Security Gap

A new study from the Center for Higher Education Chief Information Officer Studies, Inside Higher Ed has just reported with alarm, “contains some grim news.”

Malicious computer attacks by terrorist (or even Republican) hackers? ISIS-sourced computer viruses? No, worse! Women are only 19% of chief information security officers (CISOs), and a disproportionate number of them are approaching retirement. “Women who rise to the position of chief security information officer are already a rare sight in higher education, but over the next decade and a half, they may become an endangered species…. Four in every five CISOs who are women are 51 years or older, and two in five plan to retire within the next 10 years.”

According to Wayne A. Brown, founder of the center linked above that published the report, the proportion of women in the field will decline “if the present circumstances remain unchanged.”

The “circumstance” that needs changing, of course, is more success at enticing young women to enter and remain in the field. It is difficult “to sell [women] on a career in information security,” according to Tammy L. Clark, the University of Tampa’s CISO, because “I don’t think they find it sexy and exciting.”

Left unexamined in Inside Higher Ed’s long article and no doubt in the report itself — in fact, left unexamined in nearly all laments over this or that diversity-related “gap” — is a reply to the question that should be asked of most “gap” reports: So what? That is, unless there is evidence of discrimination, why does it matter whether women are “only” 19% of chief information security officers? If they don’t find career prospects there “sexy and exciting,” why should any effort be made to change their minds (especially if their perception is, well, accurate)?

Women, it turns out, are not the only ones “underrepresented” in computer information security. “CISOs are less diverse generally,” Inside Higher Ed notes. According to the study, “Only 5 percent of the survey respondents identified as non-white.”

Again, So What? Why does it matter one whit whether CISO’s are “diverse”?

Say What?