Bullying, discrimination and round-the-clock workplace culture are among the reasons women quit Australia’s cyber security workforce after just four years, according to a new report.

RMIT University’s Centre for Cyber Security Research and Innovation (CCSRI) found women are under-represented in the domestic cyber industry, saying they frequently encountered “professional disrespect” and bullying.

The Investigating the Reasons why Women Leave the Cyber Security Workforce and Strategies to Address this Attrition report found women commonly experience bullying, harassment and discrimination alongside a “pressure to adapt” to a predominantly male industry.

It follows last year’s Gender Dimensions of the Australian Cyber Security Sector report – co-authored by CCSRI and the Australian Women in Security Network (AWSN) – which found women comprised just 17 per cent of Australia’s cyber security roles in 2021, and most tend to leave the industry after four years.

Using findings from literature reviews and in-depth interviews with 30 women who had at least five years’ experience in cyber security, CCSRI observed in its new report that gender pay inequality was an ongoing concern for participants.

“Whilst there have been some advances, with the representation of women increasing in recent years, the pace of change was characterised as unsatisfactory overall, with true equality yet to be achieved,” states the report.

Furthermore, while an uptick of young female cyber professionals in the industry suggested a “growing representation of women through generational change”, the report highlighted “potential barriers” for older women who want to enter the sector.

“Women’s low level of participation in the cyber security workforce demonstrates the influence of gender biases, stereotypes and inequities that prevail across the sector,” read the report.

“There is a growing consensus that the profession needs to broaden the diversity of its workforce to address the global shortage of cyber security professionals, including targeting recruitment and retention initiatives to women and people from disadvantaged communities”.

Relentless work culture, little support

Study co-lead and CCSRI director Matt Warren said the study highlighted ongoing barriers in the cyber security sector, particularly in technical and leadership roles.

“Unsurprisingly, the study found women are over-represented in administrative and clerical roles, which are lower paid compared to technical and managerial roles,” said Warren.

Participants said they had experienced doubts around their self-efficacy, often as a result of cyber security being a male-dominated field, while adding that women “lacked interest in cyber security” thanks in part to gendered stereotypes from an early age.

The report noted cyber security roles are “highly demanding” and can include a round-the-clock work culture for operational roles.

Whether such after-hours commitments come via threat monitoring or managing workplace operations, the report found cyber security roles are typically “not compatible” with achieving work-life balance.

Coupled with industry shortcomings around organisational support for women returning from maternity leave, women – especially those in senior leadership positions or with domestic or family responsibilities – faced increased difficulty maintaining a career in the domestic cyber industry.

“There is a 24/7 culture in cyber security,” said Warren.

“Job design and work commitments continue to make it difficult for women with domestic or child-rearing responsibilities to achieve work-life balance, which is both a barrier for entry and a reason women may leave the sector, although not the only one.”

Participants favour flexibility and mentorship

Despite pointing out such blatant gender imbalances in the industry, participants in the study were “ambivalent” about implementing gender targets, favouring flexible work arrangements that allow for part-time and work from home arrangements instead.

Furthermore, interviewees said they largely benefited from mentoring programs, especially those with male sponsors, while several participants agreed gender stereotypes around cyber security could be addressed by promoting interest in cyber security at an early age.

The report ultimately gave 14 key recommendations, with government and peak industry bodies urged to promote women’s interest in cyber security, invest in gender inclusive training programs, implement educational programs “as early as possible” and help guide organisations on how to conduct internal pay gap audits.

“While many companies have existing initiatives to reduce gender disparities in cyber security, we found these could be scaled and adopted by more organisations,” said RMIT expert in organisational psychology and study co-lead Lena Wang.

“In particular, more work could be done around workplace culture and practices such as reducing gender pay gaps, improving gender inclusive culture, and redesigning jobs away from a 24/7 setup.”