Women, cybersecurity and power.

For decades this combination has made for a rare brew. Whether through overt sexism or misogyny, structural and societal norms that traditionally pushed many women away from pursuing careers in STEM, or a rockier and more treacherous path up the career ladder, it’s only relatively recently that female information security leaders have become a more common sight in corporate boardrooms, the investment arena and in the halls of government and policy.

The status quo is still far from where it should be, but today young women who aspire to not just be in the cybersecurity field but ascend to its highest positions have many more examples and role models to point to and learn from as they plot their path to leadership.

On crashing the corporate boardroom

Research has shown that even women who are laser-focused on their own careers and interested in pursuing leadership positions often stumble relative to their male counterparts. A 2014 study examining the attitudes of Harvard Business School graduates found that nearly identical percentages of women and men expressed the same career goals, desires to advance into leadership and expectations for work and family balance.

The reality often played out differently. The male graduates were “significantly more likely than women to have direct reports, profit-and-loss responsibility, and positions in senior management.” While more men than women expected their careers to take precedence in their family, the actual results were even more lopsided. It speaks to the implicit and structural biases that often prevent women from pursuing the same opportunities as their male counterparts.

“Close to three-quarters of Gen X and Baby Boom men reported that their careers had indeed taken precedence — more than had originally expected this arrangement. Meanwhile, many women’s expectations for career equality were disappointed,” the study’s authors note.

Click here for full coverage of the SC Media 2021 Women in IT Security

Rinki Sethi was hired as Twitter’s chief information security officer in September of last year, just over two months after a hacker had successfully spearphished the company’s IT department, gotten hold of administrative access to the platform and taken over the accounts of its most high-profile users — from Barack Obama and Joe Biden to Elon Musk, Bill Gates and Kanye West — in service of what turned out to be an amateur cryptocurrency scam masterminded by teenagers.

It was an embarrassing episode, one that struck directly at the sense of trust between Twitter and its users and revealed the need for the social media giant to rethink how it approached and resourced its security operations. Sethi’s hire was one signal of that desire, and some might have felt the pressure that comes with leading security at one of the most popular (and targeted) tech companies in the world.

In fact, in an interview with SC Media, Sethi said she was grateful to have started her tenure in the wake of last year’s hack. She was new, coming on board in the midst of a global pandemic that prevented her from even meeting other members of her team, and was expected to push through big changes to the company’s security culture.

The hack had galvanized not just the security personnel but the entire executive leadership team, creating a heightened focus in the company on “wanting to do the right thing.” Concepts like zero trust that are sometimes vague or viewed as box-checking exercises became essential frameworks to prevent another breach, while employees expressed eagerness to move faster on improvements to access management and other areas.

“The investments have been made in the security team to be able to scale security across the board, which was not the case prior to that,” Sethi said.

Today, Sethi occupies one of the most prominent security jobs in tech and is part of a small but growing minority cohort of female CISOs in an environment where just 85 of today’s Fortune 500 companies employ a woman as their top security official. She also sits on the board of other security companies like ForgeRock and serves as adviser to cybersecurity investment firms like YL Ventures.

Today at Twitter, she said her biggest leadership challenges have been less about dynamics related to her gender and more about figuring out how to best direct a team of employees she has mostly never met and drive security initiatives in a remote environment due to the pandemic.

While many CISOs cite relationship building as one of their key tools of influence, Sethi said it goes beyond that. Good relationships with staff and other executives can only be established with trust, and while soft skills are great, that trust is often earned through cold, hard facts and figures.

“What I’ve seen is the tool that enables influence and power is data. You have to bring the right data to the discussion and that varies from company to company,” she said. “Having to show how we are contributing to the top line, what actually resources the security team in the right way to go, then drive down risks.”

Like some other veterans of the business world, she expressed the view that while there are more opportunities for women to advance to leadership positions in security today, it hasn’t always been easy getting here.

Sethi had grown up in a family where she, her sister and brother were treated more or less equally, and early in her adult life had determined she would put her own career interests on the same footing as those of her spouse. However, like a lot of women, her desires and career goals sometimes ran smack into some unpleasant realities.

