Women in infosec: Real-life experiences and challenges
In all segments of society and business, minorities encounter problems that the majority rarely or never faces. And information security is – I think we can all agree – a world where men represent a considerable majority.
In this age of social media and easy online presence, people’s experiences can be shared with a wider audience that ever before, and this capability has been effectively used by minorities to make their voices heard.
These experiences can be positive or negative, but it is the negative ones that, deservedly or not, get more widespread attention. Nevertheless, all need to be told, and so we asked several women in the infosec industry to share theirs with Help Net Security.
Dr Jessica Barker is an independent consultant and public speaker who specializes in the human side of cyber security (awareness-raising training, research, etc.).
For her first job in the field, she was head-hunted by a cyber security consultancy in London whilst finishing her PhD.
“My background is in sociology and civic design (my PhD looked at how the post-industrial/knowledge economy has shaped the way cities and institutions develop) but the firm could see how my knowledge and experience looking at ‘human’ issues would fit in cyber security,” she explained to me. After a few years, she left the company and set up her own consultancy, which she has been running for the last four years.
In general, she finds that her gender is not an issue and that a lot of people in the industry want to see more diversity. Being treated equally and judged on the quality of her work and level of expertise rather than anything else is by far the most common experience for her, she says.
“I’ve found a lot of conference organizers to be incredibly encouraging, in fact the first two conferences I spoke at (Bsides Manchester and IRISSCON) were because the organizers reached out and encouraged me to submit,” she shared.
“I now do a lot of public speaking, all around the world. The encouragement I received from people such as Brian Honan, and the positive response I received from attendees at those first few conferences, was instrumental in giving me the confidence to do this. Occasionally I’ve received emails from other women who have seen me speak at an event or seen something I’ve done in the media and have been inspired to either submit to a conference themselves or pursue a career in this industry, and that’s really cool.”
There are many challenges in the infosec industry that both men and women share, she notes. Self-doubt, i.e. the so-called impostor syndrome, is one such problem.
“I do know women who have been paid less than their male counterparts for the same work or in the same position,” she notes, but adds that luckily, her own negative experiences based on gender were few and far between.
She was once approached at a conference where she had just given a talk and was asked whether she thinks she only gets work/speaking engagements because she’s “blonde and pretty”. The curious thing is that the man complimented her talk, said it was very good, but ultimately maintained that she got to where she is because of how she looks.
“I tried to discuss this with him rationally, but he became more insulting and so I tried to end the conversation. He was very persistent until some friends (male) stepped in and told him to leave me alone – which he then did,” she remembers.
“I knew he was wrong in what he said, I know I’ve got to where I am because I’m good at what I do and I work very hard, but the whole thing left me feeling frustrated and I had to resist feeling undermined. I mentioned it on Twitter and then a woman who works in the tech industry accused me of attention-seeking, which I found at least as depressing as the incident itself.”
At another conference where she was scheduled to keynote, and took a couple of hours away from the venue to do some final prep for the talk, she was asked by the (male) conference organisers if she’d been off shoe shopping.
“I can’t imagine they would have asked a male speaker the same thing and, again, it’s an example of the kind of thing that could be quite undermining. It wasn’t a big deal, but is indicative of the kind of lazy stereotyping that I sometimes see/ experience. I don’t know of any male colleagues who have experienced this particular type of negative comments,” she added.
As for advice she would give here younger self when she just started working in the infosec field? Illigitimi non-corborundum.
Leigh-Anne Galloway’s path into the infosec field started with a litigation support company she worked for while at university. After that, she moved into incident response, leading investigations into compromised merchants, and then took a side step into the world of start-ups, aligning her skills with enterprise security software: carrying out network analysis, threat intelligence and dealing with a number of unique problems. She currently works as a contractor.
She says that earlier in her career, there were times when she was in line for roles and getting offered significantly less pay for them than some of her peers. “It’s not comfortable or fair to work in situations where junior colleagues are earning as much as you are,” she noted, but pointed out that she did get something out of it: “It taught me to negotiate and to ask for what I need.”
