Section 3: Themes and Selected Strategies

While the goal of everyone in the room was to create implementable strategies to bring more women into and up through cybersecurity, most of the teams chose different missions, or chose to create their own missions based on the provided ones. Even so, we still found that a set of common themes emerged among all of the strategies that groups proposed, though the level of detail developed in each varied significantly.

The Core Idea

Cybersecurity already has a range of groups that promote gender diversity, equity, and inclusion in cybersecurity; however, many potentially beneficial project ideas fall outside the established missions of these advocates. As a result, these ideas lack a clear champion to take them forward. Recognizing this pattern, many participants identified strategies for strengthening coordination between advocates for women in cybersecurity in order to make it easier to find homes and champions for new ideas.

Some groups recommended strategies that focused on building connectivity between existing organizations, while others called for an entirely new entity—an “umbrella” organization—to fill aspects of this coordinating role. Participants recognized that the establishment of an organization does not by itself resolve the problem. Creating an organization for the sake of creating an organization runs the risk of expending resources on redundant systems. Rather, the scope and purpose of the organization would need to be carefully defined in order to maximize its utility among an already growing ecosystem of existing efforts.

Supporting Details from Discussions

While strategies revolved around the theme of increased coordination, the end results of the strategies varied. One group suggested that the goal of this greater connectivity should be to unify the narrative of women in cybersecurity. Another group addressed the fact that there was no obvious central point of contact with which a company executive might connect for more information or to support the movement. That group developed a strategy around connecting companies with communities of women in cybersecurity. Another strategy described an effort that served in the role of switchboard operator, connecting existing efforts and resources with girls, women, and employers that need them.

The issue of cross-organizational coordination certainly is not unique to cybersecurity. A participant raised the example of the National Center for Women and Information Technology (NCWIT), which serves as an organizer of organizations, bringing together different efforts to increase the participation of women in information technology. If the cybersecurity community had a similarly-structured body, it could establish routine pathways for communication between organizations, support events and outreach across the community, and serve as a hub to coordinate the implementation of new ideas.

Greater coordination would facilitate shared resources on collaborative projects that benefit the entire community. For example, some organizations have access to experienced cybersecurity professionals, others have significant media profiles and platforms, and still others have networks of engaged corporate partners who might have physical space. The project participants identified several ideas that take advantage of such opportunities for collaboration:

• Establishing an incubator that builds a network of investors to fund a range of initiatives targeted at various challenges in developing and retaining female cybersecurity experts. The incubator can then remain engaged with the initiatives, connecting them with members of the cybersecurity community, providing mentorship, and supporting their ongoing success.
• Partnering with organizations that connect city leadership to set up cybersecurity recruiting events in specific cities. This could evolve into the creation of physical demo spaces or pop-ups where women could participate in cybersecurity-related activities. Discussions also emphasized the need to develop a plan for ongoing engagement with target populations, given that one-touch models—such as a single experience at a girls’ STEM summer camp¹—do not seem to have significant, long-term impacts on career choice and trajectory.
• Encouraging a coalition of companies to contribute to a central database of information about the demographics of their workforce, job openings, trainings and policies offered. This would then allow for the development of an app that would allow potential female recruits to view the data and easily indicate that they are interested in a particular opportunity or position. This group envisioned the app and platform evolving into a product with the ability for users to not only create and maintain their accounts, but also to use a live chat, and to apply directly for a job on the coordinating organization’s platform.

Ideas for Successful Implementation

Participants outlined year-by-year plans to take their strategies forward. To find the detailed steps to implementation of each of the strategies discussed, please see Appendix A.

To generalize across strategies, most groups mapped out a series of actions that would be necessary for the success of any effort to empower coordinators:

• Establishing the specific goals for increased collaboration among existing entities and groups,
• Identifying an executive champion(s) with which to partner or collaborate,
• Building a strong community of women and supporters of women in cybersecurity with whom to engage and work,
• Defining metrics of success and impact, and
• Developing a plan for diverse funding sources and long-term sustainability.

