The Story of the EC-Council Gender Survey Scandal: Survey Creator Says "It Was Written by Women so it Can't be Sexist"

On Friday 09 April, EC-Council pushed out a ‘women in security’ survey poll on LinkedIn with three abhorrently sexist answer options. As the information security industry rallied to criticize this action, EC-Council blocked those daring to challenge and the subsequent outcry has dominated industry Twitter feeds. Eleanor Dallaway investigates…

It takes a lot to get me working on the weekend (I’ve got young children demanding my attention almost every waking moment of the day), so kudos to EC-Council for doing just that. That will be the last kudos I afford them, however.

If you’re a part of the information security community, unless you’ve been hiding beneath a rock or have lost all internet connection for the past 48 hours, you’ll have read about what can only be described as a catastrophic PR fail and abhorrent lack of judgement from cybersecurity technical certification body, EC-Council.

With just one survey question pushed out to their networks, EC-Council have demonstrated exactly why gender diversity and gender equality is still high on the agenda for the cybersecurity industry.

So, what happened? 

On Friday April 09, in (an ironic) bid to promote an upcoming women in security webinar, EC-Council published a survey question on LinkedIn. I’ve shared the original tweet (Figure 1) as you have to see it to believe it. They asked: “What according to you are the most common challenges faced by women in the cybersecurity domain?”. The multiple choice answers? A: “Only men can do this job”, B: “Women can’t handle this job”, C: “Women aren’t encouraged enough.”

Figure 1: The controversial survey question from EC-Council, published on their LinkedIn page
Figure 1: The controversial survey question from EC-Council, published on their LinkedIn page

We’ll get into the problematic (to say the least) answer choices shortly. What happened next is arguably just as shocking…

On seeing this question asked, many members of the infosec community called out this inexcusable survey question, responding to EC-Council with feedback and many calling for an apology, or at the very least, an explanation. Complaints were forthcoming, not just from women, but from everyone, united in disbelief and anger.

Wow, this can’t get any worse, right?

Wrong. On seeing the commotion and backlash, EC-Council responded by deleting and blocking those speaking out against them – but, from what I’ve personally seen and have heard from others, they only blocked women.

Of course, these women then shared screenshots showing that they’d been blocked by EC-Council which obviously and inevitably led to an even stronger uproar and outcry (Figure 2).

Sorry really was the hardest word

Twitter investigation shows that there was, on average, about a nine-hour time period between the blockings and subsequent un-blockings and apology from EC-Council. Initially (within the first 24 hours) a personal apology was made to only one person, and call me cynical, but is likely no coincidence that it was to Alyssa Miller (@AlyssaM_InfoSec), who has a magic blue tick and a substantial 36k following.

Figure 2: EC-Council begin to block people who call them out on the offensive survey question
Figure 2: EC-Council begin to block people who call them out on the offensive survey question

Furthermore, a formal statement (Figure 3) and apology (Figure 4) came from EC-Council CEO Jay Bavisi around 24 hours after the original survey post. He blamed the delay on time difference (saying he is not currently in the US time zone and the events occurred at 3AM his time). This is what Jay Bavisi had to say:

“I woke up this morning to a major shock (I am not in the US time zone at this time). There was a major blunder committed by one of our team members from the social media team and frankly, it should not have happened.

We inadvertently published a poorly worded version of a survey that did not get QC approval on LinkedIn, and the problematic language was appropriately pointed out by some of our followers. The criticism was shared on Twitter and an over-eager team member panicked (worried about a reprimand) and responded by blocking the posters of the comments - which isn’t something we condone and is without doubt, not in line with company policy. As soon as we learned this, we immediately unblocked those accounts and issued an apology.

Blocking valid opinions is not cool, and frankly, I am flabbergasted that our internal QC processes were sidestepped and caused pain to members of our community.

EC-Council is a multiracial, equal-opportunity, global organization with team members that speak dozens of languages and we pride ourselves on being a member of the infosec community with the goal of making this world a better, more secure place.

As the CEO, I wish to personally apologize and take full responsibility.

We need to do better. We can do better. We will do better.” 

