Why Aren't More Women in Security Leadership Positions?Accenture Report Covers Strategies for Greater Inclusion in Hiring Practices
A man in the cybersecurity field is seven times more likely than a woman to have applied for or been offered the job of CISO, according to a new report from Accenture on mobility and inclusion in the workplace.
Rising to the Top, produced by the Accenture Cybersecurity Forum Women's Council, says that women held only 17% of Fortune 500 CISO positions in 2021, but the underrepresentation of women in the senior ranks is not due to a lack of attention to the issue or a lack of talent.
Accenture's Lisa O'Connor, global R&D lead for security, says part of the problem is women are demonstrating less confidence in their abilities. For example, an Accenture survey found that 53% of male respondents said they had applied for or been offered a CISO position four times or more, compared to only 7% of female respondents.
O'Connor says "confidence is so important, not so much competence" in "tackling these roles and tackling some of the challenges." To build confidence, she encourages women to get feedback and guidance about career development from people in the organization who can help.
Although organizations are paying some attention to encouraging more women to follow leadership paths, more "intention" is needed, says Accenture's Valerie Abend, cyber strategy lead. "We have to have a lot of directed and intentional practices that we measure and monitor in an ongoing fashion and are actually executed by the C-suite and reported out with full transparency."
But metrics that influence hiring decisions should be "more about the context and the storytelling than they are about the numbers and the trends," Abend says.
In this video interview with Information Security Media Group, O'Connor and Abend discuss:
- Why so few women in cybersecurity hold leadership positions;
- Building a road map to become a CISO;
- How companies can recruit more inclusively.
O'Connor leads security research and development at Accenture labs in Washington, D.C., and Herzliya, Israel. She has more than 30 years of information security experience and ideates, develops and co-innovates on future cybersecurity strategies and defense for Global 2000 companies. She previously held leadership roles at Accenture in financial services for North America and was an active member of the Financial Services Sharing and Analysis Center and the Financial Services Sector Coordinating Council. She also led information security governance and provided consulting services for Fannie Mae, Predictive Systems (INS), Guardent (VeriSign) and PwC. Earlier in her career, she was a cryptologic engineer at the National Security Agency.
Abend advises C-suite executives on how to manage cyber risk and build resilient business strategies. With more than 25 years of security experience in both the public and private sectors, she has spearheaded enterprisewide and sectorwide security and resilience strategies, public-private partnerships, and cybersecurity regulatory oversight strategies. She has testified before Congress and is frequently quoted in the media on cybersecurity issues. Abend currently serves as a member of the Monetary Authority of Singapore's Cybersecurity Advisory Panel and the Executive Women's Forum and as an adviser to the board for the Financial Services Information Sharing and Analysis Center and the Carnegie Endowment for International Peace's FinCyber Strategy Project.
Anna Delaney: Hi, I'm Anna Delaney. Women represent less than a quarter of the overall workforce in cybersecurity. There is only one female CISO in the top 10 U.S. companies. Evidently, there's room or more room for women in cyber. So why is it such a challenge? Well, two women paving the way in cybersecurity - Valerie Abend, cyber strategy lead, and Lisa O'Connor, global R&D lead for security, both at Accenture - have analyzed this issue and developed practical next steps for achieving greater inclusion in hiring practices and a roadmap to becoming a CISO. Valerie and Lisa, thank you very much for joining us.
Valerie Abend: Thank you so much, really appreciate the opportunity. Three powerful women talking about cybersecurity, modeling what we're trying to accomplish. This is great.
Delaney: Absolutely. Well, Lisa, starting with you. Accenture has recently published a report, "Rising to the Top." What did you learn about why more women are not in leadership positions?
