The RSA Conference (RSAC) 2018 in San Francisco isn’t just ground zero for 45,000 security professionals and the site of an impressive glass-walled security operations center (SOC). It also served as a forum for several crucial industry conversations about women in security.
Just 11 percent of information security professionals are women, and although women in the field are more likely than their male co-workers to hold a master’s degree or higher, they still hold less workplace authority. With that in mind, and given the ongoing cybersecurity skills shortage, the industry is making meaningful steps toward inclusion, as evidenced by the many engaging discussions on the topic that took place at RSAC 2018.
Advancing Women in Security Means Solving the Pipeline Problem
Many hiring managers want to fill empty seats on their security teams with women, but there’s a lack of talented candidates, also known as the hiring and pipeline problem. When Caroline Wong, moderator of Wednesday’s “Women in Security: A Progressive Movement” panel, asked attendees whether they’d like to talk about the gender pipeline, every single hand in the audience went up.
“It would be ideal if I could find a 70 percent match to job postings based on candidate resumes,” said Suzan Nascimento, senior vice president of application security at Mitsubishi UFJ Financial Group (MUFG). She said she settles for 50 percent and fast-tracks traits such as passion and hunger using assessment tools to measure team chemistry, personality and other individual characteristics.
“I can teach you how to read packets, but I can’t teach you ethics, and I can’t teach you how to play well with others,” said Robin Stuart, principal threat researcher at Salesforce. Putting the best people in the seats of your SOC may not necessarily mean hiring people with technology backgrounds, but the panelists agreed that ethics and interpersonal communications are what matter most on the ground.
“When I talk to CISOs who have diverse teams, they hire the best people,” said Wong. In her experience, the best people don’t always surface based on traditional recruiting techniques, such as keyword-based resume searches, especially in an industry where skill sets change so quickly. Instead, Wong suggested employing focused antibias techniques, such as rephrasing interview questions to include more skills sets.
The panelists agreed that tech-based skills can be taught and that, in today’s cognitive SOC, candidates need to meld seamlessly with their teammates. Solving the pipeline problem and building a better security team means thinking differently about how to recruit the right people from underrepresented backgrounds.
The Secret to Security Talent Sourcing
At 25 percent gender participation in the tech industry, Israel hasn’t achieved gender parity, but this figure is well above the U.S. average.
A panel of experts shared some of their secrets in “The Untold Story of 8200: A Launching Point for Women in Cybersecurity.” The 8200, a prominent Israeli military intelligence unit, has launched the careers of 58 percent of the country’s female cybersecurity workforce, including many global leaders in the field. Several 8200 alumni who now work at Gartner, Cybereason and other firms shared their experiences during RSAC.
The average 8200 recruit is a high school student who has never hacked anything. Usually, these candidates can’t code, and many don’t even game. Instead, they are tested on their ability to make decisions under pressure, analyze information and communicate effectively — an approach that is remarkably similar to what the previous panelists recommended.
Once enlisted, recruits are actively taught to be assertive and take initiative with the help of mentors. The military pay structure is gender-equitable and fully transparent according to pay grade, so there are no issues related to equal pay for equal work.
The 8200’s secret to developing some of the world’s most effective female cybersecurity leaders isn’t profound. It simply involves doing all the right things we’re already talking about: encouraging talented youth early, hiring for personality traits, teaching technical skills after candidates are hired, actively mentoring them and enforcing gender equity in the workplace.
Reversing the Trend of Women Leaving Cybersecurity
While the tone of many of the conversations at RSAC about women in security was decidedly optimistic, one discussion, titled “Women in Computing: Why Are Women Leaving Computing Professions?,” examined factors that may be influencing some women to leave the cybersecurity workforce. But it wasn’t all doom and gloom — the discussion brought to light valuable insights to help industry leaders address this problem.
The percentage of computing occupations held by women has been declining since 1991. The report cited workplace conditions, lack of access to key creative roles and lack of career development opportunities as key reasons for this decline.
Facilitator Karen Worstell, founder and managing principal at W Risk Group LLC, said she wants to reverse the trend by hosting conversations that encourage meaningful changes in how women feel about their place in the cybersecurity field. She acknowledged that achieving true diversity may not be a comfortable or easy process, but it’s a necessity to stop the flight of women from the workforce.
“We need a diverse workforce … to reach new levels of innovation,” she wrote in a LinkedIn post promoting the discussion. “This isn’t about negating the contributions of any group, it’s about multiplying the contributions by making groups whole, authentic and reaping the benefits of authentic diversity.”
Harvard Business Review authors who coined the idea of “collective genius” noted that while we all think of the innovation process as high-speed fun, “the reality is that innovation can be very taxing and uncomfortable.” This process, however laborious, exposes us to new ideas, and that’s where the magic happens. Worstell’s peer-to-peer discussion at RSAC fostered diverse dialogue around this issue and encouraged attendees to embrace innovation as a way to keep women from leaving the cybersecurity profession.
Taking a Chance on Tomorrow’s Talent
Wong may have over a decade of security leadership experience, but she entered the field in an unusual way in 2005 — as a computer engineering undergrad. In fact, information security wasn’t even on her radar until she received an email encouraging her to consider interviewing for an entry-level position.
Wong said she felt good about herself and took a chance after spending an afternoon “memorizing the Wikipedia page about information security.” Although her research methods were less than conventional, Wong was hired.
Today, Wong believes her story has the power to encourage women to reach for information security careers because it instills confidence and expands their horizons, regardless of whether they end up in the field. “I’m here because someone took a chance on me,” she said.
RSAC 2018 featured numerous conversations spanning a wide range of topics pertaining to women in security, but they all shared a common theme: The industry must empower women and tap other underrepresented pools of talent to win the ongoing battle against cybercriminals, minimize the impact of data breaches and strengthen the security of the systems that hold our most valuable data.