Help and support from other people was very important, she says.
“Probably the most significant supporter of my career has been Zach Dahlgren (Head of Threat, vArmour). He really taught me to see opportunities for myself that I wasn’t able to see at the time. With his support I was able to negotiate an annual sabbatical to further my studies outside of work.”
She has found a lot of men to be great advocates of women in security. “In contrast I have found some women to undercut other women,” she noted. “I’m not sure why exactly this is; perhaps because they have found the journey a challenge, they in turn believe you must be subjected to the same process.”
On the other hand, she’s been fortunate to have worked with people like Laura Mather (Founder & CEO of Unitive, which seeks to increase diversity in the industry), who was able to relate to some of the issues she faced along the way.
“Early on in my career I found myself having to go above and beyond to prove that I was technically proficient enough to even engage in conversations. That pressure has definitely lessened, but it is evident that all women in the industry face these barriers,” she also shared, but noted that is likely also a problem for just about anyone who doesn’t fit the external profile of a “geek”, or exhibit strong masculine characteristics.
“As I’ve gotten older I’ve realized that it is really important to retain my own characteristics and not to assimilate certain personality traits as a result of my environment. I don’t need to be aggressive or dress a certain way to be good at my job or to be respected. Also, you don’t have to be tough all the time – vulnerability is also a sign of strength,” she concluded. “Life is long enough to have multiple careers and interests, just be patient, be very kind to yourself and put one foot in front of the other.”
Neha Thethi started working in infosec in 2014, as an Information Security Analyst with BH Consulting. She still holds the same position.
Some of her negative experiences are not strictly tied to the infosec field.
For example, she’s aware that women getting touched on the arm, shoulder, hand, etc. without a reason during a conversation is probably something a lot of women face, independently of the field they work in. Another thing she doesn’t like is when a man takes offense and lashes out verbally when she proves to be better than him in some work aspect. Things like that make her avoid those people in the future.
“Another negative incident that I can recall is when one male client wouldn’t make eye contact with one of our female colleagues or value her opinion even though that person was the main point of contact for that project,” she shared.
“But our boss took note and made sure that situation does not occur again, even if it means not dealing with the client again. That to me was amazing! I consider myself very fortunate to be working in a company that does not discriminate their employees in any way. We have men and women from different backgrounds working here and everyone receives the respect and dignity that one would hope for. As an individual, my opinion is valued and listened to. I am encouraged and offered flexibility to perform a variety of InfoSec tasks (both technical and non-technical).”
In general, she says, the problem of lack of respect is not men- or women-specific. “My boss – a man – didn’t discriminate, while the client – also a man – did. I learned that it’s not about men and women, it’s about individuals – how they were raised, what they were taught or what environment they grew up in.”
But luckily, she had many more positive experiences than negative ones.
“I enrolled for the Information Security course in Dublin at ITB and all my lecturers in the college were male. They were very helpful and equally encouraging to all students throughout the course and still give great advice,” she noted.
“I have also met so many inspiring and supportive individuals at conferences (both men and women) who were ready to help and guide women like me starting off in the industry. This made me less hesitant to approach accomplished people in the industry and seek their help or guidance.”
A special mention must be made of organizations such as OWASP that have put in so much effort to make women more comfortable attending technical workshops/events that would otherwise would be attended mostly by men.
“When I see another woman at such an event I definitely feel more comfortable, and it made me a lot less hesitant to participate in technical events, including CTFs. Just the fact that these men acknowledge there is a problem and it needs to be fixed is quite refreshing.”
She tries to do her part when it comes to making women feel welcome. When she goes to infosec events, she makes sure to talk to at least one or two women and exchange cards.
In general, she feels that having a support system is really important, and she works on it. Colleagues, yes, but according to her, folks on Twitter also provide an amazing support system. Other than that, she advises women to take more risks, don’t try to please everyone, and to stand up for themselves.
“We should keep doing what we love, keep our head high, help others and move towards our goal,” she concluded.