The hidden cost of cybersecurity’s “masculinity problem”

26 June 2024

Is cybersecurity steeped in masculinity? 

(Spoiler: Yes. And it’s a bigger problem than we all realized.)

Cybersecurity. On the face of things, it’s hardly the pinnacle of traditional masculinity. But it’s a man’s world. It’s undeniably. Overwhelmingly. Male.

It’s a highly male-dominated industry for one thing. 

Then there’s its associations with other traditionally male stuff. Like national security, organized crime…and Hollywood depictions can be, well, rather glamorous at times.

We all know that perceptions are rarely accurate. But if your job has a certain prestige, it’s a very human response to get invested in keeping it that way. 

It’s totally natural.

It also shoots us in the foot. Big time.

This is a blog about that. Because recent research suggests that it’s a bigger problem than most of us realize. And you can be part of the solution.

What research?

Dr Joseph Da Silva’s the CISO at RS Group plc. But before that, he spent four years obsessed with the purpose of CISOs within commercial organizations. It’s how he got his PhD in fact.

He was interested in how CISOs talk about the role, how they talk about cybersecurity, common narratives and metaphors, the language and tropes.

And he was curious about how the way we talk about cybersecurity affects the way we and others perceive it, and the very future of the industry.

Because—as we’ll get into—the language does really matter. Even if we don’t realize exactly how much.

But we’re getting carried away. Back to the research.

First he interviewed lots of CISOs and some senior leaders, predominantly from UK-based multinational organizations. 

After his series of multi-faceted deep dives, Joseph applied sociological lenses to shed light on broader perspectives. And then he shared his wisdom with the world.

And—fortunately for us—he presented his juiciest insights to the 2023 IMPACT conference. It’s the only conference completely dedicated to human risk management. It’s where researchers, practitioners and experts come together to share new insight and make real change.

Anyway, central to this blog is the idea of identities. Let’s get into it.

Why do we have identities?

It’s a security thing. Specifically, something called ontological security.

Ontological security means security of the self. Security of one’s own existence. It’s very closely associated with identity.

People have it, but so do organizations. All are motivated to continue their existence.

So, we like ontological security. We want to bolster it. Joseph explains that this is done “through something called identity work, which is dialogue…but also signs and symbols in order to create and maintain a particular identity.”

Read that again. It’s important and we can’t move forward without it.

Identity drives us

Not only does identity influence how people and organizations are perceived. It also influences actions that people or organizations take in order to maintain or perpetuate an identity.

And, if others don’t understand our role, we may double down on carving out that identity. 

This process is largely unconscious. We’re doing something that we don’t know we are doing, and it’s having effects we don’t necessarily notice.

If we’re interested in using behavioral science and human psychology to create a safer digital world, we can’t leave this stone unturned.

Identity leads to metaphor

Language affects our reality. Why else would realtors describe a cramped studio as “bijou”?

Or, as Joseph puts it: “Discourse that relates to identity—whether from yourself or others—can tap into a broader reservoir of meaning … [where] metaphor and narrative are particularly important.”

So, to feel secure in ourselves, we develop identities. And to bolster those identities, we use metaphors.

Groundwork = done. Time to unpack the findings.

Is cybersecurity steeped in masculine metaphors?

Joseph was keen to find out what CISOs say about the identity of their role. How did they describe themselves? How do they think others see them? What’s their relationship to—and part within—the organization they serve?

While Joseph found that the conversations painted the CISO role as “conflicted and contradictory”, there was a clear correlation…

“Masculine tropes are ingrained in cybersecurity discourse,” he confirms.

“While cybersecurity may not be as traditionally masculine as some other professions, it is a highly male-dominated industry.”

Three major masculine-coded themes came up time and time again…

CISO as protector and hero

Battling the bad guys…thriving in conflict. CISOs were viewed as defending the realm (alright, organization) from dangers, wielding a shield, leading an army. 

There were overtones of heroics. War metaphors. Talk of protection from enemy threats. 

“The militaristic associations of cybersecurity may lead to or encourage cybersecurity professionals to cast themselves in a heroic role and to mythologize their work,” Joseph says. 

“Heroism is a traditionally masculine concept,” he reminds us.

CISO as technical expert

In this identity, engineering metaphors were common.

“An identity as an expert is also masculine,” Joseph says. “It’s more subtly masculine than being a hero but is equally powerful. The expert identity that was occupied by the CISOs in this study was a technical—and therefore masculine—one, as technical competence is associated with masculinity.”

Because, yes, weirdly, men are more likely than women to self-describe as experts, Joseph goes on to explain. 

