For Allie Mellen, her formative moment came during her first experience at Black Hat.
She was a student at Boston University in 2015, where there was only a single course dedicated to cybersecurity across the entire program. That was all it took for her to get hooked. The class was “really hands on” with students expected to hack a server for their mid-term and final exams.
It also included a research presentation, and she was part of a team that chose to hack a Square reader. Her professor was impressed and encouraged the group to submit the research for Black Hat. When their project was accepted, she jumped on a plane to Las Vegas where she gave her first cybersecurity presentation in front of a live audience, went on CNN and CNBC for interviews and made a host of new connections in her field.
Years later, that experience still sticks out in her head for influencing her decision to pursue a full-time cybersecurity career. But there were also other, less pleasant memories and encounters.
“I had people tell me that I didn’t look like a hacker. I had people tell me I was only getting on CNN because they wanted a token woman on the show,” said Mellen, now a senior analyst at Forrester. “Those kinds of comments … don’t feel great. It was very common, actually.”
It is, of course, no secret that the cybersecurity industry has a woman problem. Despite making up nearly half the overall workforce, women compose just under one-quarter of the cybersecurity workforce and slightly more than a quarter of the STEM workforce.
But recent research as well as interviews with women in the field underscore how a handful of early or formative moments can heavily shape or influence their decision to remain on their career path in cybersecurity or pursue other kinds of work entirely. Together they reveal insights into where the industry has gone right — or wrong — in attempting to foster and develop female talent.
Common 'breakthrough' experiences
Key moments or experiences like the ones described by Mellen, played out through millions of interactions by women across the country, can have a big impact on either solving or deepening this problem.
A recent study from Logitech and Girls Who Code, a non-profit dedicated to increasing opportunities for women in computer science, surveyed workers in tech and IT about the most important factors that influence a woman’s decision to pursue a career in computer science. The responses they received indicate that many women experience what they call “breakthrough” points early in their careers: experiences and connections that either encourage or discourage them from remaining in the industry.
The study highlighted five common experiences that kept popping up over and over again in the responses: having an early cheerleader or mentor, developing a passion for the underlying work, having a job where you make meaningful contributions to society, access to women-centric support communities and “meaningful” action or support from male colleagues. All were positively associated with making women feel more welcome in the workspace and more likely to remain in or pursue a career in STEM.
Mellen has since helped develop further research on how to retain and recruit more women into the cybersecurity ranks, with a focus on breaking down existing “toxic” cultural barriers in tech and cybersecurity and replacing them with more inclusive ones, both for women and other underrepresented groups. Their research homes in on direct forms of support — such as more resources and structures to help whistleblowers who identify bad practices and visibly calling out relics from the male-dominated culture that has developed around the industry and professional networking entry points, like conferences.
It also tackles more subtle ones, like stripping out unconscious gender bias in job descriptions and expanding flexible work arrangements to account for the reality that women — working or not — often bear the primary burden of childcare and other household responsibilities.
“I know my kids sometimes say ‘mommy always works.’ I try to explain to my kids: mommy’s making the world a safer place to live,” said Saltanat Mashirova, a cybersecurity engineer at Honeywell who helps secure technologies and equipment for gas and oil critical infrastructure and a 2022 SC Media Women in IT Security honoree.
This is particularly relevant in a post-COVID-19 world, as they and others have noted that while more than 156,000 women lost their jobs during the pandemic (many of whom wound up exiting the workforce completely), men gained a net 16,000 more jobs. While many employers may view their work-flex policies in neutral terms, the reality is that for some it is a perk, while for others it is often the only chance they have to balance their career ambitions with the rest of their obligations.
“There will be a huge challenge for women — single mothers, especially — who are trying to get from here to there, and it can beat them down to try to continually find avenues that are available to other people and [their] situation is different,” said Cheryl Biswas, a founding board member and advisor to the Diana Foundation, one of a number of non-profit organizations that have sprung up over the years to support women in cybersecurity and tech. “For many of those people, it feels like help isn’t coming.”
