Section 4: The Way Forward

As the discussions from this project demonstrated, there is no shortage of good ideas for new resources and projects to bring women into and up through careers in cybersecurity. There are even a handful ideas that could create systemic, scalable change. Given that, how do we as a community bring these ideas to life?

The Big Idea

One of the barriers to implementation is the lack of an obvious coordinator to activate many of the ideas put forward in this paper. A secondary but critical question is one of resources. A frequent refrain throughout the convening was, “It is a great idea, but who has incentive to fund it, and whose job will it be to do the work?” This recurring question absolutely points to the importance of the first trend—the empowerment of a coordinator—described above.

The establishment of stronger coordination unlocks the possibility of a wide array of further good work by a number of actors. The specific purpose and language used to describe this effort with participants varied—an incubator, an umbrella organization, a coordinating council, an authoritative convener, a launch platform—but in any case, the potential impact is clear. Because of the possibility for watershed effects on other work, it becomes an obvious, if quite challenging, focus for next steps.

There are a number of organizations working on different pieces of cybersecurity’s gender diversity puzzle. However, very few of these organizations see their mandate as one of coordination across organizations, and virtually none appear to be resourced to serve such a function. Some could be adapted to such a role, if adequately funded. For example Women’s Society of Cyberjutsu (WSC), the Executive Women’s Forum (EWF), and the newly established membership organization affiliated with the well-known Women in Cybersecurity (WiCyS) conference, as well as a small group of others, fulfill roles that could be expanded to include a wider mandate for driving strategic, systemic change.¹

Alternatively, the establishment of a coalition among these groups specifically designed not to govern its constituent organizations, but to serve as a platform or coordinating body for other efforts could be a means for filling this role. It is also possible that some wholly separate organization could step in or be created to fill such a role.

Under any of these organizational frameworks, funding for both basic operations and the implementation of specific projects is the fundamental enabler of progress. Other factors are also critical, but ultimately some kind of stable funding model has to exist. While short-term funding may suffice at the very outset, in very short order it should be sustainable on a multi-year basis. Further, funding would need to come from a broad coalition of supporters to preserve the impartiality and independence of the effort.

Implementing the Big Idea

The vision outlined above is bold, but first steps have already begun to emerge from the work of the convening and in subsequent conversations. To start with, the establishment of a network of partners (either formally or informally) is essential. Whatever the organizational structure or funding model, it cannot be successful without buy-in from the larger community. Support and partnership from established organizations working on women in cybersecurity would allow the effort to be seen as a credible voice. Recognition and counsel from individual luminaries in the community would help build a network of supporters and influence.

Perhaps most importantly, the engagement of supporters outside the “usual suspects” working on women in cybersecurity could serve a number of purposes. First, this involvement would draw in additional perspectives that can help strengthen the overall vision. Second, expanding beyond the pool of organizations and individuals working on gender diversity and inclusion efforts in cybersecurity increases the chances of tapping into new resources (because increased coordination, and especially a new organization, cannot come at the expense of existing organizations). Third, it broadens the reach of messaging and collaborative opportunities. For example, Theme Three describes the engagement of the media in gender diversity efforts, which requires building connections to members of the media.

Beyond network-building, broad outreach is a mechanism for refining the purpose of future efforts. Through soliciting input from a diverse, informed, and engaged pool of stakeholders, the vision for progress becomes better. One area where this input will be important is in very specifically defining the need for this effort, particularly if it results in the creation of a new organization. Because many organizations work on similar issues, identifying the roles of each will help to avoid overlap and redundancy.

Another reason that ongoing outreach is a natural next step is simply because the convening hosted in this project certainly did not unearth all the good ideas out there. If the goal is the creation or empowerment of a platform that can implement or catalyze new efforts to increase the participation of women in cybersecurity, then a pipeline of new ideas will be important for success over the life of the organization. Connecting with the members of the community who are motivated to move such ideas forward is a powerful means for creating that pipeline.

