Let’s Hear it for the Ladies: Women in Information Security

If information security is a man’s world – as it is so commonly declared – then how do you explain the wonderful women who continue to perform and succeed just as impressively as the next man? Eleanor Dallaway spoke to forty of the industry’s finest women about why they’re the minority, why they didn’t let that stop them, and what being a woman in technology means. This article is a canvas for their voice… 

The latest (ISC)² workforce study, published in spring 2013, declares that only 10% of the information security industry’s professionals are female. Attendance at industry events and feedback from hiring managers all contribute to this consensus. Although 76% of those interviewed for this article say that they believe more women are entering the field, all agree this is happening “very slowly”.

There are some initiatives – both internally in the industry and externally through government – intent on increasing and supporting women entering the profession. A recent spike in industry events and seminars focused on women in security – including the upcoming Bletchley Park Women Codebreakers of WII event organized by the Cyber Security Challenge and Women’s Security Society – are testament to the increased awareness about the lack of women in the industry and a desire to honor those who are and encourage new (female) blood. But the first question is whether this is something felt necessary by the industry at whole.

More than half of those Infosecurity interviewed for this article do see this deficiency as problematic and disappointing and are eager for more industry action to change this balance. “More needs to be done. There are only a few organizations out there offering women's scholarships in information security – the (ISC)² Foundation is one of them. Across the board, this issue has been widely ignored but it can't stay this way forever”, says Michelle Schafer, vice president of the security practice at Merritt Group, a PR firm.

Konstantinia Charitoudi, part-time lecturer and security consultant at the University of South Wales, and PhD researcher in information security, is also calling for more to be done. “It’s important that women in the field encourage other women, but it would also be nice if more men were involved in this encouragement, to make women feel welcomed in a field that is supposed to be ‘man’s world’”. She declares stereotypes, culture and lack of encouragement “to blame”.

At the other end of the spectrum you have people like Caitlin Rose Johanson, Sheena Wallace, and Anne Wood. “Gender isn’t important here”, answers Wood when asked whether the government and industry are doing enough to encourage women into the sector. “Skills should be the consideration, irrespective of gender”. Anne Wood is a senior consultant at Sysnet Global Solutions.

Sheena Wallace, lead security consultant at Context Information Security, agrees with Wood. “I’m not sure that there should be a requirement for external bodies to encourage or influence in either direction. As long as there is not active discouragement – which I have never observed – then women [should be] left to make their own minds up as to which industry would best suit them.”

“It doesn’t matter either way as long as we are advancing our security practices”, agrees Caitlin Rose Johanson, senior solutions architect at Veracode, when asked the same question.

Seeking a Sexy Career

Several of the interviewees agree that many women consider information security – and technology generally – to be an “unattractive career choice” and are keen to articulate that this mindset is self-imposed. “I think [the low numbers of women in information security] is more a lack of interest on the part of women than exclusion by men”, says Birgit Thorup Mullen, senior security associate at Bishop Fox. “The motivation to enter an industry has to come from the people who want to be in it”, she argues.

“It’s not a terribly glamorous job”, admits Patricia Titus, former CISO at Symantec, Unisys, and the US Transportation Security Administration (TSA). “We have to deal with some of the scum of cyber space, so you have to have a strong stomach and a lot of intestinal fortitude.”

Bridget Burke, vice president, CIO and CSO at HID Global, points to another possible factor that puts women off. “Women are often collaborators not isolationists, so the field may not seem attractive to them. It is also a risk based-discipline, which women may not see as creative or interesting as other fields of study.”

Brenda Larcom, senior security associate, co-founder and lead developer of Trike, is more concerned with getting the right people into the information security industry, regardless of their gender. “We don't need to get more women into infosec, we need to ensure that everyone who wants to get into [the industry] has the opportunity and comfort level to do so. I don't see an inherent need to encourage women to do any particular thing. We are capable of making our own decisions, as individuals rather than as a demographic group”, she articulates.

