SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

Women in cybersecurity, what it really looks like, and where you can fit

Fri, 6th Mar 2026

Women make up about 22% of the cybersecurity workforce, according to ISC2 [1]. A separate global workforce report puts the figure at 24% [2]. Put next to the wider tech industry, the gap is clear: women hold 36% of tech roles overall, while cybersecurity remains at 24% [3].

In the lead-up to International Women's Day, I spoke with privacy engineer and privacy by design advocate Kim Wuyts about what working in cybersecurity and privacy actually looks like, and where women can realistically see themselves in it. Wuyts has 15+ years across security and privacy, helped develop the LINDDUN privacy threat modeling framework, and regularly speaks at international security and privacy conferences.

Her message is practical: cybersecurity is broader than the stereotypes, the work is often collaborative and human, and you do not need to have every answer to be effective.

Cybersecurity is bigger than "super technical"

For many women, the barrier is not interest; it is the feeling that you have to be deeply technical to belong. Wuyts' advice is to separate "some roles" from "all roles." Yes, some jobs require deep technical expertise, but the field also needs people who can think clearly about risk, communicate trade-offs, and work across teams.

That breadth matters because it changes the question from "Can I do cyber?" to "Which part of cyber fits how I like to work?" Architecture, threat modeling, vendor roles, sales, communication, and translating risk for different audiences sit alongside hands-on technical roles.

"There are so many different layers, flavors… it's not just that very low level techy thing out there."

Replace the stereotype, the work is collaborative and human

The popular image of cybersecurity still looks like a lone, high-pressure role: one person, one screen, one adversary. Wuyts' advice is to ignore that framing. In practice the work is collaborative; it happens in teams, in meetings, and in the moments where decisions get made.

For anyone deciding whether they would enjoy the work, this matters because it reframes the day to day. Many roles involve understanding how a system works, spotting where it could fail, and helping teams improve outcomes in realistic ways. 

"It's really more about collaboration… sitting together with a team and figuring out how it works, how it can be improved from a security or a privacy perspective."

"It's actually a very… human kind of work."

Start small, pick a lens, and stay curious

"Try to find this specific lens, focus area and start small because if you just want to embrace all of cyber security or privacy, you're gonna get overwhelmed…be curious and explore the different areas within the industry"

For women looking in, cybersecurity and privacy can feel too big because people try to learn "all of it" at once. Wuyts' advice is to do the opposite: pick a lens and start small. A focused start makes learning feel possible, and it gives you a way to test what you enjoy without committing to a single identity or career path too early.

Curiosity plays a practical role here. It is not about having a perfect plan, it is about giving yourself permission to explore. The goal is momentum, not mastery. Choose one topic, try it, and let the next step be shaped by what holds your attention.

"Taste the field" before choosing a lane

For women who are unsure where they fit, the most helpful step is often exposure. Wuyts recommends low pressure ways to see the work up close before making big decisions. Local OWASP meetups, conferences, and short courses can help you learn what different roles look like in practice, and meet people who can answer honest questions.

There are also hands-on ways to test your interest, including internships and capture the flag (CTF) events. For women already working in tech, another option is to learn by proximity: ask to sit in on a security or privacy review, take notes, and start building familiarity with how teams discuss risk. Where they exist, internal champion programs can be a way to contribute without needing an all or nothing career shift.

The real skill is asking good questions, not knowing everything

Many women hesitate to enter cybersecurity because they assume they need to know everything before they begin. Wuyts' advice is to reframe what competence looks like. A big part of the work is knowing what to ask, when to ask it, and how to follow up.

"It's not always about having the answers, but security and privacy is also often about asking the right questions."

As a practical starting point, she points to a simple four question structure attributed to Adam Shostack (also referenced in the Threat Modeling Manifesto): what are we working on, what can go wrong, what are we going to do about it, and did we do a good enough job.

Confidence, imperfect answers, and applying before you feel "ready"

"Try and accept imperfection… you can't know everything."

Confidence is one of the quiet barriers that keeps people on the edge of the field. Wuyts' advice is not to wait for a moment when you feel fully prepared, because that moment often never arrives. Instead, build comfort with imperfection, and treat readiness as something you develop through action. In security and privacy, nobody has every answer on demand, and she argues it is professional to say you need to look something up and come back with a better response.

She also encourages women to apply for roles even if they do not match every line of a job description. If you recognise yourself in a meaningful portion of the role, and you are curious about the rest, apply rather than disqualifying yourself early. "It's okay to not be 100% ready. If you are 60% matching the job application… apply."

The same mindset extends to visibility too, including conference talks. "It also applies to submitting a conference talk. You have expertise. Talk about what you know best."

Community matters, "find your tribe"

Finally, Wuyts describes community as a lever for confidence, learning, and staying in the field. Her phrase is simple: find your tribe, people you respect and who respect you, where you can test ideas, ask questions, and learn without fear of being shut down.

It is not framed as needing permission or protection, but as building a soundboard. Learn in a trusted space, then take that knowledge into higher stakes rooms with more confidence.

For anyone looking for a concrete place to start, there are also established initiatives designed to make that first step easier, for example Women4Cyber, which runs local chapters across Europe and offers a mentorship programme.

If you are curious, you can start

If there is one clear thread through Wuyts' advice, it is that cybersecurity and privacy are not closed clubs for a single "type" of person. The work is broader than the stereotypes, and in many roles the core skills are collaboration and curiosity.

International Women's Day is a good moment to make this visible. Not because women need a special invitation, but because the industry still signals, often unintentionally, who it expects to show up. 

More women in cybersecurity and privacy means more perspectives in the room when products are designed, risks are assessed, and decisions are made. If you are curious, you already belong here. Curiosity is how expertise begins, and how this field gets better.