Whilst there is no doubting that the majority of today’s security teams comprise some extremely talented individuals there is also no getting over the fact that it is an industry dominated by men.

If you look at any organisation with a large security function then you will surely know that from a simple look around the office. But for those of you who require data, a new Frost & Sullivan market study – Agents of Change: Women in the Information Security Profession – shows that the fairer sex only make up 11% of the professionals within the industry.

The reason why infosec has traditionally been a male preserve may be down to the fact that it has, rightly or wrongly, often been perceived as a highly technical field and men are often thought to have a better technical ability than men (again, I personally do not subscribe to that feeling).

Frost & Sullivan’s report shows, however, that the skill set of an information security professional is diversifying over time. Whilst technical skills are not diminishing in importance, other factors are increasingly coming into play.

If you are someone who works in the industry then I am sure that you are already aware how important other facets have become. Skills such as communication are, in my opinion, in desperate need in a profession where conveying concepts and other important data to the board are an essential part of security and yet so often badly presented.

As Julie Peeler, (ISC)2 Foundation director said,

“Security is becoming less about technology and more about people — understanding their behavior and protecting users as they do their work. The study shows that women tend to value skills such as communication and education — the skills that are currently in short supply.”

And yet, ironically, the typical skills that women can offer are exactly what the industry are crying after. The report shows that women tend to have a far more diverse educational background and a better grasp in many areas. When looking at communication skills, broad security understanding, awareness and understanding of the latest threats, technical knowledge, security policy formulation, leadership skills and business management skills women tended to possess greater skill than men in all but tech knowledge.

So why is the infosec industry not employing more women, especially in the higher levels of organisations?

The report highlighted how the proportion of women within the industry has not changed much in recent years, despite the rapid growth in the number of people employed overall. So there is obviously some fundamental reason why women are not attracted to the profession. Perhaps that is exactly because it is still perceived as being a male dominated role and so, therefore, one that women may choose to pass on? Or could the education system be to blame – computer science is still dominated by men at school level – perhaps teachers are not encouraging women enough in this area? Or could it be that those who are responsible for recruitment are still far too interested in technical skills (I think so)?

Michael P. Suby, VP of Research Stratecast said,

“Enterprises should also consider the steps that they can make to encourage more women to pursue the information security profession and, for those in the profession, to stay. Foremost among those steps is for the male leadership in and out of the information security field to recognize the concrete and complementary value that women bring to information security. Also, in their recruiting and hiring decisions, greater emphasis should be placed on building a more diverse information security team. Technical skills, while still important, must be increasingly supplemented with the multi-disciplinary skills and perspective necessary to make subtle but impactful risk management decisions.”

Do you think women are underrepresented in the industry and, if so, what do you think we can do to remedy that situation? After all, there is some exceptional talent out there and, with a shift in perception, I could see women dominating the higher echelons of infosec in the future. But only if they are encouraged to start such a career in the first place.