So, I should probably begin with a disclaimer. I am a woman working in the infosecurity industry, which arguably makes me biased, but certainly puts me in a position to comment on this much-debated topic: the lack of women in information security.
At the RSA Europe conference in October 2012, I attended a panel called ‘Why women are key to the future of security’. There were some disapproving – dare I say feminist – murmurs about how the title should have been ‘Why people are key…’, but that’s just equal rights gone mad. For the sake of clarity and to arouse interest in the session, the title needed to reflect the discussion at hand.
On the panel were four very successful infosecurity professionals, who all happen to be female: Neira Jones, Lisa Lee, Laura Mather, and our very own editorial board member, Patricia Titus.
A few statistics first: While women buy 66% of PCs and start 70% of new businesses, only 10–11% of information security professionals are female. So why the gap? Titus believes that, traditionally, men focus on “hacking and the threat-scape”, while women excel at “policy and risk management. At Symantec, we’re looking to balance threat responders and policy/risk management teams so there is an interface between the sexes”. Within Titus’ team, she has 15 women and 18 men reporting into her. Perhaps, since this does not reflect industry statistics, this is a sign that women are more likely to hire other women?
Lisa Lee argued that women in the industry are “over-mentored and under-sponsored” and believes the industry is doing a bad job of marketing itself to young women. A shame, she said, because “women are natural problem solvers”.
Neira Jones agreed with Lee regarding the marketing of the industry. “We need people who can communicate [the industry] in an attractive way. Communicating it in an unattractive way could cause a lot of damage”, she predicted. Perhaps the scantily clad women who are ‘exhibited’ at various industry conferences and vendor parties are part of this ‘communication problem’.
So far, so good – a collection of uncontroversial, justifiable opinions. That is, until one (male) member of the audience – who I shall not name – came out with the following: “The problem starts at parenthood. We should not be conditioning girls to be traditionally girly. That’s why we don’t have enough women in the industry”. Ah, there it is, the comment I was waiting for to make my blood boil.
It turns out the comment inspired the same outrage from Lisa Lee. “I don’t have to lay my womanhood down to be in the industry”, she replied. “We all have our nails done, we wear nice shoes. I don’t have to give up my feminine side to be good at my job in this industry.” Lisa, I couldn’t have said it better myself.
The following week, I attended an industry advisory committee meeting. The committee was made up of 17 men and one woman. The topic of women in the industry came up again. The consensus of the committee was alarming.
They agreed that we should be encouraging more women to enter the industry because the skill requirements are increasingly less technical and more about risk management and business acumen. While the first part of this argument is stellar (we should be encouraging more women to enter the information security industry), I object to the suggestion that women are non-technical and that they should only be encouraged to enter into the risk management space. How condescending.
The question is not whether we have a lack of women in the industry – we do. The real question should be how can we encourage women to enter the industry, and by typecasting them into non-technical roles, and continuing to promote ‘booth babes’ as a good marketing technique, the information security industry will continue to alienate female graduates and talent.
At the end of the day, we shouldn’t be encouraging people to enter the industry because of their sex, we should be encouraging talent. I, for one, believe if recruitment was based on skills and talent alone – and there was no predetermined stereotype perceiving the industry to be a man’s world – that the percentage of women in information security would supersede 10–11%.
I take my hat off to the four panelists and the rest of the inspiring and very talented female information security professionals in the industry, who continue to prove that you don’t have to act like a man to make it in a man’s world.