Women make up less than one-quarter of the cybersecurity workforce, which can lead to less innovation, inferior design, seriously underutilized human potential, and needlessly unfilled jobs in a growing field. In short, this lack of gender diversity means poorer security. Existing efforts to address the issue have begun to create networks among women in the field, but other solutions, particularly those intended to create systemic change in order to help women permeate cybersecurity fields at all levels, have had limited success.

This project convened a diverse group of experts from corporate, academic, nonprofit, and government backgrounds to consider new ideas and implementable strategies to bring women into and up through cybersecurity careers. The participants identified three major opportunities to create scalable change: 1) Empower coordinators to build connectivity among existing efforts and cultivate additional resources, 2) Engage and collaborate with businesses to develop new programs and systems to improve recruitment and retention of women, and 3) Use marketing, entertainment, and media platforms to change the narrative and raise awareness of women in cybersecurity careers.

To meet these opportunities, an actor—or many—must be able to incubate new solutions and implement new ways to utilize existing resources. Making this vision a reality will require resources and a coalition of supporters from both within the cybersecurity and with a broad array of external partners.

This tool is intended to share information on existing efforts supporting women in cybersecurity. In determining the criteria for inclusion in this scan, the authors generally erred on the side of including new efforts. However, there is a balance. Too much content that is not directly relevant makes it harder for users to find what they need.

While we defined "cybersecurity" loosely for this purpose, we did omit efforts that were very tangential. We did not include efforts that are available only to a single, closed population (for example, a student group that exists only at a particular university). We also did not include efforts that were a single news article, slides from a particular presentation, an op-ed piece, or similarly self-contained product.

Do you know of a resource that meets the criteria, but is not listed? Please share with us by emailing bate@newamerica.org.

Though the numbers of women in the cybersecurity¹ field are increasing, it is still overwhelmingly male. And this gender disparity is not simply an optics issue. In fact, research suggests that homogeneity in the industry can lead to less innovation as well as to inferior ideas and design. Diversity in cybersecurity contributes to the efficacy of teams and sustainability of solutions, making it both important for national security,² and a business imperative.³ In short, diversity in the field matters for all of our security—both on and offline.

Beyond the critical importance of diversity in improving security, the sheer number of unfilled jobs presents a very strong case for bringing more people into the talent pool. The latest figures estimate that the United States is facing 313,735 unfilled cybersecurity jobs.⁴ The cybersecurity community as a whole needs better ways to access and harness untapped talent in order to fill these jobs.

Depending on the source of the data, women make up 11 percent,⁵ more than 20 percent,⁶ or 24 percent of the cybersecurity workforce.⁷ However, overall participation in the field is just part of a complex problem. Women at nearly every level of cybersecurity are paid less than their male counterparts, and 51 percent report that they have experienced discrimination, compared with only 15 percent of men.⁸

In light of these findings, the community could certainly use ideas to help accelerate progress. The National Initiative for Cybersecurity Education (NICE), led by the National Institute of Standards and Technology (NIST), has recognized this need, and driven by a strategic goal to nurture a diverse learning community in cybersecurity, a partnership was formed with New America. This project, supported by NICE under grant #60NANB18D023, was designed to generate new, implementable solutions by convening a diverse group of experts to consider our central question: How can the cybersecurity community bring more women into and up through careers in cybersecurity?

The project centered on this convening of experts, but it also incorporated a number of written products in addition to this report. Specific ideas and strategies developed in the convening are gathered in a series of one-pagers suggesting concrete steps for different groups within the community. They are available for download along with this report. The project also included a community scan that aggregates many of the resources available on the topic of women in cybersecurity. The scan is available here.

What’s one thing you learned as a result of being part of the convening?

“As a guy in the field, I’m undoubtedly blind to much of what goes on, much of what the problems are, etc. I learned something of the scope of efforts trying to address the myriad challenges, including some that I didn’t even know existed.”

This report serves three purposes. First, it is intended to reflect and describe the discussion that took place.⁹ As explained below, both space and ease of discussion tightly constrained the number of participants. Practical considerations meant that many valued members of the community and important outside voices were not able to be in the room, but very clearly have a role in carrying the work forward. Thus, this report is an effort to bring these stakeholders up to speed and into the ongoing conversation. Second, the authors recognize that this conversation cannot stand alone; it must be one of many, each generating progress in different ways. For this reason, we have attempted to capture the motivations and implementation plans of the project as a resource to others that may be interested in a similar effort.

The group discussions central to the convening were far ranging and immensely successful at generating ideas. However, as can be the case in the aftermath of a thought-provoking conversation, there is added value in aggregating, organizing, and processing the information surfaced. In turn, the third purpose of this report is to pull together the various strands of thinking, highlight trends, and suggest next steps that members of the community may take to keep the work moving forward.

The goal of this project was to cultivate and evaluate concrete, implementable strategies for increasing the participation, retention, and promotion of women in the cybersecurity workforce. Within that larger goal, the project was designed with several key elements in mind:

Structural and Scalable Change

The project needed to create change. True as this was from the earliest stages of the project, feedback from participants prior to the meeting reinforced that need. We found that when we first approached participants about the convening, several—particularly women working in the cybersecurity industry—reacted with a sense of fatigue, that this could become “another women in cybersecurity event,”¹⁰ lacking significant improvement in the overall level of participation of women in the industry from one event to the next. Both to achieve project goals and to fully engage participants, the convening was designed to have a perceptible sense of moving the state of affairs forward and creating impact at scale.

"There is a real thirst for new ideas and new approaches. The convening demonstrated a recognition that the ways we have approached solving this problem have not accomplished the needed change in the required timeframe and reinforced the sense of urgency we all feel."

Ideation

The project participants were challenged to develop new, actionable ideas for bringing women into and up through careers in cybersecurity. The intent behind this charge was to steer the conversation away from generalities, descriptions of the problem, and suggestions that have been worn threadbare. Instead, we wanted to keep the focus on solutions that can be put into action and that explore new territory. In order to meet that goal, these solutions should be outlined with enough specificity that the path to implementation became, if not immediately viable, at least plausible.

