Will we see more women CISOs in 2023?
Research from Accenture provides an insight into why there are so few female CISOs, along with plenty of advice for both C-suites and aspiring women leaders on how to help more women rise to the top.
That women are underrepresented in tech leadership is not news, but an under-explored aspect of the tech diversity discussion is the gap between cybersecurity and the rest of the sector as a whole. The higher up the leadership ladder you look, the wider that gap gets.
Women held 17% of CISO positions within the Fortune 500 by mid-2021, whereas they made up approximately 27% of CIO positions among the same group of companies.
The picture is even less diverse in the UK, with just 8 female CISOs among the FTSE 100, whereas women make up 20% of CIO roles in the same group.
This gap is less pronounced at entry level. Women hold somewhere between 26% and 27% of tech roles overall and 25% of cybersecurity roles.
Why do fewer women progress to cybersecurity leadership positions when compared to tech leadership overall?
This is the question that the Accenture Cybersecurity Forum (ACF) Women's Council set out to answer when conducting the research contained in Rising to the Top, released towards the end of last year. The research draws on input from successful CISOs, both male and female, and as a consequence has uncovered some interesting areas of difference.
Risk aversion
43% of all of the CISOs surveyed rated professional risk as either very important or the most important factor in turning down a CISO role. CISOs often report into a CIO or CTO and are therefore often not considered professionally equal to those positions, yet it is the CISO who risks being offered up as a sacrifice if bad publicity after a security breach necessitates one.
Valerie Abend, Global Cyber Strategy lead at Accenture, explains how this professional risk profile can put off exactly the people that cybersecurity needs.
"Most people come to cybersecurity because they love technology. But a special thing that comes into play with people in cybersecurity is that they can be very mission focused on playing the part of the hero. That can be taken to a level of personal risk taking that is a barrier to getting all the people we need into the field to address the actual risks that we face."
"Previous research showed us that having the light shined on you when an incident occurs, and all of the personal risks that come with that, not just in terms of your company and the senior leadership, but also all of the employees and all the people who work for you and also by your peers and even the media in certain instances, can weigh on people's minds. It can feel like it's too much personal risk to take."
The extent to which women are more risk averse than their male peers is an interesting topic. The most recent research has suggested that men and women really don't differ a great deal in their attitudes to risk. Previous research that declared women to be more risk averse tended to focus on the kinds of risk taken by men, such as extreme sports, which skewed the findings. What does differ is how other people perceive risk taking by men and women.
When women take risks they are more likely to be negatively judged as a result, whereas men report more positive responses to their risk taking.
He said, she said
Lisa O'Connor, Global R&D lead for Security at Accenture, highlights some of the most insightful research findings.
"We found that men were more likely to rise within their existing organisation and women were less so. 57% of male respondents had been offered the CISO role in their existing employer whereas only 40% of female respondents had.
"However, once women announced their candidacy and put their hat in the ring they were hired much more quickly.
"Men tend to stay in that hiring cycle for mostly 12 months or more whereas women are hired within three to six months."
The numbers quoted in the report are that 76% of women said that their search had taken less than 6 months, whereas only 20% of men said likewise. This looks even more interesting when combined with the following finding:
"We found that the women we surveyed overestimated the value of tech in that CISO role," says O'Connor. "40% of them said they had done that, whereas only 14% of men had. What gets you to the role of CISO is not what you need in that role. As a C-level role it's about communication, collaboration and getting the salient messages to the right people. I think we need to dispel the misrepresentation of the CISO role and show what the leadership characteristics are and the skills needed.
"I think that would also broaden the number of people seeing themselves in that role and valuing the skills they bring to the table."
These combined findings suggest that an overestimation of the technical skills required at CISO level is preventing women from applying, but when they do decide to go for it, they're hired quickly.
Another area where there was a notable difference between genders was the importance of sponsorship. 50% of women said they had underestimated its importance, as opposed to 21% of men. Sponsorship is pivotal to progression in a corporate environment. As O'Connor says:
"It's the person that's going to advocate for you when you're not in the room. It's the person listening out for things that can derail you and get feedback to you so that you can be successful."
As a security lead herself, O'Connor was clear in her advice for candidates.
"At this level, even in the interview process, both men and women should be asking to meet with the people who should or could be their sponsors to test the waters and the culture of the company. They need that support and advocacy when they're not in the room because this is a high-risk role. That's what will help them be successful in it."
It's not about the why, it's about the how
The report concludes with a number of recommendations for both women cybersecurity executives and C-suite executives and boards. Abend explains why she considered both to be necessary and why this isn't about trying to "fix" women to fit the specifications of a male-defined role.
"If you want a leadership role you, as a leader, have to grow. So let's demystify for women what that looks like. It's not to say we have to change women, it's to say, 'know this is happening and this is what good leadership will require of you.' Let's make it explicit. You can still be who you are and you should still show up as who you are. But I don't want this to be a mystery anymore because it was a mystery for me until people pulled me aside and told me what I needed to do."
Both Abend and O'Connor state in no uncertain terms that effective cybersecurity depends on diversity of thought. If we're all looking at problems the same way then our adversaries have a huge advantage. When it comes to messaging, it's no longer about why cybersecurity needs to be more diverse, it's about how it can get there.
"It's about acting intentionally not just having good intentions," concludes Abend. "You have to not only have formalised programmes around sponsorship and mentorship, you have to make sure job descriptions don't have unnecessary additional boxes to check. Also think about interviewing. Don't start the interview process until you have a diverse range of candidates and interview the diverse candidate first. That's going to make a big difference in who gets hired. And you should make sure that you have a diverse slate of people do the interviewing.
"It's really important to act intentionally and then to measure it. We hold people accountable. You can't actually put people in leadership development programmes if you don't have a diverse slate of people being nominated. We can't promote people unless they have the right balance of diversity in their promotion list. It's systematised, and it's accountable. And I have seen how our business has grown and how much better our solutions are for our clients through that process."