Harassment has no place in the security industry. Neither do sexism or discrimination. But, there they are. It's time for infosec to just say no, reports Teri Robinson.
It's easy to point to the ubiquitous booth babes peddling products, services and, let's be honest, sex, or the illusion of sex, on the exhibit floor at any conference as evidence that the security industry, or a part of it anyway, sexualizes and objectifies women. Get rid of them and we'll fix what's wrong…Well, not quite.
Just like beauty, the hot-bodied, sometimes scantily clothed women prancing around booths represent something that is only skin deep. They're window dressing, if you will, for a deeper and murkier element of a culture where women are viewed as not as competent as men, lose promotions and miss opportunities based on gender, are held to a higher standard, and even forced out either directly or indirectly when they don't comply.
OUR EXPERTS: Gender equality
Joyce Brocaglia, president and CEO of Alta Associates; founder, the Executive Women's Forum
Leigh Honeywell, platform security engineer, Heroku
Mischel Kwon, president, Mischel Kwon and Associates
Gene Spafford, professor of computer science, Purdue University
“Booth babes are not my fight,” says Joyce Brocaglia, president and CEO of Alta Associates, an IT risk management, information security and privacy executive search firm, and founder of the Executive Women's Forum. Getting more women up on the podium is. “I'm upset that no women are keynoting or participating in panels. I spend time trying to put women up on stage,” says Brocaglia, who points out that, despite the great strides women have made in the security industry, they are still under-represented in the C-suite and among thought leaders at the industry's biggest gatherings (with the exception of this year's Hack in the Box, which featured an all-female lineup).
Not that the two are mutually exclusive. Brocaglia's mission to catapult women to the dais is made that much harder by prevailing attitudes that, if not condone, then turn a blind eye to routine harassment and discrimination and sees nothing wrong with objectifying women smack dab in the middle of the exhibit floor at a heavily attended business gathering.
It would be naïve to assume that the same brush that paints the whole of society – and is responsible for bouncy, jiggly women selling everything from beauty products to cars – would leave the security industry unmarked. But it is particularly disheartening to find gender stereotypes and discrimination being reinforced in a marketplace where practitioners are typically championed for their coding skills or abilities to solve thorny technical problems and where merit elicits admiration and praise. As Mischel Kwon, former deputy director of U.S.-CERT in the Department of Homeland Security and now the head of Mischel Kwon & Associates, says, what counts should be “not what's in your pants but what's in your brain.”
Whether you wear a skirt or Dockers, if you can crack the code, or write it, you're in, right? Once again, not quite.
That Leigh Honeywell (right), an accomplished and respected security pro now on the security team at Heroku and a tireless feminist, has to pause and consider which stories of discrimination or harassment that she can tell without raising the hackles of colleagues in the industry, or suffering blowback, is in and of itself telling.
It is also a prevailing sentiment among women in security, even the outspoken. “I don't want to get caught up in anything to do with this women in infosec bit,” writes security pro Georgia Weidman in a blog post that details her assault at the Confidence conference in Poland last year. “Everyone who does gets lambasted so badly at this point I'd rather avoid it entirely.”
Yet into the breach she goes, graphically describing the violent physical and sexually charged attack by a male conference attendee who had come to her hotel room to hang out, because “If I shut up and do nothing and later hear he did this to someone else, I will feel personally responsible,” she writes.
Nearly every woman in security and tech, or more likely any male-dominated market sector, can tell a personal tale or two – maybe not one quite so harrowing and violent as Weidman's – about harassment or finding herself in an uncomfortable or sexually infused situation with a colleague or business associate.
Take for instance, Julie Ann Horvath, a coder who's allegations of sexual harassment at coding site and tech darling GitHub, led to an investigation and the eventual resignation of its founder Tom Preston-Werner. The company executive was not the target of Horvath's allegations, which included being subjected to unwanted advances, but rather he couldn't plausibly deny the implication that his company condoned or was at least complicit in its inaction.