Infusing the Conversation with New Perspectives

Cybersecurity is a unique field in many ways. Its relative youth, the unorthodox mindsets it attracts, and its astronomical growth all contribute to the fact that—as a general rule—what works in other fields may not translate. However true that may be, there are still many lessons cybersecurity can learn from other communities, for instance, those studying organizational change, gender studies, and human behavior.

Furthermore, lasting change takes buy-in from more than just the small group of experts who regularly work on women in cybersecurity issues. Investors, managers, students, policymakers, members of the media, career professionals, and many others all have unique perspectives and a stake in the matter. Our goal was to gather a group of leaders from different disciplines and backgrounds who could speak not only to the issues for women in cybersecurity but also to solutions and ideas they may have been exposed to through other industries.

Build Connectivity

Catalyzing lasting change in the demographics of the cybersecurity community will require ongoing and consistent support. Accordingly, one goal of this convening was to create a core group of interconnected individuals motivated by the same goal of increasing the number of women in cybersecurity. In some cases, this was a means of strengthening relationships between leaders in the women in cybersecurity conversation. In other cases, it was a means of enabling new stakeholders to enter the conversation and community.

Make Impact Stick

In order to really be successful, the project needed to have impact beyond just the convening itself. In many ways, the other project goals all feed into this end. By focusing on strategic change, generating new ideas, bringing in diverse voices, and building connectivity, we aimed to create the conditions needed for the work to continue. The participants’ own dedication to the issue is one of our greatest assets, in this respect. In all cases, they came to the convening already determined to make change, but the goal was to send them away with new ideas designed for creating change, a vision for how those might be implemented, and a network of partners willing to collaborate.

"Programs that help women should have roles for their male allies to play. We can encourage men to get off the sidelines and mentor, teach, share ideas and talk to women. Social media often elevates the view of some within tech’s “bro club” and can make the isolation worse, both for women AND for their allies. There are some terrific champions out there for diversity of all stripes, and they need their own role models to emulate."

We had a blueprint for constructing our November 2018 event in collaboration with NICE. In 2015, New America hosted an event in collaboration with the Hewlett Foundation that was similarly characterized by an interactive format and drew insights from participants. However, where the 2015 convening was intended as a scoping workshop to detect a broader sense of the recurring issues faced by women in the field, our 2018 convening focused specifically on ideation—crafting and refining specific and implementable ways to increase the number of women in the cybersecurity workforce.

With our 2015 lessons and strategies in mind, we set off in collaboration with NICE to curate and run a session that would convene a diverse group of individuals who would work together for two half-day sessions to generate implementable strategies to bring more women into and up through cybersecurity. The New America-based team brought in Jill Hellman, a strategist and innovator who is also a professional meeting facilitator. Together, we determined that the strategies we were looking for would come from four main groupings:

• Proven strategies that are already working, but would benefit from renewed vigor
• Potentially relevant strategies that are working in other industries that could be applied to cybersecurity
• Strategies that were not able to gain traction in the past but can be revisited
• New strategies

In order to design a convening that would be maximally engaging, especially for the participants who had been around the proverbial block, there were four main dimensions of the planning that required fresh thinking and ideas to get outside of the average women in cybersecurity event.

Attendee Curation

Our goal was to curate a room full of people who were diverse, in terms of age, professional backgrounds, gender, race, and geography. We also sought to represent a mix of people with institutional knowledge of the ecosystem of efforts supporting women in cybersecurity, as well as individuals who were newer to the conversation. In order to achieve this optimal mix of participants, we worked with NICE to produce lists and groupings of individuals who represented these different groups and perspectives, and began to invite people in rounds that allowed us to continuously balance and shape the group according to participant responses as we received them.

The project team deliberately enabled Hellman to have a major role in shaping the guest list as an outside perspective, recognizing that the New America team was also subject to some entrenched patterns of thought from our close involvement in the community working on diversity and inclusion in cybersecurity. Once we confirmed our 46 participants, we broke that list down into smaller groups of approximately six people each, working to make each small group equally representative of diverse identities and experiences as the larger group.

“Cybersecurity as a field is at once completely unique and very similar to many others that struggle with low involvement of women. As a first step, we can build on decades of research on advancing women in organizations as well as success stories from specific companies and sectors. For example, de-biasing hiring and talent management processes inside organizations has been shown to meaningfully increase recruitment and retention of women."

Pre-Event Calls

Our project team, led by Hellman, conducted pre-calls with each attendee. These calls allowed our project team to ensure that everyone knew what they were walking into (i.e., not your average conference and/or roundtable session), and to learn about their expectations and ideas so that they might help to inform and shape the program.

Experience and Environment

In order to ensure that all participants felt comfortable sharing their ideas in small groups and felt engaged and prepared to think outside of the box, we knew we had to create an atmosphere that was upbeat, welcoming, casual, inspirational and, crucially, interesting. The last thing we wanted was for our attendees to be bored before they had even began the work. To do this, we made several intentional choices about the environment. For example, we used round tables so that everyone was equal in terms of where they sat, and could hear and see each other easily. Details from whiteboard and blackboard table coverings to a professionally painted banner that read “CYBERSECURITY” helped to create an informal, artsy, coffee-shop vibe to encourage franker and more generative conversation. Attendees were encouraged to come an hour (or earlier) before the convening started to meet people and get ready.

Program

After the video and an opening story and remarks, each group worked as a team to choose one of four “missions,” which were written as questions that each group would answer or solve with an implementable strategy. All of the missions were related to bringing more women into, and/or up through, cybersecurity. These included:

• How do we have a more inclusive narrative?
• How do we build greater sponsorship for diverse humans in the current status quo?
• How can women get more power and influence (mindset, new plays, fair shot) now and in a world that is changing?
• What can be done to make diversity in cybersecurity a major business factor, alongside other major business factors?

The missions were informed by the strategies and ideas that participants shared in the pre-calls. Groups could also “go rogue” and choose a different mission than the ones suggested, and several groups chose to tailor their own missions. These “rogue missions” included: “How do we influence organizational behavior, practice, and culture to create a more inclusive and empowering environment for women?” and “How do we promote more diverse humans than in the current status quo?”

In her role as meeting facilitator, Hellman then led participants through several exercises that forced people to first generate ideas and solutions that they had not thought about before and then helped people to quickly sort through ideas and decide which ones to keep. Finally, the groups selected their “proposed” implementable strategies, and drafted multi-year plans of major milestones for those strategies (Appendix A). This gave their strategies some context, forced them to think through other potential challenges and opportunities, increased the stickiness of the ideas, and allowed all participants to walk away with plans that they felt were implementable.

