Political psychologists are exploring whether efforts aimed to increase awareness of women’s under-representation in politics make women less likely to seek public office. Security seems to be in the same situation, with seemingly daily reports aspiring to increase awareness of the under-representation of women, and yet the numbers continue to slide to roughly 10% of the workforce. Clearly, this does not entirely fall on media portrayals, which for good reason highlight many of the real, data-supported and documented challenges women encounter in the field. But by focusing solely on the negative, we do a disservice to the women and men in the industry who are pushing for change. So what can be done? Here are a few tips for you on this International Women’s Day.
Elevate Women’s Expertise
Too often at security conferences the diversity panel is the only one with speakers who happen to be female. While attempting to do good, this focus on women as only experts on gender distracts from the technical expertise of the amazing women in the industry. And as I’ve written elsewhere, we’re tired of being asked to discuss diversity when we’ve gone through years or decades building up our expertise. In fact, it is not a terribly popular topic for speaking opportunities, but it won’t change by ignoring it.
Start by encouraging your female colleagues to submit technical talks to the various cons. This may be easier said than done. As I personally experienced when pulling together our Foreign Policy Interrupted panel, and which has been documented elsewhere, many extremely qualified women hesitate to present or may turn down invitations to present. It is on all of us to help provide that additional push and support. Internal practice talks and local meetups are useful steps to help transition to security’s conference circuit. This not only helps with retention – as it provides concrete professional development, not to mention corporate thought leadership – but it also helps recruitment and addressing the pipeline shortage. As a woman at Girls Who Code told me, and as research on role models supports, if they don’t see it, they won’t be it.
Diminish In-group/Out-group Dynamics
With extensive research stemming from political culture, cultural cohesion (at the most basic level) entails a shared identify. This shared identify cannot occur within an organization if certain social events, shwag, career paths, promotions, business departments, or really anything else, exclude specific demographic groups. Culture is extremely difficult to change and shape, with divisive behavior spreading faster than group cohesion.
Therefore, it requires both top-down and bottom-up strategies to achieve cultural change. At the leadership levels, executives must implement policies focused on diversity and inclusion, while hiring the most qualified candidates. Even simple rules of thumb such as looking for ‘cultural adds’ as opposed to ‘cultural fits’ can help ensure a more diverse workforce. This is possible, and must gain traction across all levels of the company. Even with the proper policies, they are by no means sufficient. Informal and formal leaders must work daily to shape an inclusive culture through daily interactions. Both visible cues and social cues are essential for bottom-up cultural impact, including website representation, interaction within social media, and simply by ensuring a team’s or departments’ social events include all members of the team. These are all common sense, but very rarely do corporations take the time to focus on these internal efforts to build cultural cohesion and increase parity, arguing that there isn’t “time to deal with all this other stuff.” This myopic perspective ignores the wealth of research that not only highlights the positive impact of diversity at all levels on corporate revenue and profitability, but the impact of diversity on innovation as well.
Male Allies
It is well past time for viewing security’s gender gap as a woman’s problem. The gender imbalance within security is a corporate and industry problem, and men are necessary to help fix it. As a recent The Atlantic article noted, “You can’t drive change without men.” By placing the burden on the women in the company, an inherent gender tax is applied, wherein they are expected to do the same job as the men, plus the additional work of serving as the voice and advocate for all women in the industry. And as a reminder, we would much prefer talking about our area of expertise, not our gender.
So what can men do? This gets asked all the time. Jessica Bennett has great insights on this, several of which I’ll paraphrase. Be a norm entrepreneur. Disrupt the status quo. Women are less likely to be cited, and more often to have other people take credit for their work. Provide credit where it is due. Structure equal career paths and promotion opportunities. Be an advocate or sponsor. Speak up. When men take to social media to call out specific misogynistic events or behavior at security conferences, it has an impact. When men refrain from participating on all-male panels, it has an impact. If you are in a position of leadership, be acutely aware of the kind of policies and work environments you foster. In short, be an ally.
Building stronger defenses cannot and will not occur without insights and innovation from half the population. A key component of instigating change is to move beyond (but acknowledge) the regressive statistics and challenges, and focus on supporting and elevating the voice of women currently in the industry.
In a few weeks, I’ll be attending the Women in Cybersecurity Conference with my colleagues in software development and design, and we’ll support our malware researcher Amanda Rousseau’s workshop on reverse engineering. Last year I attended solo, and it’s great to see what a difference a year can make. Clearly, there is much more work to be done, but the onus is on all of us to finally reverse this backward slide.