Women in cybersecurity

Run the world

When it comes to women in the workforce, it’s a fairly well-known fact that information security does a pretty terrible job of increasing the ratio of women to men. At last count, only 11% of security professionals were women. When comparing that to women in technology on the whole (multiple sources put it at ~25%), you’re looking at less than half of what’s already a shoddy percentage.

The industry talks a lot about attracting women to the profession and encouraging girls through STEM. The Girl Scouts and Palo Alto Networks teamed up to teach girls about cybersecurity. And more organizations are naming “chief diversity officers” to ensure their organization is taking a proactive stance on inclusion and equality. These are great steps, but growth remains slow. Events like the Women’s Executive Forum and Women in CyberSecurity (WiCyS) do an excellent job of promoting women and providing places where women can meet, collaborate, and present. When attending other industry events, though, it’s easy for women to feel lost in a sea of maleness (though much easier to use the restrooms).

My persuasion can build a nation

As a woman in security, I’ve personally never felt uncomfortable being one of the only—if not the only—woman in a room. It’s part of the job (like having to sit through meetings where 90% of the discussion doesn’t apply to me). That said, this predicament is uncomfortable or untenable for some women, and that should never, ever be the case.

MISTI tries hard to include women. As a training and events company, we’re positioned to highlight women—and not just because they’re women, but because they’re smart, knowledgeable, accomplished cybersecurity practitioners. Our security conferences are open to anyone and everyone in security (who is inclusive). As the director of content, for smaller events (for which we don’t necessarily hold a CFP), I personally invite a higher concentration of women than men to speak. Not once in my tenure at MISTI has the final agenda been comprised of more than 10-12% women presenters. In this year’s InfoSec World call for presenters, only 6% of submissions received were from women.

This makes me mad. I am a woman in security and I can’t even get women in security to present at my conferences! The entire MISTI conference staff is women! What do we have to do to be more open and inclusive?

For one thing, I invited a few extra women to InfoSec World 2018 to give the keynotes and serve on the advisory board. (You’ll also notice that I invited a dog to present a keynote, so take that, chief diversity officers!) Because I can’t force more women to apply or accept invitations to speak at the conferences I program, I have to find other ways to highlight women. One of those ways is this blog post. Non-traditional? Sure. A little self-promoting? Feel free to interpret it that way.

Endless power

My true aim here is to actively encourage women to attend and speak at conferences. The more visible current female practitioners are, the greater the likelihood other women will think, “Hey, I can do that too.” They will see there is a supportive community (not just of women) who want them to succeed. Security can use more women stepping up to the plate or accepting invitations. But there is only so much participants can do to invite others in. At some point, women have to decide for themselves, “This is somewhere I want to be. This is something I want to do.” Only then will they understand that it’s pretty great to be in security—a growing field where curiosity is rampant and practitioners can literally save lives (OK, maybe just in medical IoT and connected cars, but hyperbole is fun for everyone).

After the InfoSec World 2018 CFP closed, I was dismayed, so I reached out to a group of women presenters to find out their experiences at the event. Was I missing something? What can we do better? Has InfoSec World ever felt inaccessible to women? Rather than sharing my own thoughts and experiences, I wanted to share those of attendees and presenters.

With our love we can devour

Five unbelievable women in security responded to my questionnaire. They are: A Chief Security Advisor at a major technology company, A CEO at a security provider, a Senior Security Compliance Analyst at a security provider, Senior Security Executive at a financial services company, and a Senior Security Executive at a consulting company.

My first question was: What has been your experience attending/presenting at InfoSec World as a woman in security?

All of the women reported having positive experiences at InfoSec World, but noted that most other industry events have similar audience composition. This small sample group says they are “accustomed to being in the minority,” but did note that they’ve observed a slight increase in female attendance over the years—a happy observation, indeed.  

One of the women specifically called out her wish to see more female speakers: “But I think we tend to submit fewer proposals than men and are just outnumbered.”

This point is 100% accurate, at least as far as MISTI is concerned and from what I hear anecdotally from colleagues who have served on other conference selection committees. Unless it’s a woman-centric event, women—as a group—do not raise their hands to present as readily as men. As stated earlier in this post, even when I’ve personally invited women to speak, I hear a higher percentage of “no thanks” from women than I do men.

The second question was: Is your attendee experience at ISW different from other events?

Three respondents said they did not feel InfoSec World was an especially different experience, but two women said they have noticed a “slight” difference. One commented that hacker conferences “literally feel different. Different crowd, different goals, different presenters. Also, again, very few women presenters.” Another said she has felt that attendees at InfoSec World are less “cliquey,” and more likely to talk to people sitting next to them in sessions.

It’s up to the entire security community to ensure fellow attendees feel welcome; all attendees should have a goal to meet (at least) a handful of unfamiliar people—say hello to someone sitting next to you in a session, ask her perspective on what was presented, learn about someone’s top projects and initiatives. It’s the easiest small talk I can think of. You have a lot in common with everyone attending; now go forth and act like it.

You'll do anything for me

The next question was: Does it feel different to present to a room of mostly men than it does at women-centric events?

This question received split responses. Some of these women said they prefer presenting to men because it’s more familiar; one said “Women seem so much more accepting in a group than a room full of men”; and one responded that speaking at women-centric events is less enjoyable because “there seems to be a lack of focus on the speakers and learning.”

The takeaway here is that, no matter who you are, everyone’s experience will be individual. The key is that all experiences must be equal.

The next question was: Have you ever felt any pushback as a woman at InfoSec World?  

One response essentially sums up all of the other responses: “Not at all. Last year as a presenter, I had numerous women come up to me after the session to say how nice it was to see females presenting at ISW. I had an equal number of males come up to ask questions or pay compliments. That said, are there always those few men who are chauvinistic jerks? Absolutely! But no more or less at ISW than at any other place where a group of security folks gather.”

What I take away from this response is that MISTI needs to be on the lookout for rogue chauvinistic jerks. We have a zero-tolerance policy for harassment of any kind, and anyone—male, female, non-binary—who feels in any way intimidated is simply not welcome.

I'm repping for the girls who taking over the world

I think it’s the fear of this type of behavior, and the stories that circulate about past incidents, that may put women ill at ease. As a community, we must actively speak out against aggressive, rude, exclusionary, inappropriate, hateful, and hurtful actions. These voices cannot only be women’s.

The message of this post is that there are people and organizations actively trying to welcome women to the field, but we can all do more. Current female practitioners need to be more visible for this to happen. Ultimately, though, it’s up to individuals to make the leap.

Personally, I’d love to see the rate of female talk submissions from MISTI’s CFPs double (at least). Are you a woman in security who’s too nervous to submit? Send me an email. Reach out to former speakers and attendees—of all genders. You’ll get the scoop. “If you're an experienced speaker,” says one of the women surveyed for this post, “find a colleague that has mentioned an interest in speaking but has been too scared. Help her get her first speaking gig.” If you’re reading this, be that advocate for change. Every little bit counts.


This year's highly-anticipated InfoSec World Conference & Expo takes place in Orlando, Florida from March 19-21.