While the goal of everyone in the room was to create implementable strategies to bring more women into and up through cybersecurity, most of the teams chose different missions, or chose to create their own missions based on the provided ones. Even so, we still found that a set of common themes emerged among all of the strategies that groups proposed, though the level of detail developed in each varied significantly.

The Core Idea

Cybersecurity already has a range of groups that promote gender diversity, equity, and inclusion in cybersecurity; however, many potentially beneficial project ideas fall outside the established missions of these advocates. As a result, these ideas lack a clear champion to take them forward. Recognizing this pattern, many participants identified strategies for strengthening coordination between advocates for women in cybersecurity in order to make it easier to find homes and champions for new ideas.

Some groups recommended strategies that focused on building connectivity between existing organizations, while others called for an entirely new entity—an “umbrella” organization—to fill aspects of this coordinating role. Participants recognized that the establishment of an organization does not by itself resolve the problem. Creating an organization for the sake of creating an organization runs the risk of expending resources on redundant systems. Rather, the scope and purpose of the organization would need to be carefully defined in order to maximize its utility among an already growing ecosystem of existing efforts.

Supporting Details from Discussions

While strategies revolved around the theme of increased coordination, the end results of the strategies varied. One group suggested that the goal of this greater connectivity should be to unify the narrative of women in cybersecurity. Another group addressed the fact that there was no obvious central point of contact with which a company executive might connect for more information or to support the movement. That group developed a strategy around connecting companies with communities of women in cybersecurity. Another strategy described an effort that served in the role of switchboard operator, connecting existing efforts and resources with girls, women, and employers that need them.

The issue of cross-organizational coordination certainly is not unique to cybersecurity. A participant raised the example of the National Center for Women and Information Technology (NCWIT), which serves as an organizer of organizations, bringing together different efforts to increase the participation of women in information technology. If the cybersecurity community had a similarly-structured body, it could establish routine pathways for communication between organizations, support events and outreach across the community, and serve as a hub to coordinate the implementation of new ideas.

Greater coordination would facilitate shared resources on collaborative projects that benefit the entire community. For example, some organizations have access to experienced cybersecurity professionals, others have significant media profiles and platforms, and still others have networks of engaged corporate partners who might have physical space. The project participants identified several ideas that take advantage of such opportunities for collaboration:

• Establishing an incubator that builds a network of investors to fund a range of initiatives targeted at various challenges in developing and retaining female cybersecurity experts. The incubator can then remain engaged with the initiatives, connecting them with members of the cybersecurity community, providing mentorship, and supporting their ongoing success.
• Partnering with organizations that connect city leadership to set up cybersecurity recruiting events in specific cities. This could evolve into the creation of physical demo spaces or pop-ups where women could participate in cybersecurity-related activities. Discussions also emphasized the need to develop a plan for ongoing engagement with target populations, given that one-touch models—such as a single experience at a girls’ STEM summer camp¹¹—do not seem to have significant, long-term impacts on career choice and trajectory.
• Encouraging a coalition of companies to contribute to a central database of information about the demographics of their workforce, job openings, trainings and policies offered. This would then allow for the development of an app that would allow potential female recruits to view the data and easily indicate that they are interested in a particular opportunity or position. This group envisioned the app and platform evolving into a product with the ability for users to not only create and maintain their accounts, but also to use a live chat, and to apply directly for a job on the coordinating organization’s platform.

Ideas for Successful Implementation

Participants outlined year-by-year plans to take their strategies forward. To find the detailed steps to implementation of each of the strategies discussed, please see Appendix A.

To generalize across strategies, most groups mapped out a series of actions that would be necessary for the success of any effort to empower coordinators:

• Establishing the specific goals for increased collaboration among existing entities and groups,
• Identifying an executive champion(s) with which to partner or collaborate,
• Building a strong community of women and supporters of women in cybersecurity with whom to engage and work,
• Defining metrics of success and impact, and
• Developing a plan for diverse funding sources and long-term sustainability.

What do you think are the most crucial ingredients involved in being able to carry one or more of these strategies forward?

"Finding a funder who is willing to pay for the hard but indispensable work of connecting, cross-fertilizing and catalyzing over time. Having an umbrella organization fulfill those functions will yield enormous dividends over time."

This final point on funding is a particularly important one. Beyond seeking philanthropic and corporate giving, groups suggested acquiring funding through a mix of grants and a subscription-focused model, where employers might pay a fee to be part of the organization, and through it receive resources that would help design policies to bring women into and up through their workplaces.

Assembling the right group of leaders is also crucial to drive the creation of the coordinating effort at the outset. One group recommended curating a team of individuals who have different backgrounds and perspectives, and who have a variety of connections and a strong network in order to cover and represent as many organizations as possible. Beyond generating better ideas, curating a diverse team from the start could also help with potential funding and resource connections long-term.

The Core Idea

Most groups thought that organizations theoretically wanted to do the right thing in terms of changing recruitment tactics, cultural norms, and systems to enable more women to join and thrive in the industry, but that many lacked the incentives, resources, time, and ideas to do so. The ideas generated all aim to fill in one of those gaps.

Supporting Details from Discussions

Groups identified different core challenges and barriers for the organizations with the power to influence women’s experience in the workforce (and, indeed, to give them opportunities to join that workforce). One group, for instance, saw incentivizing the creation of healthier, more egalitarian work environments as key. They developed an organization recognition program designed to provide incentives for companies to cultivate inclusive, empowering environments for women, thus increasing the retention rate for women in cybersecurity.

Other groups saw opportunities to support organizations in recruitment of women. One developed a “returnship” boot camp program to bring people—especially stay-at-home mothers with a desire to telework or work part time—back into the workforce. Another sought to create a subscription-based recruitment organization, where businesses would pay for access to information and resources on talent acquisition and workforce development. Other strategies proposed directly involving corporate partners in the creation of an coordinating organization, which is described in more detail in Theme 1.