So, how exactly has that gone down?

Hmm. Reading through the comments and responses to the apology, there’s a sea of cynicism, disapproval and discontent. Other tales of EC-Council’s somewhat controversial decisions in the past (See Figure 5 – I simply can’t find the words to talk about this whilst remaining professional) have resurfaced, alongside a renewed feeling of disapproval for the certification body.

Figure 3: EC-Council issues an official statement
Figure 3: EC-Council issues an official statement

Of course, some are coming out in support of Jay and the Council but it’s fair to say those voices are being drowned out by the majority.

We’ll take a more detailed look at this apology - I’ve invited a few industry commentators to help me dissect it - shortly.

When I decided to write about this “major blunder” (Jay’s words), I debated whether to write it as news or a blog. I chose the latter as I didn’t cherish the idea of reporting the incident without allowing my own opinion to seep through. It’s a topic close to my heart and close to a LOT of hearts, so I think a more personal approach is more appropriate.

I contacted Jay Bavisi, CEO of EC-Council, when I decided to write this piece, to give him the opportunity to provide further comment, fill in any gaps and add to the statement he has put out. His response? “I don’t understand your message. Which survey are you talking about?” If I could enter the mind-blown emoji here I would.

Later on, Jay messaged again: “I just realized you must be talking about the Twitter issue? Would you like to talk to me?” I said I would like to talk to him and that I was surprised the survey had slipped his mind. “It slipped my mind as I know a few Eleanors and could not place you immediately. Apologies.” Anyone else as confused as me? (I contacted Jay directly on LinkedIn, so my profile was there to view in the event that I could not be placed immediately or in case which Eleanor I am makes a difference to whether he knew what survey I was talking about!)

Anyway, what transpired is that Jay rescinded his offer to talk to me “as it’s the weekend and everything is slow,” but did offer to answer any questions via messenger. He said that “there are more details than what you see in my LinkedIn statement.”

I asked him to expand on this and he emailed me some new commentary, except it isn’t really new, it reiterates the points in his original apology and adds some detail around the programs, courses and initiatives that EC-Council have executed around women in cybersecurity. He writes: “EC-Council fully supports the inclusion of women and people of diverse backgrounds in our company and our industry. Indeed, we intended this survey to uncover – and begin to redress – the barriers and biases that prevent women from pursuing careers in tech and cybersecurity.”

Figure 4: EC-Council CEO Jay Bavisi issues a personal apology
Figure 4: EC-Council CEO Jay Bavisi issues a personal apology

I do respect that Jay is now (albeit it a little late) actively engaging in the conversation around this, taking ownership and is making a commitment to talking to those affected, improving and making the needed changes. I have watched Jay keynote multiple times and have interviewed him once or twice, and he has always been pleasant and passionate about industry. I’m disappointed with his email to me as it seemingly strings together random generic statements. Saying the right thing is the bare minimum, however. Doing the right thing and making the right changes is what matters.

Ill-crafted, facile, insulting…I could go on…

Alyssa Miller, hacker, researcher and security advocate, was initially alerted to the survey question by @invertedgeek, who posted a screenshot of the question with the caption: “Good morning and Happy Friday to literally everyone except whoever at EC Council posted this hot ass garbage on LinkedIn.”

Miller refers to the poll question as: “ill-crafted and horrendously misogynistic. It minimizes the real issues women face; active discrimination, toxic behaviors of abuse and harassment in the tech industry, and systemic forces that push or keep women out such as pay inequality. The third answer (‘Women aren’t encouraged enough’) implies that women are somehow less capable unless given extra attention and ‘encouragement’. It persists the idea that women are lesser than men and need special help from men to be successful. The only help women need from men is to end the issues I just mentioned. To be allies of equality and take real action to end the toxicity.”

"This poll came wrapped up inside a post inviting the community to attend a webinar moderated by, and paneled with, women, which is a huge slap in the face to them," security analyst @invertedgeek tells me. "The wording of the answers was such that I cannot imagine that a woman was involved at any stage of that poll being created or approved." Whilst this is a perfectly understandable assumption, spoiler, @invertedgeek and the hundreds of others who expressed a similar sentiment on Twitter called this one wrong. I'll come back to this shortly. 

