There are few quick wins in cybersecurity. Best practice takes time, and the results may not become apparent for months or even years. This is especially true of arguably the most important factor in cyber: people. For as long as anyone can remember, the industry has suffered a major gender imbalance problem. When viewed in the context of overall global cyber skills shortages, it’s not so much a problem today as a crisis.

To tackle it, senior managers must back up their words with concrete actions. And they must be resolute in doing so, mindful that it could take decades to resolve.

A long way to go

The latest figures from (ISC)² last year put the global cybersecurity skills shortfall at 2.9m professionals, with women occupying just under a quarter (24%) of roles. This is an improvement on the 11% previously estimated (7% in Europe), although the increase is due to a recalibration of the survey methodology rather than a significant improvement. Unfortunately, men still dominate the industry all the way to the top, occupying 87% of CISO roles at Fortune 500 firms.

Why are we still in this position? After all, there are a lot more female role models out there today. I’m not just talking about the hard-working women who work in the industry, but also characters like Chloe O’Brian in 24, and The Girl with the Dragon Tattoo’s Lisbeth Salander. Unfortunately, there are still not enough young people being inspired to work in the industry, while recruiters are failing to deliver on diversity promises.

Hire for attitude, train for skill

Organizations have a major part to play in tackling the problem. First, they need to improve collaboration with schools, colleges, universities and lawmakers. There are initiatives across Europe, like the UK’s CyberFirst Girls competition, designed to encourage girls to consider a career in cybersecurity. But employers need to forge closer ties with educational institutions to create further opportunities. They can help to sponsor courses, internships, open days and other initiatives to spark the interest of young women. In return, they could get a ready-made pipeline of cybersecurity stars to recruit into the organization.

Second, organizations must relax their strict hiring policies. Too often, the focus is on industry experience, which immediately discourages a large pool of potentially excellent female candidates from applying. If you’re never giving these people an opportunity to get a foot in the door, the continued focus on “experience-first” is self-defeating. “Hire for attitude, train for skill” is an oft-repeated business mantra: employers now need to apply it to cybersecurity recruitment. With effective retraining programs, you could enhance your security team with candidates from a wide variety of backgrounds, each bringing something unique and valued to the table.

Third, senior management needs to lead by example. Don’t just voice corporate rhetoric about skills and gender diversity: act on it. This will take rigor and determination. If you don’t push recruiting teams to work up shortlists of at least 30% women, for example, they’re likely to stop at the first handful of good candidates. You need to set clear objectives, measure and monitor them and continually demand better.

A better workplace

Senior managers also need to ask the question: “Is my organization an attractive place for women to work?” At the very least, you may need to provide greater flexibility in working hours, improve support for employees returning from maternity leave, encourage more female role models, and close any pay gaps.

Gender diversity in cybersecurity is not going to change overnight. It requires more than lip service from senior executives to address. That’s why you need a clear strategy with measurable goals. Most importantly, you need to be in it for the long haul, because that’s what it’s going to take. But the benefits, in reducing overall industry skills shortages and creating a more diverse, multi-skilled workforce, will be well worth the effort.