Most of these strategies required significant up-front research and initial engagement with corporate partners to ensure long-term viability and usability. In other words, groups did not want to create a product that businesses would not use, or felt like they did not need. Groups also noted the need to balance corporate and industry feedback with independent development of programs and tools.

Research proposed in these strategies included conducting market surveys on the target population (for instance, of stay-at-home moms, or women who have had to drop out of the workforce) and barriers that limit their re-entry in order to effectively design a returnship program. The “recognition program” group planned to investigate what is already known about creating inclusive workplaces, and what works, and then tailoring those insights to a unique cybersecurity context in the development of the recognition and ranking criteria.

Ideas for Successful Implementation

Resources, portals, and programs intended to influence or change corporate behavior cannot be developed without some input and buy-in from those actors at the outset. What is more, many groups agreed that preparing a “business case,” or a succinct argument for a corporate partner’s involvement, would be an essential step. Articulating why an organization should participate in a particular program or pay for a new resource can also help its creators better understand their own objectives, and ensure that they are accurately framing and interpreting the problem they seek to solve. Other suggestions to maximize the effectiveness of an “ask” or approach of a corporate partner include:

• Tailoring the message to the mission, vision, and model of that particular organization: Do not anticipate that a cookie-cutter message or ask will work for all organizations with a cybersecurity workforce.
• Considering deeply what this organization’s incentives could be to change, and what levers could motivate it to do so: For example, corporate boards, the possibility of external threat or vulnerability, good or bad PR, talent acquisition advantages, and more.
• Understanding what kinds of arguments are particularly motivating, given what we know about behavioral biases: For instance, humans tend to be far more interested in short-term rather than long-term rewards and impact.
• Keeping the ask simple: The problem is complex, but what we ask for from organizations does not need to be; a simple, straight-forward ask could increase the likelihood of an affirmative, and speedy, response.

“Meaningful progress on gender equality in cybersecurity is going to require systemwide engagement. Examples of success from other fields, such as increasing the numbers of female corporate directors overseas, have shown us that companies, individual leaders, government entities, academia, media, think tanks and other players need to work together to advance the common goal. This convening was an excellent way to catalyze such collective action.”

The Core Idea

Many of the groups saw massive value in changing the predominant narrative of cybersecurity careers, and who belongs in them, by developing large-scale social media or television awareness campaigns, and by working on more specialized projects with media outlets and film producers. That said, groups recognized that not all awareness campaigns are created equal, and that utilizing best practice research at the outset can help us to design a maximally effective campaign or media project. These strategies coalesced around three main objectives, all aimed at broader narrative change: increasing the perception of cybersecurity’s importance, developing enhanced visual representations of women excelling in cybersecurity, and surfacing obstructions to female success in the classroom and the workplace.

Supporting Details from Discussions

Groups proposed several different mechanisms for changing narratives and raising awareness. One group’s strategy suggested replicating the impact of the Rosie the Riveter campaign, which famously encouraged millions of women to join the workforce during World War II. Another centered on developing, pitching, and airing three new television shows that would both appeal to a target audience, while creatively underscoring “a successful woman in cybersecurity.” A third group developed a different kind of marketing strategy, one that culminated with a ranked list of “best cybersecurity companies to work for if you are a woman” published in conjunction with a popular media partner.

Ultimately, the goals of the Rosie the Riveter strategy and the television show production strategy were similar: using enhanced visuals, storytelling, influential individuals, and platforms to change the narrative and increase awareness of the cybersecurity field, thereby encouraging girls and women of all ages to consider and join it. These strategies aimed to dismantle problematic stereotypes about women inside the industry, and to elevate its “cool” factor without sacrificing critical nuance.

The mechanism for change varies between these first two strategies and a third. Whereas Rosie the Riveter and television characters impact perceptions of women in the cybersecurity workforce through role model exposure and targeted storytelling, the third “ranked list” strategy sought to raise awareness of current barriers for women in the industry by creating a narrative of responsible corporate practices.

The strategy described the development of criteria to rank and certify organizations that implemented policies known to increase female participation in the cybersecurity workforce (based in part on EDGE,¹² an organization that is already certifying organizations for levels of gender equality). By shaping the narrative of what makes a responsible company and by enlisting media partners to amplify that message, this tool incentivizes adoption of known best practices. It also shifts the narrative away from the overwhelming and nebulous “this is a big problem” framing to “here are the specific problems in your workforce, and here are tailored solutions.”

“We can’t achieve gender parity in the cybersecurity industry without visibility. Each of the groups that we heard from focused on promoting visibility of prominent women in the industry & career paths into the industry using what amounts to a megaphone. Through marketing campaigns, executive sponsors, or the formation of new, strong & central networks with a unified message, the point is that siloed efforts must be joined together in order to rise above the noise in tech.”

Ideas for Successful Implementation

Most effective awareness campaigns adhere to a few key principles; following these will help ensure success for some of the strategies based around more traditional marketing. Effective campaigns:

• Clearly communicate a specific action
• Make it easy to do that action
• Approach target audience in a way that is timely (in other words, delivering an ad or a prompt at a time when they will be most likely to read or engage with it)
• Create clear incentives for taking action (or disincentives for inaction)

Beyond these principles, some of these strategies—such as the ones that plan to utilize connections within media or entertainment industries—will be well-served by taking note of other necessities for implementation. For instance, strategies recommend ensuring that the leadership group has entertainment and media connections from the outset, and that people with knowledge of this industry are involved in the initial drafting and ideating of characters, scripts, and show ideas.

Groups acknowledged the need to generate contingency plans for ways to get characters in to existing shows, or to expand or improve on current offerings, in case getting a pilot off the ground is determined to not be feasible. However, participants also noted that success in these strategies was not unreasonable. In fact, it was remarkable to note how many participants had connections to or resources in media. With the right mix of contributors, participants found that many of these strategies became far more plausible.

As the discussions from this project demonstrated, there is no shortage of good ideas for new resources and projects to bring women into and up through careers in cybersecurity. There are even a handful ideas that could create systemic, scalable change. Given that, how do we as a community bring these ideas to life?

The Big Idea

One of the barriers to implementation is the lack of an obvious coordinator to activate many of the ideas put forward in this paper. A secondary but critical question is one of resources. A frequent refrain throughout the convening was, “It is a great idea, but who has incentive to fund it, and whose job will it be to do the work?” This recurring question absolutely points to the importance of the first trend—the empowerment of a coordinator—described above.

