Careers & People
5/11/2015
04:20 PM

Women In Security Speak Out On Why There Are Still So Few Of Them

They're now CISOs, security officials in DHS and the NSA, researchers, and key players in security -- but women remain a mere 10% of the industry population.

It's a perplexing -- and sometimes annoying -- question nearly every female information security professional hears over and over again: why are there still so few women in their field?

Just 10% of information security pros worldwide are women today, according to the latest data from (ISC)2, despite the fact that women are getting more high-profile roles in the industry and that there are job opportunities aplenty. It's a reality that confounds and frustrates many women in the industry, who today represent a mix of researchers, chief information security officers, executives, and top government cyber security leaders.

While women make up a tiny fraction of the industry, the good news is that there are more of them with high-profile roles in security than ever before, a trend that was evident last month at the RSA Conference in San Francisco, where women in top cyber security official jobs at the US Department of Homeland Security, US-CERT, National Security Agency, the White House, and Department of Justice, were featured speakers, as well as security researchers-turned security executives and other corporate security execs.

Their ranks may be small, but women are gradually gaining more respect overall than in the early days, some women in the industry say. Even so, they still see very few fellow women following in their footsteps.

"I very rarely get resumes" from women, says Angela Knox, engineering director at Cloudmark, who began her career as an email software expert. Other women security experts echoed Knox's experience: not many women are even applying for security jobs.

"Time will tell" whether more women join the ranks, says Lysa Myers, a security researcher with ESET. "We'll have to wait and see."

Myers says the industry must change the way it recruits and where it's getting its resumes for jobs.

"We're missing out on 50% of the population if we don't let them [women] know about the job" market, Knox says.

[Classical ballerina-turned hacker-turned CISO Justine Bone talks old-school hacking, biometric authentication, coding in stilettos, Kristin Wiig -- and finishing her kids' leftover mac and cheese. Read Dance Of The 'Next-Gen' CISO.]

Janet Matsuda, senior vice president of marketing at Blue Coat, says in order to make the security industry more diverse, the key is to stop hiring to a narrow band of skills. "A lot of times we [the industry] hire to a skillset … a narrow band that naturally excludes women. We need to open the aperture."

Matsuda says girls often don't see themselves fitting into the computer science and cyber security stereotypes, so the industry needs to do a better job selling the career options here. Plus security entails a variety of skillsets: "We have linguists, psychologists, and computer scientists," for example, she says. "That's a diversity of disciplines" and security benefits from different types of people from different backgrounds that provide a broader insight into the issues, she says.

Cloudmark's Knox, who also participated in a panel discussion during the RSA Conference on women in security called "Breaking the Glass Firewall: The Changing Role of Women in IT Security," says it's a matter of marketing security to women in college. "We need to make women aware that security is available to them … talking to them and marketing it," Knox said during the RSA panel.

"We need to invite women. Change isn't going to happen by itself: 10% is appalling. We should all be shocked by that," said Michelle Cobb, vice president of Skybox, during the panel discussion, which was chaired by Fahmida Rashid, editor-in-chief for the RSA Conference and an information security journalist who also contributes to Dark Reading. "In order to change this, you have to look out there and reach out to other women," Cobb said.

"I'm always on the lookout for good talent," she said.

Jennifer Sunshine Steffens, CEO of IOActive, says her company employs women in each department, but gets few females applying for technical roles. "It's a shame to hear that the number of women working in cybersecurity continues to be low, but I feel like we’ve already made a noticeable impact. I certainly see more women at conferences, giving talks, being mentors, and being active overall in the community," Steffens says. "I'm also meeting more women in CISO positions than ever before. All very encouraging trends."

DOJ CISO Melinda Rogers, who began her career in business administration in the financial services industry, said during the RSA panel discussion that she had both male and female mentors who helped her on her path to a career into security. She says it will take a grass-roots effort to recruit more women in the field. Rogers recommends that women already in security "pay it forward."

Like Rogers, many women in security started in other fields and ultimately migrated to it. "I didn't get into security intentionally," Knox said during the panel discussion. "I love the way it's a big puzzle of how malicious actors are working together, and you have an economy of things going on in the background … [Figuring out] how to stop them … is really fun."

Penny Leavy, chief operating officer at Outlier Security, has seen some positive change for women in the field over the years. "When I started at Control Data I was one of five women in the sales organization then," she recalled. When Leavy would speak at client engagements, the men would look to her male colleagues to question her knowledge on a topic.

"They [my colleagues] were supportive … and would say, 'she's the expert,'" Leavy said. "But I don't see that bias anymore. Women are given more credibility in the business now, [although] not as much as we'd like to see. I've seen that change with women [being seen] as very bright, capable, and respected by their co-workers."

