This post is the second in an occasional series about diversity in cybersecurity. Our first post discussed achieving diversity’s benefits in cybersecurity. In future posts, we’ll explore similar topics around diversity, equity and inclusion in the cybersecurity space.
Any good manager will want to remain alert to impediments that prevent team members from contributing as fully as possible to team efforts. This is especially true in a function like cybersecurity, which suffers a chronic shortage of talent.
Cybersecurity is distinguished not only by a talent shortage but also by having a predominantly male workforce. Women are in the minority on most cybersecurity teams that have women at all, so when they experience gender bias, they’re likely to be isolated. It’s worth considering what an experience of bias could cost a team, and it’s worth discussing what cybersecurity leaders can do to recognize and prevent bias in their ranks.
Examining the experience of one cybersecurity analyst illustrates the problem and lays the foundation for exploring what bias costs cybersecurity organizations.
An experience of gender bias in cybersecurity
This security professional was the only woman on a small cybersecurity team in a large organization. Each team member was working on similar projects, yet over time, she noticed the manager delegated an outsized portion of administrative work to her. Where each teammate typically reported on his or her own tests, this manager had this security professional creating reports for her teammates’ tests as well as her own. She found herself lobbying for more of the technical workload her male peers were routinely assigned, work that was acknowledged across the team as contributing to career growth.
At first, she doubted her own perception of bias. She tried to determine whether she misunderstood her manager’s actions. She asked herself if she was making too much of the situation and if it was really happening as she perceived it.
When a male peer started offering help with her administrative workload, it helped validate her own view that the distribution of labor was unfair. This same colleague also spoke out about the bias. Just knowing a peer saw the situation as she did confirmed she was not alone in how she saw the situation.
Soon after, when a more senior manager asked her about the status of one of the reports, she pushed back. She expressed concern that her outsized administrative role had become a precedent within the team. She offered examples of the bias she was describing. She asked that the work be distributed so that each team member would write reports for his or her own activities, which was the standard practice at this organization. To ensure the conversation followed appropriate company procedures, she offered to bring a human resources representative into the conversation if needed. The manager ultimately relented.
The high cost of bias
It’s worth examining the various ways gender bias can cost a cybersecurity team. Does it sound like these costs would apply to other teams, experiencing other forms of bias? They would.
- Bias is a major distraction. This security professional described the mental energy it took to confront the bias in her own department while continuing to be effective in her role. The self-doubt and the risky conversation with a superior were burdens her male colleagues didn’t have to bear.
- Bias wastes potential. This woman was denied the opportunity to perform technical aspects of her role because her time was taken up by administrative work. Putting one resource on administrative work at the expense of exercising her technical expertise wasted her potential.
- Bias damages reputation. Bias puts manager, team and enterprise reputations at risk. In departments and enterprises where bias is tolerated, word gets around. Observers see the behavior and form their own conclusions: “This is the sort of thing that goes on there.” They see women don’t get the same opportunities as men. They extrapolate: if they’re unfair to women, who else might be a target of their bias?
- Bias creates toxicity within teams. Bias creates an in-group and an out-group on teams where it’s tolerated. Alienation contributes to a toxic environment where out-group members can’t contribute on equal footing with in-group peers.
- Bias inhibits skill development. “The time I spent on administrative work made it harder for me to scale up,” this security professional said. “My technical ability has grown so much more in the last six months versus the same period in a biased environment,” she observed, then added: “You want your team to be as skilled as possible, so they can add more value.”
What team members can do
Being privileged by bias can be nearly as uncomfortable as being its target. It’s important for team members to speak out when they witness bias. In this example, one colleague not only took back some of the administrative work, but he also spoke out against the bias he saw.
Taking no action is also a type of action: it condones biased behavior and reinforces unfair behaviors within a team.
What leaders can do
Any cybersecurity leader might read an account of bias and recognize that incidents of bias warrant management attention. Attention happens to be exactly what it takes to prevent bias.
To begin with, managers will want to know their teams. Establishing a good rapport with each team member enables leaders to establish a baseline against which they can monitor for changes in team behavior. With a baseline, they’re equipped to notice when a team member has stopped speaking up or engaging with the work. They’ll see for themselves who’s overworked, who’s coasting; who’s getting too much of the grunt work. Managers who are paying attention to these patterns won’t miss changes in the team dynamic over time.
Fighting gender bias
Bias is distracting and costly. It damages reputations and team cultures. In cybersecurity especially — where talent is scarce and women remain underrepresented — leaders will want to watch for symptoms of gender bias, in particular. Attention is the main tool in fighting gender bias in cybersecurity: by observing their teams and knowing their teams’ members, leaders can monitor for early signs of bias and intervene to correct course.
Read the results of our 2023 Global IT Executive Survey: The Innovation vs. Technical Debt Tug-of-War.