Making security a more welcoming field for women

Alethe Denis was on maternity leave when she decided to participate in DEF CON’s Social Engineering Capture the Flag competition in 2019. She took her three-month-old daughter and her husband to Las Vegas and planned the trip to the finest detail.

“Things could have gone wildly wrong,” Denis says. “It was extremely exhausting just to be there, let alone to compete.”

Bringing an infant to a security conference, where crowds are loud and rooms are filled with cigarette smoke, is not something she recommends. “I found myself standing in a bathroom stall nursing quite frequently, which is pretty gross, or changing her quick enough that nobody would walk by and potentially see and be alarmed or disgusted,” she says.

She finished nursing and changing her daughter right before entering the competition. Inside DEF CON’s soundproof booth, she had to target employees working for a tobacco company, calling a few numbers with different pretexts, hoping to get access. At one point when she was still competing, her daughter began to cry–a scenario she feared but was prepared for. So, she was able to focus.

Denis’s performance earned her the Black Badge, one of the most prestigious awards a social engineer can get. “It turned out to be the best scenario,” she says. During the awards ceremony, she brought her daughter on stage with her, one of the few instances in which a small child was cheered by a hacker crowd.

Systemic issues still hamper women in cybersecurity

Denis’s story is not about determination or a can-do attitude. It’s a story of systemic issues that get in the way and drive women out of security. Successful anecdotes like hers are the exception rather than the norm.

Women make up only 24% of the cybersecurity workforce, according to an (ISC)² survey, and although many of them are better educated than their male colleagues, they often earn less, are passed for promotion, and have to prove themselves every day.

While the industry has recently become a bit better at attracting women and underrepresented minorities, some things can still be done to help them stay in security, says Keren “k3r3n3” Elazari, senior researcher at the Tel Aviv University Interdisciplinary Cyber Research Center and co-founder of Leading Cyber Ladies. “It’s worthwhile to talk about how we could foster longevity and make sure that women don’t quit after a couple of years,” she says. “We need to think about how we can keep people engaged without burnout, which is really driving a lot of people away. Burnout can be worse for some females and underrepresented groups.”

In recent years, companies have started to do more to support women. Some allow employees to work fully remotely and have flexible schedules. Others are more transparent when it comes to compensation, and a few walk the extra mile and change their culture.

Companies should change cybersecurity job postings

Most companies agree that diverse teams perform better and would like to hire more women and people from underrepresented groups, but they say few of them apply to job postings. One reason for that might be that some organizations look like frat houses from the outside, says Elazari. To differentiate themselves from the competition, they end up using language that makes women hesitate, because it hints at a male-dominated culture.

“Sometimes job descriptions have these superlatives: Ninja developer, Rock star developer,” she says. “Rock stars are not usually collaborative. Rock stars are very single-focused.”

Using military jargon like “high-caliber developer, cannon or superweapon” can also push away some ladies. It’s why Elazari recommends using down-to-earth terms instead. “I don’t think most women would like to go work for a company that feels like a frat house, where it’s only beer drinking and ping-pong games.”

Before applying for a job, women and underrepresented groups think carefully about these words. They look for potential indicators of microaggressions, lack of psychological safety, or unrealistic expectations. All these can impact gender minorities and can drive them away.

“If your work is always scrutinized more than others, if you need to prove yourself with more data before you are trusted as compared to colleagues, if the office allows inappropriate jokes, if you are regularly misgendered, if you are the only frequently, it wears you down,” says Nicole Schwartz, COO of The Diana Initiative conference, an event committed to helping underrepresented groups in information security.

The lack of psychological safety prevents women from stepping outside their comfort zones and developing new skills. Some struggle with imposter syndrome and are afraid they might not be good enough for the job. “Generally speaking, if there’s a single requirement [in a job posting] that they think they can’t meet, they won’t even try,” says Denis, who spent five years working at a staffing company before going into information security. By contrast, men are more likely to apply for a position even when they meet less than half of the requirements in the job description.

Denis tells women to not take themselves out of the running but let the employer eliminate them if they determine they are not a good fit. “Just apply for everything,” she says. “Every single job that I’ve had, when I started the job, I was not qualified to do it. And through just being receptive to learning, I managed to talk my way into those jobs.”

How women can negotiate a fair salary

The next step of a job hunt, the salary negotiation, also puts women in a disadvantaged position because they often have little data to work with. Many tend to take their current salary as a reference, perpetuating the pay gap. Instead, they should find as much information as possible from platforms like LinkedIn, Glassdoor or PayScale to better understand how much their skills are worth.

Once they do the research, they should “shoot for the high range,” Denis says. “Don’t let your past salary or your doubt or your imposter syndrome influence what you tell them. My rule: every time I jumped from a job to a job, when they asked me for my salary, I would pad it with another $20,000 per year.” If the company cannot offer that, women should always ask for more paid time off, more flexibility, or remote work.

