Forrester predicts that in 2022, one in 10 experienced security pros will exit the industry. This brain drain is the result of a few dynamics colliding: poor financial and advancement incentives; general stress and burnout impacting security teams; and cybersecurity’s dirty little secret, workplace toxicity! And cybersecurity isn’t immune to the hidden epidemic impacting women’s ability to continue working at pre-pandemic levels as they took on a disproportionate amount of childcare responsibilities. In an industry that cannot afford to lose any more workers, let alone women, attracting, retaining, and advancing them needs to become an immediate priority, not a nice-to-have.

Security Leaders Must Tackle Gender Bias Head On

For the majority of CISOs who are men (currently, 87% of CISOs at Fortune 500 companies are men and only 13% are women), there is an urgent need and enormous opportunity to become not just an ally but an outspoken champion for women in tech and cybersecurity, especially when so many people tell women to solve workplace challenges by simply “leaning in.” While personal responsibility is important, there is only so far that your confidence can go in an industry ingrained with systemic sexism and bias. We need to do better and treat gender issues for what they really are: systemic business and social issues. For that to occur:

  • Make diversity, equity, and inclusion (DEI) a key performance indicator for your security team. Too many detractors see these metrics as “unrealistic,” when in fact organizations with diverse executive teams are 25% more likely to have above-average profitability. In a recent security services Forrester Wave™ evaluation, in which most vendors bragged about their DEI policies, the services firms that were the Leaders in the Wave were the ones that actually put their money where their mouths are and tied DEI outcomes to their profits.
  • Mobilize male allies to influence change. One of the most hard-hitting quotes we heard during our interviews (and there were many) was a male leader noting that “If one-quarter of all the men took a more active role in speaking out as an ally, doing just small things, we would make a significant difference.” We learned that, far from being an accidental thing, true male allies go through a journey of personal and professional maturity, which starts with seeing and acknowledging that there’s a problem, speaking out about even the slightest micro aggression, and continuous learning.
  • Avoid unpaid emotional labor. Asking women to solve systemic sexism and bias workplace challenges can result in high levels of stress, compound feelings of difference, create additional workloads, and potentially lose time spent on career-related activities rather than accelerating cybersecurity practices. Some firms have started to acknowledge the cost of emotional labor — LinkedIn recently announced that it will pay its employee resource group leaders an additional $10,000 per year, and Twitter is following suit.
  • Model inclusive, supportive behavior. As we were about to go to press, infosec Twitter spun up with news that DEF CON had banned a well-known Village leader for violating the code of conduct. Some wanted to know details and refused to believe the accusers without that information, but many prominent cybersecurity voices stepped in and defended the process and the accusers. As a leader, remember that your team will notice your response to external situations like these and decide whether they can trust you to help when they encounter bias and harassment.
  • Provide the tools and culture that encourage all employees to speak up. Whistleblowers such as Susan Fowler and Alexandra Abrams are publicly calling out toxic culture, and they’re naming names. But public disclosure is rarely the first step — in fact, 97% of employee whistleblowers choose to report internally first. Make sure your firm has the right technologies that enable anonymous internal reporting, a process to triage and investigate all internal claims, and a culture that not only supports but also encourages employees at any level to speak out against harassment and toxicity before it makes headlines.

In July 2021, the team at Forrester published our quick thoughts in a gender bias blog post before taking on a piece of larger research to better understand the root of this problem. With thanks to the responses to that blog post and a series of highly enlightening interviews, our latest research (for Forrester clients) addresses issues such as how to:

  1. Become an outspoken ally for equal representation at industry events.
  2. Write inclusive job descriptions.
  3. Rethink and expand hiring practices.
  4. Retain women in leadership roles.
  5. Dismantle toxic masculinity with disciplined process- and behavior-based KPIs.
  6. Support and celebrate reformers.
  7. Take a zero-tolerance policy to harassment in the workplace.
  8. Support working mothers and even the playing field for parental leave.
  9. Remove the stigma of menopause in the workplace.

Read the full report for more recommendations and insights — but this conversation is far from over. Please reach out to jbudge@forrester.com with your feedback, reactions, and insights.