Why Women Are Ideal to Lead GRC
(ISC)² Study Finds 1-in-5 Infosec Women in GRC Role
(ISC)²'s most recent Global Information Security Workforce Study with Frost & Sullivan, "Women in Security", reveals that one in five Infosec women is in a governance, risk and compliance role. For men, that figure is one in eight.
A similar trend is observed across geographies, including the US, Eastern Europe, European Union and APAC. However, the survey determines that women have very low representation in leadership roles.
According to Hong Kong-based Clayton Jones, managing director, Asia-Pacific, at (ISC)², the trend is important considering the GRC role was, until 9/11, a relatively obscure one in Infosec. "Now, security practitioners recognize the rising importance of GRC," he says. "Women, more than men, seized upon the opportunities in GRC early on."
Mumbai-based Mayurakshi Ray, leader-Solutions at Aujas Networks, a global information risk consulting company, says GRC is ideally suited for women.
"I completely agree with the study," Ray says. "Women practitioners adhere to risk management principles - by being objective, good in assessing and pre-empting possible threats, taking control of the security and other controls, clear about potential vulnerabilities and good at processes and procedures in building risk mitigation techniques."
The objective behind conducting the survey, says Jones, was to gauge the opinions of InfoSec professionals regarding trends and issues affecting their profession. The survey was completed by 13,930 qualified InfoSec professionals.
While the study states that InfoSec employment is predominantly male - about 90 percent of InfoSec professionals are male - attracting women would lessen the overall global shortfall of security pros.
"The number of women in infosec is growing, but only at the rate equal to that of the profession as a whole; the aggregate numbers mask the progress made by women," Jones says.
The study shows that GRC is one of the growing InfoSec roles for women, who have positioned themselves wisely in a profession that should be defined not by sheer headcount, but by roles that shape the future practice of InfoSec.
The study highlights that women also differ from men on how to address the widening InfoSec workforce shortage. While both genders said the shortage was a significant factor, women stress looking beyond technical skills in hiring. This is not to discount the importance of technical skills - women in InfoSec are converging on men as they pursue academic undergraduate majors in computer science and engineering.
"There is increasing realization that technical skills alone are insufficient in resolving complex risk management dilemmas leaders in InfoSec confront," says Jones.
Most women practitioners believe that GRC encompasses huge challenges, including defusing emotions, collaborating across multiple stakeholders and adroitly balancing business objectives and risk management.
Jones says women are more likely to have these skills and have applied them in their careers, and view them as increasingly important while driving the InfoSec profession to be a more prominent strategic partner in business decision making.
"A common personality trait in this field is to want to be challenged, but men and women are challenged by different things," says Gurdeep Kaur, chief security architect at AIG. "Emotional Intelligence becomes more important beginning at the middle management level. It plays a big role in translating the dynamics (of people and technologies) that will impact the decision you make, that in turn impacts risk management," she explains.
Says Ray, "Women could resonate well with GRC and affiliate themselves to it. IT, on the other hand, has stayed a male bastion, often with the faulty notion that women don't understand technology/technical concepts."
Future of Infosec Women
Australia-based Dr. Jill Slay, Professor, director, Australian Centre for Cyber Security, University of New South Wales, says there's a huge gap in infosec skills in Australia. "This is due to a lack of qualified engineering graduates among women in Australia; those qualified and possessing Masters or Ph.Ds are a handful, and they do not take up big roles," Slay says.
She says IT security has also not become a mainstream option for women, as most often it's immigrant students who pursue technical engineering courses - not so much Australian natives.
"Since not many are qualified CISSPs or other security-wise professionally certified, there's a huge skill gap," Slay says.
According to the study, women are under-represented in senior leadership and information technology roles.
Of senior executive roles, the study says, an estimated 22 percent are held by women. Regionally, Eastern Europe ranks the highest at 35 percent of senior leadership roles held by women. Developed APAC is the lowest at 13 percent. Those in North America and the European Union are 21 percent and 26 percent, respectively.
Women practitioners state that greater emphasis will be placed on managerial roles, and less on operational and security consulting roles, in the future. In more functionally defined areas, GRC will gain prominence, while network security architecture will decline slightly.
Ray says women should be encouraged to take up technology specialization courses. "To date, the ratio of men versus women students in all IITs is 10:1. Alongside skill development, support from employers and family to balance work and family will be very important," she says.
Jones believes specialized scholarships programs must be designed for women to encourage them to take up professional courses to move up the value chain.
"It is critical to run mentorship programs for women focused on Infosec to help them develop a passion for taking up leadership positions and evolve as better Infosec professionals," Slay says.