Out & Proud: Being LGBTQ+ in Cybersecurity

Cybersecurity loves an acronym; in fact, very few industries house more of them. So LGBTQ+ and the infosecurity industry should be a match made in heaven, right? Eleanor Dallaway reports.

In a recent poll of the Infosecurity Magazine readership (more than 100 people were surveyed), 43% told Infosecurity that their organization has either a committee, a social group or some sort of initiative specifically for the LGBTQ+ community. Surprised? So were we.

Rebecca Fox is founder of Gray Blue, a digital and technology professional services consultancy. To her, this statistic is a sign of the times, as she reflects on how the industry has evolved. “Six years ago, it would have been incredibly difficult to be out [in the industry] as LGBT, let alone LGBTQ+. [Cybersecurity] was masculine, it was male-dominated.”

In 2018, Fox was interviewed for a broader diversity feature in Infosecurity and identified as a lesbian trans woman. Today, she identifies simply as a lesbian. “I stopped talking about the trans stuff,” she says, “it was so toxic.” Fox has seen change in the last five or six years, but maintains “it takes a long time to change. It’s easier to change the people than try to change the culture with the same people,” she explains.

Rainbow Recruitment

Changing the people, of course, starts with hiring practices and the HR department. Many organizations now include diversity statements in their job advertisements and have diversity targets for new hires. When hiring for Gray Blue, Fox herself “is not a big fan of hitting a quota.” She does not target LGBTQ+ or people of color, but hopes that the networks the company moves in encourage naturally diverse applicants. “We just want the best people for the job, rather than aiming for diversity.”

Christina Luconi is the chief people officer at Rapid7. “You can’t have sexuality quotas,” she explains, “you can’t actively seek out and track sexual diversity, [like you can with gender or race], but you can create an environment where people feel accepted and celebrated for who they are.”

Rapid7 has a core value that it calls ‘Bring You’, encouraging employees to bring their authentic self to work. “As an organization, we’re culture first,” says Luconi. “Inclusion is something we work on every day, creating an environment where people are comfortable to be themselves, and every single person who works there has the same opportunity to create a career of a lifetime.”

Carly Stephens is marketing manager at Dutch cybersecurity company Zivver. When she was interviewed, she made it clear upfront that she had a female partner. She supports the concept of diversity statements in job advertisements, but is reserved in her optimism. “They have to put that; it’s a standard thing that companies do now. It’s not an insult, but it’s a shame when organizations don’t mean it or act on it.” As such, going into a job interview, there is still a question at the back of Stephens’ mind, “so I test their reaction at interview. I don’t want to work for someone who wouldn’t be OK with it, so it’s my way of checking that there won’t be an issue.”

You could then say that when someone from the LGBTQ+ community interviews for a new company, it’s a two-way interview whereby the interviewee is also testing their potential future employer for acceptance and a compatible culture. “Zivver acts on the diversity statement it puts out there,” says Stephens. “You spend five days a week working, so you need to allow yourself to be open. If you’re working somewhere where you fear that they’ll find out you’re gay, then that isn’t the company for you. I class myself lucky that I’ve never come up against anything negative in my career because of my sexuality, and my fiancée has had the same positive experience.”

Fox, too, is “out and proud” and has worked with great organizations that she considers both inclusive and welcoming. “I never hide who I’m dating,” she says, “this is me, and if you don’t like it, I don’t want to be here.”

75% LGBTQ+, 25% Allies

Grizzly Information Security Services goes one big step further. It is a 2020 startup based in California “that came together out of a want to change the way companies build their security teams.” Its staff count is currently 10, and “75% of the company is comprised of and founded by members of the LGBTQ+ community. Of course, the other 25% are allies.” By this statistic, seven and a half of the staff members identify as LGBTQ+. How does that work? “Well, of course, there is bi,” smiles CEO and CISO William Worthington.

Grizzly ISS took the decision to be open and transparent about its stance on diversity and its support of the LGBTQ+ community. “When we actively started supporting these communities, and marketing our company as a supporter of BLM and LGBTQ+, it caused disruption and we parted ways with some people as a result.”

Those that ‘parted ways’ with Grizzly did so in defiance of the company’s outward and vocal support. “They wanted to be neutral, they wanted to sell to everyone and thought us not being neutral would affect that.” However, counters Worthington, “we get to choose who we give our services to, who we are as a company and who we are as individuals. If we can’t be open and show you that, we’re not being honest.”

Any temporary upset in loss of staff is more than countered by the reward of diversity of thought, says Worthington. Company culture is everything: “We ask new members of the team how they want to be addressed, we have a pronoun jar that you pay into when you slip up and then at the end of the week, we get pizza or whatever.” The pronoun jar encourages staff to challenge unconscious bias and encourages positive enforcement.

Safe Spaces & Social Faces

“It’s easy to get people in if you’re actively targeting diverse employees,” says Fox, “but the challenge is in keeping them. You have to make them feel welcome and treat them like an insider.”

For Leon Brown, design director at Tessian, founding a social group and support network for the LGBTQ+ community within Tessian was his way of ensuring that staff who, like him, identify as LGBTQ+ feel welcome and have “a safe space.”

