That there is a dearth of women in the Information Security (InfoSec) community is not news. The news would be if that number were to ratchet up to fifteen or twenty percent, in keeping with the growth that other STEM positions are close to hitting. Women make up only 27% of the population in Science, Technology, Engineering and Math (STEM) careers; 12% of the computer science degree holders were women according to a census in 2011. The number of women currently holding positions in Information Security is a marginal 10-12%. Even as other areas of STEM show an improvement in numbers, the Information Security field remains stagnant.
It is easy to look at these numbers and agree with InfoSec professionals retort that women just are not suited to this kind of work. They cite a lack of women in university courses, training events, and conferences as a sign that women do not seem interested and/or incapable of producing the kind of results that the job requires. Sure, women might start in the industry and if they disappear, the reasoning falls along the lines of imaging they left to start a family or something along those lines. Looking inward, to assign blame, is often quite difficult and not the most natural, first reaction.
“The shortage of women in the field creates a vicious cycle. The profession is seen as unwelcoming by women first choosing a career. And women who are already in the profession can find themselves singled out and stereotyped. That, in turn, makes women feel devalued and passed over for promotions, and means that they are more likely to leave their companies”, according to a recent report from the Anita Borg Institute.
The misogyny is not necessarily entirely mean-spirited and the perpetrators may firmly believe that there is nothing wrong with their behavior. However, after attending Beyond The Gender Gap: Empowering Women In Security at Black Hat 2015, and talking to the four women at my table, it became clear that this is an ongoing/recurring issue. The offenses listed by my table companions, women employed at such companies as Microsoft and IGX, range from what some call passive misogyny which includes:
- companies sponsoring competitions offering prizes that are only suitable for male contestants,
- assuming that if a woman is present at an interview/meeting she must be the project manager, or human resources liaison or quite possibly even the secretary duty bound to fetch refreshments,
- not addressing sexist language/objectionable materials in the work place,
- and using gendered language in their job proposals.
They also cited more active forms of misogyny that include but are not limited to:
- being passed over for advancement,
- and actively denied mentorship.
All of these issues seem to occur as a default to the expectations of former societal norms with outdated expectations, and a focus on exclusivity rather inclusivity. Why bother promoting or investing in a woman, as she will doubtless leave to start a family and default on the investment of on-boarding her in the first place?
If a woman does manage to brave the obstacles against her, the path does not become easier, but presents only new difficulties. Recently, the #ILookLikeAnEngineer campaign highlighted some of the key issues of women in tech. When Isis Wenger started the Twitter hashtag, it was because she fell under heavy criticism for an advertisement campaign run by her employer. “People generating discussions about whether or not I really was a platform engineer for OneLogin were also rather shocking,” she said. The reason behind questioning the legitimacy of the ad is simple yet profoundly disturbing; Wenger was considered too attractive to be an actual platform engineer.
When one openly acknowledges that they are a minority and comes to the startling conclusion that if they are not willing to plow the way ahead for the next one, well, no one will. However, the acceptance of this path comes at a steep personal cost and the numbers reveal that women, when it comes to working in the InfoSec profession, have decided that it is not worth it. As more women enter STEM, one would imagine that the number of female InfoSec professionals would grow but that is not the case. Women entering the profession are only doing so at a rate that replaces the number of women leaving the profession. The reasons for this can be intensely personal, as well as professional.
According to Marsha Wilson in her article, A Woman’s Journey to Cyber Security, “Being a woman in infosec requires you re-demonstrate your chops with every new IS dude gang. It gets exhausting but I find it is just part of the culture. If you don’t like it, you better build a thick skin or go elsewhere.” In short, a woman in the InfoSec community had best accommodate herself to an environment created exclusively by men, for men. This environment certainly does not come across as an inviting atmosphere; her use of the words “exhausting” and “dude gang,” indicates exactly what is likely preventing women from staying in the field once they gain employment.
While the answers to the quandary regarding women in the InfoSec community will likely not be solved tomorrow, all statistics prove that the sooner the gender gap is closed, the better. This blog post barely scratches the surface of what appears to be a complex and ever-evolving problem. However, it behooves us to conclude on a positive note. There are people who have made it their goal to help women join the InfoSec community and their visibility on the web is growing. All of the groups and communities listed below contain inspirational articles, information on classes/workshops, and links to even more resources. The InfoSec community is one of growth and in truth, it needs more women.