Gazing up at the dais at virtually any security conference – save Hack in the Box – a newcomer just might assume there are no women in the security industry. That's very nearly true – women make up only 11 percent of the personnel in this exploding field. But their numbers dwindle even lower at the podium.
“Statistics don't lie,” says Pam Kostka, vice president of marketing at Bluebox Security. “Whether you agree with all of [Facebook chief operating officer] Sheryl Sandberg's philosophies espoused in her best-selling book Lean In or not, women are still statistically under-represented in management across all industry sectors, including security. The climb has stalled out despite more women graduating with undergraduate degrees, especially engineering degrees.”
To kickstart the ascent, individual women and some mainstream organizations have set out to address the challenges, in part by developing venues that are more clearly defined as friendly toward and supportive of women. “Last fall, I attended what is, as far as I know, the only women-only security conference: the Executive Women's Forum, in Arizona,” says Leigh Honeywell (left), a security engineer based in San Francisco. “It was a powerful experience for me as I've been involved in the security community for 10 years – but few of the events I've attended in that time have had more than 10 percent women.”
During the three days of that conference, she met more women in her field than she had in her entire career so far. “Meeting that many women who were years ahead of me in my field – many of whom were CSOs – was a huge confidence booster for me,” she says. With that inspiration, she started the whysecurity meetup shortly after moving to the Bay Area. “I wanted to try to create an event that captured some of the less competitive, more collaborative energy of several of the spaces and communities I've been involved with outside the security conference circuit, namely the feminist hackerspace I started in Seattle and the one I'm now a member of in San Francisco,” says Honeywell, who's gained a well-deserved reputation as a community-builder.
She did that in part by setting a code of conduct and aiming to “defocus the event from drinking.” So far, both meetings have attracted attendees that are male and female, with slightly more of the latter, she says. “Some of that [response] is a function of my network, but I've heard from folks that the things I tried to address in creating it – elitism and sexism, specifically – are reasons that they've stayed away from security meetups and events in the past.”
Acknowledging that a segment of people in the industry will say, “Well, if they don't have a thick skin we don't want them to show up,” from Honeywell's viewpoint that simply means the security field is missing out on some amazing people who just don't want to put up with those kinds of attitudes.
“I know I've gotten pretty tired of them,” she adds. For now, people who are of a like mind are finding camaraderie at her meetup. “It's been lovely so far,” she says. “Snacks, tea and hacking. What more could you want?”
OUR EXPERTS: Empowering women
Jamesha Fisher, system administrator of DevOps, CloudPassage
Leigh Honeywell, security engineer
Pam Kostka, VP of marketing, Bluebox Security
Kristin Lovejoy, GM, Security Services Division, IBM
Vidhya Ranganathan, SVP of products, Accellion
Haiyan Song, VP of security markets, Splunk
Christy Wyatt, CEO, Good Technology
The Executive Women's Forum, which hosted the long-established event that Honeywell so enjoyed, got off the ground thanks to a similar impulse, according to Joyce Brocaglia, president and CEO of Alta Associates, a search firm in IT risk management, information security and privacy. As founder of the forum and for years used to being the only woman in the room, Brocaglia says as she saw more and more women gaining positions of influence, she decided to create a venue that would be a trusted and safe place for like-minded women to get together, share ideas and empower each other.
That was a dozen years ago. Today, the Executive Women's Forum has blossomed into an annual event that attracts more than 300 individuals – and it has spawned its own ecosystem, including Leadership Journey, a virtual leadership development program; regional meetings, many hosted by corporate sponsors; the “Cheer” networking dinners, also hosted locally; and an online community expected to launch in October, which is setting out to link about 1,000 women.
While the annual gathering and its spinoffs may be oriented toward women specifically, Brocaglia stresses the topics are universal: the Internet of Things, risk, IT security, for example. “Our conference has content as good as any event, but we purposely design it to be highly interactive,” says Brocaglia.
“As human beings, we always seek a common denominator with others who we want to interact with – people who shares an interest, a perspective on a problem, or even just a common upbringing,” says Bluebox's Kostka. Thus, she says, women-only events can provide an easier and more open networking environment for attendees to share their experiences, challenges and opportunities. As a practical matter, she notes, events for women can mean less time spent on seeking common ground and more time invested in meaningful conversations.
A seat at the table
Although there may not be any single antidote to the problem of women being so poorly represented in infosec leadership, a combination of factors can help them earn a spot at the managerial table at the highest levels, says Kostka. “I don't think any woman wants a hand-out, but to have a fair shot at the brass ring,” she says. In her view, that's why conferences and industry events that support women are an integral part of the strategy: They facilitate women finding female mentors that may not be available in their own company.
“All venues that encourage stronger open participation from young innovators are needed to demonstrate to young women that the path is clear for their contribution,” notes Christy Wyatt, CEO of Good Technology.
However, Vidhya Ranganathan, senior vice president of products at Accellion, a solutions provider that focuses on ensuring security and compliance, is somewhat dubious about the need for “special” events and venues. At her company, half the management is female and she says the demographics of the security industry are reflections of company cultures. “As more and more companies are starting to welcome varied and diverse viewpoints, the industry is steadily changing,” she explains.
That's borne out by industry stalwart IBM, which has made great strides in advancing women and whose general manager of its Security Services Division, Kristin Lovejoy (left), has voiced support for the value of women-oriented events. The recent Hack in the Box conference in Amsterdam, a stand-out for having a keynote lineup of all women, featured Lovejoy as an invited speaker. She admits the all-female lineup was a first and confesses to having “become absolutely androgynous” herself through years of work in a field in which women remain a small minority.
“Having said that, I do think women are inherently disposed toward being good risk managers because many traditional roles – caring for small children, for example – require a constant flow of decisions about actions or activities and their relative safety.”
A need for more role models
To be effective in security you must manage down and also manage up – which can mean putting aside ego and speaking in broad terms for an executive audience, she explains.
For women to succeed in the field in greater numbers, though, Lovejoy says it is critical for them to have more role models. In her own career, although she eventually majored in engineering, she says she did not initially credit high school aptitude tests that pointed her in that direction. And, she adds, that's where women-oriented events can play a role. “It has nothing to do with succeeding over men and everything to do with finding the place where you can contribute and make a difference.”
Jamesha Fisher, system administrator of DevOps at CloudPassage, agrees. “In the security industry, networking is incredibly important, whether you're learning about the latest exploit or understanding how to advance your career. Industry connections are invaluable.” However, she notes, it can be challenging to build connections when opportunities are absent because one doesn't fit the primary demographic at conferences.
“You don't necessarily need to have more women-only events to bring more women in,” says Fisher. “However, you can provide opportunities at events that are more welcoming for both men and women.” This can take the form of meet-ups – such as those Honeywell arranges – which provide a more informal atmosphere for making valuable connections within larger events.
Fisher says the real challenge for large events and the majority of informal events surrounding them, that are oriented toward a primarily male demographic, is to “change the tide” by creating smaller events geared toward all genders.
In the meantime, Brocaglia says it will remain critical for women to have opportunities to connect, learn and network in environments of their own. “People have told me our conference doesn't change the stress or frustrations of work, but it gives people stronger roots so they can no longer be toppled over,” she says.
Events geared toward women can help close the gender gap in technology and security, adds Haiyan Song (left), vice president of security markets at Splunk. “These conferences empower women by showing the success of their peers, while also inspiring others to become involved in the industry.”