“When someone asks you if you’re a god, you say YES!” ~ Winston Zeddemore, Ghostbusters.
Women are held to a different standard when it comes to technical skills assessment, both in their own mind and in the minds of those who are assessing whether they are fit to be part of the team. To overcome this until we have a stronger minority, we have to demonstrate proficiency and persevere, even when circumstances are absurd.
At a recent interview, I was asked if I was technical. I was a bit taken aback, since this guy had my resume right in front of him. My technical depth was apparent. But this guy—he had at least five years on me, had grown and sold a couple of cybersecurity start-ups. He was a physics major with a CS Masters. I managed to stutter a response: Uh, yes, I suppose.
I have since had time to think about this answer I gave. I have a new answer planned for this question in the future: Less technical than Dan Kaminsky, but more technical than my mom. What is with this question?? I’ve heard it more than a few times at interviews. It’s as if the people asking this are more interested in weeding out candidates than determining if their skills are sufficient to fill or exceed the requisition.
I remember one charming, hubris-filled gentleman interviewing me for a technical PM and Compliance job, one where I would be interfacing with clients to ensure company policies were commensurate with controls. He asked if I could write APIs or code in any language. I said no, but I am a quick study.
I pointed to many demonstrations from my experience set, including the time I translated an exploit written in long-form Chinese characters and reference code that my team had dug up from some corner of the internet, which we used to hack into a vulnerable box. He was unimpressed, said he would have used Google translate.
I was not hired. Again, upon reflection, my new answer: I can learn Ruby faster than you can learn People Skills.
Frankly I am getting a little sick of this. I am thinking my new answer will always be YES. Yes, I can code. Yes I am technical. Yes, I can $__. To validate my new approach, I sent a short text to some past coworkers asking how technical they thought I was.
“You get all the high level IS concepts, and the vocab. You would not be doing the low level implementation.”
Yes, that is true. Another:
“You have a detail oriented and highly technically driven thought process. You understand architecture principles and practices but you would not be writing database queries or firewall rules. Not that you couldn’t, but we need you at a higher level.”
That is also true. I am pleased to say that was exactly in line with how I viewed and generally advertise myself. To round out my inquiry I also texted a female coworker, a CISSP who is an extremely technical PM type not unlike myself. She said in reply to my request:
“Do engineers who decide to do management spend as much time justifying their existence as we do?”
No sister, I am sure they don’t. I like it here between Business and infosec. I call myself The Glue, doing what our most technical team members don’t want to do anyway, smoothing the proposal and white paper text or making a non-technical client get the gist of our work. The Liaison. The Human Firewall.
Is it simply coincidence that Tripwire is featuring this focus on Empowering Women in Security, when in the same week Maria Korolov wrote in CSO Online about the experiences of women stereotyped at security conferences as Sales or Marketing reps?
My experience this year at RSA was worse. I was approached twice at the after-hours parties, despite wearing a seriously reasonable and appropriate outfit. I was stunned when perfectly normal dudes shared that their wives were of the understanding that what goes on at RSA stayed at RSA. RUFKM? My husband and I do not share that same understanding. I passed on these opportunities to accelerate my career.
Also this week I read the Kay and Shipman article in The Atlantic about the Confidence Gap, where women, even amazing, powerful women outstanding in their field, feel like frauds and imposters fearing being found out. I totally relate.
I have passed on more than one requisition when I did not meet the full complement of written requirements. I was sure I would not qualify. My husband has chided me to consider my competition. “Dudes,” he said, “will apply when they can meet about half the req. They figure HR didn’t have it right when they wrote it anyway.” This never even occurred to me.
So how do we infiltrate and increase our presence from the current 11% cited in the 2013 (ISC)² Global Information Security Workforce Study? First, have the basics down. Have a true grounding in infosec that will give you the necessary vocab to relate and communicate. And, like Kay and Shipman note, persevere. Stop thinking and act.
Dudes are used to knocking each other down, and they do it again and again, until they’ve decided you rate. Women, me included, often assume “no means no” but in the information security dude world it means “Try Harder.” Approach your goal from all angles—if it means that much to you, you need to try multiple strategies and tactics before you give up.
It is a long haul game. At some point, you will penetrate. You will gain the trust of one dude and he will grant you the proxy trust of the rest of the team. At that point, I beseech you on all our behalf: Don’t blow it, just head down and perform. No crying, no freaking out till you get home and are out of earshot of the dudes.
Men and women alike, we all doubt ourselves. Jon Stewart’s recent rant is so timely: Let’s prove the Broads are not all Crazy. Once a strong woman is embedded in the team, it paves the way for the next woman, be she more or less technical than you. This is how we increase our numbers legitimately for ourselves and the next generation.
About the Author: Marsha Wilson has a B.A. in English from CalState Northridge, and an MBA from Embry Riddle Aeronautical University. Her crazy long string of certifications beyond OSCP can be found at linkedin.com/in/marshajwilson/, or follow @decisivemarsha. Her career has focused on the chasm between IS and Business, regardless of business sector. She is a contract consultant, mom and wife, and an avid Stone IPA and jogging enthusiast.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.