Skybox's Cobb said when she first started out, male engineers would stare in disbelief when they spotted her setting up equipment. "I was a definite oddity," she said. "But that's changed. Now it's normal."

Even so, Cobb says being in the minority means you "have to be above reproach" and definitely have to "know your stuff."

Self-confidence indeed is a key element for women who do enter the field. "Stay focused on the outcome," DHS's Rogers recommends. "Take a risk and put yourself out there -- that's the most important thing."

Security experts who have been in the industry for some time such as Justine Bone, a former security researcher and now CISO for Hoyos Labs, are disappointed that they are still the only women in the room for the most part. Bone believes that assertiveness helps women, as well as men, who may be intimidated by security's sometimes aggressive culture, where you can get called out publicly over a technical detail or dispute.

"The women I know who've been successful have fairly thick skin," says ESET's Myers, who landed in security by chance after a career as a florist.

Women tend to be strong collaborators and communicators, skills that some female security pros say are key for security jobs. "We would all benefit as a whole if we get those traits in security," Outlier's Leavy said during the RSA panel discussion.

But girls and young women often have misconceptions about technology and tech jobs, especially in security. Matsuda says more young women flock to chemistry and biology than computer science, mainly because they see computer technology and security as "geeky" or highly technically focused rather than broader disciplines. "We have the opportunity to create another avenue" for them, she says. "That is a matter of education of teachers" as well, she says.

Young girls are sometimes more attracted to technology's use in social causes, for example, she says, rather than pure robotics. 

Standing Out
Being in the minority also has its advantages. "It's so easy to stand out. People immediately remember you" since there are so few women, Myers says.

Blue Coat's Matsuda concurs. "It really allows you to stand out" but you also want to fit in, she notes.

But don't expect the number of women to spike before the next RSA Conference rolls around in February 2016. "It's not going to change a lot in the year. We're starting to talk about it … That will start to turn the tide" eventually, Blue Coat's Matsuda says.

IOActive's Steffens says it will be an evolution. "Change doesn't happen overnight, so we shouldn't feel discouraged. In fact, it will take a decade or more for efforts of today to reach full fruition. For now, it's important that we keep highlighting all the amazing women in our space and enabling them to be role models," Steffens says. "It's also important that we encourage young girls to get started early in technology and security. The more we empower the women in the industry today and showcase their success, the more girls will want to grow up and be involved."

Meantime, the roster of women speaking at RSA last month was promising and impressive. In addition to the RSA women in security panelists, several women with high-profile security gigs were among the speakers at the massive conference: Phyllis Schneck, DHS's deputy undersecretary for cybersecurity and communications; Darlene Renee Tarun, senior cyber strategist for the National Security Agency’s Cyber Task Force; Ann Barron-DiCamillo, director of the US-CERT; Cheri Caddy, director for cybersecurity policy outreach and integration for The White House; Jennifer Henley, director of security operations at Facebook; Renee Guttmann, vice president of the office of the CISO at Accuvant; Katie Moussouris, chief policy officer at HackerOne; and Kymberlee Price, senior director of operations at Bugcrowd.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
PrincessMariam
User Rank: Apprentice
8/23/2016 | 11:56:49 AM
Re: Professional Stigmas
Thank you for pointing that out. There exist jobs that are male dominated and jobs that are female dominated. The problem is - nobody complains about the jobs that are female dominated. Why? That's not the agenda.


The previous article I saw on this site was an article about "diversity" - but in the pictures were 100% women?!?!? Clearly, diversity has less to do with including everyone and more to do with eliminating men, and even Caucasians in some cases.

When I was at university, the history department's hiring practices were being investigated since almost all of the professors were white males. In my department - engineering - all of the professors were Indian males. Guess what?? No investigation.

You tell me.

As a woman, I recognise that there are simply going to be professions that are mostly women, and others that are mostly men. That has been the case since the beginning of history. Oh yeah and about not getting resumes from women - notice how it wasn't even questioned? The one time I heard a male manager state that he wasn't receiving resumes from women the immediate response was that he is clearly a liar and in reality didn't pay attention to all the resumes he received from women.

Why the different responses to the manager based on their gender?

Again, you tell me.
rasoolirfan
User Rank: Apprentice
5/14/2015 | 9:29:03 AM
diversity
It's vital to empower women security professionals at all levels, and organizations should find ways to have the mix of gender at all roles.