Why? We can only theorize, but it could be because expertise is a competitive concept, and men are socialized to be more competitive.

CISO as disciplinarian

Many CISOs Joseph spoke to saw themselves as the enforcer of the rules. The role, he found, was often imbued with morality. A sense of right vs. wrong. Of good vs. bad.

This showed up in some metaphors related to policing, crime-fighting, and enforcement. 

It makes sense. After all, CISOs may be required to penalize non-compliance, and they may find themselves with the dual purpose of offering protection but also surveilling. 

“Many participants wished to avoid that characterization,” Joseph elaborates, “but that was how they felt they were seen by the organization.”

Anyone with a fierce grandma knows discipline isn’t exclusively male-owned, sure. But disciplinarian and enforcement roles traditionally belonged to men. And these ideas are persistent in our collective psyche. 

So the enforcer is a common metaphor in cybersecurity, and an inherently male metaphor.

Honorable mention: CISO as a pain in the ass

“CISOs’ interactions with senior leaders were commonly confrontational,” Joseph states. Interviewees generally agreed on internal conflict being part and parcel of a CISO’s day to day.

CISOs felt they were seen as both a threat to, and a constituent of, their organization’s identity.

“The data suggested that the ability to succeed in a relatively hostile environment was normatively a necessary trait of a CISO,” Joseph says. 

On the surface, this may not seem gendered. But we think it is. We’ll explain.

It’s widely accepted that in most cultures women are socialized to be more compliant, to make others happy, to go with the flow. In other words, not to be a pain in the ass. 

Among other effects, this shapes how women are perceived, and how suited they may be for a “pain in the ass” role.

But…not all cybersecurity metaphors were masculine-coded…

Some were more neutral. Here are two of them.

CISO as soothsayer

In the analysis stage, Joseph identified the metaphor as ‘CISO as soothsayer’—someone who predicts the future and suggests how to deal with what’s coming.

Sounds pretty woo-woo, we’ll admit, but Joseph explains further: “Soothsayers were historically highly valued, and can be seen as more akin to weather forecasting than to astrology.” 

They’re expected to be someone who can foresee events…and suggest how those events might be handled/mitigated. 

Joseph picked up on how this mirrored the CISO’s dual role as a bad-news agent but also the comforter. In fact, this is related to the next item…

CISO as totem

The existence of a CISO within an organization is often written into annual reports. And like all name-dropping, it serves a purpose.

“Such statements build prestige,” Joseph explains, “they build status, and legitimacy. And in that sense the CISO is a totem, it’s a symbol that is serving to indicate to the organization stakeholders that it’s protected but also that it’s doing the right thing.”

Using the CISO as a totem is less about the CISO’s identity, though. It’s more about what the organization’s doing, and that the organization is the type who’d have a CISO. It’s a not-so-subtle brag.

Speaking the cyberlingo

A masculine bias doesn’t just need to come from identity-based metaphors though.

It can come from metaphors about cybersecurity resilience, about cybersecurity specialisms, about cyber incidents. 

Let’s touch on three of the most pervasive metaphors Joseph was keen to highlight.

Strength

Joseph found that throughout conversations, and within key documents such as annual reports, the idea of strength came up again and again. Organizations want to be seen as strong, that’s only natural, right?

But it’s also about compensation. Displays of strength can also be seen as “compensating performances, in the face of cybersecurity incidents” which threatened the “strong” identity of the CISO and organization. Which leads us nicely to our next theme…

Cyber attacks as emasculating

“Humiliation through such an incident is also further gendered through the use of phrases such as ‘breach’ and ‘penetration’,” Joseph says, “and the anonymous nature of most cybersecurity attacks—at least in terms of not being a clearly responsible party—may also be emasculating.”

“Therefore the risk to the identity of a business from cyber humiliation may encourage masculine behaviors and attitudes that are focused on avoidance of that humiliation, including making public displays of strength and preparedness,” he adds.

When cyber attacks feel like humiliation, acting tough can feel like a solution to the risk of appearing weak.

‘Hard’ vs. ‘Soft’ cybersecurity

Another concerning trend that came to light during Joseph’s research was the tendency to refer to non-technical aspects of cybersecurity as “fluffy”.

This term feminizes cybersecurity activities that the speaker deems less valuable. This feeds into a hierarchy that prioritizes the technical (“hard”) elements. 

The result? A false dichotomy, unequal treatment, and the sidelining of valuable activities.

What’s more, specialist language can have an exclusionary effect, Joseph points out. “The incomprehensibility of this language may be weaponized by cybersecurity professionals in order to secure their status and exclude those who do not understand their language,” he suggests.

