Women in cybersecurity panels aren’t all that rare these days. In fact, I almost skipped the one on the agenda at (ISC)2 Congress in Austin this week because I feel like I’ve been to so many that perhaps I need to take a break.
However, I’d heard two of the panelists speak before (Jennifer Minella and Suzanne Hall) and have always liked what they had to say, so I changed my mind and went along.
Before I go on, I should probably list the panelists. The panel was moderated by freelance journalist Karen E. Hoffman. On the panel were Jennifer Minella, VP Engineering and consulting CISO at Carolina Advanced Digital; Suzanne Hall, managing director at PWC; and Lynn Terwoerds, executive director at Executive Women’s Forum (by the way, if you haven’t been to the EWF event in Arizona, do it, you won’t regret it).
Rather than reporting on the entire panel, which was lengthy (but good lengthy…the panelists were engaging and interesting), I am going to just pick out a few of the more interesting things that were said and share those with you.
According to the latest (ISC)2 Workforce Study, 83% of women in information security said that it wasn’t their first career…
OK, well this one doesn’t personally worry me. Almost all of the men in the industry that I interview say this wasn’t their first career either…
Suzanne Hall: “I’ve never seen news coverage, in the wake of a data breach, comment on a CISO’s educational background until Equifax’s female CISO...and it is horrifying”
Yes, I’m with her on this one. The way Susan Mauldin’s education was picked apart was unacceptable, and her lack of a technical degree was absolutely not the reason for the company’s failure to prevent the breach. “The lesson from this breach should not have been that the CISO didn’t have a computer science degree,” said Hall, “it should be that you must patch.” For more on this, take a read of The Washington Post’s story on it. It’s a great read: https://www.washingtonpost.com/news/the-switch/wp/2017/09/19/equifaxs-top-security-exec-made-some-big-mistakes-studying-music-wasnt-one-of-them/?utm_term=.1fc7ca402677
According to the workforce study, men are four times as likely to be in C-level or executive management positions as women, and nine times as likely to be in manager roles…Is there a thick glass ceiling?
According to Hall, the glass ceiling challenge exists because of unconscious (often subtle) bias. “When CFOs/CEOs/CIOs think about security professionals, they think about a guy. Always. That’s how the media portrays cyber.” Hall says that we need to raise the understanding of unconscious bias and change the mentality.
Minella, who hates the term glass ceiling, had a slightly different take, although she acknowledged that unconscious bias is very real. “Instead of starting from a point of saying there should be no bias, we should accept that from a neuroscience perspective, there will always be bias. It’s part of being human. So we need to acknowledge that there IS bias as a starting point, and then work from there.”
Minella also added that often women just want different things. “Maybe women don’t always want to be that executive. I, for example, am vice-chair of the (ISC)2 board, that’s where I like to work, I don’t want to be the Chair. There’s also family metrics, we can’t ignore that – to be equal doesn’t mean we have to be the same.”
A lot of women drop out of information security mid-career…
Terwoerds explained that the workforce study, and experience from working at the EWF, show that many women drop out of the industry mid-career. “It’s extremely problematic and we don’t really have answers to why. There are educated guesses – that women are struggling to balance child care, elder care.” But the study also shows that almost as many men as women are in caregiving roles in their home, which Terwoerds says is a significant change. Men, however, are not dropping out of the industry at the same rate.
Women work harder at proving themselves in this industry…
“Women do work harder at proving ourselves and making damn sure we know what we’re talking about”, said Minella. “We do things to bolster and improve our professional selves. I did that – I was blonde, in my 20s and female in an IT industry and needed to demonstrate competency.”
Women need more mentors – both male and female.
Terwoerds said she “wouldn’t be anywhere today without her (all male) mentors” who she describes as pivotal. Hall and Minella also agreed that they, too, have had similar positive experiences with male mentors. But the panel acknowledged a call for female mentors for females. “To do this, women have to recognize the role they play in order to be proactive with mentoring”, said Terwoerds.
It’s time to stop portraying the grumpy arseh*le security guy as our industry mascot
Minella concluded the session by arguing that in order to attract women to the information security industry and retain them, we need to change the way we market ourselves. “We market with images of ninjas, pirates…at least we have unicorns now too,” she said. “If our industry had a mascot or personality, it’s the grumpy, skeptical paranoid guy or the guy in a black hoodie in a basement…who wants to walk into that? Nobody! Nobody wants to be the grumpy arseh*le with no life work balance”.
Touché Jennifer Minella, touché.