R-E-S-P-E-C-T in S-E-C-U-R-I-T-Y

Written by

Harassment has devastatingly become more endemic in the infosecurity industry, but Respect in Security aims to fetter that. Eleanor Dallaway meets with its founders to learn more

Respect in Security. Three words and a concept so important and necessary that it seems, well, a little obvious. Except, sadly, it’s not.

In April of this year, I moderated an online harassment panel at Cyber House Party. I had recently written a feature, ‘Trolling, Sexual Harassment and Murder Threats: The Dark Social Web,’ and conducted multiple interviews with victims of harassment. It was jaw-droppingly shocking, and I soon learned that the term ‘troll’ does not do justice to much of the abhorrent behavior taking place in the industry.

It was watching that Cyber House Party panel and listening to one of the panelists from my session, Lisa Forte, unveiling the many ways in which she has been harassed as a prominent figure in the information security industry that caught the attention of Rik Ferguson, VP of security research at Trend Micro.

Until this fateful day in April, Ferguson admits to “living in a bubble of blissful ignorance,” but that bubble was well and truly popped. “I could not believe it,” he recalls. “I had a phone conversation with Marc Avery (co-founder of Respect in Security) and asked ‘what can we do?’”

In the past month, the #infosecbikini movement was born due to InfoSec Bad Girls founder, Coleen Shane, receiving backlash and criticism when she posted a bikini photo of herself on Twitter. In the same month, two separate industry professionals resigned from public speaking because they were made to feel unworthy. “I don’t know if the abuse is increasing or if I’m just more awake to it now,” ponders Ferguson.

From small seeds grow mighty trees, goes the saying. If Forte’s candid chronicle was the seed, then Respect in Security — a new initiative to support victims and encourage coordinated industry action to tackle bullying and harassment — was set to be the mighty tree. At least, that’s the ambition of its eight co-founders.

"Approximately a third of cybersecurity professionals shared personal experiences of harassment online (32%) and in-person (35%)"

“I can’t remember exactly how we came together as co-founders, but what I will say is that it was a natural, organic process,” says Ferguson. He refers to Sean Atkinson, Marc Avery, Regina Bluman, Lisa Forte, Chris Hepple, Clive Room and Nikki Webb.

Trollers Gonna Troll, Troll, Troll 

Respect in Security engaged Sapio Research to poll 302 industry professionals (male, female and non-binary) across multiple age groups, organization sizes and levels of seniority. The results were not a pretty read. 

Approximately a third of cybersecurity professionals shared personal experiences of harassment online (32%) and in-person (35%). Of those that reported experiencing in-person harassment, most said it came at industry events (36%), in the office (47%) or at work socials (48%).

“The trolling is indiscriminate,” says Forte. “It’s not just women; it’s open to anyone with an online profile.”

The research results speak to the need for action. Respect in Security will urge employers to pledge support for a workplace and community free from harassment and fear. “This isn’t designed to replace what we’d expect of a code of conduct that would come out of HR,” explains Ferguson. “It’s about a commitment to eliminate harassment, to guarantee to take reports of harassment seriously and recognize that the employees bringing it to your attention aren’t disloyal. It’s a promise to make that grievance procedure public.” 

What Respect in Security isn’t is a reporting platform or investigative organization. Instead, it signposts all of the relevant resources already available to help victims of abuse, be it online trolling, physical abuse, intimidation or social exclusion. This includes links to relevant law enforcement, advice, mental health help, etc.

“It’s really positive, not just for the victims, but for companies to have a framework for investigating reports of harassment,” Regina Bluman explains. “It’s topical talking about this after the abuse that England footballers and Lewis Hamilton recently suffered online. With a framework in place, companies won’t have to scramble to find the best ways of handling a situation [when it arises]. Respect in Security is there to provide structure and support.”

That formalized structure, according to Forte, is best practice. It’s a better alternative to responding to trolls, engaging with them, or causing a Twitter pile-on by deliberately or inadvertently setting friends or networks on a manhunt slaughter mission. “It’s important to get away from that mob mentality that can happen on Twitter, because in a sense, that’s snowballing it. There’s a right way and a wrong way of reacting to trolling.”

“I’ve been guilty of those pile-ons,” admits Bluman. “You want to defend your mate, and then suddenly it turns into a beast of a thing. We need to call that out, not get involved with posting screengrabs, and stop encouraging people to pile on.”

“The trolls are designing that reaction,” adds Forte. “You’re playing into their hands by amplifying that drama, and that’s why we need the right — publically available — policy and procedures in place. Do not engage the trolls, do not ask your friends to engage the trolls.” If the troll in question works for a company that has taken the Respect in Security pledge, then you should report their behavior to their employer. If not, you should still approach their employer, or in extreme cases, law enforcement.

Be Part of the Mission 

Respect in Security has two primary goals. The first is to recruit organizations to take the pledge (their target is 50 plus by the end of 2021), and the second is to be as visible as possible in order to signpost resources and support for victims.

“The wider the pledge becomes, we go a longer way towards creating an industry free of abuse,” says Ferguson. “It concerns me that I work in an industry where there’s too much quiet, too much acceptance that [harassment is] just banter — it isn’t just banter. Silently condoning the actions of the abusers is not OK.”

Respect in security, the founders tell me, is a global problem. Abuse has no homeland, so the objective is to have Respect in Security as a globally recognizable aspiration for companies. From a UK perspective, the founding team will point to geographically relevant resources, but with the hope that groups of people worldwide will do the same, taking Respect in Security into their own jurisdictions and geographies.

So who can get involved? “Our target is everybody,” the founders tell me. “It’s important to get the bigger companies on board as a green tick rubber stamp for the smaller organizations,” says Ferguson. “At the other end of the spectrum, the smaller organizations are less likely to even have an HR or legal department, so being able to offer them a pledge template and the materials is extremely important and worthwhile.”

"It concerns me that I work in an industry where there's too much quiet, too much acceptance that [harassment is] just banter - it isn't just banter"

Individuals, too, have a part to play in this. “We want people to become a supporter of our mission statement,” explains Forte. “Just take responsibility for yourself. Pledge to not behave in an unacceptable way. We can all control our own behavior.”

Pledge templates, badges, social media frames, banners and other assets are available on the Respect in Security website (www.respectinsecurity.org). Bluman shares that community sessions will also be organized. “We want to hear from everyone across the industry. We want to hear those stories. We don’t want this to be an echo chamber.”

“Respect in Security isn’t about reporting your story, but it is about telling it,” adds Forte. As the inspiration for this entire movement, it’s important that I conclude this article with Forte’s words. “One of the side effects of being a victim of harassment is to feel out of control,” she says, “and we’re trying to give victims the control back.”

There’s no disputing the need for Respect in Security, as sad as that is. In fact, the industry is crying out for it. Take that pledge as an individual, campaign for your organization to take it too, and let’s give power back to the victims.

How to Convince Your Organization to Take the Pledge:

  1. Retrieve the content of the pledge from www.respectinsecurity.org
  2. Find out who to contact in your HR and legal departments
  3. Attach the pledge to your email. Clearly explain what you’re asking your organization to do and why it’s so critical. Articulate that this is an industry-wide endeavor, opening up zero tolerance publically
  4. Don’t give up

What’s hot on Infosecurity Magazine?