Almost unanimously agreed across the board is the determination that women should be recruited based on merit and skills, rather than to tick the equality box. “There shouldn’t be undue exceptions for women; the best person for the role should get the job”, says Tina Stewart, VP marketing at Vormetric.

“I’ve always felt uncomfortable with the idea of targeting specific groups – be it gender or race – for careers”, agrees Christie Grabyan, managing security associate at Bishop Fox.

Burke, on the other hand, is more positive about female-specific recruiting and agrees that information on this would be “useful and of interest to women in the field.”

Judging a Book by Its Cover

It is commonly argued that the information security industry needs to do a better job of marketing itself, perhaps even more relevant when attracting women to the industry. “The word ‘security’ seems to invoke a persona of a male-dominated line of work: padlocks and strong [male] security guards protecting the perimeter. The word cybersecurity brings out the image of hackers hiding behind dark glasses and black hoodies. Neither necessarily inspires females”, argues Haiyan Song, vice president and general manager of ArcSight enterprise security products at HP.

Ian Glover, president of the Council of Registered Ethical Security Testers (CREST), agrees. “The media provides a stereotypical view of the type of people that work in the industry. If we are going to appeal to a wider audience, not just women, we need to provide evidence to contradict the stereotypical views. We need to be conscious of the language we use that unintentionally has a male bias and need to take expert advice to ensure that the material we develop and the presentations we make are gender neutral.”

Many interviewees argued that the lack of women in the industry is a societal issue. Not just the societal norms that cast judgment on women in technical roles, but the working guidelines and standards around part-time staff, flexible hours and maternity policies.

“There is a lot less judgment placed upon an ambitions man versus an ambitious female. Due to some women having different life goals regarding staying home or reduced travel and work hours to facilitate family, the information security field may not be the optimum choice for all”, says Erin Jacobs, founding partner of Urbane Security and former CIO and CSO in the financial services sector.

“Until the industry makes it more attractive for women to remain in the workplace after having children, I think the picture will remain as it does today – lots of women but very few senior ones”, says Alisha Dattani, managing director at TangibleQL. In fact, Dattani felt so strongly about the lack of flexibility surrounding keeping women in roles after they have started a family that she saw a gap in the market for an organization offering the flexibility that women require, and launched TangibleQL.

“I know many women who enjoyed high-earning careers in information security. They had a child, went part-time and tried to carry on, but their roles had been subtly altered to ensure that they no longer had the decision-making clout that they used to”, she explains. Adrienne Hall, director of Trustworthy Computing at Microsoft, recalls a time when she was told “You won’t want to go to that event because you have children.”

Any career can be challenging for women in terms of juggling work and home life, says Fiona Collins, security analyst in the security operations center at BNY Mellon. “There is no reason to think that a career in IT or information security is any more challenging”, she asserts.

Larcom believes that women make a conscious decision to conform to societal expectations. “Most young women care too much about what other people think and what other women do. They choose from the list of socially acceptable careers for women, and hacker still isn't on that list.”

Burke, however, reminds us that sometimes it’s not the female perspective that is the problem. “There are of course individuals that find it difficult to adjust to women in technical roles. There is discrimination in the world and people do treat others differently based on gender, race, religion, etc.”

Let’s Make a Geek Barbie

The majority of the women interviewed were comfortable with the idea of awareness campaigns encouraging women to enter the sector, and almost every single proponent was of the belief that this encouragement has to start early – in a girl’s formative education years.

“We’ve been examining the issue as part of our Global Information Security Workforce Study and have found that subtle cues sent to girls in middle school by parents, teachers, and peers, can shift their interest away from STEM [science, technology, engineering and mathematics) subjects”, recounts Julie Peeler, director of the (ISC)² Foundation. “Generally speaking, there are less women entering STEM majors at university, and IT has the lowest enrolment overall, according to the US Bureau of Labor Statistics.” As a consequence, says Peeler, few women are entering the industry.

Patricia Titus points to the Obama Administration’s STEM program as an initiative “that has been working really hard to change this dynamic. But, we could use more scholarship programs geared toward women in this discipline”, she says.

