As the race to recruit female talent in STEM continues moving ahead with steady progress, stunning statistics still wrack the cybersecurity sector: Women working in cybersecurity currently account for less than one quarter of the overall workforce.
Megan Rapinoe. Sister Rosetta Tharpe. Shirley Chisholm. Donning jeans and a Ukrainian flag t-shirt, the director of the nation’s lead cybersecurity agency ticked through PowerPoint slides of women “who took a sledgehammer to the glass ceiling.”
“I need your help,” said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, on Friday to an audience of 1,700 female cybersecurity professionals assembled for a three-day technical conference in Cleveland. “We need to get to 50% of cybersecurity by the year 2030. Think we can do it?” Someone whistled. AC/DC pulsed through the speakers. “Come on!” Easterly rallied.
After exiting the stage, Easterly told CBS News she has become accustomed to setting “unreasonable” goals. “That’s been sort of my [modus operandi] my entire life,” she quipped. “And I honestly believe if you set a super ambitious goal, and you as a leader inspire and empower people, and look at that goal as something that may be challenging, highly ambitious, but is in fact achievable, you can get there.”
Pressed on how close America’s cyber defense agency is to “getting there,” Easterly responded down to the decimal. “Right now, we’re at 36.4% women at CISA’s workforce, but I think we can get to 50% before 2030.” She paused before adding, “Actually, I’m hoping we can get there before 2025.”
Easterly says she hopes colleagues across the federal workforce – including FBI, NSA, U.S. Secret Service – make similar pledges. The Army veteran-turned-corporate leader came close to “getting there” in her previous stint as head of Firm Resilience at Morgan Stanley, where she oversaw a team that was roughly 48% women.
Currently, there’s just one woman serving as chief information security officer, or “CISO,” among the top 10 largest companies nationwide: Chandra McMahon, CISO of CVS Health. The former executive at Verizon and Lockheed Martin can remember what it was like to be the only woman in the room.
“Cybersecurity is not well understood as a career or as an opportunity,” McMahon said during an interview with CBS News on Friday. “What most people don’t realize is that there’s a spectrum of roles and careers that you can have.” McMahon rattled them off: “Penetration testers, ethical hackers, the cyber security engineers and architects.”
But the gender gap marks just one of the cybersecurity workforce’s persistent challenges. Hispanic, African American, Asian and American Indian/Native Alaskan workers made up just 4%, 9%, 8% and 1% respectively of the cyber security workforce, according to the Aspen Institute.
An estimated 3.7 million cybersecurity jobs are available but unfilled, according to the latest (ISC)² Cybersecurity Workforce Study, with 377,000 of those vacancies located in the United States. By that measure, the global cybersecurity workforce will need to grow 65% in 2022 to effectively defend organizations’ critical assets.
Last week, Microsoft called recruitment of women “mission-critical” to filling the worldwide cyber vacancies. A survey commissioned by Microsoft Security found that only 44% of female respondents felt sufficiently represented in their industry.
Not all “black hoodies” and “dungeons”
Part of the federal government’s cyber strategy is just showing up. Easterly, who ditched plans to appear via video at Friday’s Women in Cybersecurity Conference only to instead dance onto stage to the tune of AC/DC, recounted the thrill of manning CISA’s booth at the conference.
“At the end of the day, if people can see me as the director of America’s Cyber Defense Agency, then there are women out there who can say I can be her,” she told CBS News.
A decade ago, that lack of visibility in a security field known for operating behind the scenes served as the inspiration for the group behind Friday’s conference, Women in Cybersecurity, or “WiCyS.”
“I think people have to understand that even though cybersecurity works best when it’s invisible, there are so many people behind it,” said WiCyS founder Dr. Ambareen Siraj.
“There’s this stereotypical notion about cybersecurity that it’s all about fighting. And we’re all working in some sort of dungeon in black hoodies. But it is really not the case,” Siraj said.
Unclogging the cyber talent pipeline will require more than just breaking a stereotype though, with experts advocating for more outreach to non-traditional candidates.
“Some of the best talent we have in cyber did not come from a background in cybersecurity,” McMahon said.
Just 38% of women came from an IT background, compared to half of men in today’s cybersecurity workforce. According to the (ISC)² report, women also have higher rates of entry from self-learning (20%) compared to male counterparts (14%).
“We’re now seeing an opening in the market for cyber skills. It’s not so siloed in that you must have a cybersecurity degree,” McMahon added.
Mind the gap: reshaping the federal workforce
Just 25.2% of the full-time federal cyber workforce is female, compared to 43.6% of government workers nationwide, according to the non-profit Partnership for Public Service, which assesses data from the U.S. Office of Personnel Management and U.S. Census Bureau.