Support networks and judgement-free learning
Access and connection to communities of women in the field are another crucial support structure. While more established women are making surprisingly strong progress breaking into higher-level executive positions within the industry, they still represent a fraction of the overall workforce, something that could indicate obstacles or bottlenecks earlier in their career paths.
Biswas said many young women navigate the industry in a perpetual state of unease, understanding they must develop and grow to advance but wary of saying the wrong thing and reluctant to learn through trial-and-error in public settings, because those errors are often what gets emphasized and remembered.
This is backed up by research, like the Logitech/Girls Who Code survey, which found that women report “higher rates of judgement, isolation, aggression and sexual harassment in the workplace.” Approximately 9 out of 10 women say they have experienced these behaviors in the workplace, and the most frequent sources are not clients or their personal environment but their own colleagues, coworkers and managers.
Mashirova is a decorated cybersecurity engineer who graduated with honors from the University of California Irvine on a presidential scholarship. She also works in Dubai and other parts of the world where women are often still judged by their ability to find husbands, start families and conform to traditional gender roles. She finds herself constantly having to combat initial perceptions from men that she is a diversity hire or underqualified.
“I always have to prove how good I am when I go to a new place. Usually where I work, 90% are men, so I always have to prove first how good I am, because right now we have bias” against women in cybersecurity, said Mashirova.
Groups like the Diana Initiative attempt to provide networks of knowledge, mentorship and learning outside of that dynamic. Biswas described it as “like sitting with your best friend at recess” where you feel free to ask questions in a setting where “you’re not made to feel awkward or ashamed in any way.”
“You never feel like, ‘Oh I can’t ask that because somebody’s going to think I’m stupid,’ or, ‘It’s going to make me look weak in the eyes of others,’” said Biswas. “I’m one of the older members of our community and I have a lot of experience — and many, very bad experiences, the kind of thing that we’re trying to overcome when we talk about the importance of having positive encouragement from early ages.”
Conferences are often one of the primary vehicles for newer cybersecurity professionals from across the world to meet, network, showcase their research, build relationships and find new opportunities. Conferences like Black Hat, DefCon, RSA and others have found themselves at the center of controversies in recent years that underscore the ongoing struggle to increase representation and root out the more toxic elements within the industry.
In 2019, RSA organizers were called out for booking men for 19 of their 20 keynote speaker slots. The one woman invited to speak was Monica Lewinsky, the one-time White House intern who has since become a noted anti-bullying activist.
Beyond the broader problem of “manels,” many of the most popular professional gatherings are still working to weed out darker and malicious behaviors. DefCon organizer Jeff Moss is currently facing a lawsuit from a longtime participant, Christopher Hadnagy, who was banned from the event following unspecified code of conduct allegations regarding harassment. In recent years, DefCon has made it a practice to publish reports around code of conduct violations in an effort to increase transparency.
But women still routinely complain that these conferences have become hotbeds for unwanted advances from men, or other unprofessional or sexist behavior. Mellen recalled one incident last year at BurbSecCon where a badge-making contest included a submission for a badge featuring an unclothed Barbie doll that squirted hand sanitizer out of her crotch “up to 15 feet.” That badge wound up winning the contest and getting retweeted by the conference Twitter account.
Alma Rinasz, a security and compliance engineer at Syndio, told SC Media that while her experiences vary depending on the event and venue, conferences continue to reflect both the best and worst aspects of the industry. She’s been able to secure job interview opportunities and other career-advancing moves through the connections she’s made; on the other hand, as someone who has served as a conference volunteer on more than one occasion, she said she struggles over whether to recommend it to other women.
“I would put a warning sticker on it say: 'Do it at your own risk.' Not to say that good things didn’t come out of it: I got to network and meet people, yes, but it exacted a really high toll on me because I saw a lot of bad behaviors,” she said.
Passion for the work and men standing up matter
That harder path often starts at an early age. For generations, culture has, for reasons that range from accidental to deliberate, communicated to young women that they are not supposed to be interested in computer science or other technical fields. While “young girls are exposed to STEM careers, they are not encouraged like their male counterparts to participate in such careers,” Katie Kline wrote in an article for the Institute for World Politics in 2019.
