Renee Beckloff never envisioned that the first part of her cybersecurity career would include an expectation to trace electrical wires while in a skirt. Yet, it was common for her bosses to require her to wear skirts while out of the office, even if it meant bending down awkwardly on a raised floor to seek out wire sources.
Now the vice president of customer advocacy at anti-virus firm Cylance, Beckloff said being a woman in cybersecurity can often mean finding yourself in difficult situations.
Today, women make up 11 percent of the global cybersecurity industry, according to a 2017 international survey of cybersecurity workers by The Center for Cyber Safety and Education and the Executive Women’s Forum on Information Security, Risk Management & Privacy. Of those women, 1 percent of female cybersecurity workers are in C-suite leadership positions. This glass ceiling is even higher for women of color.
The gender gap means a smaller pool of potential workers in an industry looking to face 3.5 million unfilled positions by 2021, according to research by Cybersecurity Ventures. But women who are already part of the industry contend it represents a strategic disadvantage for cyber companies. While women hold some of the top cyber leadership positions at the Department of Homeland Security and throughout the Department of Defense, for cyber departments within military branches and defense contractors, this gap could represent an unaddressed tactical disadvantage, they said.
Jennifer Sunshine Steffens, CEO of IOActive said without women on a cybersecurity team “you lose out on a lot of diverse perspectives. Especially in security, we’re trying to fight against ever-changing threat aspects. You want all perspectives … to make sure we can stay up to speed and [to be] as ahead of things as possible.”
The challenges for women in cybersecurity range from meager recruitment of women into cyber-focused college majors to a lack of female advocates and mentors who often make promotion decisions, said May Mitchell, vice president of marketing at Cylance.
It’s “much easier for men to build their support network and get promotions and assigned the cooler projects. The recognition and promotions individuals received were not always based on skills; it was about getting the right sponsors and champions,” Mitchell said.
This creates a disadvantage for cybersecurity companies in subtle but profound ways, experts said. Attackers come from diverse backgrounds and ideas on how to defeat them are often ignored when the decisionmakers are only men. Those teams with ample diversity are more productive and more profitable, said Keenan Skelly, vice president of global partnerships and security evangelist at cybersecurity training company Circadence, citing MIT research.
“Diversity is so crucial right now as we are developing more complex technologies, such as machine learning and artificial intelligence. All the biases we hold as human beings are being transferred to those technologies,” Skelly said. “Without diversity, we cannot create truly diverse technology.”
Beckloff said it’s common for male leaders in the cybersecurity space to rely on an aggressive and fast-paced strategy, sometimes to the detriment of their goals or products.
“Overall, women provide a more well-rounded view of the issues at hand. In defense, we often times need more than an ‘attack first, ask later’ mentality,” she said.
Joanna Hu, principal data scientist at security information and event management firm Exabeam, said in her experience, men in the technology industry tend to focus more on short-term impacts, whereas women look at the long run.
“There’s a trend, like most of the males felt ‘now is the time; we can’t risk more time’ or ‘we can’t spend more money on that,’” even when a product or research topic wasn’t fully vetted and holes were clearly visible, she said. “I also see this pattern in many places [in cyber].”
Women have an easier time developing relationships and building healthy teams, Hu said, and that emotional intelligence can be invaluable in tight spots when protocol alone won’t get the job done.
As an example, she pointed to a time when her team was on a tight deadline to put out a machine learning feature but found some bugs at the last minute. The engineers who would’ve been able to fix the problems lived in Ukraine, but they were off work on a national holiday. It would have taken days to get the bug fix assignment through the normal pipeline, missing the critical deadline.
Hu had spent significant time developing relationships with that team, so she called the engineers and asked if they could do her a favor. Had it been anyone else, perhaps it would have been asking too much. “I’d cultivated such a positive relationship with them,” she said. “They said ‘sure,’ and worked for me using their off time … with their prompt reply and help, we were able to deliver the feature on time.”