
What’s sex got to do with it?

Harassment has no place in the security industry. Neither do sexism or discrimination. But, there they are. It's time for infosec to just say no, reports Teri Robinson

It's easy to point to the ubiquitous booth babes peddling products, services and, let's be honest, sex, or the illusion of sex, on the exhibit floor at any conference as evidence that the security industry, or a part of it anyway, sexualizes and objectifies women. Get rid of them and we'll fix what's wrong…Well, not quite. 

Just like beauty, the hot-bodied, sometimes scantily clothed women prancing around booths represent something that is only skin deep. They're window dressing, if you will, for a deeper and murkier element of a culture where women are viewed as not as competent as men, lose promotions and miss opportunities based on gender, are held to a higher standard, and even forced out either directly or indirectly when they don't comply.

OUR EXPERTS: Gender equality 

Joyce Brocaglia, president and CEO of Alta Associates; founder, the Executive Women's Forum 

Leigh Honeywell, platform security engineer, Heroku 

Mischel Kwon, president, Mischel Kwon and Associates 

Gene Spafford, professor of computer science, Purdue University

“Booth babes are not my fight,” says Joyce Brocaglia, president and CEO of Alta Associates, an IT risk management, information security and privacy executive search firm, and founder of the Executive Women's Forum. Getting more women up on the podium is. “I'm upset that no women are keynoting or participating in panels. I spend time trying to put women up on stage,” says Brocaglia, who points out that, despite the great strides women have made in the security industry, they are still under-represented in the C-suite and among thought leaders at the industry's biggest gatherings (with the exception of this year's Hack in the Box, which featured an all-female lineup). 

Not that the two are mutually exclusive. Brocaglia's mission to catapult women to the dais is made that much harder by prevailing attitudes that, if they do not condone, then turn a blind eye to routine harassment and discrimination and see nothing wrong with objectifying women smack dab in the middle of the exhibit floor at a heavily attended business gathering.

It would be naïve to assume that the same brush that paints the whole of society – and is responsible for bouncy, jiggly women selling everything from beauty products to cars – would leave the security industry unmarked. But it is particularly disheartening to find gender stereotypes and discrimination being reinforced in a marketplace where practitioners are typically championed for their coding skills or abilities to solve thorny technical problems and where merit elicits admiration and praise. As Mischel Kwon, former deputy director of U.S.-CERT in the Department of Homeland Security and now the head of Mischel Kwon & Associates, says, what counts should be “not what's in your pants but what's in your brain.”

Whether you wear a skirt or Dockers, if you can crack the code, or write it, you're in, right? Once again, not quite. 

That Leigh Honeywell, an accomplished and respected security pro now on the security team at Heroku and a tireless feminist, has to pause and consider which stories of discrimination or harassment that she can tell without raising the hackles of colleagues in the industry, or suffering blowback, is in and of itself telling.

It is also a prevailing sentiment among women in security, even the outspoken. “I don't want to get caught up in anything to do with this women in infosec bit,” writes security pro Georgia Weidman in a blog post that details her assault at the Confidence conference in Poland last year. “Everyone who does gets lambasted so badly at this point I'd rather avoid it entirely.”

Yet into the breach she goes, graphically describing the violent physical and sexually charged attack by a male conference attendee who had come to her hotel room to hang out, because “If I shut up and do nothing and later hear he did this to someone else, I will feel personally responsible,” she writes.

Nearly every woman in security and tech, or more likely any male-dominated market sector, can tell a personal tale or two – maybe not one quite so harrowing and violent as Weidman's –  about harassment or finding herself in an uncomfortable or sexually infused situation with a colleague or business associate. 

Take, for instance, Julie Ann Horvath, a coder whose allegations of sexual harassment at coding site and tech darling GitHub led to an investigation and the eventual resignation of its founder Tom Preston-Werner. The company executive was not the target of Horvath's allegations, which included being subjected to unwanted advances, but rather he couldn't plausibly deny the implication that his company condoned or was at least complicit in its inaction.