Such touchpoints often happen early in a woman’s life, obscuring their perceptions of both what is possible and what they are capable of. That, in turn, can prevent many women from finding their career niche or specialty that is key to becoming a permanent member of the field.
That’s a problem because women, like any other group, are more likely to stay in a career or field when they are passionate about their work and make an impact. Jordan Fischer, a security and compliance attorney with Octillo and a 2022 SC Media Women in IT Security honoree, told SC Media that moving past the fear.
“I think a lot of times, I like to speak to that fear and sort of try to encourage people to understand that they’re probably made of sterner stuff than they realize, they are more creative than they realize, they’re more tenacious than they realize,” said Fischer. “It’s when you find something you’re passionate about is when you’re going to be able to put in that extra hour, when you’re going to be able to push through that really hard day or that awful phone call that you just had, I think that’s really the key point to emphasize to people.”
There is of course an important role for men, who still tend to dominate the cybersecurity ranks, and often at the highest levels of power and influence. Having male colleagues or bosses who are willing to shield and deflect some of that heat is crucial, because women who do speak up about these issues are often tagged as difficult to work with.
“They’re new to the field, they’re trying to figure things out,” Rinasz said of younger women who fear speaking out. “They don’t want to be labeled as a troublemaker, the problem maker, the whistleblower, the person who complains, the person who calls out bad behavior, because as soon as that happens, you’re running the risk of being stigmatized.”
These gestures — sometimes large, sometimes small — can make a huge difference when it comes to making women feel like they are valued members of the community and worthy of the opportunities they must pursue in order to advance their careers.
Among others, Mellen cited Sam Curry, chief security officer at Cybereason where she previously worked, as a formative mentor early in her career. She recalled countless conversations where she would express unease with pursuing speaking opportunities, doing media interviews or engaging with her peers as an equal. The unbridled support and encouragement of Curry, a respected member of the community and her boss, was “transformational.”
“I was very nervous about it and [Sam] was the first person to tell me: ‘Allie you are an expert in this field and you need to own it and just go for it,’ and it was transformational for me to have someone believe in me like that,” said Mellen. “I think in this field you run into people who tell you you’re not cut out for it or that you need to pay your dues, or you need to do a certain thing in order to reach the level you want to reach, and then there are people like Sam who really take pride in teaching and supporting others.”
Curry told SC Media that he feels a special burden to help women and other groups who face unique struggles advancing in the field that are largely outside of their control.
“I mentor anyone who asks, provided I have the capacity; but I go out of my way to help women, minorities and the neurodiverse,” said Curry. “The reason is simple: we need more of them in cybersecurity and it's not fair that the path is harder for them.”
Others like Bryson Bort, founder and CEO of Scythe and Grimm, and Robert M. Lee, founder and CEO of Dragos, have also been cited by women interviewed by SC Media for regularly hiring women into high-profile roles and fostering environments where they can grow and develop in their careers. Other established men in the field have begun turning down conference speaking slots or panels that only feature other men or recommending unsung female colleagues take their spot instead.
The rising connectivity of the world, its growing reliance on software, and the mass exploitation of that digital landscape by foreign nations and criminals have imbued the cybersecurity worker shortage with fresh urgency for national security policymakers. As such, finding a way to recruit and retain more women in the field is viewed as a national security priority.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, where women make up around 36% of employees, has pushed to achieve parity between men and women by 2030. That’s above the current industry average, where the work often comes with great pay and the U.S. is currently dealing with a massive surplus of open cybersecurity jobs. Still, government, private industry and other sectors continue to struggle to achieve anything close to that kind of parity.
Within this context, Curry believes it’s “stupid” to simply continue the same practices and behaviors that have led to the status quo.
“Our field has opponents, and they have realized just how brilliant women can be. They know how they can think differently than men. And if we are going to beat them, we have to have as diverse an idea and innovation base as we can get. Not doing that is ... stupid,” said Curry. “Why wouldn't we avoid groupthink and narrow perspectives of any kind? Why wouldn't we seek to understand the opponent and have as many points-of-view and ways of thinking in the race to innovate and beat the attackers?”