At a previous job, she was discreetly advised by another female colleague to dress more formally if she wanted a promotion. This confused her because from a pure performance perspective, she was told she had exceeded expectations. Further, she recalled her attire being no different from that of her male colleagues.

“It was frustrating that this is what’s holding me back, because I’m wearing jeans that are too tight and because I need to be — the feedback was to dress ‘less sexy,’” she said. “And I would dress exactly like a male counterpart, which is wearing jeans and wearing your top and it was a professional attire, but I worked in a legal department at the time that was really conservative, and women were judged in how they dressed and that was considered part of executive presence.”

She wound up changing her fashion and attire, but it made her feel inauthentic, and she said she wouldn’t make that same decision again today.

“I think I’m very imperfect and there’s things that I want to change. I seek feedback and want to be better all the time … but I don’t want to change the way I dress and things that I feel comfortable in for a role, and now I’m in a position where I feel like I can say, ‘Sorry, not gonna do that.’”

On politics and turning the wheels of policy

Like other sectors, politics is still a heavily male-dominated world. Women occupy less than 27% of the 535 seats in the U.S. Congress. Earlier this year, a United Nations entity dedicated to gender equality found that while the number of countries with women as head of state or government had reached an all-time high of 22 this year, the number of governments with no women in government increased and there have been only “sluggish” gains in the global growth of women legislators.

Hala Ayala knows something about breaking glass ceilings in the political arena. She was, as far as she knows, the first Black and Latina woman to be elected to the Virginia House of Delegates in 2017. She’s currently running for lieutenant governor on the Democratic ticket in a state that has never elected a female in its top two leadership spots.

She’s also one of the few politicians running for statewide or national office who has made cybersecurity a key pillar of her campaign and biography. Ayala spent nearly two decades as a civilian cybersecurity specialist for the U.S. Coast Guard and is running in a state with nearly as many open cybersecurity jobs as Texas, despite having less than a third of the population.

While she still emphasizes jobs, health care and other traditional kitchen-table issues in her stump, she also believes she is one of a select few candidates who are uniquely positioned to speak to the growing importance of digital security in the policy arena.

“A lot of cyber and technology and military members and teachers and technologists are under that umbrella of cybersecurity,” she told SC Media in an interview. “So it was [partly] speaking to my community that, ‘Hey, I am one of you. I have a clearance, I’ve been vetted, I’ve been trusted with classified information … because they understand the work that I do, how important it is to our country.”

There are other bright spots. A number of those interviewed by SC Media pointed to the federal government, where two women — Deputy National Security Advisor Anne Neuberger and CISA Director Jen Easterly — occupy two of the most powerful cybersecurity positions in government. Neuberger helps run cybersecurity policy out of the National Security Council, while Easterly leads the preeminent civilian cybersecurity agency in the federal government and its primary coordinator with the private sector. Other women, like Val Cofield, help lead the cybersecurity division at the FBI.

Additionally, one of the most significant vehicles for cybersecurity-focused legislation in recent memory, the Cyberspace Solarium Commission, was powered in part by women commissioners like Suzanne Spaulding and Samantha Ravich as well as senior staff like Erica Lonergan, Tatyana Bolton and Laura Bate.

For younger women, these female leaders and their experiences can offer a blueprint for how to navigate and advance through the cybersecurity policy landscape. One piece of advice many emphasized is the importance of understanding, but not being intimidated by, the technical aspects of the job. There is a deep need for outside perspectives and for connecting digital security to larger issues in society.

“I used to have this woman who worked for me, and we would have these conversations about a problem we’re trying to solve and it would be a bunch of very technical folks [in the room] and she would always say, ‘I’m not technical, but,’ and then she would ask this brilliant question that none of the technical people had thought to ask and, in fact, couldn’t answer,” said Jeanette Manfra, director of security and compliance at Google and a former assistant director at CISA, earlier this year.

As a Virginia state delegate, Ayala has sponsored a raft of cybersecurity-related bills. One would create a Cybersecurity Advisory Council to assist the CIO of VITA in developing policies, standards and guidelines for assessing security risk, and to investigate data breaches for other agencies and the legislative and judiciary branches. Another would compel businesses to delete or dispose of customer records and force a higher security baseline for their connected devices. Another sought to expand disclosure and search warrant requirements when law enforcement agencies seek to obtain location data in investigations.

