When the late U.S. Supreme Court Justice Ruth Bader Ginsburg famously proclaimed, “Women belong in all places where decisions are being made,” she wasn’t speaking to the cybersecurity industry. But she could have been.
Leadership roles in cybersecurity are still hard to come by for women but the pay-off can be great – for the women and their employers.
“Multiple studies have shown that women-led companies perform better than those led by men, including in terms of stock price and employee engagement,” says Katie Nickels, director of intelligence at Red Canary. And, while the reasons for that are debatable, one theory holds that because women’s leadership styles differ from men, they get different results.
Click here for complete coverage of SC Media’s 2020 Women in IT Security
But can gender truly influence one’s approach to leadership? Nickels warns against “generalizing women's leadership styles.” And yet she and many other women cybersecurity leaders that spoke to SC Media agreed: the fact that women for years have struggled to be treated equitably has resulted in certain qualities that inspire higher performance from the workforce, high standards for themselves, and a pragmatism that's good for business and IT security.
And all of that is good for the bottom line. A survey from the Peterson Institute for International Economics showed that a profitable firm where women make up 30 percent of the leadership could expect to add more than one percentage point to its net margin, compared to a company with no women leaders at all. The researchers note that the typical profitable firm in its sample of 21,980 firms in 91 countries had a net profit margin of 6.4 percent -- so a one percentage point increase represents a 15 percent boost to profitability.
“Female leadership tends to encourage and attract diversity within the employee workforce, resulting in greater innovation and increased employee retention. And innovation is paramount to success for many tech organizations,” says Kristina Balaam, senior security intelligence engineer at Lookout.
But what about in cybersecurity?
Heather Paunet, senior vice president of product management at Untangle, contends the benefits of diversity within leadership is akin to the multi-layered security approach. Security teams have learned that a multifaceted strategy is best to safeguard data, assets and people using any network.
“In a similar way, when considering who to have on a leadership team, diversification will give a broader, more well-rounded approach to the leadership team,” she said. “Having mixed genders in leadership roles in security simply gives the right balance of perspectives. Just like any activity, or any type of group, the dynamic changes if there are only men, or if there are only women.”
Women are also seen as more empathetic, though not in what Lisa Plaggemier, chief strategy officer at MediaPro, calls “a squishy emotional sense.” Rather, “they’re good at seeing all sides of an issue – putting themselves in other people’s shoes. That can be good for relationships with customers as well as employees.”
That empathy also serves a rather valuable purpose for cybersecurity leaders. Mastercard Senior Vice President and Deputy CSO Alissa Abdullah, known as Dr. Jay, points to the tactics used in many cyberattacks, where “the adversary knows how to tug on our heartstrings” – socially engineering targets to gain access to systems and assets.
“Women, because we are nurturers, really know how those heartstrings work, and those key things that can make someone respond and not respond,” she explains. They are tools that Dr. Jay has found “super helpful” as a CISO, “trying to educate the culture – not just the Mastercard culture, but the culture in general – [about] spear-phishing attacks and what you should look for.”
Women at the top
Whether its drive, empathy, diverse thinking, a willingness to collaborate or a winning combination of those traits, women in cybersecurity leadership roles have been making their mark. Spotlighting a few is a useful exercise for understanding how far they’ve come, and what’s possible.
Then there’s The Santa Fe Group’s CEO, Catherine Allen, who founded, built and chairs Shared Assessments, creating a membership ecosystem of cross-industry organizations to tackle third-party risk. Women, Allen has said, “are naturals for the emerging cybersecurity leadership positions, because of their ability to look at risk in a more holistic fashion, their concern about broader sets of stakeholders rather than shareholders, their natural tendency to work collegially in problem solving, and their ability to communicate.”
Or Quiessence Phillips, the deputy CISO for the City of New York at NYC Cyber Command, who helped build an infrastructure meant to make New York City a gold standard of resilience. She also helped the cybersecurity team switch over to work from home, without a degradation in security, during the pandemic. “She manages multiple teams for New York City Cyber Command and has received multiple awards for her leadership in tech, as well as through her non-profit efforts,” says Nickels.
Chenxi Wang, the founder and general partner of Rain Capital, points to Haiyan Song, general manager of security markets at Splunk, and a former SC Media Women in IT Security honoree, who “joined Splunk when they had virtually no security business.” Now, Wang says, “her department - Splunk Security - is a billion-dollar business.”
And then there’s Galina Antova, co-founder of Claroty, who Wang said helped the company raise nearly $100 million, and who was instrumental in “the company's meteoric growth.” Antova is also behind the All Raise platform that helps women entrepreneurs secure funding.
