The Global Information Security Workforce Study noted attracting more women into the predominantly male InfoSec profession would reduce the workforce shortfall. Yet, as the GISWS also revealed, the proportion of women to men in the profession has been stubbornly stagnant over the last two years. The actual number of women employed in information security is growing, but only at a percentage rate equal to the profession as a whole, it said.

In addition, the Women in Security Report, a subset of the GISWS, disclosed that women:

• Make up only 11% of the information security workforce;

• Currently dominate one area within the security industry – governance, risk and compliance – thus positioning them wisely for advancement; and

• Account for roughly a third of workers at many tech firms, with fewer in leadership and technology roles.

To break it down further, 17% of the 13,930 surveyed in the GISWS study indicated they were in the banking/insurance/finance fields. Eleven percent of female respondents were in the banking/insurance/finance fields and 6% of female respondents were a chief information security officer, chief security officer or critical infrastructure assurance officer. In addition, 60% of respondents (both male and female) indicated they worked in banking/insurance/finance with understaffed security environments.

It is not clear whether gender bias plays a role in certain information security opportunities for women, according to one expert. Women are more concentrated in governance, risk and compliance roles than men are.

"There is definitely an opportunity to fill this workforce gap. We just have to find the reasons why fewer women are excited about the industry or are thwarted from joining the industry or getting the necessary support," Elise Yacobellis, (ISC)2 business development strategist, said. "As the workforce is growing, more men than women are joining at a rapid rate."

One caveat: The GISWS study took place from late 2014 to early 2015, and there has been some activity since then to encourage more women to enter the field, she added.

"More interesting, however, is the path that women are taking once in the profession. Women are increasingly taking a career path that has a primary functional responsibility in governance, risk, and compliance," the study said.

For example, one in five InfoSec women surveyed said they are in a governance, risk and compliance role. Comparatively, for men, one in eight said they are in a GRC role. The contextual importance of this is twofold, according to the ISC(2) report.

First, until the events of 9/11, GRC professionals played a relatively obscure role in the InfoSec field. Now, however, both women and men recognize the rising importance of these and other roles concentrated in managing business risk.

Second, women, more so than men, seized upon GRC growth opportunities early on. Thus, women as a percentage of all GRC roles is double the percentage they hold in all of InfoSec – about 20% versus approximately 10%.

"Prominent among the challenges are diffusing emotions, collaborating across multiple stakeholders, and adroitly balancing business objectives and risk management," Yacobellis said.

Women also differ from men in their approach to addressing the widening InfoSec workforce shortage, according to the GISWS study. While both women and men said they believed a shortage of qualified personnel is a significant contributor to the problem, women stressed the need to look beyond technical skills when hiring. They said technical skills alone are insufficient in resolving the complex risk management dilemmas leaders in InfoSec confront now and in the future.

Aggregate numbers also obscure growth in some areas led by women in information security. For example, the GISWS report revealed women in InfoSec are already converging their male counterparts in higher education. An increasing percentage of women in information have degrees in either computer science or engineering.

Education could also play a big role in encouraging more females to select the field. The GISWS report suggested organizations take action to promote the InfoSec profession among girls and women, including by supporting cybersecurity education in primary schools. Businesses can also offer internships, couple new InfoSec hires with mentors and adapt more equitable compensation plans.

Yacobellis added that showing women they can apply critical analysis and thinking not just to pure technology positions that are just about penetration testing and hacking, but to governance, risk and compliance positions – an area where women dominate, according to the study. That's because technology is a huge part of young people's lives, Yacobellis said.

"They are online constantly, they have learned the technology and they accept the technology. Now we have to talk about how they can accept the security. There is great opportunity in job fields that would be exciting to them," Yacobellis explained.

However, many girls have trouble moving past that geek mentality barrier and allowing themselves to slip past a gender predisposition at a young age.

"Even in this day and age, girls are less encouraged in math and science and more disinterested in taking that path because it does not seem to fit being female," the business development strategist observed.

Science, Technology, Engineering and Math and/or Security Information and Event Management programs can help break down obstacles for middle school and high school students by taking them beyond technology and moving them toward the security track.

"Even in colleges, the IT programs need to embrace security as a piece or the whole curriculum," Yacobellis said.

Retention is another issue in the security field as recruiters fight to find top talent. The (ISC)2 study showed men are more motivated by pay and more willing to move to a new job for greater pay than women are. Women surveyed stated buying InfoSec talent through salary incentives is insufficient in addressing the workforce shortage, however. A mix of monetary and non-monetary incentives, such as flexible work arrangements, and varied training and education methods could help attract and retain more women, they said.

"We are also seeing many women leaving the field and we are trying to discern why that is; it seems they get to a certain point and they then end up leaving or going on a divergent path," Yacobellis said.

In addition, offering diverse training options that align with flexible working arrangements is important to retaining and engaging female information security professionals. The Women in Security Report survey revealed women are more progressive in their views on training methods, which allows for a wider range of information security training opportunities. This may be increasingly valuable to retention efforts and in elevating professionals' readiness to succeed in new roles.

The report also emphasized women who have chosen InfoSec as a career recognize the need for change. Their actions are positively affecting the consideration of hiring women in the InfoSec profession and, in turn, can reduce the workforce shortage.

"Hopefully there is not this unconscious bias that women have to prove themselves from a technical level. Women seem to excel at some of the other skills that are necessary – critical analysis thinking, communication – all of these things are important," Yacobellis observed. "We need women to support other women and mentor them, and look at it from a holistic perspective."

IT in general is a male-dominated industry and security came out of the IT field, she noted.

"Many people still do not realize that security can be a career choice," Yacobellis said. "There are a plentiful amount of women who can take on these roles."