By Camélia Radu and Nadia Smaili
The shortfall in appropriately skilled personnel to confront the ever-escalating cyber threat to organisations around the world is just one more reason for businesses to adopt measures targeted at encouraging and empowering more women to enter the field of cybersecurity.
The pandemic has driven an acceleration in digital transformation,1 exposing organisations to higher levels of cyber risks. Therefore, organisations must consider cybersecurity no longer as an operational necessity, but more of a top-level strategic priority. Hepfer and Powell2 conducted interviews with senior executives and reported that a problem arises when executives, who generally have technical expertise in areas such as engineering, finance or marketing, assign strategic priorities based on their own expertise. To develop and implement an integrated cybersecurity strategy, executives need new skills and knowledge related to cybersecurity. We put these findings into perspective in relation to the benefits of diversity on boards of directors and in senior management.
Talent shortage and the gender gap
Following the digital acceleration, the cybersecurity industry has witnessed considerable growth. The global cybersecurity workforce grew by 49.6 per cent from 2019 to 2021 (with increases of 100.0 per cent for Europe, 42.6 per cent for North America, 32.6 per cent for Latin America, and 36.6 per cent for Asia-Pacific countries) and the estimated global cybersecurity workforce for 2021 is 4.2 million.3 Despite this remarkable growth, the cybersecurity industry faces a glaring talent shortage. For 2022, Cybersecurity Ventures estimates that the lack of skilled workers in cybersecurity is the equivalent of 3.5 million jobs.4
The talent shortage is not the only issue the industry is facing. Cybersecurity Ventures found that, in 2022, women held only 25 per cent of the jobs in cybersecurity. This gender gap has nevertheless decreased, in that women made up 10 per cent of the cybersecurity workforce in 2013 and 20 per cent in 2019. In the US, women represented 28 per cent of the tech industry workforce and 34.4 per cent of the workforce of the five largest tech companies, GAFAM (Google now Alphabet, Amazon, Facebook now Meta, Apple, and Microsoft), in 2022.5
Although in recent years women have tended to hold more senior positions in organisations, they are still underrepresented in cybersecurity leadership. In the US, they hold fewer than 20 per cent of leadership positions in this industry, and only 18 per cent of the chief information officers or chief technical officers of the 1,000 largest tech companies are women.4 This low level of representation is mainly associated with the underrepresentation of women in the science, technology, engineering, and mathematics (STEM) fields. For women, the choice to embark on a STEM career is still fraught with important barriers: gender stereotypes and discrimination, income inequality, lack of female mentorship and models, jobs that are not family-oriented, etc.
Recent research reveals the scarcity of women with IT expertise on boards and in senior management positions. In 2018, for example, the 60 largest companies listed on the Toronto Stock Exchange had a total of only 22 women with IT expertise on their boards of directors (Radu & Smaili, 2021). Yet diversity, particularly the inclusion of women, can bring several advantages to cybersecurity leadership in organisations and be beneficial to society as a whole. Sustained efforts in management practice, education (universities), and regulation are needed to increase the representation and inclusion of women cyber experts in the corporate world. Indeed, academic studies show the multiple advantages of including women in management and upper echelons. In addition, the experience and expertise of women cyber experts often offer an interesting framework and a different perspective that complements other perspectives to provide a holistic view of a particular issue.
As women tend to offer different perspectives from men, their underrepresentation in cybersecurity management and governance could be critical in addressing cyber risks. Given women’s ethics and stakeholder-oriented sensitivity, they could respond to certain cyber risks differently. Furthermore, the inclusion of women in senior management could enhance their sense of accomplishment and bring improved performance. They could provide a role model for younger women who, in turn, could increase the presence of women in higher-echelon positions in the future.
We recently explored the value added by the presence of one or more woman directors on corporate cybersecurity disclosures (Radu and Smaili, 2021). Based on a sample of the companies listed on the S&P/TSX 60 index over the period 2014-18, we provide evidence of a positive association between the presence and level of cybersecurity disclosure and board gender diversity. The average percentage of women on boards of directors rose from 20.4 per cent in 2014 to 27.7 per cent in 2018. The total number of women with IT expertise, who are mainly outsiders, on the boards of the above-mentioned 60 companies increased from 11 in 2014 to 22 in 2018. In 2018, there were only four women cyber experts on the boards of directors of these TSX 60 index companies. These findings illustrate how difficult it is for women with cyber expertise to access the upper echelons of organisations. Given the rising incidence of cyber threats worldwide, together with the barriers to women’s inclusion and the importance of organisational ethics, we believe that our study sheds light on an interesting issue and proposes solutions that could increase the empowerment of women cyber experts to take on senior executive positions.
The growing number of cyber attacks in recent years and their expansion during the pandemic have stepped up the pressure on businesses to hire more cyber experts. This context provides an opportunity for organisations to attract women with cyber expertise as board members and senior executives and to benefit from their presence. Management, stakeholders (including investors), and governance actors should increase and promote the presence of female cyber experts in their organisations, which in turn will facilitate women’s access to top positions both inside and outside the organisations. Given the many advantages of including women with cyber experience, organisations should develop programmes to empower them. These programmes would involve amending recruitment plans to take this issue into account and introducing policies that promote gender diversity more effectively. In addition, management and boards of directors should demand more heterogeneous and diversified boards. Including women cyber experts on corporate boards could enhance protection against cyber attacks, and reinforce stakeholders’ trust in the ability of the firm to respond to cyber risks effectively, ethically, and fairly.
About the Authors
Camélia Radu is an Associate Professor of Accounting at the École des Sciences de Gestion (ESG), University of Quebec at Montreal (UQAM). She teaches undergraduate advances financial accounting and graduate research methodology and corporate disclosure courses. Her research focuses on environmental and social disclosure, governance and cybersecurity.
Nadia Smaili is a Full Professor of Accounting at the Ecole des sciences de gestion (ESG), University of Quebec at Montreal (UQAM). Professor Smaili’s research focuses on financial statements fraud, whistleblowing and corporate governance. She has developed several courses and postgraduate programs related to prevention and detection of fraud.
Radu, C., Smaili, N., “Board Gender Diversity and Corporate Response to Cyber Risk: Evidence from Cybersecurity Related Disclosure”. Journal of Business Ethics 177, 351–74 (2022). https://doi.org/10.1007/s10551-020-04717-9
- KPMG, https://home.kpmg/us/en/home/insights/2020/09/digital-acceleration.html
- Hepfer, M., & Powell, T. C. (2020). Make cybersecurity a strategic asset. MIT Sloan Management Review, 62(1), 40-45. https://sloanreview.mit.edu/article/make-cybersecurity-a-strategic-asset/
- (ISC)2 Cybersecurity Workforce Study, 2021, https://www.isc2.org/-/media/ISC2/Research/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx
- Cybersecurity Ventures, “Women in Cybersecurity 2022” Report, https://cybersecurityventures.com/wp-content/uploads/2022/09/Women-In-Cybersecurity-2022-Report-Final.pdf
- Zippia. “40 Telling Women in Technology Statistics”,  Computer Science Gender Ratio. Zippia.com, 31 October 2022, https://www.zippia.com/advice/women-in-technology-statistics/