September 29, 2022:
Women held only 17% of Fortune 500 CISO positions in 2021, according to a new report from the Accenture Cybersecurity Forum Women’s Council. However, the report states that these numbers are “not due to lack of attention on the issue or lack of talent.”
The cause, the Accenture research found, is the public scrutiny CISOs can suffer through during a cybersecurity incident. Some 43% of respondents rated professional risk as a “very” or “most important” factor in declining a CISO or CSO position.
The CISO is typically held responsible for breaches, even though CISOs are rarely responsible for the vulnerability that is exposed and exploited by cyberattackers, according to the report.
“Cybersecurity and resiliency are a function of multiple factors beyond the CISO’s control, including business transformations that do not consider cyber risks, innovative threat actors, extended supply chains and management inattention,” the report noted. “Nonetheless, CISOs are defending against persistent threats and high profile incidents that regularly capture national headlines and put their professional reputations on the line.”
Concerns about professional risk factor into decisions about whether to accept a leadership position, the report said, adding that, while this may be the case, “successful women CISOs encourage other women to accept the risks.”
The Accenture research found that when women respondents decided to pursue the CISO role, they typically succeeded in a matter of months.
“Successful women aspirants were more likely to be recruited from another company and to apply for a CISO position directly than their male counterparts,” the report said.
Moving up internally, the picture is not as bright: 57% of male respondents were more likely to be asked to fill the CISO position in their current company compared to 40% of female respondents, according to the report.
CISOs are under enormous pressure from boards and leadership to resolve issues quickly.
“As a CISO you’re in the spotlight. You have to be willing to take on high risk and visibility,” the report said. “You have to feel confident in your abilities and your team and be able to stand up in front of your board and speak to the risks and decisions that need to be made. That can be a scary thing to step into for some people.”
Cybersecurity is also a male-dominated workforce, so women “will need mentors to bounce ideas off of and to provide career development support,” the report said. “Women often don’t want to be in the spotlight, but once they build confidence, the magic happens.”
The Accenture research found “there are many very strong and qualified women candidates, and when they throw their hat into the ring, the market responds positively.” That said, the report also notes that women need to be proactive in pursuing their career. More than half of all respondents (54%) have applied for or been offered the CISO position three times or more.
Yet there was a significant difference in frequency between males and females. For example, 53% of male respondents said they had applied for or been offered the CISO position four times or more, compared to only 7% of female respondents.
“Women should feel comfortable being more aggressive in pursuing their career aspirations,” the report said.
One noticeable difference in the responses of males and females is the time it took to become a CISO after starting their search. Seventy-six percent of females said their search took six months or less. Only 30% of males said the same.
“This does not mean that women have an advantage over men but that the difference in pace does suggest that women who seek out the role typically bring strong qualifications to the table,” the report noted.
There were a variety of factors cited for why a respondent might turn down a CISO offer:
Among female respondents, the most frequently cited “very important” or “most important” factors included “affinity or satisfaction with current role” and “professional goal other than CISO.”
Among male respondents the “very important” or “most important” factors that influenced the decision to decline an opportunity were “senior management sponsorship of support” and “corporate culture,” according to the report.
The phrase “get comfortable with being uncomfortable” applies to women in cybersecurity, the report said. It included anonymous comments from some of the women who were interviewed for the research.
“It is not uncommon to think you are in over your head, but you worked to get this role. You should feel worthy. Imposter syndrome is self-inflicted. You should take on this role with confidence even if you don’t know everything,” one respondent said.
Another advised women to “get over the fear that it might not work out. Don’t let that hold you back. Some CISOs move on because they want a better fit with the culture, etc. Plenty of CISOs who have been fired (and other C-level executives, too) continued on to successful careers.”
The report also stressed that CISOs need support from the executive suite and the board, and that this support is foundational during a cyber incident. Further, “senior management support should be deliberately assessed as a part of the aspirant’s consideration process … There also should be diversity among the people doing the interviewing.”
Do not take support for granted, the report cautioned. “Fifty percent of our women colleagues who accepted the CISO/CSO role underestimated the importance of senior management support.”
Respondents were Accenture Cybersecurity Forum members, who are senior cybersecurity professionals; 58% of participants were men and 42% were women.