Since joining TAG Cyber in September 2019 as a senior analyst, I’ve taken—along with Ed—more than 350 vendor briefings. Three hundred and fifty might actually be a conservative estimate; as the only two analysts in our small startup, we’ve only recently begun to track numbers of calls and meetings. But whether it’s been 250 or 500, it’s a lot of conversations with cyber security product and service companies, day in, day out.
Still, those briefings are just a fraction of the cyber vendor market. The vendor directory on the TAG Cyber website includes just north of 1,700 companies, and the directory is far from complete. As I have listened to companies’ stories and product presentations, I’ve come to know a good number of smart, savvy women leading their organizations. Still, I started to wonder how much of this is a self-fulfilling prophecy. As a lesser-known player in the IT analyst space, I reach out to more vendor companies to schedule briefings than vice versa. That in and of itself is a break from tradition. Therefore, I started to wonder if I was subconsciously biasing myself toward women-led organizations or if my perception of the market was skewed based on a bit of self-selection. Fortunately (unlike for call counts), we have loads of data at TAG Cyber so I started some digging.
As a woman in security, it’s hard not to notice the gender imbalance. I’ve written about the lack of women in cyber before, and when I was running content for a cyber security events company, I tried my hardest to boost non-male speaker representation. When I last published on the topic of women in cyber, the industry could only claim 11% representation. More recently, however, studies put the number of women working in cyber security at between 20% and 25%.
There’s some good news! But it did make me wonder about women in leadership positions at cyber security vendor companies, specifically, women CEOs. Thus, our team spent a few weeks sorting through our vendor database and CRM to see what percentage of security companies are currently led by women. It turns out, that number is 5.07%.
This felt like a let-down after seeing the representative percentage of women in cyber grow so rapidly over the last 3 years. After a little more research, I learned that 5.07% is a tad low compared to the percentage of women CEOs among the Fortune 500 (6.6% as of June 1, 2019) and the S&P 500 (5.8% as of May 1, 2020) companies. Thus, there’s a little catching up to do.
But only if we’re content to stay on trend with cross-industry statistics. And security doesn’t seem to me like the right industry to work in if you’re OK with the status quo.
If a double-digit increase in the total number of women working in cyber security can be achieved in only a few years, what’s stopping women from assuming more CEO positions? I turned to a few of the impressive women cyber security leaders I’ve spoken to over the last eight months to learn their take. They are (in alphabetical order): Debbie Gordon, CEO of Cloud Range, Dana Tamir, VP Market Strategy of Silverfort, Ellison Anne Williams, CEO of Enveil, and Natali Tshuva, CEO of Sternum.
To start, I asked the executives why they think the number of women CEOs is so low, and, unsurprisingly, everyone agreed that the number is a direct reflection of our male-dominated industry. “Few women get into security to begin with, let alone stay in the field long enough to rise to leadership positions or start their own company,” responded Tshuva, noting that her start in cyber was a result of her experience in the Israel Defense Forces’ elite 8200 Unit where she was one of only three women in a division of ~70.
Williams had similar beginnings; as a PhD mathematician who spent the first decade of her career in the U.S. Intelligence community she said she is “certainly familiar with being the only female in the room” and has “been labeled and mischaracterized repeatedly—as has likely been the experience of most women working in tech.”
These issues, combined, make it harder for a woman to pursue or want to pursue a highly-visible leadership position where criticism is rampant and when certain actions displayed by a woman might be described as “bossy” (or worse), yet the same actions by a man would be described as “tough,” “strong,” or “assertive.” Gordon, too, acknowledged the challenges of being a female in a male-dominated field but said her approach is to disregard gender differences and instead put her effort into being the best leader she can be. “I don’t focus on the fact that I am a female leader,” she said, “and I try to inspire others to approach their role in the same way.”
Without a doubt, it takes courage and support to climb the ranks in any company, much less in a male-dominated field. Tshuva, Williams, and Tamir all noted that the lower numbers of women in cyber means there are fewer women executive role models, yet all three credit mentors for a part in their success. The group’s sentiment is nicely expressed by Williams who said, “Regardless of the statistics, mentorship is key. I’ve been fortunate to have great mentors—male and female—throughout my career who have contributed toward my current role as a founder and CEO. There is power in having an effective support network and I advocate for making mentorship the rule rather than the exception. Having access to women already working and leading in their chosen field can give future CEOs the confidence to pursue these opportunities.” All of the women interviewed for this article stated their strong desire to remain mentors for other women in the field.