The establishment of stronger coordination unlocks the possibility of a wide array of further good work by a number of actors. The specific purpose and language used to describe this effort with participants varied—an incubator, an umbrella organization, a coordinating council, an authoritative convener, a launch platform—but in any case, the potential impact is clear. Because of the possibility for watershed effects on other work, it becomes an obvious, if quite challenging, focus for next steps.

There are a number of organizations working on different pieces of cybersecurity’s gender diversity puzzle. However, very few of these organizations see their mandate as one of coordination across organizations, and virtually none appear to be resourced to serve such a function. Some could be adapted to such a role, if adequately funded. For example Women’s Society of Cyberjutsu (WSC), the Executive Women’s Forum (EWF), and the newly established membership organization affiliated with the well-known Women in Cybersecurity (WiCyS) conference, as well as a small group of others, fulfill roles that could be expanded to include a wider mandate for driving strategic, systemic change.¹³

Alternatively, the establishment of a coalition among these groups specifically designed not to govern its constituent organizations, but to serve as a platform or coordinating body for other efforts could be a means for filling this role. It is also possible that some wholly separate organization could step in or be created to fill such a role.

Under any of these organizational frameworks, funding for both basic operations and the implementation of specific projects is the fundamental enabler of progress. Other factors are also critical, but ultimately some kind of stable funding model has to exist. While short-term funding may suffice at the very outset, in very short order it should be sustainable on a multi-year basis. Further, funding would need to come from a broad coalition of supporters to preserve the impartiality and independence of the effort.

Implementing the Big Idea

The vision outlined above is bold, but first steps have already begun to emerge from the work of the convening and in subsequent conversations. To start with, the establishment of a network of partners (either formally or informally) is essential. Whatever the organizational structure or funding model, it cannot be successful without buy-in from the larger community. Support and partnership from established organizations working on women in cybersecurity would allow the effort to be seen as a credible voice. Recognition and counsel from individual luminaries in the community would help build a network of supporters and influence.

Perhaps most importantly, the engagement of supporters outside the “usual suspects” working on women in cybersecurity could serve a number of purposes. First, this involvement would draw in additional perspectives that can help strengthen the overall vision. Second, expanding beyond the pool of organizations and individuals working on gender diversity and inclusion efforts in cybersecurity increases the chances of tapping into new resources (because increased coordination, and especially a new organization, cannot come at the expense of existing organizations). Third, it broadens the reach of messaging and collaborative opportunities. For example, Theme Three describes the engagement of the media in gender diversity efforts, which requires building connections to members of the media.

Beyond network-building, broad outreach is a mechanism for refining the purpose of future efforts. Through soliciting input from a diverse, informed, and engaged pool of stakeholders, the vision for progress becomes better. One area where this input will be important is in very specifically defining the need for this effort, particularly if it results in the creation of a new organization. Because many organizations work on similar issues, identifying the roles of each will help to avoid overlap and redundancy.

Another reason that ongoing outreach is a natural next step is simply because the convening hosted in this project certainly did not unearth all the good ideas out there. If the goal is the creation or empowerment of a platform that can implement or catalyze new efforts to increase the participation of women in cybersecurity, then a pipeline of new ideas will be important for success over the life of the organization. Connecting with the members of the community who are motivated to move such ideas forward is a powerful means for creating that pipeline.

Other Lines of Effort

This section has, up to this point, focused on the next steps needed to empower coordination to further the cause of women in cybersecurity. However, that is certainly not the only line of effort to come out of the convening. To their immense credit, many participants of the convening have already reported that they will be reaching out to decision makers and colleagues in their own workplaces to implement lessons from the convening. We look forward to hearing about, supporting, and celebrating these efforts.

Most immediately, the New America project team will be working to connect the written deliverables of this project to their intended audiences. The community scan embedded within this report can be a resource to new and existing members of the cybersecurity community looking for resources or ways to support. It also serves to help avoid redundancies in the community by offering an at-a-glance account of existing entries and their missions.

The scan has growth potential as well. It could become a living document, updated to reflect change to existing entries and the addition of new organizations and resources. Meanwhile, the one-page resources (available for download along with the PDF of this report) developed around suggestions specific to certain audiences are only useful if members of those audiences find them. Therefore, a clear next step is to activate the network developed around this project to connect resources to audiences.

By establishing connections between participants and drawing a path forward in the follow-on deliverables, this project as a whole will enable the wider community to implement the ideas laid out. Accordingly, a second obvious line of effort is to reinforce the connectivity among the group established through this project and seek opportunities to incorporate additional members to that group. This could take a couple of formats. In the most direct sense, simple email communication with the group serves this end. But a better solution would be to create an opt-in mechanism for ongoing regular contact, such as a newsletter.

Last, but certainly never least, there is ample room for further research. An ongoing challenge of this project has been the limitations of existing data on the women in the cybersecurity workforce. In order to accurately diagnose problems and measure progress towards solutions, stakeholders in this space need to know—beyond an anecdotal level—why women enter cybersecurity careers, what keeps them in those careers, why they leave, what they need, and the answers to many, many other questions. Unfortunately, due to variations in studies and methodologies, we struggle to identify simply what percentage of the workforce is female. Future research (and funding for future research) could very helpfully fill in the gaps in what we know and can measure about female participation in the cybersecurity workforce.

Defining success in the strategies described above is easy. Successful strategies bring more women into and up through cybersecurity careers. Actually imagining what success could look like, however, paints a far richer picture.

So let's envision a future where we succeed in bringing more women into and up through the cybersecurity field.

Increased coordination among existing efforts might start with small things: conference planners (like the organizers of BlackHat, DefCon, and RSA) could have a single person to contact to share their call for proposals among the combined memberships of Women’s Society of Cyberjutsu, Women in Cybersecurity, Women in Security and Privacy, and the Executive Women’s Forum. This leads more women to submit proposals and take the stage as leaders and role models in their field. Meanwhile, when one organization releases a piece of research or a new tool to promote women in the field, the authors could quickly enlist the whole community’s support to share the new resource. Simply as a matter of routine communication, the message is drastically amplified and the resource is more quickly adopted.

