Anyone who's attended an RSA Conference—or any information security event, for that matter—knows all too well what a male-dominated industry security is.
Oh, things have gotten better; there are actually some women at these events today. But a panel of female security veterans clearly believes there is room for improvements that will result, among other things, in security events evolving from the so-called sausage factories they've long been considered. That in itself is a development panelist Kerry Matre, senior product marketing manager for enterprise security at Hewlett Packard, would certainly welcome.
"I've come home from industry events and said, ‘That's it, I'm done’," Matre said, eliciting nods of agreement from dozens of women in the room for the "Should I Stay or Should I Go?: How to Attract/Retain Women in the Industry" panel.
Progress on this issue has been slow. Elise Yacobellis, director of business development, Americas at (ISC)2, presented the results of a study sponsored by Booz Allen Hamilton, including one finding that showed that the portion of security workers who are women has remained stagnant over the past few years. In fact, the percentage of women working in any security role globally has actually fallen from 11 percent to 10 percent since 2013, as has the percentage of women working as security practitioners.
Fortunately, the panelists see unprecedented opportunities for progress. For instance, there was a strong sense that the time is right to make a bigger push to encourage girls to embrace science and technology, either by visiting schools or cheering on our own daughters.
Ping Look, director of information security for Optive, said that young women who are thinking about their career options are more open to that message than ever because of the rising role technology is playing in our everyday lives.
"It's becoming okay to be the geeky girl," said Look, who in her previous role running the Black Hat conference once had to scold a vendor for attracting people to its booth by having attendees eat sushi off of a scantily clad woman.
Along those lines, the panelists also agreed that more women need to step out of their former comfort zones and start calling out inappropriate treatment of women in the workplace and, as Matre's frustrations indicated, at IT security events as well.
Ironically, despite her gut reaction to being subjected to the downsides of an almost entirely male community, Matre acknowledged during a conversation after the panel that male security workers play an important role in attracting and retaining female colleagues.
The ugly secret behind that optimistic thought is that because there are so few women in security roles, they can often see each other as rivals and threats, making them less likely to elevate the other women around them.
"That's why I say that men are better advocates than women are," Matre said.
That said, employers may have the biggest potential impact if they meaningfully address the institutionalized sexism that still has a hold on many of them. One obvious area of potential improvement is the recruitment process.
"I always hear from people who say they'd hire women in a second, but they never get any resumes," said Matre. "Baloney. If you've got a stack of resumes and there are no women in it, there's something wrong with your job post, or there's something wrong with your environment."
Equally fundamental are the efforts employers can make to support women, not only in their career development, but also in the very important work-life balance. This is especially true for younger female security workers, who are more likely to leave the industry over such issues.
Gurdeep Kaur, chief security architect for AIG, said companies can help prevent those young women from having to choose between their careers and their desire to raise a family by introducing policies and programs that prevent them from having to make a choice.
Angie Messer, an executive VP at Booz Allen who heads up a new cyber security unit, suggested that by logically extending that kind of tolerance into everyday business activities, employers can ensure that they have diverse and qualified staffs down the line. Simply throwing out occasional reminders or doing yearly sensitivity training is not going to get the job done.
Said Messer: "You have to keep talking about it until it's how you do business."