How to recruit women in cybersecurity?


The need for more cybersecurity professionals is still increasing. We need to recruit and attract talents to join the cybersecurity world to improve the level of security of our organisations, our countries… the world! Dedicated efforts have to be made to explain what working in cybersecurity means, in order to attract more diverse talents to the cybersecurity workforce.

The share of women among cybersecurity professionals is improving but remains low. Worldwide, 24% of cybersecurity professionals are women (Cybersecurity Ventures & ISC2 report - 2021). Cybersecurity is technical and not technical! Women can do both. Men can do both. Let's say out loud that cybersecurity has nothing to do with gender.

Why does recruiting women in cybersecurity matter?

Women represent an untapped pool of talent

The need for cyber professionals is huge. According to ENISA, the European workforce need is estimated at 833,000 professionals. The current shortage is circa 260,000 professionals and could increase to 500,000 by 2027.

Women represent only 24% of the cybersecurity workforce. In 2022, 21% of the graduates of cybersecurity programmes were female (source: ENISA). We can't let time take its course. We have to act to attract more women to cybersecurity studies in the years to come.

Diversity in teams brings performance

Achieving gender convergence in cybersecurity means reinforcing our capacity to face the threats. Each person is unique; each of us can bring an additional view or opinion to complement how we manage cybersecurity threats, how we protect our organisations, how we manage incidents/attacks and, above all, how we continuously improve what we do to increase the level of security.

Diversity of opinions and diversity of backgrounds allow new ways of thinking and new ways of working, provided communication is well set up. It simply brings more performance!

Now that you are convinced that more women in cybersecurity can make us stronger, let's see how we can adapt our practices to succeed in recruiting women.


✨Let me share my experience and the tips I have been using to recruit more women in my team. First, let me tell you a true story. Almost 6 years ago I moved from Paris to Brussels to create the Wavestone cybersecurity team in Brussels. My first questions were:

  • What is my need? What do I expect from my future teammates? A growth mindset, human skills, "technical skills", curiosity, teamwork, client relationship, agility/flexibility, etc. Some skills can be taught; for others, it's more difficult. Defining this balance allows me to evaluate the need for training and the investment.

What about the passion for cybersecurity? It can come with time. We don't all need to be passionate. Passionate cyber people share their passion with no specific effort and the others easily benefit from them. I can personally reassure you!

  • Where to find the talents? Educational backgrounds, universities, Belgian "Hautes Ecoles", foreign universities or schools, etc. By the end of the first year, I had met 120 candidates, only 3 of whom were women. Wow, I was very disappointed! A few verbatim quotes of what I heard from the recruitment firms working with me and from people around me: "women are not interested in cybersecurity", "cybersecurity is too technical for women", etc.

I discovered how candidates perceive cybersecurity. I had to work on it to receive more women candidates. I committed (to myself ;)) to recruiting 50% women!


This is a (non-exhaustive) list of tips you can test to attract more women.

  1. Explain what working in cybersecurity means. Rather than talking about what cybersecurity is not, focus on all the various jobs you can find. Use the 12 job profiles described by ENISA to explain what cyber professionals do. Prefer "the cybersecurity world is made of cyber threat specialists (including geopolitics), educators, auditors, legal officers, architects, risk managers, pentesters…" to "cybersecurity is more than a pentester in a basement". We have to make the full range of possibilities concrete in people's imagination. The media talk a lot about cyberattacks. Let's offer them additional food for thought about protection, research, etc. Take every opportunity to explain what working in cybersecurity means for you and encourage people around you to do the same. We often underestimate the power of influence.

