All Articles

We Need More Women in Security

In creating the series of inspiring quotes from security professionals (here, here, here and here), I noticed a network dominated by male figureheads. Then at a recent security conference, someone joked “you know you’re at a security conference when there is a line for the men’s bathroom and not the women’s.”

That’s a problem. Odds are you’re male. 68% of my readers in June were male. As you read through the next series of posts, think about how you can impact getting more women interested and engaged in the information security profession.

I went through my network and asked a number of my female colleagues about how we can encourage more women to become security professionals. In the next few posts, I’ll share many of those thoughts. One from Cassia Martin stood out.

“We need more mentorship, entry-level jobs, and clear paths to knowledge. When I got into the industry, and possibly even today, you learned infosec by doing infosec. The question of how you start to do infosec is unanswered. In my experience it turns it [into] an apprenticeship model, where people informally pull in their friends. If the primary growth model is a network based effect, an industry that starts male dominated will stay that way.

In the later stages of my career at Cigital, I started interviewing more and more people who had taken security classes and even application security classes in college. I think this is fantastic for our industry. A structured way to introduce people to key concepts will give us more, better security people and will even educate eventual developers on how to avoid large classes of bugs.

Here are my tips for how an individual working in the security space can help create a welcoming workspace:

  1. Keep an eye out for people who need support. Especially watch out for people who are starting out and haven’t yet figured out what questions they are supposed to be asking. If someone wanders into a room and is staring at the projector in confusion, go up to them! Tell them what you’re working on and ask what they are interested in.
  2. Teach before you test. Too much of what passes for “training” in our industry takes the form of challenges. Some people will thrive when asked to invent a SQL injection payload without spaces. Other people will freeze unless they first got a grounding in SQL syntax and some exposure to obfuscation techniques.
  3. Be humble and honest. If you boast at work about how any idiot can find a firmware exploit, your experienced colleague might swap warstories and/or call you an ass. A newbie will believe that they are an idiot for not knowing how to find the exploit, and might give up before they even start.”