Strengthening security for all through gendered implementation of cybersecurity standards
In the evolving landscape of cybersecurity, global standards and frameworks play a crucial role in shaping responsible corporate practices. However, many of these frameworks have historically overlooked one important factor: gender. A new report from the United Nations Institute for Disarmament Research (UNIDIR) and the Organisation of American States (OAS) seeks to change this. By reinterpreting the UN’s 11 norms for responsible state behaviour in cyberspace through a gender lens, the report calls for a more inclusive and people-centred approach to security.
A quick recap of the 11 UN norms
In 2015, the UN General Assembly endorsed 11 voluntary, non-binding norms for responsible state behaviour in cyberspace. These norms aim to reduce the risk of conflict and enhance trust in how states operate in the digital environment. They cover areas such as:
- Protecting critical infrastructure
- Cooperating to mitigate Information and Communications Technology (ICT) vulnerabilities
- Respecting human rights online
- Providing assistance to other states in the event of a cyber incident
- Ensuring the integrity of supply chains
Why gender matters in cyberspace
Digital threats are not neutral. Online harassment and privacy violations, surveillance, and cyberstalking disproportionately target women, girls, and marginalised groups. Likewise, access to digital tools and cybersecurity resources is uneven. Failing to acknowledge these differences means that policies risk being incomplete: effective in principle, but blind to real-world impact.
The UNIDIR/OAS report bridges this gap by introducing two complementary approaches:
- Gender-sensitive interpretation: examining each of the 11 norms through a gender lens to identify where risks and protections may differ across communities
- Gender-responsive implementation: offering practical guidance for governments, international organisations, and civil society to operationalise these insights
Together, these approaches move the discussion from abstract principles to tangible action.
From principle to practice
What does gender-responsive cyber governance look like in practice? The report highlights a number of examples that offer useful models:
- Canada has integrated cybersecurity into its feminist foreign policy, gathering gender-disaggregated data on digital threats and ensuring cooperation between cybersecurity and Women, Peace and Security (WPS) experts
- Costa Rica has advanced inclusive capacity-building programmes that highlight the intersection between gender equality and digital resilience
- Chile has embedded gender considerations into its National Cybersecurity Strategy, conducting gender audits and evaluating the impact of policies on different populations
These case studies show that incorporating gender is not only possible but also strengthens governance and improves resilience.
Implications for organisations and privacy leaders
Although the UN norms are directed at states, they have clear implications for organisations, regulators, and professionals working in data protection and cybersecurity. Many private actors operate critical infrastructure, manage sensitive data, or provide platforms that shape digital interaction. A gender-aware approach can therefore help organisations:
- Address blind spots: recognising that threats such as harassment or identity theft can affect some groups more severely
- Build inclusive incident response plans: ensuring that crisis communications, reporting mechanisms, and support structures are accessible and fair
- Strengthen trust: demonstrating to regulators, clients, and the public that security strategies are designed with people in mind
- Meet evolving expectations: as regulators and standard-setting bodies increasingly expect organisations to consider diversity and inclusion in risk management
Practical steps to get started
For organisations that want to operationalise these insights, the report suggests practical entry points:
- Policy review: Audit cybersecurity and data protection policies through a gender lens. Ask whether response plans, security communications, and user protections are accessible and inclusive.
- Data disaggregation: Where possible, collect and analyse security-related data by demographics to identify disparities. This could include breach reports, security complaints, or phishing susceptibility.
- Inclusive governance: Build cross-functional teams that bring together legal, technical, HR, and equity perspectives. This ensures that policies do not exist in silos.
- Capacity building: Train staff and partners to recognise how cyber threats may impact people differently and to respond accordingly.
- Stakeholder engagement: Collaborate with civil society, gender experts, and affected communities to inform security design and response.
These steps not only align with the spirit of the UN norms but also enhance resilience and accountability within organisations.
Looking ahead
The adoption of the 11 UN norms was a milestone for international cyber stability. Adding a gender lens represents the next stage of maturity: moving from state-centric, compliance-focused governance to people-centred, inclusive security.
As digital ecosystems continue to expand, the risks of overlooking gender will grow. A cyber policy that does not account for diverse experiences is incomplete. By embedding gender-sensitive and gender-responsive practices, states and organisations alike can build more equitable, trustworthy, and secure digital environments.
The message of the UNIDIR/OAS report is clear: inclusive cybersecurity is not optional. It is essential for achieving meaningful, sustainable, and responsible behaviour in cyberspace.
Key takeaways
- Cybersecurity threats impact communities differently; therefore, policies that ignore gender may not provide sufficient protection
- The UNIDIR/OAS report reframes the 11 UN norms through a gender lens, offering both gender-sensitive interpretations and gender-responsive actions
- Organisations can act now by reviewing policies, disaggregating data, embedding inclusive governance, and training teams
- Inclusive cybersecurity strengthens resilience, builds trust, and ensures that digital security truly protects everyone
As organisations navigate this next chapter in cybersecurity governance, HewardMills is on hand to provide expert support, including reviewing policies and offering guidance on developing and embedding inclusive cyber governance frameworks.