Tackling gender bias: Women in cybersecurity This blog post was authored by Krissy Safi - Managing Director, Security and Privacy and Luz Marina Reyes - Manager, Security and Privacy on Protiviti's technology insights blog.This post is the second in an occasional series about diversity in cybersecurity. Our first post discussed achieving diversity’s benefits in cybersecurity. In future posts, we’ll explore similar topics around diversity, equity and inclusion in the cybersecurity space.Any good manager will want to remain alert to impediments that prevent team members, especially women in cybersecurity, from contributing as fully as possible to team efforts. This is especially true in a function like cybersecurity, which suffers a chronic shortage of talent.Cybersecurity is distinguished not only by a talent shortage but also by having a predominantly male workforce. Women are in the minority on most cybersecurity teams that have women at all, so when they experience gender bias, they’re likely to be isolated. It’s worth considering what an experience of bias could cost a team, and it’s worth discussing what cybersecurity leaders can do to recognise and prevent bias in their ranks.Examining the experience of one cybersecurity analyst illustrates the problem and lays the foundation for exploring what bias costs cybersecurity organisations. Topics Cybersecurity and Privacy An experience of gender bias in cybersecurityThis security professional was the only woman on a small cybersecurity team in a large organisation. Each team member was working on similar projects, yet over time, she noticed the manager delegated an outsized portion of administrative work to her. Where each teammate typically reported on his or her own tests, this manager had this security professional creating reports for her teammates’ tests as well as her own. She found herself lobbying for more of the technical workload her male peers were routinely assigned, work that was acknowledged across the team as contributing to career growth.At first, she doubted her own perception of bias. She tried to determine whether she misunderstood her manager’s actions. She asked herself if she was making too much of the situation and if it was really happening as she perceived it.When a male peer started offering help with her administrative workload, it helped validate her own view that the distribution of labor was unfair. This same colleague also spoke out about the bias. Just knowing a peer saw the situation as she did confirmed she was not alone in how she saw the situation.Soon after, when a more senior manager asked her about the status of one of the reports, she pushed back. She expressed concern that her outsized administrative role had become a precedent within the team. She offered examples of the bias she was describing. She asked that the work be distributed so that each team member would write reports for his or her own activities, which was the standard practice at this organisation. To ensure the conversation followed appropriate company procedures, she offered to bring a human resources representative into the conversation if needed. The manager ultimately relented.The high cost of biasIt’s worth examining the various ways gender bias can cost a cybersecurity team. Does it sound like these costs would apply to other teams, experiencing other forms of bias? They would.Bias is a major distraction. This security professional described the mental energy it took to confront the bias in her own department while continuing to be effective in her role. The self-doubt and the risky conversation with a superior were burdens her male colleagues didn’t have to bear.Bias wastes potential. This woman was denied the opportunity to perform technical aspects of her role because her time was taken up by administrative work. Putting one resource on administrative work at the expense of exercising her technical expertise wasted her potential.Bias damages reputation. Bias puts manager, team and enterprise reputations at risk. In departments and enterprises where bias is tolerated, word gets around. Observers see the behavior and form their own conclusions: “This is the sort of thing that goes on there.” They see women don’t get the same opportunities as men. They extrapolate: if they’re unfair to women, who else might be a target of their bias?Bias creates toxicity within teams. Bias creates an in-group and an out-group on teams where it’s tolerated. Alienation contributes to a toxic environment where out-group members can’t contribute on equal footing with in-group peers.Bias inhibits skill development. “The time I spent on administrative work made it harder for me to scale up,” this security professional said. “My technical ability has grown so much more in the last six months versus the same period in a biased environment,” she observed, then added: “You want your team to be as skilled as possible, so they can add more value.”What team members can doBeing privileged by bias can be nearly as uncomfortable as being its target. It’s important for team members to speak out when they witness bias. In this example, one colleague not only took back some of the administrative work, but he also spoke out against the bias he saw.Taking no action is also a type of