What do you think are the most crucial ingredients involved in being able to carry one or more of these strategies forward?

"Finding a funder who is willing to pay for the hard but indispensable work of connecting, cross-fertilizing and catalyzing over time. Having an umbrella organization fulfill those functions will yield enormous dividends over time."

This final point on funding is a particularly important one. Beyond seeking philanthropic and corporate giving, groups suggested acquiring funding through a mix of grants and a subscription-focused model, where employers might pay a fee to be part of the organization, and through it receive resources that would help design policies to bring women into and up through their workplaces.

Assembling the right group of leaders is also crucial to drive the creation of the coordinating effort at the outset. One group recommended curating a team of individuals who have different backgrounds and perspectives, and who have a variety of connections and a strong network in order to cover and represent as many organizations as possible. Beyond generating better ideas, curating a diverse team from the start could also help with potential funding and resource connections long-term.

The Core Idea

Most groups thought that organizations theoretically wanted to do the right thing in terms of changing recruitment tactics, cultural norms, and systems to enable more women to join and thrive in the industry, but that many lacked the incentives, resources, time, and ideas to do so. The ideas generated all aim to fill in one of those gaps.

Supporting Details from Discussions

Groups identified different core challenges and barriers for the organizations with the power to influence women’s experience in the workforce (and, indeed, to give them opportunities to join that workforce). One group, for instance, saw incentivizing the creation of healthier, more egalitarian work environments as key. They developed an organization recognition program designed to provide incentives for companies to cultivate inclusive, empowering environments for women, thus increasing the retention rate for women in cybersecurity.

Other groups saw opportunities to support organizations in recruitment of women. One developed a “returnship” boot camp program to bring people—especially stay-at-home mothers with a desire to telework or work part time—back into the workforce. Another sought to create a subscription-based recruitment organization, where businesses would pay for access to information and resources on talent acquisition and workforce development. Other strategies proposed directly involving corporate partners in the creation of an coordinating organization, which is described in more detail in Theme 1.

Most of these strategies required significant up-front research and initial engagement with corporate partners to ensure long-term viability and usability. In other words, groups did not want to create a product that businesses would not use, or felt like they did not need. Groups also noted the need to balance corporate and industry feedback with independent development of programs and tools.

Research proposed in these strategies included conducting market surveys on the target population (for instance, of stay-at-home moms, or women who have had to drop out of the workforce) and barriers that limit their re-entry in order to effectively design a returnship program. The “recognition program” group planned to investigate what is already known about creating inclusive workplaces, and what works, and then tailoring those insights to a unique cybersecurity context in the development of the recognition and ranking criteria.

Ideas for Successful Implementation

Resources, portals, and programs intended to influence or change corporate behavior cannot be developed without some input and buy-in from those actors at the outset. What is more, many groups agreed that preparing a “business case,” or a succinct argument for a corporate partner’s involvement, would be an essential step. Articulating why an organization should participate in a particular program or pay for a new resource can also help its creators better understand their own objectives, and ensure that they are accurately framing and interpreting the problem they seek to solve. Other suggestions to maximize the effectiveness of an “ask” or approach of a corporate partner include:

• Tailoring the message to the mission, vision, and model of that particular organization: Do not anticipate that a cookie-cutter message or ask will work for all organizations with a cybersecurity workforce.
• Considering deeply what this organization’s incentives could be to change, and what levers could motivate it to do so: For example, corporate boards, the possibility of external threat or vulnerability, good or bad PR, talent acquisition advantages, and more.
• Understanding what kinds of arguments are particularly motivating, given what we know about behavioral biases: For instance, humans tend to be far more interested in short-term rather than long-term rewards and impact.
• Keeping the ask simple: The problem is complex, but what we ask for from organizations does not need to be; a simple, straight-forward ask could increase the likelihood of an affirmative, and speedy, response.

