It's time to broaden the concept of what a career in information security looks like, particularly for women, reports Teri Robinson.
Amid all the hoopla of Hillary Clinton making history by snagging the Democratic nomination for president, it's important to remember it only took 44 years from the time that Shirley Chisholm, the first African-American woman elected to Congress, made her unsuccessful but groundbreaking run at the presidency for a woman to ascend to the top of a major party's ticket.The climb has not been quite as long and slow for women in information security, although it sure seems that way. But women in the field have yet to reach anything approaching the equivalency of Clinton's milestone.
It's not that the plight of women hasn't been thoroughly deliberated. Repeatedly. On the political stage, the discussion has often been loud, thought-provoking and (sometimes) tinged with sexism – the topics ranging from qualifications to clothing choices to voice modulation to, well, other things that don't bear repeating. In security, the chatter about women has been both laudatory and critical (and even defensive), but by and large boosted the awareness that is the foundation for greater equality between the sexes.
“It's more a top of the mind issue now, more people are aware of it, there are more conversations about how to attract and retain women in security,” says Jewel Timpe, HPE Security Malware Research and Research Communications Manager. Timpe directs HP's Zero-Day Initiative (ZDI) program, which provides zero-day research to mitigate weaknesses in the world's most popular software.
Despite ratcheting up the chatter, women are still under-represented in information security, an industry that quite literally has a shortfall, depending on who you're talking to, of 300,000 to one million skilled workers, and frankly could benefit from a larger universe of qualified personnel.
Yet women remain untapped. The “2015 (ISC)2 Global Information Security Workforce Study” found that the number of women in security is holding steady at 10 percent of the workforce, though retention has dropped a tiny, but significant, bit.
No doubt luring more women into the profession “would lessen the workforce shortfall,” the (ISC)2 report contends.
Still, the incredible growth of the security industry itself means the sheer number of women has increased and they feel less like oddities. “I started practicing law 30 years ago and for years I was the only woman in the room,” says privacy attorney Mary Hildebrand (left), partner at Lowenstein, who found more of her gender as the privacy space grew.
Shari Steele, executive director of The Tor Project, has seen a similar shift among the ranks of those leading nonprofits in the freedom space where just a few years back most were men.
That women are still underrepresented in the broader arena of IT security, though, is not surprising. Tech companies, in general, despite their stated and often earnest efforts to the contrary, still aren't, by nearly any standard imaginable, diverse. A study from the EEOC noted that “the high-tech sector employed a larger share of whites,” compared to the private sector in general – 68.5 percent compared to 63.5 percent. Asian-Americans make up 5.8 percent of the tech workforce compared 14 percent overall, and white men constitute 64 percent of tech compared to 52 percent in the private sector. African-Americans account for 7.4 (private sector: 14.4 percent) and Hispanics eight percent compared to 13.9 percent. Women weigh in at 7.4 percent of tech.
More troubling than their still smallish ranks is the fact that too few women hold leadership positions. “Women are, in general, underrepresented in senior leadership and information technology roles,” the (ISC)2 study notes. “In terms of senior leadership, in a 2015 global survey of senior executives, an estimated 22 percent of senior leadership roles are held by women.”
Those figures vary by region, though, with women leading at rates of 21 and 26 percent in North America and the E.U., respectively. Women fare much better in Eastern Europe where they hold down 35 percent of senior leadership roles, the (ISC)2 study says. But much of that leadership globally is “concentrated in support roles.” It seems that women are not pulling down CIO positions (four percent), but the 22 percent identified in leadership roles are more likely to have titles like human resource director (27 percent). Only nine percent are CEOs.
Nor do their voices boom as loudly in more public forums. Eyeballing the dais at most major security conferences easily bears that out – women behind the podium are still relatively sparse. With a few exceptions – U.S. Attorney General Loretta Lynch's keynote at the RSA Conference (RSAC) in San Francisco in March, for example – women leaders simply don't grace center stage as often as men.
Nor do they make as much money as their male colleagues. Salaries simply haven't kept pace with men's. Even in an information security subgroup, like governance, risk and compliance (GRC) where women clearly do very well, on average they make 4.7 percent less than men ($115,779 versus $121,513). The gap widens over $120,000 where men are represented in a higher percentage than women (47 percent versus 41 percent).
But why is that exactly?
With women making up more than half of the general workforce and the security industry's pressing need for skilled workers yawning wide – and at a time when gender equality dominates the headlines – why do they struggle to gain greater purchase in information security? The idea that in 2016 such disparity exists based on nothing more than gender is baffling.