Lisa O'Connor: So, we studied, and we worked with the Accenture Cybersecurity Forum, which is a group of amazing CISOs - both men and women. We asked them a lot of questions about their journey to becoming a CISO and got insights from them on how that journey is different between men and women. We got some interesting insights on it. But some of the things they all said is that confidence is so important, not so much competence, but confidence in tackling these roles and tackling some of the challenges. And there's such a value to having mentors and sponsorship at a very senior level for these positions. Having personal resiliency came up as a theme on both sides, and especially for our women being resilient in these roles because this is a high stakes role. The CISO is at the intersection of all things that happen in cyber, a company and an organization. So they have to be resilient, both personally and professionally. But when we dig into the data, that's where it got kind of fun for me. So we saw that men tend to rise within the organizations that they're in much more frequently than women. And 57% of the time, they're a successor within their own organization. And we saw that women were actually more likely to go outside of their organization to get that role. So that kind of piqued our curiosity. We asked some more questions about that. And once the women threw their hat into the ring of being a candidate for a CISO, they were actually highly successful. In fact, they were successful faster than the men. So that kind of makes you wonder, are we over preparing? Are we ready? Are we quiet on our candidacy? And we learned more throughout the interviews and our survey about what they overestimated and wondered what they underestimated going into the CISO role.
Delaney: What did they overestimate? What did they underestimate? I'm curious now.
O'Connor: Well, how much they needed to bring to the table, technically, as a CISO. And the women definitely overestimated that; 40% of them had that on their list of overestimating the importance of that. Because by the time you're a CISO, it's about the other leadership and the C-level interactions and communications, and not so much the technical acumen that got you to the role. And that was one of them. And for the other part, there are two things that women also underestimated, which was interesting. And it was management sponsorship. So having sponsorship at very senior levels, and culture, surprisingly, and so 50% of women underestimated the importance of those in the companies where they were looking for that position or role. Men were a little bit lower, they were around 27%.
Delaney: Very interesting. So Valerie, as I mentioned in the intro, it is clear that there is room for women in cyber. And yet there has been quite a bit of attention paid to encouraging more women to follow a path in cybersecurity in the past decade. There are industry groups dedicated solely to women, conferences, magazines and online forums, and we see a lot of men in the industry promoting and praising their female colleagues on platforms such as LinkedIn. What's going wrong? What do we have to do differently?
Abend: So attention is good, but it is not intention. And I think we have to have a lot of directed and intentional practices that we can measure and monitor in an ongoing fashion and that are actually executed by the C-suite and reported out with full transparency. Because if you want to accomplish something, you will make actions very specific for people and you will hold them accountable accordingly. So if you have an intentional focus about rising women to the top, you will make sure that they are at the seat at the table when a cyber incident occurs and they have a voice at that table. You will bring them forward into actual board meetings where you're discussing cybersecurity and its intersection with the business. You will actually put them at the table in ways that not only bring them attention, but you will actually show with metrics how you're driving that improvement. One of the things that we know from experience is that when you are interviewing people, you should interview diverse candidates first, for example. There are a lot of ways in which you can actually act with intention to give the women more opportunity. And as Lisa pointed out, we have to make sure that women feel safe. Because this is a very risky business we're talking about. We're talking about companies that are under attack and making headline news, and often the chief information security is the voice and the face of the organization when that breach occurs. It's psychologically quite scary. That comment that Lisa made about personal resilience can only happen if the person in that role feels psychologically safe to be able to say, what often are difficult messages about choices that have been made, not just in the moment, but over years to arrive at a place where potentially you are more vulnerable to an attack. So I think there's a lot there to unpack about how we make women feel that they are ready for that role, and position them in ways that other people see them to be ready for that role, so that they aren't having to look outside. And they actually will get promoted from within as Lisa pointed out.
Delaney: So Valerie, the report states that being a good CISO is not enough to be successful, and women need to or should feel comfortable being more aggressive in pursuing their career aspirations. Curious about this word, aggressive? Could you explain what you mean, and maybe share some examples.
Abend: I love that we use the word aggressive, because women are always told when we're loud that we're too aggressive. But it's so funny because we have to be our own advocate. And we have to be intentional as well as women about wanting what we want for our career, which means, we can't just envision it, you actually have to help other people envision it. And the best way to do that is have your own council of mentors - not just within your company, but also outside. People who are sponsoring you; people who are giving you very honest feedback, and telling you how to groom your communication skills, how to draw conclusions that actually bring other people to the table that go beyond the information security teams, because as Lisa pointed out, it's not the technical skills that are going to get in your way. In some instances, you have all of the skills you need. It's just showing up and building that confidence over time and having other people help you arrive at that place. When we apply for jobs, we're not checking off boxes, we're looking at whole people. And we're looking for people who want an entire career, who are going to be leaders within our organization. So when you look at a job announcement, put yourself in the place of the person making the announcement and think of all the ways in which you already bring what they probably aren't even stating in that announcement. And so I think it's a great opportunity for the women and the men to work more collaboratively together to actually push the notion of aggressiveness off the table and say that it's actually a good thing. It's a good thing.
