It's a perplexing -- and sometimes annoying -- question nearly every female information security professional hears over and over again: why are there still so few women in their field?
Just 10% of information security pros worldwide are women today, according to the latest data from (ISC)2, despite the fact that women are getting more high-profile roles in the industry and that there are job opportunities aplenty. It's a reality that confounds and frustrates many women in the industry, who today represent a mix of researchers, chief information security officers, executives, and top government cyber security leaders.
While women make up a tiny fraction of the industry, the good news is that there are more of them with high-profile roles in security than ever before, a trend that was evident last month at the RSA Conference in San Francisco, where women in top cyber security official jobs at the US Department of Homeland Security, US-CERT, National Security Agency, the White House, and Department of Justice, were featured speakers, as well as security researchers-turned security executives and other corporate security execs.
Their ranks may be small, but women are gradually gaining more respect overall than in the early days, some women in the industry say. Even so, they still see very few fellow women following in their footsteps.
"I very rarely get resumes" from women, says Angela Knox, engineering director at Cloudmark, who began her career as an email software expert. Other women security experts echoed Knox's experience: not many women are even applying for security jobs.
"Time will tell" whether more women join the ranks, says Lysa Myers, a security researcher with ESET. "We'll have to wait and see."
Myers says the industry must change the way it recruits and where it's getting its resumes for jobs.
"We're missing out on 50% of the population if we don't let them [women] know about the job" market, Knox says.
[Classical ballerina-turned hacker-turned CISO Justine Bone talks old-school hacking, biometric authentication, coding in stilettos, Kristin Wiig -- and finishing her kids' leftover mac and cheese. Read Dance Of The 'Next-Gen' CISO.]
Janet Matsuda, senior vice president of marketing at Blue Coat, says in order to make the security industry more diverse, the key is to stop hiring to a narrow band of skills. "A lot of times we [the industry] hire to a skillset … a narrow band that naturally excludes women. We need to open the aperture."
Matsuda says girls often don't see themselves fitting into the computer science and cyber security stereotypes, so the industry needs to do a better job selling the career options here. Plus security entails a variety of skillsets: "We have linguists, psychologists, and computer scientists," for example, she says. "That's a diversity of disciplines" and security benefits from different types of people from different backgrounds that provide a broader insight into the issues, she says.
Cloudmark's Knox, who also participated in a panel discussion during the RSA Conference on women in security called "Breaking the Glass Firewall: The Changing Role of Women in IT Security," says it's a matter of marketing security to women in college. "We need to make women aware that security is available to them … talking to them and marketing it," Knox said during the RSA panel.
"We need to invite women. Change isn't going to happen by itself: 10% is appalling. We should all be shocked by that," said Michelle Cobb, vice president of Skybox, during the panel discussion, which was chaired by Fahmida Rashid, editor-in-chief for the RSA Conference and an information security journalist who also contributes to Dark Reading. "In order to change this, you have to look out there and reach out to other women," Cobb said.
"I'm always on the lookout for good talent," she said.
Jennifer Sunshine Steffens, CEO of IOActive, says her company employs women in each department, but gets few females applying for technical roles. "It's a shame to hear that the number of women working in cybersecurity continues to be low, but I feel like we’ve already made a noticeable impact. I certainly see more women at conferences, giving talks, being mentors, and being active overall in the community," Steffens says. "I'm also meeting more women in CISO positions than ever before. All very encouraging trends."
DOJ CISO Melinda Rogers, who began her career in business administration in the financial services industry, said during the RSA panel discussion that she had both male and female mentors who helped her on her path to a career into security. She says it will take a grass-roots effort to recruit more women in the field. Rogers recommends that women already in security "pay it forward."
Like Rogers, many women in security started in other fields and ultimately migrated to it. "I didn't get into security intentionally," Knox said during the panel discussion. "I love the way it's a big puzzle of how malicious actors are working together, and you have an economy of things going on in the background … [Figuring out] how to stop them … is really fun."
Penny Leavy, chief operating officer at Outlier Security, has seen some positive change for women in the field over the years. "When I started at Control Data I was one of five women in the sales organization then," she recalled. When Leavy would speak at client engagements, the men would look to her male colleagues to question her knowledge on a topic.
"They [my colleagues] were supportive .. and would say, 'she's the expert,'" Leavy said. "But I don't see that bias anymore. Women are given more credibility in the business now, [although] not as much as we'd like to see. I've seen that change with women [being seen] as very bright, capable, and respected by their co-workers."
Skybox's Cobb said when she first started out, male engineers would stare in disbelief when they spotted her setting up equipment. "I was a definite oddity," she said. "But that's changed. Now it's normal."
Even so, Cobb says being in the minority means you "have to be above reproach" and definitely have to "know your stuff."
Self-confidence indeed is a key element for women who do enter the field. "Stay focused on the outcome," DHS's Rogers recommends. "Take a risk and put yourself out there -- that's the most important thing."
Security experts who have been in the industry for some time such as Justine Bone, a former security researcher and now CISO for Hoyos Labs, are disappointed that they are still the only women in the room for the most part. Bone believes that assertiveness helps women, as well as men, who may be intimidated by security's sometimes aggressive culture, where you can get called out publicly over a technical detail or dispute.
"The women I know who've been successful have fairly thick skin," says ESET's Myers, who landed in security by chance after a career as a florist.
Women tend to be strong collaborators and communications, skills that some female security pros say are key for security jobs. "We would all benefit as a whole if we get those traits in security," Outlier's Leavy said during the RSA panel discussion.
But girls and young women often have misconceptions about technology and tech jobs, especially in security. Matsuda says more young women flock to chemistry and biology than computer science, mainly because they see computer technology and security and "geeky" or highly technically focused rather than broader disciplines. "We have the opportunity to create another avenue" for them, she says. "That is a matter of education of teachers" as well, she says.
Young girls are sometimes more attracted to technology's use in social causes, for example, she says, rather than pure robotics.
Being in the minority also has its advantages. "It's so easy to stand out. People immediately remember you" since there are so few women, Myers says.
Blue Coat's Matsuda concurs. "It really allows you to stand out" but you also want to fit in, she notes.
But don't expect the number of women to spike before the next RSA Conference rolls around in February 2016. "It's not going to change a lot in the year. We're starting to talk about it … That will start to turn the tide" eventually, Blue Coat's Matsuda says.
IOActive's Steffens says it will be an evolution. "Change doesn't happen overnight, so we shouldn't feel discouraged. In fact, it will take a decade or more for efforts of today to reach full fruition. For now, it's important that we keep highlighting all the amazing women in our space and enabling them to be role models," Steffens says. "It's also important that we encourage young girls to get started early in technology and security. The more we empower the women in the industry today and showcase their success, the more girls will want to grow up and be involved."
Meantime, the roster of women speaking at RSA last month was promising and impressive. In addition to the RSA women in security panelists, there were several women speakers with high-profile security gigs: Phyllis Schneck, DHS's deputy undersecretary for cybersecurity and communications; Darlene Renee Tarun, senior cyber strategist for the National Security Agency’s Cyber Task Force; Ann Barron-DiCamillo, director of the US-CERT; Cheri Caddy, director for cybersecurity policy outreach and integration for The White House; Jennifer Henley, director of security operations at Facebook; Renee Guttmann, vice president of the office of the CISO at Accuvant; Katie Moussouris, chief policy officer at HackerOne; and Kymberlee Price, senior director of operations at Bugcrowd, were among some of the speakers at the massive conference.