As in most states, the lieutenant governor position in Virginia is largely ceremonial, though Ayala notes that past lieutenant governors have broken dozens of ties in the state legislature. It would also give her a heightened platform within the state government and Virginia Democratic Party to advocate for a range of related policies, from developing and pushing cybersecurity grants to small businesses, to standardizing security policies and guidance across government and coordinating state and private initiatives.

“It has been a proud opportunity because my trajectory was not traditional and the voice that I’ll bring to the spaces of power … or this leadership role that I’m going to take on will hopefully inspire others to take a greater look at cybersecurity,” she said.

On investment and innovation

Despite a healthy pipeline of female talent and record amounts of money flowing into cybersecurity from Silicon Valley and other tech hubs this year, the overwhelming majority of funding dollars still flow to startups with all-male founding teams. Despite hundreds of female-founded cybersecurity startups, virtually all of the companies pitched to SC Media over the past year for stories about their lucrative funding rounds were founded and run exclusively by men.

This is not a new problem in tech investment, and it transcends cybersecurity. Like in Hollywood when a female-led movie bombs at the box office, a single bad or high-profile experience with a woman founder can reverberate throughout the startup industry, as Silicon Valley investors seek to avoid repeating their mistakes in sometimes ludicrous and unfair ways.

That’s what happened for women founders in the medical startup space, who to this day are constantly compared with disgraced Theranos founder Elizabeth Holmes when trying to secure funding for their companies. Despite some rather obvious signs from the beginning that investors didn’t do their due diligence around the actual product (Theranos and its founder could never explain how their blood testing technology actually worked) the lesson that they appear to have taken away from the experience is “beware medical startups run by blonde women.”

Ellen Pao, an investor and chief executive of Project Include, a nonprofit that advocates for diversity and inclusion in the tech sector, argued that while Holmes should face consequences, Silicon Valley investors are often far more willing to scrutinize female tech executives for their misdeeds compared with their male counterparts.

“In an industry where women founders receive only 11 percent of the seed through early stage funding and 64 percent of venture capital firms in the U.S. do not have any female partners, we should not be surprised,” wrote Pao in a New York Times op-ed this month. “When you consider intersectional data, the bias is even more damning: Venture capitalists only gave a paltry 0.34 percent of funding within the United States to Black women founders in the first six months of this year. Sexism in tech is real and alive.”

The dearth of female founders in the startup space is particularly relevant, because a successful company can often be a springboard into executive leadership roles at larger companies, investment and other positions that are better positioned to address female representation.

Cybersecurity investor Niloofar Razi Howe helps steer tens of millions of dollars to later-stage cybersecurity startups and public companies like Open Raven and Finite State, and sits on the boards of companies like Morgan Stanley, Recorded Future, Tamer and SwimLane. She also hosts the Female Founders program, which brings hundreds of women in the cybersecurity community together every year to foster their entrepreneurial instincts and provide guidance along the way.

She told SC Media that the problems are twofold. First, while there are healthy pipelines for women in other parts of the field, that’s far less true when it comes to founding startups. Second, many investors in Silicon Valley may express sincere desire to increase the amount of money flowing to female-led startups, but few, if any, are willing to actually punish companies or pass on a promising investment opportunity because of a lack of representation on the founding or executive team.

Still, she called the status quo “shameful” and “embarrassing” for the industry.

“It will require stretching, but honestly, it’s not that hard,” said Howe. “This is sort of my point: there’s a lot of amazing women out there, there’s a lot of amazing people of color who bring very unique skillsets to the table and you might have to work a little bit harder to find them because they may not be in your immediate circle of friends and colleagues who you work with, but they’re out there and everyone should be making an effort to find them and to include them on their teams.”

Howe said the industry will need a “sea change” to move the needle. If investors in Silicon Valley and other places are unable to find ways to foster and fund more women and minority-owned companies, their hand could be forced by pressuring the pension funds and endowments that in turn fund investors to press for concrete requirements around diversity and inclusion.

“If it doesn’t start there, then the funds will make excuses all day long to invest in the best companies they can regardless of what the makeup of the founding team is,” she said. “What you’re seeing is that the industry is not going to do it without a forcing mechanism.”