Blatant incidents, like the ones Weidman and Horvath endured, while both appalling and inexcusable, are in some ways much easier for women to combat because there are laws in place that protect workers from sexual harassment and discrimination of any kind – and provide a clear course of action and punishment guidelines for perpetrators.

As the U.S. Equal Employment Opportunity Commission (EEOC) points out, “It is unlawful to harass a person (an applicant or employee) because of that person's sex. Harassment can include ‘sexual harassment' or unwelcome sexual advances, requests for sexual favors, and other verbal or physical harassment of a sexual nature.”

Same sexism, different decade

Sexism and harassment are nothing new in tech and security. In the not-so-distant past, tech companies routinely took business associates on jaunts to strip clubs and hosted pool parties in an effort to network and close deals.

“What woman wants to put on a bathing suit and hang around with male colleagues,” asks Kwon, who says until she was in her 40s she only worked with one other woman.

A stripper party hosted concurrent with DefCon last year illustrates that not that much has changed. The atmosphere – thick with testosterone and the digital equivalent of wolf calls – has gotten so untenable for women at some conferences (we're looking at you, DefCon) that some attendees have started handing out ‘Creeper Move' cards in red, yellow and green, which resemble penalty and warning cards in rugby and, as Geek Feminism Wiki explains, are distributed to men at tech events “who are harassing others or otherwise being creepy.”

That's not to say that the whole of the tech industry has devolved into the full-on frat house mentality that a blogger using the handle ‘zen' recently accused DefCon founder Jeff Moss of fostering – or that women are alone in their unease.

The blogger questions just “why people – primarily men, of course, but not restricted to us – condone the overt and appalling sexism present in DefCon,” in a blog post in which he details why he won't be returning to the show, after being an attendee year after year. “The security field is so bereft of women and minorities already, it's difficult to even imagine why you'd either put together or go to such a hostile environment that only further discourages participation.”

He muses that some continue to participate in the conference – nearly as famous now for Animal House-like antics as the talented hacker mavericks in attendance – for fear of losing jobs and opportunities, though he acknowledges that “outright chauvinism and sexism” drives others.

Most likely, the real culprit here is a culture of sexism, indifference and insensitivity that has thrived, in part, because some men feel entitled, superior or, in many cases, insecure, and because there are simply too few women in the industry to widely counter existing sexism and discrimination. 

While “simple teasing” or “offhand comments” are not prohibited, the law does apply to harassment that is not sexual in nature and/or “creates a hostile or offensive work environment” or results in an “adverse employment decision,” such as when the victim gets fired or demoted, the EEOC says.

But it is the subtler forms of harassment and discrimination – or even a simple disregard for women  –  that are harder to prove. “Not getting a promotion because you're a woman or you got pregnant still happens,” says Kwon.

And these attitudes may end up doing the greatest damage because they slowly shape and codify a culture that devalues and disrespects women. It creates a slightly different atmosphere where women are treated differently, says Gene Spafford, a professor of computer science at Purdue University and an expert on security.

When accusations of impropriety arise, women are often slut-shamed and maligned for doing something to “deserve” the assault. Women who speak up are often seen as shrill, defensive and over-sensitive – and may find themselves ostracized and excluded.

Nuanced harassment and discrimination can undermine a woman's accomplishments and erode her confidence, leaving her struggling to find equal footing in the workplace. 

What she terms “micro-aggression” undermines one's sense of belonging, says Honeywell. “The background noise is hard to combat.”

A lot of struggle involves building self-confidence, says Kwon.

And in a broader sense, the constant (and even willful) marginalization of women reinforces and perpetuates stereotypes that women are somehow less than men. Blogger zen wrote recently that: “women and young girls who attend are treated like second class citizens – window dressing to look at (if young and pretty), but not be heard.”

That's common in the workplace as well where, Brocaglia notes, women are often derided as weak for showing a nurturing side. Or just the opposite. In her witty and insightful memoir, BossyPants, that recounts breaking into the male-dominated comedy writing industry, Tina Fey notes that take-charge women are often considered, well, bossy. Or worse. The same is true in the specter of information security. Show strength, act decisively, marshal confidence and the word “bitch” makes an appearance alarmingly often. Or, if not voiced, is barely concealed behind tight lips and veiled reference and innuendo.