In 2019, Pride month was celebrated by Tessian with a “rainbow-themed social,” recalls Brown. “So this June, I reached out to the director of people in search of something more. We didn’t have visibility of who was part of this community, so we sent out a company-wide email to get that data.”

Brown was surprised that the number of staff who subsequently identified as LGBTQ+ was as high as 10-15%. “We have a low average age in our company, below 30, so it is more likely to have open LGBTQ+ representation, but so many people that did identify I’d worked with and had no idea!” says Brown.

“My first instinct was to reach out to the executive team. They loved the idea but said they weren’t the right people to run it, which I’m grateful for. They understand, they support, but they don’t drive it, so the group feels less corporate.” Brown does add that someone at SLT level, as a member of the LGBTQ+ community, has indeed joined the group.

In its infancy, the committee – which has been named Plus – is open to LGBTQ+ only. “We’re not trying to reject allies, and are grateful for the support, but the [initial] direction has to be driven by the people that identify as LGBTQ+.”

Plus has a three-channel strategy, explains Brown, “education, communication and socialization. At first I worried that no-one would turn up, but our COO said to me ‘you don’t need critical mass, if you feel it’s needed – just go for it.’” The amount of time that has been invested into Plus and the willingness of its members to be open and communicative has impressed Brown.

The Rapid7 team at the Boston Pride parade

Talk the Talk & Walk the Walk

Rapid7 has an LGBTQ+ channel on its company Slack called MoosePride. “The content is self-generated from the community, about half of the people in that group are actually straight,” explains Luconi.

In addition to its Slack group, Rapid7 participates in Boston Pride and has, in the past, sponsored QUEERCON, a hacker party inside DEF CON with the largest social network of LGBT hackers from around the world. “Sponsoring QUEERCON was great for lots of reasons. I’ve seen more LGBTQ+ members in the infosec industry than I have in others. QUEERCON celebrates that commonality, so it’s a great opportunity to meet new people and it shows that Rapid7 cares, walks the walk, and puts its stake in the ground.” Of course, it’s also a great recruiting pipeline, admits Luconi.

“I’ve recently found out that we hired four trans people in the past six months and I had no idea,” says Luconi. “I loved that I didn’t know and I didn’t care. We hire for talent.” She explains that one of these recruits, Jen, joined Rapid7 in the middle of her process of surgeries. “Jen is young, technical and very forthcoming about her story and journey. I was so blown away by her ability to share that we built a friendship and the two of us spoke at QUEERCON together. It’s great to be able to celebrate and lean into those moments,” recalls Luconi.

In a previous role as a CIO, Worthington too had a member of staff in transition in his team. “We brought the team together to change her pronoun to the group and be open about the transition. There was so much acceptance, everybody was supportive and encouraging,” he says.

Spend a Penny

The practical considerations are important too. Rapid7 has gender neutral bathrooms, as well as traditional male and female bathrooms, in its offices. “We do our best to be forward-thinking; the last thing a trans person should have to worry about when they join a company is asking where they can go to the bathroom,” says Luconi.

Tessian’s Brown thinks it pays for an organization to get ahead when it comes to forward-thinking gender neutral (and accessible) facilities. “You don’t want to be in a position where you are backtracking or trying to catch up with diversity. You want them ready for when new recruits arrive.”

Organizations can do more than just flags at Pride events and bathrooms, though. Fox explains how an organization’s social culture can make or break when it comes to welcoming and embracing diversity. “Companies should hold social occasions during the day, not just in the evenings, so that mums and dads can make it. Visit gay bars, the LGBTQ+ community loves for its allies to learn about its community. Make sure your team-building celebrates diversity.” Making the corporate social circle open and inclusive to everyone will help to retain staff, she says.

Inclusive & Progressive

Brown believes there to be a lack of industry-wide LGBTQ+ community collaboration, with most efforts existing internally within organizations. This is something he’d like to see change. “I’d love to see more industry-wide platforms and events that give people a platform and open doors.”

Many smaller companies don’t have the critical mass, and thus bandwidth, to do their own thing, he comments, “so I’d love to see an improved intersectionality between all the different diversity groups coming together to connect these communities.”

Fox also wants to see more inclusive industry-wide events. “Make sure events aren’t just aimed at men, have LGBTQ+ representation and display rainbow flags at events – it makes me feel welcome,” she says.

Although statistics are practically impossible to gather, all interviewees agreed that they believe there to be a greater than average representation of LGBTQ+ in the information security industry. “My expectation of what cybersecurity was going to be like is very different from the reality,” says Brown. “I’ve found it to be an open, communicative and close-knit industry.”

Luconi seconds this. “I’ve worked in cybersecurity for 20 years and both companies I’ve worked for have had a larger than average LGBTQ+ representation.” She attributes this to the “open-mindedness of the industry. Nobody cares as long as you can do the work, cybersecurity is a quirky group of people,” she says.

“With the explosion of digital, we’ve seen a more embracing, more inclusive community,” says Fox. “Beautiful new characters are coming in and the industry has changed.”

Worthington concludes by drawing brilliantly on the tech industry’s ability to change, and indeed flourish with it. “The industry is progressive, it evolves so fast, so change is something that [cybersecurity] people just go with.” As seamlessly and pragmatically as IT has evolved alongside society, it seems to just as progressively have embraced the LGBTQ+ community. Long may the acronym lovers live harmoniously side by side.
