Women. They're everywhere. Waves of women, marching on Washington, New York, L.A., in communities across the country. On the cover of Time magazine. As far as the eye can see, a sea of pink hats, an ocean of assertiveness, goodwill and promise. The Year of the Woman. #MeToo. At the ballot box where they're running for office in record numbers. In the cybersecurity industry, where they're taking a much-deserved seat at the table.
There's no doubt that the women's movement, however you define it, has had a positive effect on the plight of women in security. “The landscape is changing and the most important thing is now it's a conversation, women can now say that's inappropriate,” says Circadence Vice President of Global Partnerships and Security Evangelist Keenan Skelly, who as a former U.S. Army explosive ordnance disposal technician is no stranger to working in male-dominated environments.
That's in accordance with what Kathie Miley, COO at Cybrary, has observed while gathering data for a study on women in cybersecurity. “It's out in the open where people feel more comfortable talking about it,” she says.
Inspired by #MeToo, which saw powerful men in Congress and Hollywood forced out of their positions for harassment and even assault, the women in the national security community wrote an open letter to government and their peers. “We, too, are survivors of sexual harassment, assault, and abuse or know others who are. This is not just a problem in Hollywood, Silicon Valley, newsrooms or Congress. It is everywhere,” the letter reads. “These abuses are born of imbalances of power and environments that permit such practices while silencing and shaming their survivors.”
But if the upsurge in women-oriented initiatives and empowerment has dragged abuses and sensitive topics into the sunlight and emboldened women, it has spawned a backlash as well, sometimes blatant, sometimes more subtle. Take for instance the trio of black teen girls – the only female, black team in NASA's national high school STEM competition – who made it to the finals only to be the subject of racial slurs and a hack-the-vote effort by members of 4chan's politically incorrect board. While the three eleventh graders gleefully took to social media to tout their success – “Hidden figures in the making,” one tweeted – the seamier members of 4chan were trying mightily to skew the results against them, prompting NASA to shut down voting. Some members of the public, NASA noted in its statement, took to social media “to attack a particular student team based on their race and encourage others to disrupt the contest and manipulate the vote.”
That kind of venomous behavior comes as no surprise to Miley who faced intense – and swift – vitriol after putting out a call for responses to her company's survey on women in security. “I got death threats,” she says, noting that some male responders accused her and her company – simply because they were conducting research on women – of bias against men.
But the backlash isn't always so obvious and extreme. The push to bring women to the forefront, not only to expose inappropriate behavior and harassment (remember the penalty cards that some women handed out at cybersecurity conferences like DefCon a few years back?) but simply to advance women and highlight opportunities, has left many men tentative and even confused about where they fit in and how to behave with their female counterparts.
“Both backlash and positive movement,” says Maggie Louie, co-founder and CEO of DEV/CON DETECT, when asked about the social and industry efforts afoot, noting there is “less acceptance for inappropriate comments and touching” but they've “also added a layer of awkwardness around innocent compliments” and interpersonal relationships.
“On the guys' side, there's definitely a lot of timidity,” says Skelly. “A lot of guys are checking with me to see what's appropriate.”
On the women's side, some of the negatives are even more life-changing. Of those women surveyed, Miley says, “50.12 percent have ZERO children,” a trend that she finds “interesting” and attributable in part to the unspoken doubts that employers might have about a woman's dedication to a job or ability to perform her duties while balancing home and work demands. Miley's findings seem to track with other studies of the broader U.S. population. The Centers for Disease Control and Prevention (CDC) data shows a declining birthrate with a fertility rate that dropped 3.8 percent to 1.77-lifetime births per woman in the year ending September 2017 – with deep implications going forward, considering the replacement rate to sustain the population at about 2.1 births per woman.
One theory of what's partially behind the decline – young women are foregoing children in favor of their careers.
Nevertheless, she persisted
Despite the obstacles they've faced (in some cases, maybe because of them – adversity can be a great motivator) women continue to distinguish themselves. Like Sen. Elizabeth Warren, D-Mass., who was famously told to sit down and zip it on the Senate floor by Majority Leader Sen. Mitch McConnell, R-Ky., strong women in the cybersecurity field have stood their ground and thrived, as SC's annual Women in Security issue shows – women like Skelly and Louie and Oracle's CSO Mary Ann Davidson – have dug in, planted themselves and blossomed. A vibrant garden, more than a wave, perhaps.