Rik Ferguson, vice president security research at Trend Micro, considers the survey question “facile, extremely loaded and insulting. It would be entirely reasonable to paraphrase the available answers as 1: Women are physically incapable 2: Women are mentally incapable 3: Women can only function if they are encouraged.”

Out of the frying pan into the fire

I could share many more quotes on the fault with the survey question and unpick it in greater detail, but I’m guessing I’d be preaching to the choir. So let’s move on to the response by EC-Council and the cultural concerns that this represents. As @invertedgeek puts it, “the company’s response only threw gas on an already raging fire.”

Figure 5: In 2015, EC-Council presented this advice to members. Jay Bavisi tells Infosecurity: "That was in 2015. The leader of the team is no longer at ECC. Extensive training was provided to the program teams to ensure they understand that any form of bias will not be tolerated". (Photo credit @MorbitCuriosity))
Figure 5: In 2015, EC-Council presented this advice to members. Jay Bavisi tells Infosecurity: "That was in 2015. The leader of the team is no longer at ECC. Extensive training was provided to the program teams to ensure they understand that any form of bias will not be tolerated". (Photo credit @MorbitCuriosity))

“The blocking of accounts critical of EC-Council was probably the most damning part of this whole thing,” explains Miller. “Any company with mature crisis communications practices knows the way to respond is to be openly conciliatory and take actions to remove or revise the post. By blocking accounts, it sent the message that EC-Council was not interested in hearing criticism and that rather all they wanted to do was silence it. The quiet deletion of the post without public acknowledgement only reinforced this message. I know for me and others, seeing that they blocked us rather than respond to our criticisms was particularly infuriating.”

“The resultant blocking of accounts on Twitter, many of which were respected security professionals who recognize themselves as being female, only reinforced the tone of the questions,” Brian Honan, Founder of BH Consulting, tells me.

“EC Council handled it badly, very badly, from the initial post through to the disastrous panicked blocking, and even the final CEO statement leaves a lot to be desired,” agrees Rik Ferguson. “The CEO apology blames ‘an over eager team member’ and exposes a culture of fear within EC Council, and rash actions taken for fear of a reprimand.”

“It’s terribly concerning that one of [EC-Council’s] team was so afraid of the consequences that they acted unilaterally and with such haste,” adds Miller, who believes that the culture created by EC-Council is the reason behind such a poorly worded survey question which “didn’t just come out of thin air. This wasn’t the first time that EC-Council has been embroiled in controversy over discriminatory and exclusionary behaviors. Clearly any efforts that were made to resolve those situations were not sufficient.”

The formal statement and apology triggered criticism from the industry that this was too reminiscent of “blame the intern”, a phrase heavily associated with the Solar Winds cyber-attack.

In his email to me, Jay Bavisi wrote: “We are still investigating the act of blocking of some of our community members (which we immediately reversed and unblocked as soon we learned about it), and are working to enhance our community moderation processes…I must make it clear – we take full responsibility for a judgement error by an individual / individuals.”

Plot Twist

So here’s where the plot twist comes in…Just as I was adding in the final touches to this article, I received a response from my DM to the EC-Council Twitter account, asking for further comment. It was from Seemaa Bhatia, digital head of EC-Council, telling me that she is responsible for the survey question. For the record, I do appreciate her contacting me. “The survey was conducted by our all-female team of digital marketing for the all-women webinar panel on the topic of Women in Cybersecurity.” Does anyone else have raised eyebrows right now, or just me?

This wasn’t the first time that EC-Council has been embroiled in controversy over discriminatory and exclusionary behaviors. Clearly any efforts that were made to resolve those situations were not sufficientAlyssa Miller

“It hurts me when the entire company is called sexist when it was a genuine mistake from my team. I am a woman, and it was under my responsibility that the message was crafted by an all women team. I am sure , you'd understand - the post cannot be sexist coming from all women teams - Its only a human error - far from what is being projected , not to say we didn't goof-up. The Social Media manager is a new employee who is also a woman and she missed the SOP / established approval process. It was a mistake which we are fixing. We will tighten our processes to ensure this is never repeated.” This is a direct copy/paste, so I haven’t corrected grammar.