More broadly speaking, look no further than the lineup of female speakers at a number of high-profile events in recent years. Hack at the Harbor, Messdaghi said, provides “a small slice of just how accomplished these cybersecurity professionals are, how far reaching their expertise and vision.”
Make some noise
Of course, once women land in leadership roles, their interactions with others matter. And some of the misogynistic treatment often persists.
“There are a lot of times we will enter a room and open our mouths and say something powerful and still not get the recognition that we so deserve,” says Dr. Jay. “In previous organizations I have been in meetings when I have given instructions, given an idea, said this is what I think we should do. A male peer would say the same thing and it was as if this was a new thought.”
“There are a lot of times we will enter a room and open our mouths and say something powerful and still not get the recognition that we so deserve.”Mastercard Deputy CSO Alissa "Dr. Jay" Abdullah
While some have expressed gratitude that men intervened so their views could be heard, women in cybersecurity would do well to heed the words of the late civil rights icon John Lewis to “make some noise” for themselves.
“I’m not a quiet person. I’m an aggressive leader and an aggressive woman,” says Dr. Jay, who believes women have had to work harder to make the same gains as their male counterparts. “I, a lot of times, don’t wait for the recognition. I don’t wait for the promotion. I don’t wait to be invited to the table.”
Rather, she got more education and more training, to ensure nobody could question her right to be at that table. According to the ISC(2) study, women proportionally earn more degrees and certifications than men. Women also place more value than men (28 percent versus 20 percent) on cybersecurity or related college graduate degrees. On average, women also earn more cybersecurity certifications.
Noting that her “path has been very, very specific” and she knew would bring certain obstacles, Dr. Jay says, “I intentionally got my PhD, I intentionally put myself in some positions [for growth]. I got my PhD to compete and to be in those competitive circles.”
And once there, she spoke up. “I am going to be sure it’s not just a check in the box,” she said.
Are we there yet?
Seeing successful women hold down and excel in top security spots, often with flare, can imply the industry finally has found balance and equality, but that’s far from true.
“Women have been playing key roles in cybersecurity dating back to the 1930s,” notes Farah Gamboa, director of technical product management, at Stealthbits Technologies. She pointed to the ‘code girls’ who were pivotal in cracking enemy codes and working out military logistics during World War II. But those early beginnings haven’t translated into leadership positions at the same rate as male counterparts.
For every modern-day pioneer, as Gamboa calls Ann Cavoukian, who has been lauded “as one of the world's leading privacy experts and the brains behind the Privacy by Design framework,” there are thousands of women whose profiles remain much lower.
Men outnumber women “by three to one,” she says. “This can be blamed on the societal views that dictate these types of jobs are better suited for men, or due to the impression that only technical skills matter.”
But there’s evidence that is changing. Women, for all their strides, do make up only 24 percent of the cybersecurity workforce globally, according to a study by ISC(2) cybersecurity workforce report. But that’s progress from the 11 percent often cited in years past.
And compared to men, the study found a higher percentage of women cybersecurity professionals are reaching positions such as chief technology officer (seven percent of women versus two percent of men), vice president of IT (nine percent versus five percent), IT director (18 percent versus 14 percent) and C-level/executive (28 percent versus 19 percent). The study’s authors say those “figures show that women are forging a path to management.”
But there’s still a long way to go – with some formidable and persistent obstacles to overcome, among them, the notion that men are better suited than women for STEM.
“Now, while it may only be perception that STEM is for men, the line between perception and reality is easily blurred when you are the only woman in the room among a team of men,” says Gamboa. “It is extremely important to break that perception and forge a new reality by making a concerted effort to keep diversity in mind through the hiring process, and for women themselves to not feel intimidated or fearful of breaking down these barriers.”
Unbelievably, women continue to fight bias in the workplace.
“The crux of the challenge pertaining to women not being in more leadership roles has to do with pervasive unconscious bias, specifically when women have to give negative feedback on subjects like organizational performance or strategy,” says Samantha Madrid, vice president of security business and strategy at Juniper Networks. She points to studies that showed both men and women unconsciously react more negatively toward a woman versus a man when they receive negative feedback.
“The higher you go in an organization, the more challenging this becomes with the lack of women,” says Madrid. “This is why the security industry needs more women in leadership roles” – to break the cycle. And it’s why women need to recognize they’re qualified and they’re worthy.
In the words of Dr. Jay: “I decided I’m going to be the leader I wanted to be. I invite people to my table."