Delaney: So just as a quick follow-up. I know that the report mentioned impostor syndrome, and that is often self-inflicted. I think we can all relate to that. Are there any tips you could share as to how to balance that assertiveness with those underlying doubts?
O'Connor: Yeah, we heard this from our women CISOs that part of it is getting those at bats, getting into the environments, and getting the road time in the boardroom, the road time in key meetings, the road time working a cyber event at the table. And that's so important to building that confidence and not feeling like you're an impostor. Men have impostor syndrome too. We all kind of self-sabotage on this a little bit. But it's doing the things that you need to practice and asking for feedback. Getting guidance from that board of directors that you're going to create, to give you candid feedback in those events and how to grow and what do you need to develop so that you walk in the next time with a lot more confidence. And again, building these skills.
Delaney: Valerie, anything to add to that?
Abend: Well, I like to say, you should be a little bit nerve-cited every day. Yeah, a little nervous and a little excited. I'm going to do something; I'm going to grow. I might not get it right 100%; I might even get it wrong more than I get it right. But if I'm not challenging myself, I can't grow. So I like being a little nerve-cited. And I encourage others to do the same so that they can grow. And I'm not particularly persnickety when I make mistakes. I often broadcast them because I want other people to feel like they can come forward with making mistakes too.
O'Connor: And that's important in cybersecurity and cyber defense because we're going to make them. We have to take risks to be able to find the adversary to do some of the breachy things. And especially for my background, to innovate, I have to have a team that is motivated, and has a safe space to take those risks. And modeling what it means to hit and miss is important for those teams. And then you learn to fail fast and then get right back on and continue the pursuit - it is so important that we're doing that as leaders.
Delaney: Yeah, very true. So Lisa, let's turn around and look at what organizations can do. Can you share some practical next steps for organizations who want to incorporate greater inclusion in their hiring practices?
O'Connor: Yeah, I think the first we'll call intentionality, which is companies have to recognize the value of diversity and inclusion. We have references to it, and there are many. You're getting a better outcome or literally a better business outcome and impact with diverse teams, period. And that has to be a belief that is internalized within that company and within the leadership team, C-level and the board. And that has to drive the behaviors that then happen in hiring or recruiting process. Valerie shared some of them. Again, you have to have a diverse slate that's entry level. If you're not looking at a diverse slate of candidates, how do you expect to change this outcome and come up with them. So curating that diverse slate. And then from an HR perspective, HR can help manage this process and the expected behaviors, by setting guidelines, providing oversight to the process, holding leaders accountable for that and for consideration, and how they're actually finding the right candidates, the right qualified candidates. So those are all important things that HR can help in talent, in making sure what you're saying is happening in the processes. I think the other piece of that too is the transparency. It's not just transparency for the companies in their process. It's the candidates making sure they're asking all the questions they need to, and knowing that if you're going through a hiring process and you're the candidate, and you haven't seen diversity, haven't met with all the leaders, haven't met with any board members, you should be asking to include those on your journey to see if that is the right company for you. And if that's the right culture, if it's supportive, and if you have management sponsorship, those are all important to the success of the culture and of that CISO in their role. And the last piece of it is the work before that; it is looking at succession. In our first report, we looked at why so many women are leaving the field at the midpoint of their career. So what do we need to do differently to bring that talent along? We need to create the environments and the right framework to maintain and retain that talent throughout the pipeline. So we actually continue to nurture that talent inside. And make sure that when we're coaching and thinking about succession, that's a diverse slate too.
Delaney: Well, Valerie, I knew that at Accenture, you've formed a group called the Accenture Cybersecurity Women's Council. Talk to us about it. How did it come about?