“When you're aggressive and a hard worker, they have many ways to describe you,” says Kwon, noting that she has been referred to as “manlike” by colleagues.

The imbalance and inequity between the genders in the workplace has created a separate set of expectations and standards for women – more rigorous and subjective – than those that men must follow. “Women are under pressure to be right all the time,” says Spafford.

And, that's the biggest thing to overcome, adds Kwon. “Everyone is held to a higher standard. They want you to walk a very narrow path.” 

For instance, if a man takes a controversial risk and it doesn't work, he's allowed to move on. “But a woman is judged more harshly,” explains Spafford.

Which might explain, in part, why a 2014 study found that women in science and high-tech jobs are 45 percent more likely than their male peers to leave the industry within a year.

What to do, what to do…

But, women are not the only ones who suffer from the prevailing sexism. Booth babes, industry-condoned visits to strip clubs and the like, are insulting to men as well. “Imagine how your male colleagues feel if they think that companies believe this is the way to lure them in,” says Brocaglia. The research shows, she notes, that booth babes don't deliver what the companies that hire them hope they'll deliver – increased business.

The climate of discrimination, sexism and harassment also leaves men unsure of how to work with women. Those men who are tuned in and more aware of the issues may not treat women colleagues equally because they are afraid that they might be seen as behaving inappropriately, says Spafford.

And businesses, too, are negatively affected by both sexism and the stilted, self-conscious environment of over-compensation. “Having an environment where different people can equally contribute, leads to better, more creative results,” says Spafford. When women are involved, he notes, the “consensus is there are better results.” Those kinds of results – as well as creativity, collaboration and innovation – are much-needed to develop security products, services and strategies essential to fighting and thwarting security threats in the future. Security pros are already often one step behind – reactive, not proactive. Enlisting the talents and perspective of women might help them to get ahead of attackers and assume a proactive stance.

With everyone from large enterprises to government agents and law enforcement bemoaning a shortage of security workers, women represent a virtually untapped reservoir of talent and ideas that could fill the yawning gaps. It's long past time for the industry to focus on skills gaps, not thigh gaps. There just aren't enough people in the workforce who are qualified for some to be locked out, says Spafford. “They are losing out on an opportunity to staff projects.”

It has taken a long time for sexism and discrimination to brew into the toxic stew that exists today, so it makes sense that bias, innuendo and the more subtle aspects of inequality won't simply disappear from the workplace and the industry overnight. 

Still, in some ways it's so simple. Companies, security organizations and conference planners should take strong and immediate action to shut down and eliminate the dual criminalities of sexual harassment and assault from both the workplace and the industry. Some solid first steps would involve issuing strong and exacting policies that clarify codes of behavior – both in the office and offsite – and allow zero tolerance for such behavior, then standing behind women and meting out punishment to perpetrators. 

“I do wonder if all the companies which sign the expense checks to their conference-goers know what they're backing,” writes blogger zen.

Spafford suggests that companies shouldn't do business with organizations that continue to practice and reinforce sexism, discrimination and harassment. “We have the ability to make choices that reinforce behavior we want to see,” he says.

Key to reaching that point, though, is raising awareness of sexism and discrimination – and, of course, harassment. Agree with them or not, ‘Creeper Move' cards put men who are so inclined on notice that bad behavior will not be tolerated. They also illuminate the widespread existence of inappropriate behavior and show women that they are not alone.

A number of organizations, like the Ada Initiative, which Honeywell advises, are also committed to aggressively raising awareness and heightening sensitivity to bias and harassment. Feminist hacker sites and blogs, like Feminist Wiki, also lend support by offering safe and dynamic places for women in infosec to sharpen their coding skills, noodle out problems and solutions, as well as voice concerns and battle sexism and harassment. 

Get Help! 

Fighting the tide of sexism, discrimination and harassment alone can be overwhelming. Feminists and other supporters of women's effort to succeed in a field where they are clearly needed without being harassed, harangued or discriminated against continue to build communities to train, educate and protect women. Check out what the following sampling of organizations have to say about their individual missions. 