So, Bhatia claims that this can’t have been sexist because it was written by women. I whole-heartedly disagree, and sadly, her message (Like Jay Bavisi’s ‘what survey?’ message to me), has only reinforced my opinion that EC-Council is yet to fully appreciate or take ownership for the level of damage that has been done. If day 1 of this “blunder” was about blocking people to ‘hear no evil’, perhaps this represents the next stage of ‘see no evil’.

I have an issue with some of the language used in the apologies and messages coming from the EC-Council. “Goof-up” does not appropriately describe the destruction caused. “Not cool” from Jay Bavisi’s apology is colloquial and in my opinion, plays down what has occurred. Perhaps it’s in a bid to be relatable, but personally, I think it misses the mark.

I also spoke to @invertedgeek – the first person to post uproar with the survey – and she has similar concerns regarding the choice of words coming from EC-Council. “Jay’s words of ‘a poorly-worded survey’ also hit all wrong as I would have liked to see an admission of the fact that it was blatantly toxic and misogynistic. Saying that it was poorly-worded assumes that there is a better way to state something. There is no better way to state any of the options given in the poll. It was not poorly worded. It was entirely insulting, wrong, and a huge step backward. One important aspect of taking responsibility is being able to call a spade a spade, and I do not feel he did that.”

 Mistakes are a fact of life…

…it’s the response to error that counts, said poet Nikki Giovanni. I think it’s fair to say that to date, the response from EC-Council has been more that somewhat lacking, but I, along with many others, hope that this isn’t where the story ends.

Jay’s words of ‘a poorly-worded survey’ also hit all wrong as I would have liked to see an admission of the fact that it was blatantly toxic and misogynistic. Saying that it was poorly-worded assumes that there is a better way to state something. There is no better way to state any of the options given in the poll. It was not poorly worded. It was entirely insulting, wrong, and a huge step backward@InvertedGeek

“There should be a message on the EC-Council’s home page on its website outlining what went wrong, but more importantly what steps will be taken internally to deal with the organizational culture that made various members of staff feel that how they behaved was an appropriate way for a professional body in the 21st century,” says Brian Honan.

“I believe what needs to happen is that EC-Council have to make a tangible commitment to fixing their culture,” Miller explains. “If they were to terminate the employee in question, I feel like that would be the very worst possible outcome. That will prevent this being a learning and growth opportunity. Instead it would merely reinforce the fear-culture that the CEO himself indicated led to the poor actions in response to the public backlash.

“I want to see EC-Council set very tangible goals and build a program to address their culture and attitudes. I want to see them be open about their efforts and provide regular public updates on their progress. Their remediation efforts don’t need to be immediate, they need to be lasting and meaningful,” Miller adds.

Ferguson, too, wants to see big change. “I’d like to see a massive reshuffle of management, resulting in a 50/50 gender balance and a commitment to respect that moving forward, and scholarships to encourage under-represented groups into the industry.”

Alyssa Miller and @invertedgeek tell me about a high-school student who tweeted that this reckless survey has negatively changed her opinion of the industry she is so passionate about. This is just part of the collateral damage done. Further, explains @invertedgeek: “There have been many industry newbies who have come forward expressing that this situation has left a strong distaste in their mouths for even joining this industry. We are in a time in this industry that we need more fresh blood. Now is not the time to be scaring or turning people away with more drama and toxicity — especially from an organization that provides education and certifications.”

When we’re talking about something that is acting as a barrier to much-needed talent coming into our industry, expressions like “goof-up” don’t really cut the mustard. “We’re weaker today than we were yesterday as a result of this situation,” says Miller. “But we will overcome, we’re resilient and we will get better as an industry with or without EC-Council joining us for that ride.”

What better words than to end this surprisingly long and in-depth blog on? Thanks for reading.


If you've been affected by this survey, or any similar issues, and want to get in touch, please contact eleanor.dallaway@reedexpo.co.uk 


What’s Hot on Infosecurity Magazine?