The federal cybersecurity workforce is also decades older than the U.S. labor force. The percent of full-time cyber employees under the age of 30 steadily increased from 4.1% to 6.3% between September 2014 and September 2021. But it still lags behind the almost 20% of the employed U.S. labor force in 2021 that is under age 30. In the federal IT workforce, there are 15 times more employees over the age of 50 than under age 30.
“I think the most fundamental problem in the federal workforce is the lack of generational diversity,” said Max Stier, head of the Partnership for Public Service. “There are very, very few young people in the federal technology and cyber workforce. And it becomes this self-fulfilling prophecy: the absence of young talent makes it harder for new young talent to want to come in or stay.”
Data on the federal government’s cybersecurity workforce vacancies remains scarce, but Stier estimates a “minimum of tens of thousands of jobs” is needed to bolster U.S. cyber defenses.
A 47-page audit by the Senate Homeland Security Committee last year found federal agencies responsible for safeguarding the security and personal data of millions of Americans earned a C- report card in talent recruiting.
Since 2014, the Department of Homeland Security has received a whopping $76 million to create a new cyber talent recruiting system, which launched last November with 150 job postings. DHS received 650 applications in its first 48 hours of operation but has not released further progress reports on hiring. There are currently five positions posted on the Cyber Talent Management System’s dashboard.
Easterly says CISA, an agency of approximately 5,000 full- and part-time employees, plans to hire between 500 and 1,000 more in the next few years.
In an effort to reach young talent, the agency has also formed partnership programs with the Girl Scouts, Cyber Corps, and Historically Black Colleges and Universities.
But among career leaders in the government’s Senior Executive Service (SES), just 28% of STEM leaders are female, and only 19% are people of color.
“It’s not just women, but it’s all types of diversity. Whether that’s neurodiversity, diversity of gender identity, of sexual orientation, of race, of national origin,” Easterly said.
Leaders from across the federal government and private sector have likened diversity initiatives to a national security imperative.
“What we would like to see is a strong, adequate cybersecurity workforce that has people of all kinds, different racial backgrounds, ethnicity, gender,” said Siraj. “When we have diverse people working in cyber, which is an extremely complex place, then it is more likely that we are going to bring the different perspectives and skills necessary to solve complex problems.”
No room for “vigilance fatigue” amid Ukraine-Russia crisis
As information warfare plays out in the shadows of the Ukraine-Russia crisis, Easterly worries about “vigilance fatigue.”
“It is hard to maintain a very high tempo of extreme preparedness,” she conceded. “But we are not even a month into this unjust, illegal, unprovoked invasion of a democracy and we need to continue to keep our shields up,” Easterly told CBS News.
CISA and the FBI have released two alerts this week alone, including a joint bulletin to satellite communication (SATCOM) networks just days after the hack of telecommunications firm Viasat by unidentified actors disrupted broadband satellite internet access at the start of the Russian invasion.
That fatigue is further punctuated by a cybersecurity workforce shortage that sees more than just the federal government working overtime to monitor potential threats.
CISA and FBI “have not identified cyber activity in the US Homeland attributable to Russian state actors since the invasion commenced,” an NYPD intelligence bulletin obtained by CBS News and published last week indicated.
But since November, the Department of Homeland Security has overseen more than 80 briefings, table exercises and informational sessions with the private sector designed to bolster U.S. cyber defenses in the event of Russian malicious cyber activity.
Through its Joint Cyber Defense Collaborative, CISA administers a Slack channel dedicated to information sharing with tech and cybersecurity giants, including Cloudflare, CrowdStrike, Mandiant, Microsoft, Verizon, Google, and Amazon Web Services, along with the NSA, the FBI, and US Cyber Command.
Still, cybersecurity advocates worry that a lack of investment in cybersecurity extends to the larger workforce, with compromises a few clicks away from unwitting employees scanning through email inboxes. “You actually need the broader workforce familiar and capable of addressing these cyber challenges in the context of their normal, daily jobs,” Stier said. “Consider the classic phishing incident.”
“We are putting out more and more information so that the public understands the nature of the threat environment,” Easterly said Friday. “We have said consistently that every business – large and small – remains at risk and is vulnerable to Russian malicious cyber activity. That’s why we need to continue to keep our shields up, to be prepared, to be vigilant, to keep our thresholds low for sharing information about anomalous activity, and to ensure that we are working together for the collective cyber defense of the nation.”
Catherine Herridge contributed to this report.