“Certainly, there are times I've looked around and it is stark that I'm the only woman in the room. But the people I've worked with and this community, in general, have been very supportive and being a woman has not felt like a barrier,” says Cheryl Davis, managing director at FTI Technology.
Many women have found success in the less technical side of the field – in privacy, for one, where male bias roundly didn't exist and women had wide open spaces to expand their talents and their careers.
Indeed, a couple of years ago, when SC interviewed Kathy Fithen, then the chief privacy officer at Coca-Cola, she was quick to say that her gender never stood in the way of her ascension at Coke, where she started building out a forensic program that she had helped create while consulting at PwC. She followed the program to the IT department and it eventually landed in corporate security.
Likewise, attorney Patrice Ettinger told SC that when made her move to privacy in the 1990s “there was open space there, people had not filled in positions, there were no preconceived notions or role models” or ideas that success belonged to men. “I think it happened organically, we informally became a network of women who were mentors and prompters to encourage young women,” says the Pfizer CPO.
But while Davis says she “would love to be working beside more women” and is “encouraged by the fact that an increasing number of young women are showing an interest in joining this field,” the number of women in cybersecurity still holds steady at 11 percent – and they are still relative newbies compared to their male counterparts.
Cybrary's study found that 48.07 percent of respondents “have three years or less experience in cyber,” says Miley, “which of course effectively eliminates them from most of the job requirements from employers.” Those job descriptions typically ask for 5-7 years experiencing, inadvertently skewing the pool of qualified applicants toward men. What's more, 78.05 percent say their direct manager is a man.
Those are points underscored in the open letter from women in the intelligence community. “In our field, women comprise a small fraction of the senior leadership roles — 30 percent or fewer in most federal agencies,” they wrote, noting that “pipeline is not the central problem” in their community.
“Talented women enter most of our agencies in equal numbers as their male counterparts, though this is less true of the armed forces,” the women said. “At the State Department, female foreign service officers enter at equal rates to their male colleagues. Yet, with each subsequent promotion, the numbers of foreign servicewomen decline, especially at senior levels.”
Even though women now make up 15 percent of active duty military, those “in senior ranks are being promoted far less frequently than their peers, the women said. “Many women are held back or driven from this field by men who use their power to assault at one end of the spectrum and perpetuate – sometimes unconsciously – environments that silence, demean, belittle or neglect women at the other.”
Women are often missing from the dais, despite the best intentions of organizers. The RSA Conference sparked outrage for initially announcing a 2018 lineup that included only one female keynote speaker – anti-bullying activist Monica Lewinsky – and for claims that it simply couldn't find women interested in a keynote slot.
The outrage spawned an alternate conference - Our Security Advocates (OURSA) Conference - held simultaneously with RSA in San Francisco. “The reality is, if you really want to put together this type of a conference, you can. It may mean that you have to raise your hand and ask for help or reach out to people who aren't in your social circles. But you can do it,” Uber Head of Security Privacy Communications and OURSA coordinator Melanie Ensign told USA Today, of the conference she and others put together in five days.
“We applaud the efforts of OURSA for putting this event together, and bringing attention to the need for diversity in information security,” Sandra Toms, vice president and curator of the RSA Conference, said in response.
RSA previously had taken steps to remove some of the most obvious signs of sexism and bias from the conference – nixing “booth babes” and creating a code of conduct after the 2013 show – and creating the popular women in security track.
“All Expo staff are expected to dress in business and/or business casual attire,” the language read. “Exhibitors should ensure that the attire of all staff they deploy at their booth (whether the exhibitor's direct employees or their contractors) be considered appropriate in a professional environment. Attire of an overly revealing or suggestive nature is not permitted.”
The policy provided examples of inappropriate attire, including “tops displaying excessive cleavage; tank tops, halter tops, camisole tops or tube tops; miniskirts or minidresses; shorts; Lycra (or other Second-Skin) bodysuits; and objectionable or offensive costumes.
Toms spoke to SC Media at that time about some of the challenges conferences face when trying to bring women to the dais. Who stands on the stage at the conference is largely up to the companies participating in those sessions or keynotes. “Where we can, we effect it,” she said then, noting the conference “goes for the best content,” whether the presenters are men or women. “But a lot of companies appropriately put their top executives in there.”
Where do we go from here?
“Diversity – gender, ethnic and racial – is critical to cybersecurity. It is going to take many unique perspectives and insights from various walks of life to address our cybersecurity challenges,” says Davis. “Women and other groups that are underrepresented in the field bring fresh mindsets that provide new approaches and ways to solve the problems.”