Fine, but why is masculinity such a problem?

In and of itself, it isn’t. Masculinity isn’t inherently bad, or wrong, or toxic.

But an imbalance in gendered language is likely holding back cybersecurity as an industry from reaching its full potential.

To explain, Joseph introduces the term ‘male homosociability’. It refers to the use of certain concepts and narratives that support male bonding. But it doesn’t stop there.

It also provides a grounding for communication between cyber professionals, and also between cyber professionals and senior leadership, who are also more likely to be male.

Joseph expands on this: “Using masculine metaphors and concepts of warfare, attack, defense, heroism, and technical expertise to define one’s position and to describe one’s responsibility achieves a common ground with those for whom those metaphors resonate, which is particularly important when your subject is not well understood. So metaphors of war, sport and engineering may be the lingua franca for discourse between dominant masculinities.”

“These masculine aspects of cybersecurity have a regulatory effect both on those who work in the profession and those who do not. The use of militaristic language and concepts perpetuates this masculine bias that features in broader security discourse, so broader than just cybersecurity.”

“This situation excludes those for whom such identities are not desirable or available. So by defining the identity of cybersecurity professionals in a particular way…it creates an iron cage of identity that is inherently masculine.”

The TL;DR of it? Cybersecurity’s masculine bias is excluding and alienating stellar talent.

This is concerning enough in even the most stacked, flourishing industries. But cybersecurity has a heavy gender imbalance. And a skills gap. Worse still, it has an overall shortage of people.

There’s no doubt that these masculine tropes make it harder to address these (rather huge) issues.

So, what can we all do about this?

We know, we know. 

We’re all part of a much wider system. The ground we walk on today is made up of thousands of years of patriarchal, heteronormative sediment. (If you can’t get metaphorical in a blog about metaphors, when can you?)

We can’t solve gender inequality overnight. But we all have a part to play in steering things to be fairer, better, and actually beneficial for the industry and our organizations.

But how exactly? Joseph has some ideas.

What would happen if we all put greater emphasis on the communicative, evaluatory and advisory aspects of the CISO role? His work suggests that acknowledging and embracing the interpretive aspects of cybersecurity would be wise.

Could seeing the CISO as a soothsayer be beneficial for all parties? It provides greater clarity for a role that is poorly understood, without leaning into masculine tropes, so maybe.

Cybersecurity’s mystique and opaqueness could be addressed by education. This would enable more people to visualize themselves in a cybersecurity role, and would dial down the gatekeeping.

But we think the most important action Joseph raises is this:

“Those in practice could consider whether alternative, less exclusionary metaphors and concepts can be employed in referring to cybersecurity, and whether this would help to improve representation and close the skills gap.”

We’re not going to stop using strength and defense and war metaphors. Inevitably all of us will continue relying on them to make connections and convey messages, and to uphold the crucial nature of cybersecurity practitioners’ work.

But small, mindful changes in our everyday communication can lead to a big shift in the overall culture of cybersecurity.

All hands on deck

On the surface, cybersecurity doesn’t scream macho. But we can’t ignore it’s a male-dominated field. And the way we all talk about it reinforces that.

This masculine bias is an “iron cage” that keeps out talented people who might not identify with those (rather tired) tropes.

This is a problem because cybersecurity desperately needs more people…and diversity is a strength, not a weakness.

We can’t single-handedly dismantle millennia of patriarchy. But we can be mindful of the language we use and the biases that slipped by unnoticed before now.

And, we can learn more. Because this blog is based on just one session from IMPACT 2023. There is so much more to learn, from so many other cybersecurity pros. It’s free, and you can explore the whole series via our IMPACT 2023 playlist.

(That includes Joseph’s full presentation—including what a CISO has in common with a bass player. 🎸)

And whatever you do, join our mailing list so you’ll be the first to know about new resources, and so you’ll be first in line for webinars and events, like IMPACT. Never miss out again!

It’s time to break up the cyber boys’ club. We need all hands on deck to shape an inclusive, effective industry fit for the future.

There’s plenty more where that came from

This conversation is only a small part of what made IMPACT 2024 so eye-opening.

Missed out on all the fun? Download all the unmissable insights and headlines in one report: IMPACT: The Findings

It’s your cheat sheet to the biggest takeaways in human cyber risk. The latest academic research on the human aspect of cybersecurity. No filler, all hits.

What’s inside:

    • Finding and addressing vulnerabilities in your security strategy,
    • Why we get in our own way when trying to help people act safer,
    • Why cybersecurity is so messy…and why that’s okay!
    • The huge divide in our community, and how we might be able to close it,
    • And so, so much more.