Within a couple of years, organizations are routinely sharing whatever resources come easily to them: meeting space, contacts, expertise, mentors, research, and more. This becomes the basis for a group of coordinators to meet regularly to deal with routine business and informally advise and support to new initiatives as they emerge. Corporate and philanthropic funders see this emerging coalition as a springboard for a nonprofit incubator, which gives rise to efforts and initiatives that once seemed implausible without a home or champion. Slowly the community develops an array of programs, each addressing different needs, but working collaboratively with one another.

While one group of coordinators fosters new initiatives, another taskforce could gather corporate decision-makers, ranging from human resource managers to top executives, to review data on the impacts of gender diversity on company performance. The taskforce presents a compelling business case for companies to fund projects designed to increase recruitment and retention of women in cybersecurity roles within their workforce.

As employers move from thinking of gender diversity as a “nice to have” to a “need to have” feature of their workforce, they partner with nonprofits, the media, and the leaders coordinating efforts among the women in cybersecurity community to design an advertising campaign encouraging mothers returning to the workforce to consider a career in cybersecurity. At first slowly, and then much more quickly, more women begin to enter the field and stay for the duration of their careers.

Although these outcomes are all still hypothetical, with the right community of supporters, creating lasting, sustainable change is absolutely possible.

Strategies Relating to Theme 1: Empower the Coordinators

Umbrella Organization

Year One: Create the organization; Recruit 3-5 sponsors; Create the business plan; Socialize in broader community; Define mission

Year Two: Evaluate impact of companies that adopted specific hiring principles; Grow to 10-15 companies; Development of a simplified ask; Approach women in society and ask them to focus on cybersecurity

Year Three: Evaluate pitch technique; Grow to 20-25 companies; Utilize popular online media personalities (YouTubers) to do hacker for a day video to reach young women; Partner with US Conference of Mayors for city events

Year Four: Evaluate online media outreach and adjust, if needed; Grow to 30-35 companies; Create a central database for possible positions and training; Create a Tinder-style app (similar to Indeed) and swipe right if the woman is interested in a certain job or training

Year Five: Perform organization evaluation; Grow to 50 companies; Create a “physical demo space” (via Conference of Mayors); Enhance the database

Organization for Systemic Change

Year One: Establish key message; Develop key focus points; Establish a framework; Establish mandate; Identify champions for spreading awareness

Year Two: Identify capital and financial backing; Calculate amount of partners and participants; Release a pilot test project

Year Three: Well-built ecosystem in place; Evaluate the amount of participants (joined)

Year Four: Assess and improve; Measure the overall change within the cybersecurity community

Umbrella Portal and Community of Practice

Year One: Identifying an executive champion; Formations of coalitions

Year Two: Building a strong community of women and supporters of women in cyber

Year Three: Maintaining this coalition as a sustainable resource

Strategies Relating to Theme 2: Engage and collaborate with businesses

Organization Recognition Program

Year One: Council Development and Criteria Planning: Project owner determined; Council of diverse, connected, willing, influential leaders created; Research recruit/retain successes; Partner for insights; Develop certification criteria and metrics (orgs and council); Prepare solid business arguments

Year Two: Testing and Evaluation: Pilot tested with select established, influential organizations; Monitor pilots with quantitative/qualitative research; Reevaluate the program and its feasibility and scalability and adjust, if needed

Year Three: Model Publication, Promotion, Implementation: Publish and promote the model and criteria (key conferences, journals, scholarly articles, etc.); Develop ranking criteria (studying others); Rank organizations (diligently)

Year Four: Organization Ranking and Program Iteration: Rankings published on mainstream media; keep up with organizational progress, monitor program success data, and update rankings accordingly

“Returnship”

Year One: Create business plan; Conduct market survey; Recruit large corporations and others; Create program design

Year Two: Pilot program; Develop outreach and recruitment initiatives and targeted ads; Soft launch in key markets

Year Three: Full launch in the United States; Full media kit and storyline; Refine outreach (individual’s skill gaps to be filled); Partner with influencers and individuals with success stories in cybersecurity to go viral

Year Four: Add in one-year cybersecurity certificate for participants; Go global

Career Path and Narrative

Year One: Create easy-to-understand curriculum; Increase cybersecurity exposure in student body; Identify partners; Build framework for school systems to integrate this curriculum

Year Two: Map a path of credentials for current cybersecurity employees to improve and move up; Make the path of credentials public; Get financial backing; Pilot both

Year Three: Initiate improvement of any pending issues; Evaluate the number of students participating; Expand & implement other schools and businesses

Year Four: Measure progress of new implementation; Well-built structure in place

Strategies Relating to Theme 3: Use marketing, entertainment and media platforms to change the narrative

Multimedia Campaign (e.g. Rosie the Riveter)

Year One: Establish a team of influencers; Find a sponsor; Establish focus group to identify marketing strategies

Year Two: Implement a long-term PR campaign

Media

Year One: Pitch and Content Planning—Group setup; Ideas for 3 shows; Connections; Pitch shows; Confirm partner(s); Storyline, etc. done for 3 shows; Casting auditions w/big names; Group advocates to 3rd party supporters

Year Two: Development—Production/casting members/advertisers/collaborators final; Pilot language written; Following season storylines assessed; Pilot production done; Repeated for all 3 shows

Year Three: On Air—Shows on air; High ratings and positive critic reviews; Wide recognition & promotion (talk shows, Rotten Tomatoes, loyal fans bases)

Year Four: Winning—Bring home accolades; Tangible wins in Hollywood (Emmy nomination, Kids Choice Awards, Teen Choice Awards); Uptick in women joining the cybersecurity workforce; Girls engaged in cybersecurity-related academic curriculum

Other Strategies

Forum for Fathers

Year One: Research—Focus groups to determine areas; Gather past studies; Note similar apps/platforms/conferences/print resources; Craft product outline that details structure and implemented resources

Year Two: Content—Content providers/contributors/producers/writers curated; Acquire site advertisers; Contact potential collaborators (product promotion/growth); Launch product

Year Three: Enhancement—AI used to take product to next level; Acquire improvement feedback from fathers/daughters; Boost reach via AdWords & social media analytics)

Year Four: 2.0—Revamp/reiterate product based on feedback/data/results; Launch 2.0; See substantial increase in K-12 girls in STEM-related courses w/in most active products & engaged communities; Usage increases in users & regions

Establish Women-Focused Recruiting Firms

Year One: The acquisition of funding could be feasible via grants and would contribute to expanding recruitment capabilities for government agencies and corporations.; Develop business case (incorporate societal benefit and ensuring it is legal)

Year Two: The goal would also be to have clients register.

