New research from RMIT University has investigated why women are under-represented in Australia's cyber security workforce and why the few who do enter the sector often end up leaving it.
The findings from phase II of a major study, commissioned by the Australian Women Security Network (AWSN), came from in-depth interviews with women with over five years of experience in cyber security roles, including some who had recently left the sector, as well as a literature review.
It follows the groundbreaking 2023 report, Gender Dimensions of the Australian Cyber Security Sector, which was the first in-depth look into the gender make-up of the Australian workforce. That report found that women represented only 17 per cent of the cyber security workforce and tend to leave the cyber security industry after four years.
"This study is important to better understand the reasons why women have left the workforce, particularly those over the age of 40 years," said Jacqui Loustau, Founder and Executive Director of AWSN, which supported the study.
"We wanted an academic study to understand how Australia compares to other countries and sectors in what they are doing to address this challenge, and to ensure that AWSN and the cyber industry are working on all facets of changing the number of people from where it is now, 17%, to increase this into the future."
Study co-lead, Professor Matt Warren, said the study highlighted ongoing barriers in the cyber security sector, particularly in technical and leadership roles.
"Unsurprisingly, the study found women are over-represented in administrative and clerical roles, which are lower paid compared to technical and managerial roles," said Warren, who is Director of RMIT's Centre for Cyber Security Research and Innovation.
"There is a 24/7 culture in cyber security. Job design and work commitments continue to make it difficult for women with domestic or child rearing responsibilities to achieve work-life balance, which is both a barrier for entry and a reason women may leave the sector - although not the only one."
The research found limited organisational support was offered to women returning from maternity leave.
Female participants expressed concerns about being paid less than their male colleagues for similar roles. They also noted the prevalence of organisational gendered barriers to career advancement.
Overall, interviewees were unsatisfied with the pace of change. They felt the impacts of male cultural dynamics in the industry and experienced some pressure to conform to a predominately male environment. Instances of micro-aggressions (notably professional disrespect) as well as bullying, harassment and discrimination were common. Participants also reported experiencing self-doubt around their ability to complete tasks or achieve goals within the male-dominated sector.
Female participants were largely against quotas, but supported flexibility and professional development
The study found women in the sector were averse to gender targets, due to concerns that the competence of any women hired 'to fulfil a gender quota' would be questioned.
More flexible work arrangements were viewed favourably. Female participants felt managers could be more open-minded with job design to accommodate experienced women seeking to work part-time.
Many noted they had benefited from subsidised professional development and mentoring programs, including with male mentors. They also agreed that promoting interest in cyber security among school-aged girls was necessary to challenge gendered stereotypes from an early age.
Recommendations
RMIT gender inequality researcher and study co-lead, Associate Professor Lauren Gurrieri, highlighted the need to focus on organisational and regulatory change to drive better inclusion for women in cyber security.
"A growing wealth of research points towards the need to change systems, cultures and conventions, rather than place the onus on individual women to 'fit in' or adapt to a biased system," said Gurrieri.
The report lists 14 key recommendations.
Among recommendations for government and peak industry bodies, the researchers listed:
- gender inclusivity training,
- programs to promote women and girls' interest in the cyber security profession,
- primary and secondary school level education programs,
- support for organisations to conduct internal gender pay gap audits,
- the collection and publication of gender equality indicators and retention statistics across the profession.
Workplaces were advised to:
- review and ensure organisational policies are gender neutral and target improving workplace culture and organisational practices,
- review recruitment practices to reduce unconscious bias and create a fairer hiring environment, including anonymised resume/CV screening and diverse hiring panels,
- provide greater flexible work arrangements,
- implement formal mentoring programs specifically for women and encourage women to pursue professional development opportunities, especially relevant to management or leadership.
RMIT expert in organisational psychology and study co-lead, Associate Professor Lena Wang, highlighted the need for workplace action to drive recruitment and retention of women in the sector.
"While many companies have existing initiatives to reduce gender disparities in cyber security, we found these could be scaled and adopted by more organisations," said Wang.
"In particular, more work could be done around workplace culture and practices such as reducing gender pay gaps, improving gender inclusive culture, and redesigning jobs away from a 24/7 setup. Recruitment enablers, such as increased disclosure of gender equity and gender-neutral language, would also help."
About the study
AWSN commissioned RMIT University's Centre for Cyber Security Research and Innovation, in partnership with the Centre for Organisations and Social Change, to undertake phase II of the study examining the reasons for the low representation of women in the cyber security workforce, with a focus on why women leave the sector workforce and the best ways to address these issues.