Abend: I'm glad you asked. We're proud of what we built. But of course, there's always more to do. There was an eccentric cybersecurity forum when I joined Accenture, chaired by our own chief information security officer, and I had the pleasure to come and present one day on regulation facing all of these organizations around the world around cybersecurity. And when I joined the call, the attendees comprised 100% men. There were literally no women on the call. And I said, well, that can't be, and what can we do to help the women chief information security officers out there? And so I said, look, I want to start a thing. I want to start a Women's Council. The women will have their own special space to talk both about professional development as well as technical issues and also the members of the full ACF. I talked to a lot of the members. And it was clear to me that the men outnumber the women by so much. I said, well maybe what we need to do is model who we are, and we are about helping women increase in numbers and get that equal place at the table. So in that vein, we've opened up the membership a little bit more to include women who report to chief information security officers, who want to become that CISO role. So all of those women are now members of the ACF Women's Council, members of the full ACF. And it's a robust and highly curated group that meets under Chatham House rules. We're not looking to be the biggest group in the history of the world from the standpoint of the most prolific numbers. We're meant to have a very safe and special place, where we can address very specific topics about how we get women from the midpoint to the top role in cybersecurity. And in walking that talk, we also have rising leaders from Accenture who help support our mission. Women managers who rotate, who are rising stars, and who help us actually run the council. Lisa has done a fantastic job taking that forward.
Delaney: Yeah, Lisa, I will be curious to know what your progress has been to date.
O'Connor: So we have grown, and I think that's the exciting thing, when I look at the ACF and the Women's Council. We've grown and we've grown in our impact. One of the things that is also of note is that the content and the topics are curated by the membership. So they're telling us what they want to learn more about, and what they want to focus on. And one of the things that we do in the Women's Council is, we go back and forth between a tech topic that might be a specialized topic that we think that women have a deeper interest in. And then we will go to personal resiliency, coaching and the other things that we might call softer - but happen to be the exact skills that are so relevant for the senior relationships and leadership and board and other things like that - we want to continue to curate and grow. That's been a kind of a fun combination of what we've been doing and the agenda. But I think in looking at it in terms of what is Accenture doing, like what do we do in our programs, we put a lot of practices in place to make sure we are coming up with diverse slates of candidates for every position, not just managing directors. We're very pleased to have Julie Sweet as our CEO. We're very pleased to have 50% of our board members as women, and 47% of our workforce, globally, is women. So our goal was 50-50 by 2025. And we've been incredibly transparent about it, which is important to the business community, and putting those metrics out and keeping the yardstick on us to make sure we're doing those things. But within security, we do a lot of things. We have Women in Security, which is an internal forum that is a place where women meet monthly to discuss all kinds of cybersecurity topics and create community. And those are important in terms of creating that community globally for women at all different levels to have access to managing directors, analysts and everybody else. It's been an amazing community growth.
Delaney: And it's two years since the group was created, what has been particularly interesting or even surprising in the journey so far, would you say?
Abend: I actually think we're like three and a half years, maybe four and a half. I think when you look back some of the big highlights, one is we don't want to just be a place that talks, we actually want to produce thought leadership, which is why you see the first report jumping the hurdles, now rising to the top of both staying true to the mission of getting women from the middle of their career to the top. As Lisa mentioned, the topics are highly curated. So next one coming up, I think it's about AI and defending yourself against cyber weaponized AI. And in the past, we've done workshops on personal resilience, and what do you need to do. How do you put your own oxygen mask on first and then everyone else's. Remind myself to slow down to show up sometimes is important. And I think that we'll continue to do that rotating of how do we address bringing forward the new skills that will matter most as the world moves to a faster pace and the digital transformation and cyberattacks take advantage of that. These communication skills and the ability to adapt in a highly changing environment and still make yourself somebody who's personally resilient as you support your teams are going to be an increasing demand. And women are positioned well to take advantage of that opportunity. So I'm sure, we'll continue to do these things, point out the hard-soft skills while we also address the important technical skills to move forward.
Delaney: Well, this has been excellent. Thank you, both of you for all your hard work. And I look forward to speaking with you again soon. I've been speaking with Valerie Abend and Lisa O'Connor of Accenture and for ISMG, I'm Anna Delaney.