Alisha Dattani is concerned that girls are “buying into the argument at a very tender age that technology isn’t for them.”

“Girls are simply not encouraged toward more technical roles in childhood and any difference you see in business is a result of that”, agrees Vormetric’s Tina Stewart.

Fiona Collins is also of the mindset that education must start young. “Schools need to encourage girls to go into the field, starting with subjects like math and science.”

The answer, according to Caitlin Rose Johanson, is in the form of a doll. “Make a nerdy Barbie or doll that doubles as a homemaker and underground hacker, and then see where things are in 20 years with the girls who played with them”, she challenges.

Neira Jones, partner at Accourt, agrees that educating young girls about information security should start young. “Awareness should start at nursery. The equivalent of ‘don’t accept sweeties from strangers’ should be applied to the digital age”, she says.

Interestingly, while only a handful of those interviewed recall being actively discouraged from interest in an IT discipline, even fewer shared stories of encouragement. “As the youngest of five children with a very mechanical father, I was always working right alongside him tuning up car engines and fixing things. He was great at making sure his daughters were capable of taking care of their own car issues – we weren’t raised in a gender-biased family”, Titus recalls.

Soraya Viloria Montes de Oca, IT and information security manager in the third sector, was also blessed with support and encouragement. “But, I am originally from Venezuela where women are encouraged to go to university and to take on sciences”, she points out. This was not the only time that acceptance dependent on geography was raised, with a handful of interviewees expressing the opinion that the US market is more accepting of women in technology than Europe or Asia.

Larcom paints a darker picture. “I had a guidance counselor at school (interestingly, a psychologist who prides herself on being an advocate of women in the sciences) who assured me I would be unable to get into the computer science department. I had no trouble whatsoever getting in”, she recalls.

Passionate as Sin

Of those who are happy to challenge the stereotype and invest in an IT career, a vast selection of answers were given in response to the question: What attracted you to the information security profession?

“Women have been taught from a young age to be aware of their surroundings and to be very security conscious. I think women intuitively grasp the need for security”, responds Penny Leavy, VP and general manager of ManTech MCIS/HBGary, and co-founder of HBGary and Cenzic.

Other responses included attraction to a fast-evolving industry, interest in mathematics, a technical curiosity and a ‘break-it’ mentality.

These answers and interests somewhat contradict the sometimes voiced opinion that women in the information security industry are more suited to the less technical roles; an opinion that Infosecurity presented to the interviewees and invited their candid feedback.

Although approximately a third of respondents agreed with this generalization, those who disagreed did so with passion.

“The idea that female brains are somehow less suited to technical disciplines than their male counterparts is insulting, patronizing and plain wrong”, asserted Alisha Dattani.

“Generalizations about female non-suitability for technical work have been made for decades”, says Bridget Burke. “Yet, somehow women are successful in technical roles when they decide to pursue them.”

Jane Frankland, of the Jane Frankland Agency, and former owner of Corsair and associate director of operations for NCC Group, points to her children as the perfect example of why she disagrees with the statement. “When I look at my three children, it's my daughter who's really getting the technical side of things. She's only 11 years old, has got her own website and is coding”, she says.

The other side of the argument is presented by Fiona Collins. “I agree that women probably are better than men at the risk management and marketing side. They are more likely to take a step back and look at the wider implications to what they are doing”, she observes.

Anne Wood also believes there is some truth in the argument. “[Information security] takes a certain set of skills and interests that are more commonly found in men. It's not necessarily a discrimination thing, or an environmentally (social) enforced gender stereotype”, she argues.

Painting a Pretty Picture

Being a woman in a male-dominated industry isn’t necessarily a negative, argued many of the interviewees. Indeed, to the contrary, many contended that it is beneficial to be a woman in a ‘man’s world’. During a recent Infosecurity magazine webinar on women in security, the audience of 300 viewers was polled on this very question. Twenty-four percent believe it to be an advantage, 29% believe it a disadvantage and the remaining 47% declared it “irrelevant”.