“Meaningful progress on gender equality in cybersecurity is going to require systemwide engagement. Examples of success from other fields, such as increasing the numbers of female corporate directors overseas, have shown us that companies, individual leaders, government entities, academia, media, think tanks and other players need to work together to advance the common goal. This convening was an excellent way to catalyze such collective action.”

The Core Idea

Many of the groups saw massive value in changing the predominant narrative of cybersecurity careers, and who belongs in them, by developing large-scale social media or television awareness campaigns, and by working on more specialized projects with media outlets and film producers. That said, groups recognized that not all awareness campaigns are created equal, and that utilizing best practice research at the outset can help us to design a maximally effective campaign or media project. These strategies coalesced around three main objectives, all aimed at broader narrative change: increasing the perception of cybersecurity’s importance, developing enhanced visual representations of women excelling in cybersecurity, and surfacing obstructions to female success in the classroom and the workplace.

Supporting Details from Discussions

Groups proposed several different mechanisms for changing narratives and raising awareness. One group’s strategy suggested replicating the impact of the Rosie the Riveter campaign, which famously encouraged millions of women to join the workforce during World War II. Another centered on developing, pitching, and airing three new television shows that would both appeal to a target audience, while creatively underscoring “a successful woman in cybersecurity.” A third group developed a different kind of marketing strategy, one that culminated with a ranked list of “best cybersecurity companies to work for if you are a woman” published in conjunction with a popular media partner.

Ultimately, the goals of the Rosie the Riveter strategy and the television show production strategy were similar: using enhanced visuals, storytelling, influential individuals, and platforms to change the narrative and increase awareness of the cybersecurity field, thereby encouraging girls and women of all ages to consider and join it. These strategies aimed to dismantle problematic stereotypes about women inside the industry, and to elevate its “cool” factor without sacrificing critical nuance.

The mechanism for change varies between these first two strategies and a third. Whereas Rosie the Riveter and television characters impact perceptions of women in the cybersecurity workforce through role model exposure and targeted storytelling, the third “ranked list” strategy sought to raise awareness of current barriers for women in the industry by creating a narrative of responsible corporate practices.

The strategy described the development of criteria to rank and certify organizations that implemented policies known to increase female participation in the cybersecurity workforce (based in part on EDGE,² an organization that is already certifying organizations for levels of gender equality). By shaping the narrative of what makes a responsible company and by enlisting media partners to amplify that message, this tool incentivizes adoption of known best practices. It also shifts the narrative away from the overwhelming and nebulous “this is a big problem” framing to “here are the specific problems in your workforce, and here are tailored solutions.”

“We can’t achieve gender parity in the cybersecurity industry without visibility. Each of the groups that we heard from focused on promoting visibility of prominent women in the industry & career paths into the industry using what amounts to a megaphone. Through marketing campaigns, executive sponsors, or the formation of new, strong & central networks with a unified message, the point is that siloed efforts must be joined together in order to rise above the noise in tech.”

Ideas for Successful Implementation

Most effective awareness campaigns adhere to a few key principles; following these will help ensure success for some of the strategies based around more traditional marketing. Effective campaigns:

• Clearly communicate a specific action
• Make it easy to do that action
• Approach target audience in a way that is timely (in other words, delivering an ad or a prompt at a time when they will be most likely to read or engage with it)
• Create clear incentives for taking action (or disincentives for inaction)

Beyond these principles, some of these strategies—such as the ones that plan to utilize connections within media or entertainment industries—will be well-served by taking note of other necessities for implementation. For instance, strategies recommend ensuring that the leadership group has entertainment and media connections from the outset, and that people with knowledge of this industry are involved in the initial drafting and ideating of characters, scripts, and show ideas.

Groups acknowledged the need to generate contingency plans for ways to get characters in to existing shows, or to expand or improve on current offerings, in case getting a pilot off the ground is determined to not be feasible. However, participants also noted that success in these strategies was not unreasonable. In fact, it was remarkable to note how many participants had connections to or resources in media. With the right mix of contributors, participants found that many of these strategies became far more plausible.