ENISA - 12 cybersecurity job profiles

  2. The job offer is your entry point. Make sure that you open the door to more talents. We often find an infinite list of certifications, responsibilities and duties. Sorry, but unicorns don't exist, even in the cybersecurity world. The market is competitive. That drives candidates crazy and leaves them not confident enough to apply... Every organisation has its own value proposition. The goal is to attract people who can fit it, not all the candidates.
  3. Express what you have to offer: who you are as a company, your context (innovative environment, international firm, less maturity in cyber, highly regulated sector, high business stakes, etc.), your values (diversity is part of them!), where you stand in cybersecurity and your target for the years to come. Use your own words and concrete objectives.
  4. Tell candidates your needs and your expectations. The real ones, not all your dreams! Remember that unicorns don't exist. Writing down a long list in order to take the least bad candidate is not the best strategy (you will frighten some good candidates and miss them). Be consistent with your needs. Analyse your existing team: what do you have, what do you need? What could be learnt? We regularly see "junior accepted" but with a long list of expectations and certifications… This is clearly not consistent! The European Cybersecurity Skills Framework (ECSF), delivered by ENISA one year ago, is a powerful tool which can help you describe your needs. Your position is not one of the 12 ENISA job profiles? No panic, pick & choose in the different roles to build your job offer! It is certainly a mix of some existing roles. The ECSF is an insightful tool to speak a common language in cybersecurity.
  5. Open the door to people who don't match all your requirements. It seems that men and women don't react the same way when it comes to applying. Rumors say (and I'm convinced that there is a bit of truth even if I don't understand why) that a man could apply to a job if he ticks 60% of the expectations. A woman will apply if she ticks 100% of your list. The more you ask for skills which are not necessary, the fewer women you attract. Explicitly write in the job offer that you will analyse all applications, even those that don't perfectly fit the expectations.
  6. Prefer to talk about the responsibilities the person will have and the activities she will do rather than the past experience you expect for the job. Transferable skills from other domains can be very useful for a cybersecurity position while others are learnt. You can attract colleagues not working in cyber at the moment.
  7. Adapt your speech throughout the recruitment process. The job offer is the entry point. The whole recruitment process has to be aligned with the approach. Train the stakeholders in the recruitment process so that they are able to explain what you are looking for: the position, but also the environment around it, the compensation & benefits package, the working conditions, the culture, the training path, the skills and the career path. Train them to ask the appropriate questions to assess the candidates.

In our Wavestone Talent Management survey published in April, we discovered that 0% of the respondents train their recruitment stakeholders. It is clearly an area for improvement which can change the game.

  8. Strengthen your onboarding to secure good integration within the team. The recruitment is successful only at the end of the onboarding period, not at Day 1. Work on your onboarding process, briefing and buddy/mentorship programmes to welcome the person into the team and offer her the best conditions to adapt, to understand your internal processes and to learn with the others.
  9. Role models - Giving visibility to diversity increases attractiveness to women. When you see it, you understand that it's possible. Being a woman myself may have helped to recruit other women. We can promote the women on our teams, but also other women, to tell candidates what diversity means for us and that we support it.


Beyond the recruitment of women, these actions are strong assets for recruitment in general. Promoting cybersecurity jobs to everybody, whether working or studying in cybersecurity or outside it, is essential to bridge the gap in cybersecurity. The key point is to explain what working in cybersecurity means through role models and the visibility of all cybersecurity professionals. Speaking up about who we are, what we do and why we care about securing the world.

Recruitment is the starting point; nurturing and retaining our talents remains a permanent challenge. This will be the focus of future articles…😉 In the meantime, let's explain what working in cybersecurity means. Let's tell women, men, everybody how much they can enjoy it.

I'm really curious to discuss this topic with all of you! Whether you agree or disagree, I will learn from our discussion so let me know what you think!

I would be happy to contribute on how to attract more talents in cybersecurity and make them successful.




🛡️ ERIC VAN CANGH

Cyber Security and new technologies ambassador

9mo

Noémie funny as I read the article not knowing you were the author… When I read some extract (like No panic, pick & choose in the different roles to build your job offer! It is certainly a mix of some existing roles. The ECSF is an insightful tool to speak a common language in cybersecurity./ or the 50% of my team is women..) I recognize your unique footprint. Thanks Noëmie HONORE (She/Her) for your nice article, your devotion about Women4Cyber Belgium, the co-Chairman position we share together at Belgian Cyber Security Coalition, your commitment on the #Agoria #Cmib initiatives and I am really lucky to work on a regular basis together about how to attract more Women in the Belgian cyber eco-system. On top of your expertise on cyber skills you are really one of my inspiring leaders and for sure member of my close « cyber family ». Again thanks for being a real partner on all the cyber tracks we are collaborating/working deeply close together…

Patrick Wheeler

Cybersecurity Architect/Practitioner/Leader - Building NextGen Security Solutions

9mo

"0% of the respondents train their recruitment stakeholders" is a telling statement. When JDs read like laundry lists of technical skillsets our recruiting experts are indeed handicapped from the beginning. It goes much further: as we train (see our cyberwayfinder effort) and watch atypical profiles enter the cyber workforce, there is a need to train HMs and teams on integration and welcoming of newcomers... we were all newcomers once!
