
I began this third blog post for The State of Security by begging the question, “are women underrepresented and smacked down in the Infosec community?”

With an industry that is dominated by men, I blatantly stated that I had heard both sides of the coin: from problems with the good old boys club, sexual harassment at security conferences, and surviving the workplace in a woman-poor environment, to “my workplace is awesome” and “I could not have made it this far without male mentors.”

I wanted to know if women needed to “fight to be heard,” or did they feel that infosec was just like any other profession — where they could work their way to the top regardless of gender. I asked all the wrong questions… During my brief meandering into the realm of sexism in Infosec, I was sometimes smacked down for lack of clarification, and at the same time enlightened with alternative dialogues.

The Good

There are plenty of Infosec women who are delighted with their experiences within the infosec community. From engineering, IT, operations, product managers, and marketing — these are the women who have few complaints about sexism in the workplace and work cohesively with their teams regardless of gender. Though some have experienced risque behaviors at tradeshows and security meets  — most have been able to coexist on an equal playing ground with their peers (again, regardless of gender).

Lise Feng, Director of Corporate Communications at CipherCloud, stated:

While I’ve had some less than desirable interactions at trade shows, I see those as isolated incidents and not symptoms of infosec or the broader tech industry trying to bar women from entry. The awkward actions of a few don’t represent an entire industry.

Jennifer (Jabbusch) Minella, a network security engineer and consultant with Carolina Advanced Digital, Inc., had this to say at her Security Uncorked blog:

Here’s where I come from; I grew up in this industry, but before I got here, I was a kid who loved science and math, and I had parents that nurtured that passion. My Dad taught me binary when I was but a wee lass. He taught me calculus early, because I demanded to know what the “sin” and “cos” buttons on the calculator meant. Being the math genius that he is, he used the opportunity to launch a full-scaled course, books and all. Maybe I’m privileged; maybe I had advantages that others didn’t; maybe I was set up for success early; maybe I’m naïve; you’re entitled to any of those opinions, and I wouldn’t argue it. But while school sets you up for many of life’s lessons, navigating the tribulations of 8th grade isn’t the same as managing a successful career, in any industry. And, while there’s a component of reaching girls early in life, we should look at our current situation closely first.

For now, I think we need to encourage women to seek help and support from ALL people – men and women. And we should all understand that during changes, there are times when things aren’t fair, when things are frustrating, and a little messy. Stay classy, stay calm and cool, handle it like a lady, and we’ll all come out winners in the end. Life’s not fair, but you can work with the system, instead of against it for better results.

SC Magazine wrote earlier this year about security researcher and ethical hacker Raven Alder’s Tiny Crowbar talk at B-Sides SF. Alder believes that sexism is not always a hindrance because it can be used, from the attacker’s perspective, as a tool for carrying out social engineering attacks, or even gaining trust with other women as part of some sort of “solidarity pitch.”

Jovi Umawing, a Malware Intelligence Analyst at Malwarebytes, believes that women in this industry have been represented very well in terms of expertise and skill (that might even be at par with the opposite sex).

There may be strength in numbers, but I think if we, the minority group, continue to learn and do excellent work, which contributes to the overall growth of the community, it wouldn’t really matter much if we’re just a handful.

The Bad

KC, a freelance journalist who is based out of San Francisco, voiced (at her blog) that Defcon was hell for women. Let’s use her 2012 Defcon story as one example of the bad side of Infosec:

Let it be known that I went to Defcon with a reasonable amount of armor on already. I was reasonably aware of the frat party environment I was stepping into. I have many friends who are involved with helping make Defcon roll smoothly each year, from speakers to goons. And still, nothing could have prepared me for the onslaught of bad behavior I experienced.

Like the man who drunkenly tried to lick my shoulder tattoo. Like the man who grabbed my hips while I was waiting for a drink at the EFF party. Like the man who tried to get me to show him my tits so he could punch a hole in a card that, when filled, would net him a favor from one of the official security staff (I do not have words for how slimy it is that the official security staff were in charge of what was essentially a competition to get women to show their boobs).

When women voice their opinions regarding such inappropriate behaviors (as KC experienced at Defcon) – they are often accused of complaining, overreacting, or being overly sensitive. Women like KC who opt to expose these types of perceived indiscretions often open themselves up to further harassment from peers because they actually voiced (AKA: whined) a negative experience on a blog and bounced it off social media.