In keeping with the idea of mentorship, Tshuva adds, “If we want more women in cyber security, the field needs to actively embrace them and not leave it up to chance,” meaning, in addition to mentorship, the field must continue to highlight women in cyber doing excellent work and build better support networks of women and men. Importantly, though, it’s not enough to showcase women because they are women; cyber security has enough women (percentages not withstanding) doing amazing things—building companies and products, researching ways to fight cyber insecurity, and advising enterprises on strategy after having spent years in the trenches—that every conversation shouldn’t be about being a woman in cyber. Instead, the conversation must be about skills, talent, and accomplishments. It just so happens that the people behind the accomplishments are women.
Still, Tamir noted that the problem of getting ahead in a field with low female representation can be compounded by culture: “Society is slowly changing, but we still expect mothers to be most heavily involved in their children’s lives. Some employers assume that a mother will be less committed [to her job] because she will prioritize her family. [They assume] She will probably work fewer hours or won’t be able to pitch in like a man— so they give women fewer responsibilities and opportunities.”
Tamir also noted a bit of self-selection when it comes to the grit required to take on a CEO role. “Women tend to self-criticize more than men,” she said, citing many studies on how women—on the whole— have a greater tendency to only apply for jobs when they meet 100% of the criteria. Men, on the other hand, apply for positions if they meet just 60% of the requirements.
These barriers, too, can be overcome through strong support networks, both inside the industry and at our academic institutions. There is no pre-ordained industry in which men, women, or non-binary people are more successful based on ability. While the number of women and non-binary CEOs in security are low, the key to attaining a better balance is acknowledgement and acceptance that anyone, from any background, can be successful with training, support, and experience. Whether the goal is to become a forensic analyst or a CEO, success should not be based on anything other than smarts, hard work, and commitment.
“There is a great misconception in cyber that you need a STEM background,” noted Gordon. Reality is, though, “that cyber security is about critical thinking—especially a CEO role! You don’t need to be highly technical to be a successful cyber CEO, but you do need leadership skills and the ability to identify market opportunity.” Anyone can gain leadership skills through a variety of avenues—formal education, books, role-specific training, mentors, and more. Women need to realize that the opportunity is there for the taking, and that can happen with increased support and encouragement.
Nonetheless, there are tangible challenges even when a strong woman decides to pursue her dream of becoming a CEO. Tshuva pointed to the numbers; most venture capital is given to men, and cyber security is a start-up and acquisition culture. Thus, a woman who wants to lead a cyber security company is up against higher hurdles in fund raising. “Starting a new venture is risky,” noted Tamir, and when the odds of equal treatment are stacked against women, the decision to move forward can be discouraging.
Williams agrees that there are risks but says she was able to achieve her position as CEO by “staying focused on the work I am passionate about and where I am confident I can make a substantial difference.” She advises that women “can’t blaze a trail without first planting the flag through the substance of your own accomplishments.”
There is more work to be done to help women in cyber security become CEOs, founders, and achieving other C-level positions. While the current number of CEOs is low, it is encouraging to see the overall population of female cyber security practitioners increasing rapidly, and it’s important to remember that, as recently as 1995, there wasn’t a single female CEO on the Fortune 500 list.
To grow female representation among cyber security C-levels, it will take a little moxie and a lot of hard work, dedication, and support by the entire security community. Breaking the glass ceiling isn’t easy, but we already have many amazing examples, noted above and even more broadly in the field, showing that the opportunity exists for women who want to take on the challenge, can block out any unhelpful noise and disregard all preconceived notions, and focus on learning, listening, and pursuing exciting opportunities without hesitation.
 N.B. 50% of the women interviewed for this article are CEOs of Israeli cyber security startups.
 The late Katherine Graham, of The Washington Post Co., was the first female CEO to make the Fortune 500 list, in 1972.