Only 24% of cyber workers are women. CISA is determined to change that.

The race to attract female talent in STEM is moving forward with steady progress.

Only 24% of cyber workers are women. CISA is determined to change that.

However, shocking statistics still plague the cybersecurity sector. At the moment, women working in cybersecurity account for less that one-quarter of the total workforce .

Megan Rapinoe. Sister Rosetta Tharpe. Shirley Chisholm. The director of the nation’s leading cybersecurity agency, Shirley Chisholm, wore jeans and a Ukrainian flag shirt as she flipped through PowerPoint slides that featured women who "took a sledgehammer on the glass ceiling".

"I need your support," stated Jen Easterly director of the Cybersecurity and Infrastructure Security Agency to a crowd of 1,700 female cybersecurity professionals gathered for a three day technical conference in Cleveland. "We must reach 50% cybersecurity by 2030." Do you think we can do this? Someone whistled. ACDC pulsed through speakers. "Come on!" Easterly rallied.


Easterly explained to CBS News that she is used to setting unreasonable goals after leaving the stage. She laughed and said, "That's kind of my [modus operandi] all my life." "And I truly believe that if you set an extremely ambitious goal and inspire and empower others, and consider that goal to be difficult and highly ambitious but achievable, you can achieve it."

Easterly was asked how close America's cyber defense organization is to "getting there". "We're currently at 36.4% women in CISA's workforce. But I believe we can reach 50% by 2030." Before pause, she said, "Actually I hope we can get there prior to 2025."

Easterly stated that she hopes her colleagues in the federal workforce - FBI, NSA and U.S. Secret Service – will make similar pledges. The Army veteran-turned-corporate leader came close to "getting there" in her previous stint as head of Firm Resilience at Morgan Stanley, where she oversaw a team that was roughly 48% women.

Currently, Chandra McMahon is the CISO at CVS Health, and she's the only woman who serves as chief information security officers (or "CISO") among the top 10 largest corporations in America. Former executive at Verizon and Lockheed Martin will recall what it was like being the only woman in the room.

McMahon stated that cybersecurity was not widely understood as a career path or opportunity during a Friday interview with CBS News. "Most people don't know that there are many roles and careers you can pursue. McMahon gave them a quick rundown: "Penetration hackers, ethical hackers and cyber security engineers, architects."

The gender gap is not the only problem facing the cybersecurity workforce. According to the Aspen Institute , Hispanic, African American and Asian workers made up just 4% and 9% respectively of the cyber security workforce.

According to the latest ISC2 Cybersecurity Workforce Survey, there are 3.7 million cybersecurity jobs available, but none have been filled. 377,000 of these vacancies are located in the United States. To effectively protect organizations' critical assets, the global cybersecurity workforce must grow by 65% by 2022.

Microsoft last week called women's recruitment " mission critical" in order to fill cyber-vacancies around the world. Microsoft Security conducted a survey to find that 44% of female respondents did not feel adequately represented in their industry.

Not all "black hoodies" and "dungeons"

The federal government's cyber strategy includes just showing up. Easterly, who abandoned plans to appear via Video at Friday's Women in Cybersecurity Conference to instead dance on stage to ACDC's tunes, recalled the excitement of being manning the CISA booth at the conference.

She said that if people can see me in the role of America's Cyber Defense Agency director, then there are women who can claim she can be her."

Ten years ago, the lack of visibility in security fields that are notorious for working behind the scenes inspired the Women in Cybersecurity group, "WiCyS" conference.

Dr. Ambareen Siraj, founder of WiCyS, stated that cybersecurity is best understood when it's visible. However, it has many users.

Cybersecurity is often viewed as a fight sport. We all work in some kind of dungeon wearing black hoodies. Siraj stated that this is not true.

Experts recommend that more outreach be made to non-traditional candidates in order to unclog the cyber talent pipeline.

McMahon stated that "some of the greatest cyber talent we have didn't come from a background with cybersecurity."

Only 38% of women come from IT backgrounds, while half of the cybersecurity workforce today is made up of IT-related workers. The (ISC2) report shows that women have a higher rate of self-learning (20%) than their male counterparts (14%).

"We are now seeing a market for cyber skills. McMahon said that it's not as isolated as you might think.