Maybe the inspiration and answers can be found in the wisdom of civil rights leaders. At a recent talk at BookCon 2018 in New York, Rep. John Lewis, himself no stranger to marches and demonstrations and speaking out for equality, said: “after you march, you run.” For women in the cybersecurity industry, run means translating the goodwill, the political capital and lessons learned into influence and power in all facets of the industry – from the pen testing to the C-Suite to the boardroom to the dais to Capitol Hill.
First and foremost companies must continue to strive to establish workplace cultures that have zero tolerance for harassment and bias – and are more welcoming to young working women and men who are trying to balance work and home life. Generous family leave, flexible work schedules including work from home options, a process for reporting and handling – with impunity – issues that might arise. Organizations need to learn how to present the merits of a cybersecurity career.
“We have a messaging problem,” says Skelly, recounting how disappointed she was when a brilliant young female coder she worked with during the Air Force Association's Cyber Patriot program didn't want to pursue a cybersecurity career, fearing it wasn't “appropriate” for her. “We need to stop the myth of a cyber guy with a Mountain Dew and a hoodie. Cyber is everything and everywhere.”
Harassment must be dealt with harshly, too. A recent report from the International Information System Security Certification Consortium or (ISC)², the Center for Cyber Safety and Education, and the Executive Women's Forum (EWF) found that more than half of the women in this industry reported facing discrimination of some kind during their careers.
Ridding the workplace of that kind of discrimination and bias takes deliberate effort to make employees aware of unconscious bias and trying to remove it from the hiring/recruitment process, as Panaseer has strived to do using artificial intelligence (See “Starting with diversity and inclusion,” page 44).
In their open letter, the security community women suggested that government agencies and organizations:
• Make clear through leadership from the very top that these behaviors are unacceptable;
• Create multiple, clear, private channels to report abuse without fear of retribution;
• Put in place external, independent mechanisms to collect data on claims and publish them anonymously;
• Mandate regular training for all employees.
• Hold mandatory exit interviews for all women leaving federal service;
• Address the serious gender imbalances in senior leadership positions because male-dominated teams have been found to be more prone to abuses and more diverse teams are consistently linked to better outcomes.
To that last point, just like with the Women's March and the #MeToo and #MarchforOurLives, raising the profile and solidifying the power of women in cybersecurity rests in part on increasing their influence on Capitol Hill in the crafting of policy and legislation.
That's the impetus behind the EWF's “Dear Colleague,” letter – aimed at lawmakers – in support of increasing women's participation in legislative processes. The letter garnered signatures from Democrat and Republican leaders. EWF's efforts are aimed at getting women more involved at the state and federal levels, says founder and CEO Joyce Brocaglia.
In its second annual meeting on Capitol Hill aimed at public/private partnerships, EWF's team heard from a group of powerful and accomplished women in cybersecurity and met with federal lawmakers and agencies as well as members of the National Governors Association (NGA) whose conference was taking place nearby.
“We introduced our women as subject matter experts” who could be involved in the legislative process, says Brocaglia, noting that lawmakers need experts that they can turn to prepare to address a cyber issue, question a witness during testimony or craft policy. The EWF's efforts are also aimed at introducing a diversity of thought into the legislative process, where women, by and large, have been under-utilized. Of the 979 testimonies on cyber during the 112-115 Congressional sessions, Brocaglia says, only 206 were given by women.
Women also need to give other women a hand up. “We're making strides in building wealth for women with funds like Golden Seeds and the Jump Fund, for sure. Biggest opportunity is in investing in each other; hire women and pay them equal pay,” says Louie, but “we need to work harder at clearing the road for the women behind us.”
That might include serving as a mentor. Every woman that SC Media spoke with for the Women in Security issue cited mentors – both male and female – as having a profound effect on their career trajectories, perspectives and confidence levels in pursuing what they wanted under sometimes challenging circumstances. Skelly points to a mentor who gave her the confidence to boot former Secretary of Defense Donald Rumsfeld out of his office during a presidential protection sweep of the Pentagon and one who sparked her interest in cybersecurity, convincing her to become a government worker.
“Our successes will validate female-led companies and secure more investment dollars for the next generation of women in tech,” says Louie. “We must remember that, as we make decisions, we have the power to impact the future and future wealth for all women.”
Isn't that what the women's movement is all about?