Kymberlee Price, Director of Ecosystem Strategy at Synack, Inc., really made me double-think oversensitivity issues when she responded to my question “are women underrepresented and smacked down in the Infosec community?” that I posted on the Facebook group Starting a New Dialogue on Women in Security:

…I think there is overwhelming evidence that male privilege is very real, and affects us all. How can a woman expect to be fairly evaluated on their work product if their performance feedback focuses on how they should wear ultra conservative clothing (the men get distracted if a female colleague is too attractive) or modifying their communication to have more smiley faces and be less direct so people don’t think she is a bitch? When have you ever met a woman who was paid as much as her equally qualified male peers? When is the last time a man at a conference elicited a surprised “oh, you’re technical!” response? (answer: never, they are assumed to be technically competent because they are male and why else would they be at a technical conference?) Why is sexuality brought into the workplace in the form of booth babes, burlesque dancers at corporate functions, or mud flap girls on podcast logos, while women are told they are being oversensitive and shouldn’t attend these events if they are uncomfortable? There are tons of everyday examples of how women are made to feel uncomfortable, unwelcome, and unvalued without reaching the extremes of direct sexual harassment, which also happens with disturbing regularity.

Is it just a few bad drunk or high apples that distort and malign people’s boundaries at these Infosec conferences? Is it okay to minimize the problem because the boys club concept is acceptable to both genders? Is physical and verbal harassment a problem for the Infosec community as a whole? These are just a few of the questions that I have been trying to extrapolate during my research on this topic.

The Alternative

Jovi Umawing from Malwarebytes strongly encourages young women to embrace and seek careers in Infosec:

All of us in infosec, however, need to encourage and help build the confidence of young women who feel like they can’t or won’t have a career, good opportunities or a future in the industry. They can and they will. I and my other female colleagues of 5+ years are living proofs of that.

Lee Honeywell, a Security Engineer at Heroku (@hypatiadotca) has this to say:

It’s important to remember that it’s not an either/or. I have had workplaces where I felt supported and heard, and workplaces where I dealt with gross bullshit on a regular basis. I’ve participated in community events where I felt safe, and ones where I distinctly did not.

Those two sets of experiences don’t cancel each other out. They aren’t “two sides of the coin” – the bad ones are bad and the good ones are what everyone regardless of profession should have. The min bar.

People sometimes talk about how the rest of the world is sexist too, so who are we to complain about infosec? Are we any worse? The thing is, it doesn’t actually matter. Regardless of the state of the rest of the world, we can change our own field for the better.

I soon stumbled upon Iftach Ian Amit’s blog post “Women in Infosec? That thing again?”, where Ian pointed out Jennifer J. Minella’s blog post “Calling Bull$#** on Women in Infosec,” where she questioned if it was sexist for women to rely solely on their success by attaching themselves solely to already-successful women.

Jennifer initially responded to my request that I posted in the good section above – and I find her input invaluable. Her question prompted me to question who my mentors were. My main mentors in infosec were males – specifically male hackers.


Then she moved onward to ask the question: Were men such chauvinistic pigs that they would not help women in the overall pursuit of achieving success within the Infosec community?

My personal experiences in the Infosec realm involved good and bad experiences with both men and women. When I worked networking in a university environment I had a coworker [male] who took all the credit for my security research, whereby the female director did not even acknowledge (for two years) that I had any security knowledge.

As far as she knew, I was some low-end bimbo that did documentation for Mr. co-worker security guru. When I became aware that this guy was taking all the kudos for my work – I marched to her office and corrected the misinformation (and two years of lies). She was shocked. I was pissed and disappointed.

The same type of situation arose a few years later when I worked at a college in New England – only this time, I had females to contend with. That was back during the time of the SQL Slammer worm. At that time, I captured all the rogue SQL servers on campus, cleaned them up, password-protected them and reported them to the female sysadmin on the IS team.

She demanded to know how I hacked that. She did not even know that there was a management console – I had to show her how I took control. She was not going to acknowledge that they were clueless of threats on their network and that greatly disturbed me. It appeared to be all about ego and how can we control her from making us look bad and not about how can we secure our network…

A House Divided

There is an old biblical adage that I feel the need to dredge up for this post: A house divided against itself cannot stand… The metaphor for this house refers to Infosec. As Lee Honeywell stated above: “Regardless of the state of the rest of the world, we can change our own field for the better.”

About the Author: Bev Robb (@teksquisite) has a B.S. in Sociology from Southern Oregon University and is a self-employed IT consultant. She runs Teksquisite Consulting, a blog about technology, infosec and social media.

 

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