Nicely articulated. Kudos.
Marilyn Cohodas
User Rank: Strategist
5/12/2015 | 3:01:50 PM
Re: Women In Security Speak Out On Why There Are Still So Few Of Them
Totally agree, Kelly. Obviously STEM skills are important to security professionals who are entering the field, but I think a lot of women who can do the math & science would be equally attracted by some of the other disciplines that are critical to the profession. The industry -- and schools at all levels -- need to do a better job of explaining what the job is all about.
Kelly Jackson Higgins
User Rank: Strategist
5/12/2015 | 8:59:28 AM
Re: Women In Security Speak Out On Why There Are Still So Few Of Them
The comment that I believe you are referencing wasn't about downgrading skills for infosec jobs--it was about embracing the wider array of skills needed for the field today, such as psychology, linguistics, a broader world view of the issues in the field. We're actually already seeing a lot of this in the industry. Here's the section I believe you're referring to: 

Matsuda says girls often don't see themselves fitting into the computer science and cyber security stereotypes, so the industry needs to do a better job selling the career options here. Plus security entails a variety of skillsets: "We have linguists, psychologists, and computer scientists," for example, she says. "That's a diversity of disciplines" and security benefits from different types of people from different backgrounds that provide a broader insight into the issues, she says.
RyanSepe
User Rank: Ninja
5/12/2015 | 8:52:20 AM
Professional Stigmas
I think the biggest hurdle for this is getting over the professional stigmas. The "that's a man's job" or "that's a woman's job"; those statements are still woven in the fabric of our minds to some extent and you can see it in the numbers. InfoSec is not the only career path that sees this.

You have the 10%F and 90%M denoted by this article.-2015

For Nursing you have 88%F and 12%M-Economic Modeling 2010 (Gap has probably decreased since then but not by much)

The overall point is you can do this for many career paths. Until those professional stigmas are eradicated it will be difficult, no matter how much data is divulged, for those metrics to change. This will take time. Constant reiteration is very helpful in this matter and will hopefully decrease the time gap.
AvaxaS781
User Rank: Apprentice
5/12/2015 | 8:50:12 AM
Women In Security Speak Out On Why There Are Still So Few Of Them
I think forcing more women to be involved in InfoSec for the sake of more women is not a good idea. Good ideas can come from anyone and gender should never be a qualifier or disqualifier. One of the women quoted in this article stated we need to change what is needed for the job to less relevant skills to just get them in. I think this is a very bad idea and we need to focus on weeding out the ones in the industry who do more harm than good. I think the best way to get more women involved in InfoSec is to start at the schools and colleges. Title 9 started off being a good idea, but its implementation in recent years has done more harm than good. Right now women make up the majority of college students. With this pace, most jobs requiring a college degree will be filled by women simply because the pool of candidates will be mostly women. The oppressed have become the oppressors in US Universities. To make changes in a positive way, we need to show young girls in school more than just solving math problems, but how solving those problems helped create all the technological marvels we have today. Not just teach to a test or to regurgitate information. Kids today do not learn how to learn. I know that sounds odd, however kids today, including my own, do not understand how to figure things out on their own. They cannot function outside of what is told to them. This is sad and in my opinion, a huge reason why other countries are surpassing the US in education. Just my 2 cents as an Information Security Subject Matter Expert.
Kelly Jackson Higgins
User Rank: Strategist
5/11/2015 | 8:41:24 PM
Re: Father-Daughter Nerd/Geek Day
Love the Father-Daughter Geek Day mention! And your point about exposure and encouragement are key. I am constantly talking to my daughter and son's female friends about this industry. One of these days I'll get a recruit.
Christian Bryant
User Rank: Ninja
5/11/2015 | 5:53:59 PM
Father-Daughter Nerd/Geek Day
As the father of two daughters I know the responsibility I have to make sure I don't look at them as "girls" in the stereotypical sense is an immense one.  My eldest is a true scientist and absorbed more knowledge about animals and nature before she was six than I had learned in forty years of life.  She created her own database on sea life somewhere between five and six years of age on an old laptop I gave her with gNewSense GNU/Linux, using LibreOffice Calc.  I encourage everything in her that longs for scientific engagement. 

My youngest is a brute and quite the hacker.  I suspect she'll be the one with eyes on the software industry as a career, and probably she will enjoy InfoSec since breaking into things is her passion, clearly, and she's not even two.   

I think a major part of this deficiency across the board in tech industries of women in various roles has as much to do with the parents as with the schools the kids go to, or the tech culture in general.  I had to discover the world of electronics and computing on my own with absolutely no encouragement on the home-front – exposure is also half the battle won.  For my daughters, I plan on making sure they get every opportunity, and hope that - as they learn - it isn't once pointed out to them that because they are female, some employers might not want to hire them, or that some schools might not think they will be interested in certain classes, or that some of their friends might look at them funny when they break out their sticker-covered laptops to write some code between classes instead of doing whatever it is girls who don't do that do... 

For me, I try to balance it all out, but every day should be Father-Daughter nerd/geek day, as far as I'm concerned, since the daughters need to hear from their Dads that "it's perfectly OK to want to crawl under a car with a set of tools, to build your own robot or Arduino cluster, and certainly OK to be interested in InfoSec and enjoy breaking into systems to make them better."