Other Lines of Effort

This section has, up to this point, focused on the next steps needed to empower coordination to further the cause of women in cybersecurity. However, that is certainly not the only line of effort to come out of the convening. To their immense credit, many participants of the convening have already reported that they will be reaching out to decision makers and colleagues in their own workplaces to implement lessons from the convening. We look forward to hearing about, supporting, and celebrating these efforts.

Most immediately, the New America project team will be working to connect the written deliverables of this project to their intended audiences. The community scan embedded within this report can be a resource to new and existing members of the cybersecurity community looking for resources or ways to support. It also serves to help avoid redundancies in the community by offering an at-a-glance account of existing entries and their missions.

The scan has growth potential as well. It could become a living document, updated to reflect change to existing entries and the addition of new organizations and resources. Meanwhile, the one-page resources (available for download along with the PDF of this report) developed around suggestions specific to certain audiences are only useful if members of those audiences find them. Therefore, a clear next step is to activate the network developed around this project to connect resources to audiences.

By establishing connections between participants and drawing a path forward in the follow-on deliverables, this project as a whole will enable the wider community to implement the ideas laid out. Accordingly, a second obvious line of effort is to reinforce the connectivity among the group established through this project and seek opportunities to incorporate additional members to that group. This could take a couple of formats. In the most direct sense, simple email communication with the group serves this end. But a better solution would be to create an opt-in mechanism for ongoing regular contact, such as a newsletter.

Last, but certainly never least, there is ample room for further research. An ongoing challenge of this project has been the limitations of existing data on the women in the cybersecurity workforce. In order to accurately diagnose problems and measure progress towards solutions, stakeholders in this space need to know—beyond an anecdotal level—why women enter cybersecurity careers, what keeps them in those careers, why they leave, what they need, and the answers to many, many other questions. Unfortunately, due to variations in studies and methodologies, we struggle to identify simply what percentage of the workforce is female. Future research (and funding for future research) could very helpfully fill in the gaps in what we know and can measure about female participation in the cybersecurity workforce.

Defining success in the strategies described above is easy. Successful strategies bring more women into and up through cybersecurity careers. Actually imagining what success could look like, however, paints a far richer picture.

So let's envision a future where we succeed in bringing more women into and up through the cybersecurity field.

Increased coordination among existing efforts might start with small things: conference planners (like the organizers of BlackHat, DefCon, and RSA) could have a single person to contact to share their call for proposals among the combined memberships of Women’s Society of Cyberjutsu, Women in Cybersecurity, Women in Security and Privacy, and the Executive Women’s Forum. This leads more women to submit proposals and take the stage as leaders and role models in their field. Meanwhile, when one organization releases a piece of research or a new tool to promote women in the field, the authors could quickly enlist the whole community’s support to share the new resource. Simply as a matter of routine communication, the message is drastically amplified and the resource is more quickly adopted.

Within a couple of years, organizations are routinely sharing whatever resources come easily to them: meeting space, contacts, expertise, mentors, research, and more. This becomes the basis for a group of coordinators to meet regularly to deal with routine business and informally advise and support to new initiatives as they emerge. Corporate and philanthropic funders see this emerging coalition as a springboard for a nonprofit incubator, which gives rise to efforts and initiatives that once seemed implausible without a home or champion. Slowly the community develops an array of programs, each addressing different needs, but working collaboratively with one another.

While one group of coordinators fosters new initiatives, another taskforce could gather corporate decision-makers, ranging from human resource managers to top executives, to review data on the impacts of gender diversity on company performance. The taskforce presents a compelling business case for companies to fund projects designed to increase recruitment and retention of women in cybersecurity roles within their workforce.

As employers move from thinking of gender diversity as a “nice to have” to a “need to have” feature of their workforce, they partner with nonprofits, the media, and the leaders coordinating efforts among the women in cybersecurity community to design an advertising campaign encouraging mothers returning to the workforce to consider a career in cybersecurity. At first slowly, and then much more quickly, more women begin to enter the field and stay for the duration of their careers.

Although these outcomes are all still hypothetical, with the right community of supporters, creating lasting, sustainable change is absolutely possible.