The sunniest estimates of how many women are in cybersecurity hover at around 20%. This is a news story for the other 80 percent.
As companies scramble to hire cybersecurity talent amidst historic and growing talent gaps, the most important part of a brand identity for women isn’t something that can be measured with a Google search or publicly available data. It is the reputation for how a company treats women shared in informal conversations. The thing that holds you accountable might not be visible.
That may come as a surprise for hiring managers and other executives who think the recruitment value of their brand comes from how public discussion of their companies on venues like press coverage and Twitter chatter. The more important dialogs happen in person, informally, in the bathrooms at conferences and over drinks at networking events. There may not be a Yelp for how companies treat women, but there is a grapevine.
“It honestly is becoming very similar to traditional consumerism behavior where, if one person has a bad experience, they'll tell, like on average, 10 to 15 people,” said Allie Hansen, a security professional who focuses on human behavior and social sciences relating to security. ”And honestly, probably more.”
There are no shortages of well-documented issues facing women in the workplace, ranging from issues of harassment to unequal access to promotion to office culture. One woman who spoke to SC Media for this story mentioned the office of all men she walked into that played a competitive game of throwing objects at each other’s groins. Another mentioned being stalked by a colleague at work. Industry-wide, cybersecurity firms are known to filter women from technical jobs to “soft skill” positions like sales. Issues range from the illegal to the uncomfortable, from a single problematic supervisor to an entire workplace.
None of these are new problems. But a culture of being quiet, appreciating just having a job, and tolerating bad practices by an employer for the sake of loyalty, has come and gone. Cybersecurity is a field with zero unemployment, structured to encourage multiple job changes over the course of a career. People can leave an employer and be in demand.
Meanwhile, women are more comfortable than ever acknowledging inequitable treatment is problematic. That is both generational — younger employees are not as set in old business norms — and based on a growing normalization of once-taboo discussions.
“It has been better since the Uber engineer Susan Fowler wrote a blog on just how miserable her experiences were at Uber. And that just started a huge discussion in Silicon Valley about how women are treated,” said Carlota Sage, a virtual CISO who also serves on the board of the women-in-cybersecurity-focused Diana Initiative.
Inclusivity has seeped very publicly into some aspects of security. Women have seen major conferences like Black Hat and RSA — mainstay communal events for the industry — called out and counterprogrammed for not including women speakers.
But discussing issues about employers in public and or in offices can still be problematic for women. More than one woman interviewed for the story felt like raising the issue of gender led to retaliation, or that publicly discussing problems on social media might brand them too controversial to hire.
So, many of these conversations happen in person and through networks of friends.
“I think that's why there's such a huge explosion of women in cybersecurity groups,” said Sage. “WiCys was a national conference and exploded all of a sudden in the last two years as regional and local meetups.“
It is not just women in cybersecurity groups, of course. Informal conversations happen anywhere women come together.
“I think some companies have developed a pretty negative reputation at this point,” said Jackie Singh, an industry veteran.
However, it’s not only about what companies are good or bad, but also individuals in leadership roles. Singh said job hunters asking around about the supervisors they would specifically work with was “standard procedure at this point.” More than one woman said they had worked for a company they liked while letting colleagues know they should not work for their supervisor.
While some conversations are warnings and advice, these aren’t just negative conversations. Several women interviewed for this story had recommended workplaces or supervisors to colleagues, or accepted a job because of the good things they had heard. It's a situation where, just by being a modern company acting out of enlightened self-interest, firms can advance their standing.
Other conversations are attempts to figure out if experiences are normal or being misconstrued.
“I've seen a lot of women sort of bounce experiences off of each other and go ‘I'm going to describe something to you, how does that resonate in your mind?’ just as a sanity check,” said Kelley Misata, founder of Sightline Security. “You really do rely on those, those networks, to be able to say, you know, ‘This seems weird,' or that it doesn’t.”
Over time, these kinds of conversations can lead to intergenerational wisdom, something industry veterans do not feel was available when they started.
“Women of my age and my generation are more comfortable saying to younger women: ‘This is what we had to deal with and hopefully you don't have to, but here are the kinds of things that you look for,'” said Sage.