Managers and men can help bridge the pay gap

It’s not just women who should aim to bridge the pay gap. Managers can also double-check to see if the salaries in their department are solely based on performance, not bias or negotiation skills. They should “regularly audit job offers, pay, bonuses, and raises, check across multiple dimensions to look for bias,” says Schwartz. She adds that companies should correct any pay disparity: “Don’t only fix it for new hires.”

Men can help, too. They can speak up when they know a colleague is paid less or is passed for a promotion. “It is critical that I do more than Tweet support and actually act to help women and minorities get into cybersecurity and to grow their careers,” says John Stoner, a volunteer for The Diana Initiative. “We need a lot more people doing more than performative acts, especially men.”

His peer, Sarthak Taneja, security engineer at Finoa, agrees: “Men can be allies and advocate for women and minorities in tech. They can encourage and help them counter their impostor syndrome that they develop in the process of striving to prove their worth at every step.”

It’s not just young women who have to prove their worth. Parents who are actively involved in raising their children and leave the office at 5 p.m. sharp to take their kids to sports are also at a disadvantage in the current office culture.

Creating honest work-life balance

Going into information security was a tough decision for Denis. As a mom, she wanted to spend time with her children and saw that most job offers posted online required a chaotic schedule. “The things that kept me out of cybersecurity were the fear that I would not be able to limit my working hours to the time that I had childcare, and the fear that I would have to travel a lot for work,” she says.

The company that employs her, Critical Insight, is supportive, though. “They have done everything to make it possible for me as a mother of four to participate in this industry and be an effective employee and have a flexible schedule and work 100% remotely,” she says.

Working from home and having a role that’s not on-call allows her to see her kids “more than 45 minutes a day.” She says that flexibility and a reliably dependable schedule are things more companies should offer.

Another issue is maternity and paternity leave with paid time off. Denis only took three days off when she gave birth to her second baby. She delivered on a Wednesday, and the next Monday, she went back to work. “This is one of my biggest regrets [in life],” she says. “I just didn’t have the time to bond with the baby without the stress of having to respond to this email, I need to get back to this, I’ve got a phone call in 15 minutes, I need to get this baby quiet so I can get on the phone. There’s just a ton of anxiety and stress that comes with that.”

Sometimes it’s difficult for parents to take time off for their family without the perception that they are being judged, Denis adds. They shouldn’t be looked down upon as a lesser employee because they are efficient, organized, and used to multitasking.

Denis is optimistic. She feels the pandemic has created a lot of understanding and grace for parents. “Bosses who relied primarily on their spouses to take care of children were suddenly sitting in their home office with their kids doing distance learning,” she says. “In these pressure-cooker environments, they’re like: ‘Yeah, this is hard, and I never realized it before.’”

The pandemic has sped up the progress of building better working environments, she argues, and managers have finally accepted remote work and flexible schedules, things parents have long hoped for.

Making cybersecurity conferences easier for women (and all parents)

When she thinks about competing at DEF CON while taking care of an infant, Denis says it again: “I do not recommend it. It wasn’t easy. My preference would be to never bring a child [to a conference].”

If she were, however, to organize one such event, she would include a couple of things that would make a parent’s job easier. “Having a separate space within the conference that is clean, not a bathroom, and dedicated to the needs of children and parents would be phenomenal,” she says.

Some conferences also provide daycare for children of different ages, where they can do activities related to the event. It would be great, Denis says, to teach them about threat analysis and attack vectors. “A lot of people in information security are in that 20 to 40-year-old range where the majority of people have children,” she adds. “A lot of us struggle with the childcare aspects and not attending conferences because we can’t travel eight or ten times a year.”

Everyone should feel welcome and safe at these events, says Elazari, and the industry has already put some effort into that. For example, some conferences now issue transparency reports saying how many cases of harassment they had to deal with and how many complaints they got. They also started to ban those with questionable behavior.

“They’re not hiding it under the rug,” Elazari says. “It’s a strategy that shows to me and to my fellow female participants that this is an event that takes my safety seriously.”

It’s a big step from what it was like 15 years ago when she attended her first big conference. Back then, her friends told Elazari to be careful: “Don’t wear a skirt, don’t put your femininity out there.”

“I was a 20-something-year-old woman excited to participate in my first international hacker conference, and all my male colleagues, my friends had to say was how I should behave differently,” she says. “Not how they should behave differently or how the conference should behave differently.”

As conferences take safety seriously, more women are willing to join. Elazari encourages them to submit talks, stand in the front row, raise their hands, and ask questions. She also praises men who care about these issues and advocate for equal representation in panels and sessions. Some of her peers have declined invitations to join all-male panels, suggesting a lady instead.