“I find a male-dominated environment to be empowering. I know that I’m in my position and given more responsibility on merit”, says Gemma Parkes, information security officer for Computacenter UK Ltd, who is now in an, albeit rare, “balanced security team with 40% female colleagues”.

Adrienne Hall agrees. “There are times when you’re the only woman in the room and I see that as an opportunity to stand out. Providing you’re credible, you have a platform that is advantageous.”

Suzanne Lovell is a web developer at Intuitiv. In her experience, “managers are generally keen to have females in programming teams to mix up team dynamics”. Leavy agrees that typical female traits are desired in information security teams. “As women, we tend to listen and ask more questions in order to fully understand each challenge”, she says.

“The value of diverse background trumps gender or geography”, says Hall.

Jennifer Steffens, CEO at IOActive, says she has never felt intimidated, although she does acknowledge that the perception of the industry is one that discriminates. “I’ve always found that knowledge-thirsty people and inquiring minds were welcomed and that gender is irrelevant”. Taking it one step further, Christie Grabyan suggests that to the contrary, “entering a female-dominated industry would be more intimidating.”

Although Konstantinia Charitoudi admits there are “an occasional few that are reluctant to have more women in the field”, she says that most are both welcoming and supportive.

When asked what the best thing is about being a woman in information security, more than one person answered “the same things that are great about being a man in information security”, although Soraya Viloria Montes de Oca concludes that “the best thing about being a woman in infosec is being a woman.”

Other answers included pioneering the way for other women, being memorable, having an instant platform and audience, and, of course, shorter queues in toilets – which at least half of interviewees quoted as a benefit.

“In a previous role, Bill Clinton and Al Gore came to visit. There were thousands of employees who wanted to be chosen to meet them, but I was chosen because I was a female and a minority”, recalls I-Ching Wang, senior director of engineering at Vormetric.

No, I Will Not Make the Tea

Almost unanimous across the board is the acceptance that being a woman in a perceived man’s world requires a more thorough and vigorous ‘proving yourself’ process. “You need to spend more time gaining trust”, confirms Wang.

Whereas some enjoy this challenge and thrive on surprising and impressing their male colleagues, others find the necessity tiring and frustrating. “Any illusion that I’m female ergo can’t know what I’m talking about is dispelled relatively quickly”, claims Anne Wood.

Christy Wyatt, too, believes any initial judgments or assumptions are not “an immoveable object”. She calls it an “underestimation” and recounts various times where people have (wrongly) assumed that her male colleague is “the one in charge”. At Good Technology, where Wyatt is CEO, 27% of total employees are female and 40% of the executive team.

“Your colleagues wait for you to prove yourself in order to accept you, whilst they would take for granted that a male colleague is capable until he might prove otherwise”, Charitoudi says with honesty. Caitlin Rose Johanson also admits that she has “fought to maintain credibility as a subject matter expert because I’m a girl. When those who are too quick to judge actually realize I know what I’m talking about, that’s what I love.”

Few of the women interviewed told tales of direct or obvious discrimination, although more than one mentioned they have been expected to make the tea, have been denied access to mentors, have been excluded from male-focused social events (golf, for example) or have been told to “flutter my eyelashes when I asked for advice on objection handling.”

Brenda Larcom recalls how co-workers at her first job out of school, “could not hear me when I was wearing a skirt. I haven't worn a skirt to work in the 16 years since.”

“The one or two times that I realized no matter how qualified I was, I was not going to be successful working for a particular (male) person, I moved on”, states Patricia Titus.

Of course, there is the argument that any potential gender discrimination or exclusion is not unique to the information security or technology industry. “Exclusion due to gender is sadly a part of nature in the workplace, and it is not exclusive to the technology disciplines”, says Erin Jacobs. “This exclusion has come in the form of not being invited to corporate gatherings that are male-focused. Due to the relationships that are built during these events, it can be a disadvantage.”

