For me, the name Coleen Shane was always synonymous with #InfosecBikini. Her legacy may be tantamount to a black swimsuit (and she’s cool with that), but there’s so much more to this Quick Quack Car Wash network security engineer from Minneapolis.
For one, she’s a trans woman in cybersecurity. Two, she’s from an under-privileged background – or, in her words, “I come from the hood” – and three, she didn’t graduate high school. That’s three big ticks in under-represented groups in infosec. It’s no wonder she’s so passionate about diversity, but we’ll come to that later.
We meet at the Carousel next to the Moscone Center. The sun is scorching, we sip on iced coffee (me) and Coke (her), and I am utterly in awe of how open, honest and articulate Coleen is. It’s Coleen’s first RSA Conference and she gasps when I confess it’s my thirteenth. “I expected it to be stodgy and uptight,” she confesses, immediately adding, “to a certain extent it is, there’s a lot of suits.” We’re at a table looking down at the entrance to the Moscone, watching a sea of suits entering and exiting the conference center.
She draws a comparison with DEF CON. “There, you get the purple-hair brigade, the non-binary, the more diverse people of the industry. You get the lower-level people, the hackers and as such, the less represented people are represented.”
Management roles in the industry are occupied by a far less diverse crowd, says Coleen. The higher you climb, the fewer diverse faces you see. She does express surprise, however, at the number of women at RSA in management roles. “Representation matters; being at events like this just reinforces how important representation is.”
Earning Those Greys
Coleen raises the lesser-discussed issue of age diversity; a topic being tackled in the upcoming Q3 issue of Infosecurity Magazine. “We want and need younger people, but so many older people are also bringing gifts to the table. I’m coming up to 48, I’m earning these greys and I don’t want to feel like I’m aging out at all.”
She notes that there are friends of hers on Twitter who are feeling the repercussions of age discrimination.
Coleen’s greatest hurdle when it comes to breaking down diversity barriers, however, is undoubtedly being a member of the transgender community. “As a transgender woman, I’ve definitely felt that there has, at times, been an unwillingness to give me a role.” She recalls an interview a decade ago when the interviewing manager asked her what excited her about the opportunity to work for that company. “I said that the company was representative of the LGBTQ+ community and I felt like I’d be safe and welcome there. I saw the change on his face immediately. He didn’t offer me the job.” The recruiter fed back that the team loved her, but they were looking for a more experienced candidate. “I think it was just an excuse,” she says. “After all, people feel comfortable hiring people like themselves. He couldn’t relate to me.”
We agree that it’s important to hire different types of candidates to expose your blind spots. “Take a chance on people,” she says.
Coleen tells me that the trans community in the cybersecurity industry is far from small. “I know a ton of trans people in this industry. The life we’ve led has steered us to security,” she contemplates. “So many still in the closet reach out to me privately, it’s not just the ones that are out.” She adores this role, a confidante for those grappling with their identity and coming out. “I love to be able to talk to them, it warms my heart.”
I tell her she must be a role model to many, and she grins. “Some people are afraid of coming out, that’s why I try to be out and as proud as possible, to take the heat for them.”
Why does the life of a trans person lead so often to this industry, I ask? “It’s because we’ve had to deal with risk. Always wondering ‘Am I safe? Where’s the exit? Do I feel threatened?’” That is certainly true in the Mid-West, she adds, “and I’m afraid to travel in the South. When I speak, it pisses people off. It shatters the illusion [for them] or their desire.” Coleen took the decision to keep her voice, “it would feel contrived to change it,” she explains, “It would make me feel like I’m becoming submissive.” Another thing she has kept is the name “Dad.” Coleen has a son and daughter, 24 and 28, “and I didn’t want to take the name Dad away from them,” she says.
“From the Hood”
Coleen grew up in Indianapolis, but more specifically, she calls it “the hood.” She refers to high school as a “tremulous” time and recalls that her parents were never around. “There were girls to chase at school, my dad didn’t pay child support, there were food stamps, and we were constantly being kicked out of houses and hotels when mum couldn’t pay the rent.”
She credits her ex-wife for pulling her “out of the hood. Actually, we pulled each other out,” she adds.
Her background starkly contrasts that of the average cybersecurity professional, she says, considering that “most come from privileged backgrounds, or at the very least, parents who were present and able to put them through school.” She says that at DEF CON, you find the exception, home to people from all backgrounds. “The purple-hair hackers have different stories,” she says warmly. “There’s way more diversity at DEFCON, a representation that is exciting. There you can find the up-and-coming talent, the ones that will be making decisions in suits at RSA in the future.”
Given the picture that she paints of her childhood, it’s surprising and encouraging that she has got to where she has, living in San Diego and working in a great job. “Computers were my hobby, and I went back to school in 2008, getting my degree in computer science in 2013.” Not having a degree was holding her back, she recalls, “it was wrong because I had the experience and the contacts, but the hiring managers’ hands were tied. That’s common now, hirers demanding a CISSP or a master’s in science. It is so narrow-minded and short-sighted.” I couldn’t agree more.
Felt Cute, Won’t Delete Later
Finally, we land back on #InfosecBikini, a decision and thus a movement that put Coleen on the map, so to speak, but also had a progressive impact on the industry. For anyone cut off from the internet in June 2021 (and given our line of work that’s probably very few of you), let me catch you up.
Coleen posted a photograph of herself in a black bikini on her Twitter account, “why? Because I was on the way to the beach and I felt cute as shit that day,” she laughs unapologetically. “I thought I’d get the usual 20 or 30 likes,” but instead, the post went viral after “that comment from the dude.” She is referring to his comment that there was “no warning” for the image, intimating that “otherwise respectable people” should not be posting such pictures.
“The double standard really got to me. You see buff guys lifting heavy weights getting nothing but praise. Yet only women get berated for posting non-infosec content. That type of treatment never happens to men. I thought ‘screw this double-standard.’”
Coleen wasn’t alone in that thought. The information security industry, almost entirely united in its support of Coleen, started posting photographs of themselves in bikinis (men too!) using the hashtag #InfosecBikini. Publications and bloggers around the world wrote about the viral campaign. “I couldn’t believe the impact, it woke people up and made a real difference, a real impact.”
She did address a disappointing aspect of the campaign. “Some people did it just to be seen doing it, fake support from some people that I know don’t like me. But there was definitely more support than not, and the footprint is still growing.”
Coleen’s story has recently appeared in the book Reinventing Cybersecurity, the first cybersecurity book written entirely by women and non-binary experts. “When I wrote my chapter, initially the bikini part was red-lined, but I pushed back because it was a huge part of my story. The editor told me to chill and assured me that story would go back in.” As I said at the beginning, Coleen is synonymous with #InfosecBikini and she’s, rightly, proud of that.
So, does Coleen still post bikini photos? “All the time,” she grins. “I’m single so a big motivator for me is to post pictures.” That black bikini may have catapulted her to a higher follower count and boosted her name in the industry, but her talent as a security engineer and her admirable transparency and candor has earned her the right to stay. Here’s to Coleen and that notorious black bikini.