The Department of the Prime Minister and Cabinet has published a new academic literature review that explores why so few women work in cyber security, as part of its increasingly active and multi-faceted role in helping beef up cyber defenses across the board.
It is part of the government’s work to build up Australia’s overall “cyber resilience” through initiatives like the new Cyber Resilience Taskforce, headed by Sandra Ragg, which held its second “sprint” last Wednesday. According to to PM&C:
“As the worldwide gap between qualified security professionals and unfilled positions climbs towards a projected 1.8 million by 2022, attracting and retaining women in cyber security professions is a crucial part of ensuring Australia’s cyber resilience.”
There isn’t much literature to review that looks specifically at the cyber security niche so the researchers looked at the wider world of ICT, and the more general category of science, technology, engineering and maths (STEM). It found “marketing, role models and hiring practices” are key barriers that discourage women from this type of work, in line with PM&C’s own exploratory research.
The researchers from UNSW Canberra’s new Public Service Research Group and the Australian Centre for Cyber Security (an academic team not to be confused with PM&C’s Australian Cyber Security Centre) found “a complex and multi-layered picture, replete with persistent and enduring barriers” that combine to make cyber part of the STEM boys’ club:
“Barriers to girls and women commence early – from primary school – and continue throughout women’s careers to the executive levels. Barriers also exist at all stages of the employment life cycle, from recruitment to career development and performance management, culminating in women leaving the industry.”
The reviewers list eight key findings, including a lack of specific information about the cyber security sub-industry in Australia.
They cite a study published this year by the Executive Women’s Forum, which found women make up just 11% of the global information security workforce, and 10% in the Asia-Pacific region, where it also found no women holding “c-level” cyber jobs. Over half of the worldwide cohort are working in “entry-level or nonmanagerial” jobs.
As an aside, the CSIRO recently appointed a female chief information security officer, Jayne Leighton, who began on August 7. ““I am excited to lead CSIRO’s cyber security operations, and am looking forward to being a part of the extraordinary and innovative organisation that is CSIRO,” Leighton said in a statement on Tuesday.
“It will be wonderful to contribute to and enable CSIRO’s scientific and organisational objectives, to support the CSIRO culture while ensuring the security and integrity of CSIRO’s information systems.”
The EWF global survey also found “women in the cyber security industry experience widespread discrimination, persistent occupational segregation, and wage inequality” and the literature review cites other research that painted a depressing picture of what it is like for those women who do try to crack into the masculine industry:
“In Australia, specific practices and policies that have been found to exclude, marginalise, or disadvantage women in the STEM and ICT fields include: long hours working cultures, women professionals being excluded from the “boys’ club”, women being subjected to sexist remarks, and the technical expertise of women being regarded less seriously than that of male colleagues.”
According to data from Professionals Australia, a union representing some scientists and engineers, almost a quarter of women who decide to leave their current employer, occupation or industry list “culture” as a major factor. The review also cites a range of research showing other factors pushing women to give up on their careers include “widespread discrimination” and a lack of flexible working arrangements, as well as limited career progression and development opportunities.
The new report points out it wasn’t always this way, noting that in the early days of computing, “programming was so female dominated, it was seen to be a ‘pink collared profession'” among other types of clerical work seen as suitable for women, and that in World War Two, code-breakers were mostly women.
By the 1970s, it notes computer programming “began to shift from low-level clerical work to a more highly skilled, challenging, and well-remunerated profession requiring knowledge of logic, mathematics, and electronic circuits” and men began to take over the higher-level roles. Early home computers were marketed mostly as toys for boys, “giving boys an early head start in the burgeoning computer sciences field” according to some research.
The literature review shows there isn’t much research specifically investigating the gender gap in cyber security, but it seems reasonable to expect it is mostly due to the same factors that cause gaps in ICT and other STEM professions, which have been studied.
The reviewers line up evidence that strongly suggests the issue is cultural, and demonstrates “the belief that women are inherently less capable than men, or biologically predisposed to non-STEM disciplines” is likely to be incorrect:
“If this were so, … gender differences would be consistently observable across countries, over time. Instead, the gender gap in mathematics varies from country to country, and has been shown to rise and fall with different pedagogical approaches (Prinsley et al., 2016). A metaanalysis of more than 240 studies published between 1990 and 2007 found no statistically significant gender difference in mathematics performance (Lindberg et al., 2010).”
In Australian schools, the gender gap has widened since 2003 in terms of both results and choosing to study maths and science, the review notes.
“In contrast, Singapore, one of the world’s top performing countries in maths and science, has nearly closed the gender gap in both performance and perceived self-efficacy in these subjects through a targeted maths curriculum and heavy investments in pedagogical training, illustrating that girls can and do excel in these subjects given the right educational environment (OECD, 2014).”
The PM&C-commissioned literature review is linked to the department’s Women in Cyber program, which involves an event held on International Women’s Day in March and a Women in Cyber mentoring program that was run last year and will be back again in 2017.