Educational Resource to Mainstream Women in Cybersecurity

Year One: These resources can be distributed through existing educational institutions targeting early education for the establishment of a long-term appreciation for cybersecurity as well as targeting women’s schools (kindergarten through high school and higher education.)

To enable candid conversation, participants and their organizational affiliations are not named in this report, except in text boxes with direct quotes with the specific approval of those participants. However, understanding the industries and communities of these participants helps contextualize the conversation. To anonymize the participant list while still providing this context, below we describe the roles of the participants and the number of participants in each role.

Many participants fall into more than one category, but are counted only once to accurately reflect the total number of participants. In these cases, we have endeavored to list these individuals by the role most relevant to their reason for being invited to participate. This list includes the meeting facilitator and participants from the project team at New America and the National Initiative for Cybersecurity Education.

• Twelve participants worked in the federal public sector. This number includes a range of agencies and roles. It includes high-level leadership and operational positions. In includes both individuals designing policy and those implementing those policies.
• Seven participants were from the private sector, including three in leadership roles, two responsible for providing strategy for enterprise cybersecurity, and two who were engaged in strategy and entrepreneurship.
• Six participants were current undergraduate students.
• Four participants were leaders in higher education, with a focuses in gender studies, technology, or cybersecurity.
• Four participants were policy researchers.
• Three participants were researchers in behavioral science, organizational change, and/or gender studies.
• Three participants served in roles fundamentally centered around bringing people together at conferences, trainings, or as part of a larger network.
• Two participants were researchers in cybersecurity with federally funded research and development centers.
• Two participants were in human resources strategy, one in the private sector and the other in the public sector.
• One participant was retired military and a current student.
• One participant was in non-profit leadership.
• One participant was in venture capital.

The following resources can be downloaded, printed, and shared as one-pagers to help create new pathways for women in cybersecurity.

• Ask Better Questions: Ask students, “what kinds of problems would you like to solve?” rather than, “what do you want to be when you grow up?” to help encourage thinking about technology and cybersecurity career paths. Such questions will help students who value contributing to communal goals and helping others reflect on the social impact of career paths in technology. Consider using strong female characters from fictional technology roles, like on the TV show NCIS or Bones, to depict the problems that can be solved.
• Cybersecurity Is Everywhere: Incorporate cybersecurity as an element of popular extracurriculars like sports or drama. Does the team have a social media presence or a payment system for tickets? Encourage students to investigate how those systems are secured and what improperly secured systems might mean for their team. In order to shape and deliver content, partner with organizations familiar with youth activities, like 4-H or the Girl Scouts, that have experience developing computer science or cybersecurity-specific programs and badges for young learners. Understanding how cybersecurity contributes to the group’s overall goals can help create enthusiasm for careers in the field.
• Earn College Credit in Cybersecurity: Encourage high schools to develop advanced courses in cybersecurity, using language in course descriptions and other course materials that is in line with best practices for how to attract and engage more women students. Work with the College Board and the International Baccalaureate to design exams to award college credit for these courses.
• Expand the Cybersecurity Club: Create a new cybersecurity club if your school does not yet have one. Task the students with figuring out how to engage more of their peers in the club. Exposure to the subject in a socially supportive environment—and early in education—can create excitement for careers in the field among students who might otherwise dismiss the possibility. Simple things like cool graphics and a name that echoes themes from popular culture can be used to attract participants.
• Teachers are Learners Too: Sponsor teachers to attend cybersecurity courses or earn certificates, so that they are equipped with the latest information to teach students. Make resources about coding clubs and cybersecurity camps available to students, too.
• Show Cybersecurity’s Impact on Communities: Turn a real-world community problem into a cybersecurity competition. This encourages students to explore the link between the technology, its impact on people’s lives, and the ability to be creative. Give prizes to students who win intramural programs, or work with existing programs (for example, eCybermission) to compete with teams from other schools.
• Cultivate Growth Mindsets: Research suggests that girls sometimes need different kinds of feedback to succeed in STEM classes and can get discouraged if they fail. Consider training teachers in how to encourage a growth mindset among those students. In other words, teaching them that their abilities in math and science are not innate, but can be developed over time, and that failure is not weakness, but an opportunity to get stronger.
• Introduce Female Role Models: As the saying goes, you cannot be what you cannot see. Show students what women in cybersecurity look like by bringing in guest speakers, integrating women’s stories into history lessons, or even featuring video clips of fictional female technologists from TV solving relevant problems.

Download the one-pager

• Coordinate with Greek Life: Plan a cybersecurity awareness challenge or event with a philanthropic goal with Greek Life organizations on campus (perhaps supporting efforts to protect vulnerable communities from hacking and/or identity theft). Make sure to have free food.
• Connect Careers to Course Registration: Schedule a career event—or series of events—that brings female cybersecurity professionals in to talk about their careers with clubs and societies for women. Ask speakers to be explicit about the links between their work and specific academic disciplines or courses. Time these events to coincide with course registration periods, so that students are connecting with female role models as they make decisions about their academic pathways.
• Redefine Foreign Language Requirements: Allow computer languages to count towards university curriculum (UCC) language requirements.
• Emphasize Security Roles: Partner with organizations like ROTC to break down gendered assumptions around “security” as a general concept. Showcase women in the military as role models, pointing out the many different ways women are protecting the nation’s security. If it encourages the idea to stick, consider using “Mama Bear” images and memes to help students think of how women do play security roles.
• Reframe Cybersecurity: Where technology courses or cybersecurity awareness trainings are a mandatory part of the curriculum or campus life, integrate examples and narratives that emphasize the ways in which good security relies on creativity and helping other people in order to encourage students to connect with careers in the field. Emphasize how cybersecurity jobs use skills—like pattern recognition—that are often considered common strengths for women.
• Gender Equality By Design: Consider making changes to systems, processes, and environments to foster a greater sense of belonging and to reduce the negative impact of internalized stereotypes among girls and women. For instance, putting posters of women up on the walls and including more women in the syllabus can all contribute to a greater sense of belonging and achievement in the classroom.
• Partner with Industry: Beyond hosting career fairs, partner with industry practitioners to collaborate on designing cybersecurity skills and educational career paths. Areas as diverse as St. Louis, Albuquerque, Baton Rouge, and many others already have established cybersecurity apprenticeship programs that pair educators with employers. Consider reaching out to explore the possibility of collaborating or establishing a new program.