action: it condones biased behavior and reinforces unfair behaviors within a team.What leaders can doAny cybersecurity leader might read an account of bias and recognise that incidents of bias warrant management attention. Attention happens to be exactly what it takes to prevent bias.To begin with, managers will want to know their teams. Establishing a good rapport with each team member enables leaders to establish a baseline against which they can monitor for changes in team behavior. With a baseline, they’re equipped to notice when a team member has stopped speaking up or engaging with the work. They’ll see for themselves who’s overworked, who’s coasting; who’s getting too much of the grunt work. Managers who are paying attention to these patterns won’t miss changes in the team dynamic over time.Fighting gender biasBias is distracting and costly. It damages reputations and team cultures. In cybersecurity especially — where talent is scarce and women remain underrepresented — leaders will want to watch for symptoms of gender bias, in particular. Attention is the main tool in fighting gender bias in cybersecurity: by observing their teams and knowing their teams’ members, leaders can monitor for early signs of bias and intervene to correct course.Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.To learn more about our cybersecurity solutions, contact us. Find out more about our solutions: Pro Building office Data security We help preserve your business value by protecting sensitive data while assessing and maintaining compliance with regulatory and contractual requirements. Pro Document Consent Attack and penetration Our experts conduct vulnerability assessment and penetration testing to protect your critical assets and data by identifying vulnerabilities and providing actionable remediation guidance. Applications, infrastructure, databases, IoT and mobile apps, whether on-premises or in the cloud, are safer with Protiviti. Pro Tools Gear Cyber defence and cyber resilience Protiviti helps you prepare for, respond to, and recover from security incidents. When incidents happen, a trusted partner like Protiviti guides you through the process to help avoid costly pitfalls and recover as quickly as possible. Leadership Leslie Howatt Leslie is a managing director, and Protiviti’s technology consulting solution lead. She specialises in digital and technology strategy as well as transformational change with over 25 years’ experience across consulting, industry, and government sectors. She has ... Learn More Krishnan Venkatraman Krishnan is a director with over 14 years’ experience in professional services. He has specific expertise in technology risk consulting and has been advising clients both in the public and private sector in designing and implementing information security controls.Major ... Learn More Tim Speelman Tim is a director with a track record of developing and implementing strategic plans that align with the demands and gaps of global and local enterprises. Before joining Protiviti, Tim was a regional CISO responsible for APAC within a large recruitment company with core ... Learn More Hanneke Catts Hanneke is a director in Sydney with over 15 years’ experience focusing on technology consulting, including privacy, technology risk, project management and assurance, IT controls and security compliance, enterprise risk management, and internal audit and regulatory ... Learn More Featured insights BLOGS Inclusive culture starts with contract language Anyone who wins business via competitive bid may have noticed that requests for proposals (RFPs) increasingly feature instructions to adopt inclusive language in responses. Over the past several years, more and more potential customers are seeking... BLOGS Embrace DEI intersectionality for effective cybersecurity The role of a cyber incident responder is more critical than ever as these professionals are tasked with protecting organisations from cyber threats, mitigating risks and minimising the impact of security incidents. As cyber threats continue to... BLOGS Achieving Diversity’s Benefits in Cybersecurity Could any security organisation benefit from greater innovation? Or from responding more effectively to diverse internal customers? How about benefitting by retaining the talent its leaders have so carefully nurtured, by accessing more diverse... BLOGS Cyber risk quantification for chaos management The most important use of any risk assessment tool is that it must contribute to better decision making on how to manage individual risks. Whether that is treating and reducing risk, or accepting that risk exists, risk management activities must... BLOGS Metrics’ role in cyber transformation We’ve all heard the saying, “what gets measured gets done,” meaning that regular measurement and reporting helps to keep organisations focused on the information that matters. But with so many data points available to measure security, it is... BLOGS Creating a resilient cybersecurity strategy: The governance lifecycle approach Cybersecurity governance should do more than manage cyber risk. Goodcybersecuritygovernance creates efficiencies by clarifying the outcomes expected from its processes and establishing boundaries of responsibility among cybersecurity... Button Button