Greater numbers of women are taking non-IT routes into cybersecurity roles, according to ISC2 research. They are entering the profession from other disciplines and non-STEM education paths and providing employers with a proven and talented cohort to consider when hiring.

ISC2 is publishing a series of #WomenInCyber articles throughout March based on ISC2 research findings from women working in the cybersecurity profession. The results highlight the perspectives of women in cybersecurity roles. In this article, we are looking at the routes into the profession that women respondents have taken and how a significant number have leveraged education, professional development, self-initiated experience opportunities and apprenticeships to press on with their careers in greater numbers than men who participated in the same study. We also look at how evolving organization hiring priorities are supporting these efforts, with more organizations hiring people from a wider variety of career and education backgrounds.

The majority of respondents to the ISC2 Cybersecurity Workforce Study entered the cybersecurity field via an IT pathway – be that a previous IT role or an IT-based education path. Of that majority, we see that 61% of women respondents came into cybersecurity via an IT route, compared to 72% of men. However, once we look beyond the migration from IT to cybersecurity roles, we see a very pronounced shift towards women leading the way into the profession via these other paths, using non-technical and non-traditional paths and opportunities as a launchpad.

ISC2 Women in Cybersecurity Research 2025 

Education Pathways

Alongside the strong percentage leveraging IT experience to get into cybersecurity, advanced education is also a significant pathway into these roles, more so for women coming into the sector. For example, nearly a quarter (24%) of women respondents said they came in with a cybersecurity-related undergraduate degree (compared to 18% men), with 23% of women (18% men) entering a cybersecurity role with an undergraduate degree in a field not directly linked to cybersecurity.

In addition to this, 18% of women respondents (12% men) noted that they held an advanced degree – a postgraduate qualification like a master's or a doctorate – in a cybersecurity-related subject prior to taking up a cybersecurity role. For non-cybersecurity advanced degrees, 16% of women respondents (11% men) held these qualifications before entering the cybersecurity workforce, aiding the transfer of a wealth of applicable knowledge into the cybersecurity field.

Alongside these insights into education leading into a first cyber role, respondent data also confirmed that overall, women respondents have reached higher levels of formal education than men who responded. For instance, 48% of all women who participated have a master’s or equivalent, compared to 42% of men who participated. Furthermore, 9% of women respondents have a doctorate or higher compared to 6% of men.

At least half of women who responded to the study have degrees in CIS/cybersecurity, with 51% of women holding an undergraduate degree in CIS/Cyber compared to 57% of men, while 58% of women surveyed held a master’s or equivalent in CIS/cybersecurity compared to 63% of men surveyed.

Internship and Apprenticeship

Seeking out pre-career experience is something that women respondents are prioritizing to a much higher level, with 11% of women stating they came into their role having undertaken a cybersecurity internship first. In comparison, only 6% of men who responded to the study did the same. Apprenticeships also played a role, again with women using this experience opportunity in greater percentages. However, the apprentice option was a much smaller group compared with internships, with 4% of women respondents using this route, compared to just 2% of men respondents.

Apprenticeship opportunities, while a proven way to develop skills and expertise, are still less common than internships in many administrative IT and cybersecurity environments. Apprenticeship programs are seen in greater volumes in industrial sectors such as manufacturing, engineering, agriculture and transport, including for personnel responsible for cybersecurity functions in such industries. According to data from the U.S. Department of Labor, there were 641,044 apprenticeships offered across the country in 2024, covering roles ranging from trades like plumbing and carpentry to IT and sales. In contrast, around 4.17 million college students in the U.S. participated in internships in the same period.

The one non-IT path that brought in more men respondents than women was the military. Of our respondents, 17% of men cited this as part of their pre-cybersecurity path compared with 14% of women. This is not surprising given that many military forces around the world tend to have significantly higher percentages of men serving. Using the U.S. and U.K. armed forces as examples, the most recent demographic data from the U.S. Department of Defense shows men comprise 82.5% of its active-duty force, with women comprising 17.5%. The equivalent data from the U.K. Ministry of Defence states men comprise 88.3% of its active-duty force, with women comprising 11.7%.

The Role of Certifications

Beyond career and formal education routes, the responses also showed us the significant emphasis women respondents placed on certifications and professional development to support their efforts when securing and furthering a cybersecurity career path.