It's certainly not for want of education. According to the (ISC)2 study, women have more degrees than men – 58 percent of women leaders have a master's or doctorate degree, compared to 47 percent of men. Although, both genders have shown an uptick in acquiring advanced degrees since 2013.
And by all accounts women bring mad skills to the table. Karen Kabel, operational support and security technology solutions manager at Great-West Life Assurance Company, is cited in a Frost & Sullivan whitepaper as saying, “Being a mother of four kids and working has gained me the skills to multitask, prioritize and deal with stressful situations.”
“A common personality trait in this field is to want to be challenged, but men and women are challenged by different things,” Gurdeep Kaur, chief security architect at AIG, is quoted as saying in the (ISC)2 study. “Emotional Intelligence becomes more important beginning at the middle management level. It plays a big role in translating the dynamics [of people and technologies] that will impact the decisions you make that, in turn, impact risk management for an enterprise.”
They also come in handy for negotiating and teambuilding. “Women that have kids know how to relate to people at any age and to diffuse touchy situations at home, bring everyone to the table, keep things calm while handling sensitive issues,” says Kabel. “That's exactly the skill set you need for a career in GRC and in security leadership.”
But analysts do point out that while women bring skills that are hard to quantify, more men still come a-callin' on recruitment interviews lugging a STEM degree, still the predominate qualifier for landing a job in information security industry. The EEOC cites U.S. Census Bureau figures that show the number of college grads with science and engineering bachelor degrees at 36.4 percent, as well as National Science Foundation research that shows S&E degrees remaining steady at about 30-35 percent for the past four decades, though the sheer numbers have increased, more than doubling between 1966 and 2008.
However, women still hold a very small percentage “in certain STEM fields,” the EEOC study finds.
Women may not be as dominant in STEM as men, but there is evidence that is changing. “While men have a consistent distribution survey over survey, the percent of women with undergraduate degrees in computer science and engineering is increasing,” the (ISC)2 study says.
Women also still face discrimination and unconscious bias in an industry still skewing in favor of men, some of whom remain tone-deaf. Booth babes may have disappeared from the exhibit floor at industry events – RSAC thankfully banned them two years ago – but many shows still have an old school, distinctly male air. As an example, DeGrippo points to an invitation to a burlesque show at Black Hat that was billed as “sexy.”
“I don't want anything to be sexy at my work,” she says. It was off-putting and “certainly felt like a throwback” to Mad Men.
Is it any wonder then that the security industry has a hard time holding on to the ones it manages to snare? “There's more attention, but less retention,” says Timpe (left), pointing to the slight downtick in retention rate that emerged from the (ISC)2 report's findings. “We're going in the wrong direction.”
Where women rock security
That's not to say that building an information security is impossible or even bleak for women, just that the path is often more arduous and different from that of men. Women are more likely to enter security through a non-engineering or non-tech door. While the (ISC)2 study found that the IT security profession is dominated by three degrees: computer and information sciences (49 percent), engineering and engineering technologies (20 percent), and business (10 percent), women often get their start in security via law, human resources or even psychology.
In fact, the (ISC)2 study contends that “women migrating from other disciplines or from the government is a likely contributor” to an observed convergence between the genders in the information security space.
That also might explain why women have taken over disciplines like privacy and governance. The (ISC)2 survey shows that one in five women in information security are in a GRC position while the same is true for only one in eight men. “The GRC role was, until the events of 9/11, a relatively obscure role in IT security,” the study explains, noting that both men and women “recognize the rising importance of this role and other roles concentrated in managing business risk.”
But women were quicker to seize on GRC opportunities “early on,” the study says. “Thus, women as a percent in GRC roles is double their percent in all of IT security – 20 percent versus 10 percent.”
Likewise, women have made strides as privacy professionals and policymakers – or both – and say gender hasn't thwarted their ascent. “Privacy has always been a field where there were many more women than men,” says Anita Fineberg, a privacy barrister at Fineberg & Partners, who notes that many practitioners come from somewhere else, like records management.
Consider Ann Cavoukian, executive director of the Privacy and Big Data Institute at Ryerson University, whose long stint as an information and privacy commissioner in Canada's Ontario province, led her to develop Privacy by Design, confirmed in 2010 as an international framework for improving privacy by knitting it into design specifications of business practices, physical infrastructures and technologies.
Or Hildebrand who notes that as her law career evolved she found “in the privacy space there were more women, more opportunity.”
Fineberg's own journey included getting hooked on data while doing sleep research, law school and a long stint in retail before embracing privacy law full time.
