on the retention front.

When companies commit to and implement them correctly, DEI programs can help address skills shortages.

Methodology

Findings in this report are derived from the 2023 ISC2 Cybersecurity Workforce Study based on online survey data collected in collaboration with Forrester Research, Inc., in April and May 2023 from 14,865 cybersecurity practitioners (2,400 of whom identified as women). The respondents reside in North America, Europe, Asia, Latin America, the Middle East and Africa. A detailed explanation of the estimation methodology for the Cybersecurity Workforce Gap is included in the report at www.isc2.org/research.

About ISC2

ISC2 is the world’s leading member organization for cybersecurity professionals, driven by our vision of a safe and secure cyber world. Our more than 600,000 members, candidates and associates around the globe are a force for good, safeguarding the way we live. Our award-winning certifications – including cybersecurity’s premier certification, the CISSP® – enable professionals to demonstrate their knowledge, skills and abilities at every stage of their careers. ISC2 strengthens the influence, diversity and vitality of the cybersecurity profession through advocacy, expertise and workforce empowerment that accelerates cyber safety and security in an interconnected world. Our charitable foundation, The Center for Cyber Safety and Education, helps create more access to cyber careers and educate those most vulnerable. Learn more and get involved at ISC2.org.