Alisha Dattani, too, believes that discrimination is not unique to IT. “There are lots of women in IT – they just tend to be in the less technical and less senior roles. IT is no different from the rest of the corporate sector in this respect”, she says.

Potential discrimination and exclusions aside, 90% of those interviewed said that they do not believe they would be doing a different role if they were a man, although some guessed that they’d be making more money. Louise Robertson, marketing director at Mimesweeper Technology, also believes “men gain promotion quicken in IT”.

“I’m doing exactly what I love to do. Being a man wouldn’t change that”, says Jennifer Steffens.

Leading the Charge

Although progress for increasing the amount of female – especially senior female – information security professionals might be slow and steady, there is optimism and a confidence from most that things are improving.

“There are many more women leading the charge for large global organizations, as CEO’s of vendor companies and as partners in consulting firms, than there were 10 years ago. The Executive Women’s Forum is a testament to the number of powerful, creative, smart, influential women thought leaders in our field”, says Joyce Brocaglia, CEO of Alta Associates and founder of the Executive Women's Forum.

“I spent much of my recruiting career as the only woman in the room and as time went on I got to know more and more women that were becoming indispensable to their companies and obtaining key leadership roles. Although I knew many of the women, it was apparent to me that they didn’t know each other, so in 2002, I organized the first Executive Women’s Forum conference as a safe venue that women could come and learn from each other and build trusted relationships.” Today, the EWF is a community of nearly 1000 prominent women in the field in the US.

“In the US, our last Secretary of State, and the last head of Department of Homeland Security were both women. This sent a very strong message that females can take on the role of protector rather than just the protectee. Female executives are taking on more prominent roles in both government and business”, says Haiyan Song.

Christie Grabyan is of the belief that it will take time for what is a relatively new market to be “marketed and made available to a cross-section of society”, but is hopeful that it will happen. Michelle Schafer also has high hopes for the future, predicting “in the next 10 to 20 years, I think this shift will naturally happen as women see job stability, growth and career opportunities ahead of them in this field.”

An increase in women in this field, says I-Ching Wang, “will be better for women, better for men, and better for the industry”. The footnote that applies to this statement is voiced by Charitoudi: “It’s important to get more females into information security, but it is more important to get the right females into information security.”

Each interviewee was asked to name one person who inspires them in the industry. Fifty percent picked female role models. This supports the majority call for more female mentors in the industry, with a third of interviewees suggesting that “getting a great mentor” is their best advice to any woman thinking of entering the profession.

The (ISC)² Women in Security Group has recently launched a mentoring scheme supporting this call for mentoring women. “This mentoring scheme will support women with all levels of experience by helping them to evaluate their options, explore areas of interest and identify new career paths to meet their professional and personal goals”, says Emili Evripidou, coordinator of the WiS group and information security consultant at EY.

The Smartest, Toughest and Brightest

Erin Jacobs is not wrong when she says “the females that survive our industry are some of the smartest and toughest career women around.”

The information security industry allocates respect based on accomplishment, explains Jennifer Steffens, rebuking the perception of the industry as one polluted by inequality and discrimination.

Consideration of gender, says Adrienne Hall, should be secondary to that of accomplishment or talent. Hall recently won a women in security award at IFSEC 2013.

Although it is argued by some that having a separate award for women is condescending or somehow suggests that women will not succeed in an overall ‘security professional category’, Hall disagrees. “It’s a good thing because it brings attention to the fact that there are successful women in the tech industry. It’s a relatively young industry, so visibility of female professionals is important. The spotlight is on achievement, and the secondary consideration is that you’re female”, she says. “It would be great to have the gender discussion go away and just have people working.”

In time, this could – and should – happen. In the meantime, sharing the stories and accomplishments of the women who make this industry what it is today can only act to encourage more female talent.

 The final word has to go Konstantinia Charitoudi, who says: “It is quite usual to hear in the corridor that it takes a special type of women to join the field”. The forty women interviewed for this feature and the hundreds more researched for this article are testament to this. Ladies, we salute you.