Minding the Gap: Restructuring the Federal Workforce

According to the non-profit Partnership for Public Service which analyzes data from U.S. Office of Personnel Management (US Census Bureau), only 25.2% of full-time federal cyber workers are female.

Federal cybersecurity workers are also many decades older than U.S. workers. Between September 2014 and September 2020, the percentage of full-time cyber workers under 30 has steadily increased from 4.1% up to 6.3%. It still falls behind the nearly 20% of U.S. workers who are under 30 in 2021. The federal IT workforce has 15 times as many employees over 50 than those under 30.

Max Stier, the head of the Partnership for Public Service, stated that "I believe the greatest problem in the federal workforce" "There are very few young people working in federal technology or cyber. It becomes a self-fulfilling prophecy. The lack of young talent makes it difficult for young talent to come in and stay.

Although data on the federal government's cybersecurity workforce is scarce, Stier estimates that there are "minimum tens of thousand jobs" needed to strengthen U.S. cyber defenses.

The Senate Homeland Security Committee conducted a 47-page audit last year that found federal agencies responsible in protecting the security and personal information of millions of Americans . This earned them a C- report in talent recruitment.

The Department of Homeland Security received $76 million in 2014 to establish a new talent recruitment system. It launched last November with 150 job postings. DHS received 650 applicants within its first 48 hours of operation, but has not yet released any progress reports regarding hiring. Five positions are currently posted to the Cyber Talent Management System's dashboard.

Easterly states that CISA, a agency with approximately 5,000 employees, will hire 500-1000 more workers in the coming years.

The agency also has partnership programs with the Cyber Corps and Historically Black Colleges and Universities in an effort to reach young talent.

However, only 28% of the STEM leaders in government's Senior Executive Service are women and only 19% of them are people of color.

It's not just about women. Easterly stated that neuro diversity, gender identity diversity, and diversity of sexual orientations of races, are all examples of diversity.

Diverse initiatives have been compared to a national security imperative by leaders from both the federal government as well as the private sector.

Siraj stated that a strong and adequate cybersecurity workforce should include people from all backgrounds, racialities, ethnicities, and genders. "When there are many people working in cyber which is a complex field, it is more likely we will bring different perspectives and skills to solve complex problems.

There is no room for "vigilance fatigue” in the Ukraine-Russia crisis

Easterly is concerned about "vigilance fatigue" as information warfare unfolds in the shadows surrounding the Ukraine-Russia crisis.

She acknowledged that it was difficult to maintain an extremely high level of preparedness. Easterly stated to CBS News that she is not yet a month into the unjust, illegal, and unprovoked invasions of a democracy. "But we need to continue to keep up our shields," Easterly said.

CISA and FBI released two alerts in a row this week, including a joint bulletin on satellite communication networks (SATCOM), just days after Viasat was hacked by unidentified individuals. This hack disrupted satellite internet access during the Russian invasion.

This fatigue is further exacerbated by a shortage of cybersecurity workers that monitors potential threats and sees more than the federal government working overtime.

CISA and FBI "haven't identified cyber activity within the US Homeland that is attributable to Russian State actors since the invasion began," a NYPD intelligence bulletin obtained from CBS News, published last week.

The Department of Homeland Security has supervised more than 80 briefings and table exercises with the private sector since November to strengthen U.S. cybersecurity in the face of Russian malicious cyber activities.

CISA manages the Joint Cyber Defense Collaboration Slack channel for information sharing with tech and cybersecurity titans like Cloudflare and CrowdStrike, Mandiant and Microsoft.

Cybersecurity advocates are concerned that the lack of investment in cybersecurity could lead to a larger workforce. Unwitting employees can scan through their email inboxes and discover compromises. Stier stated that you need a wider workforce who are capable of dealing with cyber problems in the context of their daily jobs. Consider the classic phishing attack.

Easterly stated Friday that "We are providing more and more information to help the public understand the nature of this threat environment." We have repeatedly stated that all businesses, large and small, are at risk from Russian malicious cyber activity. We need to maintain our cyber shields to remain vigilant and keep our thresholds low to share information about suspicious activity. This will ensure that we work together to defend the nation's cyber assets.