Download the one-pager

Outreach

• Seek Out Visitors: Reach out to community organizations to invite groups to see your workplace in action for a day and learn what cybersecurity jobs really look like. Offer free child care for these events.
• Seeking Second and Third Careers: Explicitly encourage applications from individuals in pursuit of a career change, for example, former military or network administrators looking to expand their skillsets. Mothers seeking full-time work as their children become more independent are a particularly large population of experienced employees, and are often contactable through organizations like MotherCoders and Moms Can Code. This allows seasoned employees to enter the workforce and incorporates their existing expertise into cybersecurity.
• Internships without the Commute: Work with schools and other community centers to conduct virtual internships and webinars that reach students, early-career professionals, or career changers who are looking to expand their STEM knowledge and network, but who are not able to commute to a worksite. For example, consider programs that connect with underprivileged communities, single parents, or spouses of deployed members of the military.
• Consider Your Workforce Geography: Which of your work roles actually needs a daily physical presence in the office? If remote employees are a possibility, get creative about what “remote” can mean, and look for employees from geographically diverse areas. Be explicit about your policies on remote hiring. If you are interested in applications from rural areas, distant cities, or from parents of small children, saying so can encourage applications from these potential teleworkers.

The Hiring Process

• Shift Your Focus: Instead of evaluating job applications for specific qualifications like degrees, look for applications that show evidence of quick learners, competency, and motivation.
• Blind Review: Remove names and other information indicating gender from job applications before they are reviewed.
• Structure Your Process: Approach each interview with a consistent process, set of questions, and means for comparing candidates’ responses to those questions. If a test or other evaluation is administered to some candidates, use it with all candidates.
• Mind Your First Impressions: Ensure that company representatives present in hiring interviews reflect your values around diversity. Take advantage of this first opportunity to show candidates that diverse people and perspectives are welcome in your workplace.
• Call an Expert: Consider working with experts who specialize in eliminating unconscious bias in the hiring process. Researchers have uncovered a great deal of information about gendered language in job advertisements and other steps in the hiring process. Look for experts who are well-versed in this information to help develop a conscientious hiring process.

Download the one-pager

• Map Career Pathways: Make career pathways in cybersecurity roles in your organization clear. How does each work role lead to the next position? Be explicit about the knowledge, skills, and abilities required to advance into those positions. Find ways to measure progress in unambiguous, trackable ways, and hold periodic career assessments with your employees to discuss their progress towards their goals.
• Watch out for “Volunteer” Jobs: Whether it is organizing birthday cupcakes, serving as rapporteur at the planning meeting, or taking on the project that “we all know is more work than it is worth,” volunteer jobs reduce the amount of time employees can spend on the projects that build their portfolio. Such jobs tend to fall disproportionately to women. Create a company culture that prioritizes distributing these jobs evenly and allows employees to say “no” without penalty.
• Make Your Policies a Selling Point: Flexible work schedules, paid family leave policies, review and advancement programs, and other inclusive policies matter to more than just your current workforce. Good policies are a way of attracting and retaining talent, and particularly women. Your employees have friends in the industry. Give them a reason to tell those friends about your supportive working environment.
• Cultivate a Culture of Mentorship: Consider ways to reward employees who invest their time in helping others. Create opportunities for mentorship. This can be as formal as scheduling meetups and connecting new hires with seasoned employees, but it can also be informal. Physical space—like the office kitchen—that encourages employees from all departments and seniority levels to cross paths can help to build a culture of mentorship. Company leaders (of all genders) can also demonstrate this culture by visibly making time to serve as both mentor and mentee.
• Boards that Care: Board members of any gender can help to make inclusivity a priority throughout the organization. Beyond just being good business practice, recruit diverse board members who signal their dedication to inclusion through their own behavior and choices help to establish and reinforce company culture. National groups that help place women in C-suite positions and on boards can be an asset in instilling these priorities.

Download the one-pager

Participants in a New America Women in Cybersecurity convening in 2018 generated these ideas and strategies to get more women and girls into and up through cybersecurity. But not all strategies begin and end within the cybersecurity community. External partners in industries as diverse as cosmetics, entertainment, gaming, toymaking, and many others all have a role to play. Each and every one of these organizations has a stake in building strong cybersecurity and in good jobs for women. Below are ideas for these partners that can serve both of these ends.

Leaders in fashion can spark interest in cybersecurity through:

• Fashion magazines spreads that depict women as masters of emerging technology.
• High-end designers that feature security-minded products (e.g. RFID-blocking handbag pockets).
• Cosmetics advertising campaigns that show powerful “hacker” women.
• A red-carpet gala theme focusing on STEM and cybersecurity.

More inclusive gaming can draw women and girls into the industry through:

• Videogames with non-gender-specific appeal that feature story elements around cybersecurity and its impacts on people.
• Female avatars and characters that are technologically skilled and reflect physical features and dress with which young women might identify.

By influencing early childhood, toymakers can have a profound impact with:

• Adding cybersecurity to the careers showcased by dolls marketed to girls. Barbie has lots of STEM careers. Cybersecurity should be one of them.
• Card decks that feature famous women in science, technology, engineering, and mathematics. Grace Hopper, Ada Lovelace, Annie Easley, Elizebeth Smith Friedman, and Mary Kenneth Keller would make an impressive full house!

Those who make movies and television can shine a spotlight on cybersecurity by:

• Creating tech-savvy heroines in animated films. Animated princesses are the theme for children’s costumes, backpacks, binders, toys, accessories, and many other day-to-day necessities. Imagine if that could be used to inspire girls to see STEM education as a way to emulate their cultural icons.
• Mainstreaming women in tech roles. Such role models have already started to appear in popular television, but imagine if this was so normal that it was unremarkable.

Download the one-pager