The Ada Initiative supports women in open technology and culture through activities such as producing codes of conduct and anti-harassment policies, advocating for gender diversity, teaching ally skills, and hosting conferences for women in open tech and culture.   

The core mission of the Executive Women's Forum is to attract, retain and advance women in the information security, IT risk management and privacy industries, through education, leadership development and the creation of trusted relationships. The EWF is committed to enabling women to achieve their professional goals and personal dreams.

The Geek Feminism blog exists to support, encourage, and discuss issues facing women in geek communities, including science and technology, gaming, SF fandom, and more.   

FemTechNet is an activated network of scholars, artists, and students who work on, with, and at the borders of technology, science and feminism in a variety of fields including STS, media and visual studies, art, women's, queer, and ethnic studies. 

But wholesale discrimination and sexism are likely to continue until more women populate the security industry. A 2013 study from the (ISC)2 found that only 10 percent of infosec pros are women. According to research from the Department of Professional Employees of the AFL-CIO, from 2003 to 2013 “women increased their density in professional and related occupations by 0.7 percent (from 56.4 to 57.1 percent), that's approximately 2.4 million new female professionals,” but “computer and mathematics occupations saw the largest decline of women's density, decreasing by 2.7 percent (from 28.8 to 26.1 percent) despite the addition of over 850,000 new computer and math jobs.”

Even in a modern tech company that boasts the likes of the high-powered Sheryl Sandberg among its ranks, women, as a recent inventory of the company's workforce shows, are simply not well-represented. By the numbers, 69 percent of Facebook employees are, in fact, white males.

Clearly, catching girls early and supporting, educating and mentoring them can turn the tide on those statistics. Many organizations are aimed at doing just that. Brocaglia's EWF, for instance, hones leadership skills through training programs and supports scholarship for young women pursuing academic degrees.

In addition, teaching girls from an early age how to articulate what they want and pursue it is key. In the book, The Curse of the Good Girl, by Rachel Simmons, head of the Girls Leadership Institute, girls are taught to deal more directly with each other as well as others. In a society where women have made great strides, women tend to deal with each other indirectly.

Women, too, must stand up, pursue what they want and insist on assuming their rightful places in the security industry. And, they must be more supportive of each other. Unfortunately, a quick perusal of comments about stories of improprieties and assault, such as Weidman's, shows that women can be some of the most vocal practitioners of slut-shaming.

In the GitHub case, for instance, it was Preston-Werner's wife, Theresa, who was accused of harassing Horvath after she complained that she was the target of unwanted sexual advances while working at the company.

Ultimately, though, success rests on teaching and enforcing a culture of respect, says Spafford.

In the meantime, the security industry must elevate the few women already among its ranks into the upper echelons of management and populate the podiums with them at conferences and high-profile industry gatherings.

Maybe the industry is not quite yet seeing the sea change that's needed to abolish sexism and discrimination. As Kwon notes, “just because a few of us are successful, doesn't make it all better.”

But women are making strides and feeling more confident. After more than a decade in infosec, Honeywell says she is “more confident in my place in the world.” And Brocaglia relates feedback from a female colleague involved with the EWF who recently told her, “I can't be toppled over as easily.”

Kwon says she's reached the point in her career where experience matters most. “People stop worrying about my gender and more about what I can do,” she says. “It's a pleasure to get to that.”

The rally for equality, a workplace and an industry free of discrimination and sexism should not be construed as a request for special treatment or an attempt to displace or marginalize men. As Sarah Moore Grimke so aptly said in Letters on the Equality of the Sexes, first published in 1837 in The New England Spectator, “I ask no favors for my sex…All I ask of my brethren is that they will take their feet from off our necks.”

If the Navy, once excoriated for creating a culture that gave rise to the infamous Tail Hook incident in the 1990s, can install its first four-star admiral, then there is hope yet that women will continue to ascend in the security industry, with not only the blessing but the support of their male colleagues.

And, where does that leave the booth babes? Hopefully, in the past, as tech companies begin to understand that the tactic doesn't improve sales, close deals or work…even with men.
