CFOtech Australia - Technology news for CFOs & financial decision-makers
Courtney Guss headshot

Why women from varied careers strengthen cybersecurity

Thu, 5th Mar 2026

While the number of women entering cybersecurity in Australia and globally continues to grow, we still make up less than 25% of the global cybersecurity workforce. Much of the industry commentary focuses on male-dominated environments and persistent pay gaps as reasons women leave the field, while simultaneously labelling many women as coming from "non-traditional" cybersecurity backgrounds. I find this framing increasingly outdated. Cybersecurity is no longer an IT problem alone - it is a business risk, an operational resilience challenge, and in some cases, a matter of national security. As the role of cyber has evolved, so too must our understanding of what skills and experience truly matter.

From my perspective, individuals who bring strong business, risk, and operational mindsets add tremendous value to any cybersecurity program. These capabilities are not alternatives to technical expertise; they are essential complements to it. Women who enter cybersecurity from diverse professional backgrounds often bring different perspectives, collaborative instincts, and problem-solving approaches that help organisations tackle complex challenges in more innovative ways. I believe the industry needs to do a better job of thinking beyond traditional career paths and credentials, and instead focus on transferable skills, adaptability, and strategic thinking. When we broaden our definition of what a cybersecurity professional looks like, we don't just create more inclusive teams - we build stronger, more resilient security programs.

Women who enter cybersecurity from diverse professional backgrounds often bring precisely these strengths. They may have worked in finance, insurance, emergency management, healthcare, law, communications, or government. In those roles, they learned to manage ambiguity, communicate across stakeholders, navigate regulatory complexity, and balance competing priorities - all capabilities that are critical during a cyber crisis.

For example, consider a woman who began her career in risk management and emergency management rather than IT. In her early work, she may have focused on assessing financial exposure, modelling potential losses, and coordinating cross-functional recovery efforts during natural disasters. She became fluent in understanding how operational disruptions translate into real financial consequences - lost revenue, regulatory penalties, customer attrition, and reputational damage. She worked with executive leadership teams to prioritise recovery decisions based not just on urgency, but on business impact. 

When she later transitioned into cybersecurity, she did not start by configuring firewalls or writing detection rules. Instead, she asked different questions: What are the organisation's most critical business services? How long can each function tolerate disruption? What is the quantified financial impact of downtime? Who needs to be involved in decisions during an incident, and how will those decisions be documented and communicated?

Those questions fundamentally change how a security program is designed. Instead of centring solely on threat indicators and technical controls, the program begins to align with enterprise risk appetite, regulatory obligations, and board-level reporting requirements. Incident response plans evolve from static technical runbooks into coordinated crisis management frameworks that include legal, communications, finance, and operations. Exercises simulate not just malware containment, but executive decision-making under pressure.

This story is not hypothetical, but a summary of my personal cybersecurity journey.

The result is not a less technical security function - it is a more strategically integrated one. Technical teams remain essential. But they operate within a structure that connects their actions directly to business outcomes. Recovery priorities are informed by revenue impact. Communication strategies consider shareholder and customer expectations. Post-incident reviews measure not only mean time to detect, but the broader financial and operational consequences.

This is the value of cross-disciplinary experience. It bridges gaps that often exist between security teams and executive leadership. It translates technical risk into language that boards understand. It introduces structured risk quantification, operational planning, and resilience thinking into environments that may previously have been reactive.

When we label these pathways as "non-traditional," we unintentionally imply they are secondary. In reality, they may be exactly what the industry needs as cyber risk continues to converge with enterprise risk. The complexity of today's threat landscape demands diverse cognitive approaches - analytical, strategic, collaborative, and adaptive.

Broadening our definition of what a cybersecurity professional looks like is not about optics. It is about capability. It is about recognising that resilience requires more than technical excellence; it requires integrated thinking. When we value transferable skills such as risk assessment, crisis coordination, financial analysis, and stakeholder communication, we open the door to talent that strengthens the entire ecosystem.

If cybersecurity is now a business imperative, then the future of the profession must reflect the full spectrum of expertise required to protect and sustain organisations. By moving beyond narrow definitions of experience and embracing cross-disciplinary talent, we do more than create inclusive teams - we build stronger, smarter, and more resilient security programs.

As Australia's threat landscape continues to rapidly evolve and the stakes get higher, organisations need to broaden their talent pipeline. According to the Australian Signals Directorate's Annual Cyber Threat Report, there were 84,700 cybercrime reports in 2024-2025, an average of one report every 6 minutes. Furthermore, state actors are increasingly targeting business and critical infrastructure, as well as all levels of Australian government, in an attempt to conduct espionage, steal sensitive data or posture for disruptive attacks.

If we are going to meet Australia's cyber workforce demands and strengthen our local industry, we have to cast a wider net when it comes to attracting new talent. We must show Australian women that we value cross-disciplinary experience and inclusive leadership teams.