Then, there's Anita D'Amico (left), CEO of Code Dx, who wandered into security by way of experimental psychology. “I never took a computer course in my life,” she says, yet she's carved out a career in tech, essentially “how to make things better for people who are making decisions” often about technical and security issues -- as the head of Northrop Grumman's first Information Warfare Team, working on the Panama Canal rebuild and as part of the Space Shuttle program that includes surveillance flights. “I'm a starter up, an imagining person,” says D'Amico, who was also identified by Forbes magazine as one of five cool women in security who should be seen as role models for high school girls interested in cybersecurity. “Because I'm not an engineer, I don't think of what can't be done.”
Steele, too, came to cybersecurity through law. She was just out of law school where a first semester course on the First Amendment hooked her on free speech issues and led her “in this weird way to security.” That started with a 16-year stint at the Electronic Frontier Foundation (EFF), where she eventually became executive director, before assuming the reins at Tor, where she's spending a lot of time trying to build a support infrastructure around a “technical critical infrastructure for information freedom. “
Steele's mettle was recently tested when revered Tor developer and activist Jacob Appelbaum resigned amid mounting charges of sexual abuse.
Getting from here to there
As SC Magazine's 2015 Women in Security issue noted, “you've come a long way, baby, but not far enough,” and that holds true today. So, how do women get unstuck from the stereotypes and move around the obstacles to get ahead?
The most obvious tool is education. On whole, cybersecurity education is lagging in the U.S. For instance, a recent CloudPassage study found that of the top 120 U.S. universities that have undergraduate computer science programs, none of the top 10 required a cybersecurity course and three of those 10 don't even offer a cybersecurity course.
In fact, the University of Michigan stands alone among the top 40 collegiate computer science programs nationwide in making a security course a requirement for graduation. And, the University of Alabama, while not ranked, is the only college in the study that requires three or more such classes, CloudPassages says.
Tech companies have joined the push to educate women. At the Consumer Electronics Show (CES) in Las Vegas in 2015, Intel announced that it would contribute $300 million toward improving tech diversity. And Microsoft has thrown its support behind, among other things, the National Center for Women & Information Technology (NCWIT), to encourage women to complete four-year college degrees.
HPE in April revealed 16 recipients of the third annual Scholarship for Women Studying Information Security (SWSIS), a scholarship program for women pursuing careers in the IT security industry. SWSIS, supported by HPE, Applied Computer Security Associates (ACSA) and the Computing Research Association's Committee on the Status of Women in Computing Research (CRA-W), has awarded 46 scholarships in three years, Timpe points out.
After investing $3 million in Anita Borg Scholarships for women going after computer science degrees and other initiatives, Google said “22 percent of software engineers hired through campus outreach were women.” And the company also is partnering with Code2040, donating $775,000 in grants early in 2015 to help minorities succeed in tech.
Apple, SC Magazine reported last year, not only works with the NCWIT, but in years to come will put $50 million toward creating jobs for veterans, women and other minorities – with $40 million going to the Thurgood Marshall College Fund aimed at supporting the education of students at historically black colleges and universities (HBCUs).
And the White House said in 2015 that the Commerce Department would put $25 million toward grants for cybersecurity education at HCBUs.
But education is not a quick fix, Timpe says. And more is needed to reorient the industry toward a more diverse workforce.
Amping up training programs and establishing career paths can help tech companies recruit and retain talent – according to Appirio, 77 percent of students in the U.S. remain at their first jobs for less than one year.
By creating a program dedicated to bringing in top-notch talent from colleges and universities around its headquarter state and putting them on a path to grow into its leaders, Appirio has retained 95 percent of the hires that have gone through the program and experienced a return of over $5 million. The company also says its 2016 class is its most diverse yet with 37 percent female and 32 percent minorities.
Finding companies that either encourage women to thrive or by their very structure don't hamper them. D'Amico says her work in “largely military-like environments” turned out to be untainted by gender. “There's chain of command and if you were the leader, then you were the leader,” she says. “There was respect for the rank irrespective of gender.”
And, say women in the field, it's time to broaden the concept of what a career in information security looks like away from the stereotypical anti-social guy holed up in a dark room, face aglow in the light of his computer monitor. “Don't be stuck in the idea that you have to be a hacker,” says Sherrod DeGrippo, director of emerging threats at Proofpoint, who became hooked on tech when she was 14-years-old. “We need reverse engineers, analysts, developers.”
And, she says, people with a passion for security. Passion, interest and curiosity are the core requirements, she says.
And drive. Rep. Chisholm, who famously said her gender was a bigger obstacle than her race, also urged women to bring on a revolution by not backing down even in the face of entrenched ideas and stereotypes. “Women in this country must become revolutionaries,” said Chisholm. “We must refuse to accept the old, the traditional roles and stereotypes…We must replace the old, negative thoughts about our femininity with positive thoughts and positive action affirming it, and more.”