Holding a cybersecurity certification before entering their first job in cybersecurity was cited by 18% of women respondents and 16% of men.

The types of cybersecurity certifications held by respondents were predominantly vendor-neutral industry certifications, particularly from ISC2, ISACA, CompTIA and others. However, on this occasion more men respondents (84%) held these types of certifications than women (67%). The situation changed when looking at vendor-specific certifications. While the overall percentage of respondents holding these was lower than vendor-neutral certifications, we see that women respondents (47%) hold them in greater percentages than their male respondent counterparts (42%). Only 6% of women respondents said they do not have any cybersecurity certifications at all, alongside 3% of men respondents.

The push for continuous learning means that the certification journey for all cybersecurity professionals does not end with a single qualification. This was highlighted by 51% of women respondents (56% men) who are planning to get additional vendor-neutral certifications, while 44% of women (36% men) are intending to do the same with vendor-specific certifications.

Hiring Priorities

Nearly a quarter (23%) of women respondents stated they came into the profession via a non-IT job, compared with 17% of men who participated in the study. Organizations where women hiring managers work appear to be more open to exploring internal hires and alternate pathways into the profession, based on the research findings, while women feel their organizations are being more proactive in their hiring across the board of technical, non-technical and alternative background personnel.

As an example of how efforts to broaden the routes are working, survey data from the U.K. Department of Science, Innovation and Technology showed that in the last year, 43% of cybersecurity employers hired through non-degree routes. The same data also showed an 18% year-on-year increase in the number of cybersecurity apprenticeships being started in the U.K.

Further to this, 56% of women respondents said their organizations are already changing their hiring requirements to bring in more people from non-cybersecurity backgrounds, while 41% of men surveyed said the same. This is illustrative of employer efforts globally to widen the potential cybersecurity talent pool without compromising standards. Women respondents (67%) were even more prominent in noting that their organizations were actively trying to make use of skillsets already on the payroll, recruiting technical hires from other departments to fill roles in cybersecurity teams. Over half (55%) of men who responded agreed their organizations were doing the same.

Using the same approach to hire non-technical staff was also recognized by respondents, but not to the same degree, with 54% of women respondents and 37% of men noting this as a tactic used by their organizations.

The construction, retail, automotive and transportation sectors are most open to bringing in cybersecurity staff from outside of the profession according to all survey respondents. Looking at employers by workforce size, mid-size organizations (those with 500-5,000 employees) were shown to be most open to this hiring strategy.

Of particular note is the finding that 43% of women said their organizations still need to hire more people from non-cybersecurity backgrounds. This signals that while the research revealed that high levels of organizations are trying alternative hiring options, there is room to do more, a view shared by a third (33%) of men respondents.

The Road Ahead – Recommendations and Considerations

The responses across all the study participants highlighted that while IT continues to be the primary route into a career in cybersecurity, it is far from the only path. Based on the findings shared in this article, the following recommendations are offered to both cybersecurity professionals and hiring managers:

  • Hiring managers charged with recruiting individuals into cybersecurity roles also need to expand the range of candidates they can attract. Incorporating non-traditional career and education backgrounds into job descriptions and hiring strategies is an opportunity to grow the potential talent pool while maintaining standards and not compromising recruitment objectives.
  • Cybersecurity certifications are an asset in the professional development journey, as noted by the majority of those professionals who participated in this research. The certifications they hold, along with the ones they plan to pursue in the coming months and years, will play a role in determining a career path, while for several a cybersecurity certification was part of the process that led them to their first cybersecurity job.

Celebrating Women in Cybersecurity

At ISC2, we are celebrating women in cybersecurity during the month of March and publishing a series of articles that encourage the cybersecurity industry to strive for equality and greater inclusivity for all.

We will be sharing more research insights along with the accomplishments, career stories and experiences of women members working in cybersecurity roles.

Cybersecurity professionals can hear from leaders around the world during a webinar, From the Inside Out: Increasing Representation and Inclusion of Women in Cybersecurity. Available now for on-demand replay, this webinar features panelists who discuss unique partnerships and grassroots programming to increase women’s inclusion in cybersecurity. They also discuss why increasing representation matters and how individuals and organizations can play a role in making change. ISC2 members receive one CPE credit for viewing this webinar.

Methodology

The methodology statement for the ISC2 research on which this article is based can be found in the first part of this research series.
