5/16/2018
10:30 AM
John De Santis
Commentary

Want Your Daughter to Succeed in Cyber? Call Her John

It's time to "do the right thing" when it comes to gender in the hiring and promotion of women in cybersecurity. Four women (and a man named John) offer practical solutions for shifting the balance.

Note to parents everywhere: If you want your daughter to rise to the top echelons of power in politics, business, entertainment, or cybersecurity, name her after me — John.

Or possibly James or Michael. That's one (tongue-in-cheek) takeaway from a recent New York Times piece that found women in top jobs are so scarce as to be outnumbered by men named John, or other common names.

There are fewer women among Republican senators than there are men named John. There are fewer women among Fortune 500 CEOs than there are men named James. And there were fewer women among directors of top-grossing movies last year than there are men named James and Michael, according to the Times. You get the point: Women are woefully underrepresented in the halls of American power. The world of cybersecurity is no exception; women represent just 11% of cybersecurity professionals worldwide, according to a report from Forrester Research, with even fewer in leadership roles.

This gender disparity is hardly news, but the pace of change has been glacial, with only pockets of significant progress. I recently had the opportunity to speak with a number of women in leadership roles in cybersecurity. I'm writing this column because I believe their observations and ideas around this issue deserve broad notice. Full disclosure: I am named John and I'm not a woman. So, you may ask, what qualifies me to opine on this topic? Truthfully, nothing. However, as the CEO of an innovative technology company, I am passionate about mining every possible source of talent, whether it be technical, managerial, or leadership/executive. What follows is a roundup of practical solutions for increasing the proportion of women in cybersecurity positions.

Set Concrete Goals
Tammy Moskites is managing director and senior security executive with Accenture, which has more than 150,000 female employees, accounting for nearly 40% of its global workforce. According to Moskites, establishing concrete goals set at the highest levels of the company is key to achieving these impressive numbers. It's also key to creating a pathway to arrive at full gender equality — an objective the company plans to reach by 2025. The consulting firm also plans to have 25% of its managing director positions filled by women. The progress and forward momentum the firm has attained come from visualizing progress and being specific about goals, Moskites says. Accenture is proof positive that goals can become reality and that change is possible.

Keep It Fun
Monica Pal, chief executive officer of 4iQ, sees the gender gap as having far-reaching implications. "To protect people and defend democracy in the 21st century, we need to attract more girls into cybersecurity and keep more women engaged once they start by taking a comprehensive approach," she says. But just getting girls interested in coding or providing mentors for women in cybersecurity is not enough. Pal says we need to get more girls started on the journey and provide support for them every step of the way — and it has to be fun. "If it is not fun, girls will lose interest, and women will find environments that are more welcoming," she says, noting that "a few strong souls will have the motivation and courage to stay on the path, but we need many more women on this journey to secure our future."

Speak Up
Hannah Clifford, vice president of corporate development for Nehemiah Security, stresses the importance of speaking up — even if your viewpoint puts you in the minority. That's how she got into the cybersecurity industry. At the time, she was studying for her MBA at the Fuqua School of Business in Durham, North Carolina. "I had a different opinion on a case study than my adjunct professor, who was a venture capitalist," Clifford recalls. "He hired me after graduation for articulating a differing perspective on the case study versus the rest of the class, then asked me to help turn around a struggling portfolio company in the same industry." Based in Tysons, Virginia, Nehemiah Security has three senior executives who are women. "As a high-growth company, we look to broaden the tent to hire the best people we can in the cyber industry," she says.

Take the Plunge
Hemma Prafullchandra, HyTrust's chief technology officer and executive vice president of products, has already achieved an accomplished career. She urges women to seek out technology positions and "take the plunge; you are more capable than you allow yourself to believe." Prafullchandra says change needs to begin with each individual, and that lack of experience is not an automatic disqualification from advancing. Opportunities present themselves often, and you may well find yourself at a fork in the road that leads to potential advancement. "Don't just look to your current capabilities and experiences," she offers. "Recognize the new things you have learned and know that you can keep on learning. You will have the ability to fulfill a new role when the opportunity presents itself."

Prafullchandra also underscores the importance of finding and developing sponsors for your advancement: "There are many who can fill the role of a mentor, and you may [want to] strategize different topics with different people [who] can provide meaningful and trusted advice. However, a sponsor lends their credibility and stakes their own reputation for you when they introduce, recommend, and support you for a project, role, or some other form of advancement in your career. [So], of course, you must earn that privilege through building your own reputation and network."

In sum, gender equality in cybersecurity is within our reach. We need to commit to goals and offer the support, mentoring, and coaching to make it happen. In recent months, I have written articles here on "automating ethics" and "doing the right thing" when it comes to either the operation or enforcement of security controls needed to run an IT infrastructure. It's also time to "do the right thing" when it comes to gender in the hiring, promotion, and sponsorship of women in technology and cybersecurity in particular. I am on a mission to effect that change — in spite of my gender and name advantage.

John De Santis has operated at the bleeding edge of innovation and business transformation for over 30 years -- with international and US-based experience at venture-backed technology start-ups as well as large global public companies. Today, he leads HyTrust, whose ...
Comments
gmax28,
User Rank: Apprentice
5/16/2018 | 12:31:39 PM
A problem where there isn't one
I've been in IT for over 20 years now. Not once have I seen a time where a woman was restricted, disregarded, or prevented in any way from an IT job, much less Infosec. The FACT is that men and women LIKE DIFFERENT THINGS. Where is the concern that 80% of teachers are women? I don't see articles on "How Do We Get More Men into Education." This is just another liberal cause and this guy is falling right in line with it. The reason there aren't more women in IT: BECAUSE THEY DON'T WANT TO. Problem solved! And it didn't take a CEO to solve it... as usual.
Kelly Jackson Higgins,
User Rank: Strategist
5/17/2018 | 8:49:35 AM
Re: A problem where there isn't one
I have to strongly and respectfully disagree with you, @gmax28. First off, your presumption that men and women "like different things" literally echoes the underlying societal problem here. That's a fallacy that has been propagated by generations of outdated mindsets about women's "roles" in the workforce. You probably haven't seen a woman "restricted, disregarded or prevented" in or from an IT or infosec job because you are a man who hasn't experienced the same hurdles and pay gap issues. Dismissing the gender and diversity issue as a nonissue is a systemic problem and is one of the reasons why we are still grappling with a gender and diversity gap in security. The goal is to give everyone a fair shake to contribute to this massive and critical industry that can't keep up with the demand for people to fill its jobs.
cengel3,
User Rank: Apprentice
5/17/2018 | 2:40:47 PM
Re: A problem where there isn't one
Same experience from my perspective with nearly 30 years in IT. It's been a few years since the last time I hired a direct report; however, when I did, only about 10 percent of the resumes I got for the position were female. We did a basic skills competency test for all applicants that looked reasonably qualified and of the few women who came in to do the test, not one scored a passing grade. The male applicants didn't do all that stellar either, but at least a few passed.

The test was pretty basic, there was nothing "gender biased" about it.... either an applicant knows what the difference between RAID1 and RAID5 is or they don't.

The simple solution, if you want more females working in IT, have more qualified females apply for jobs in IT.

 

 
JasonTLouis,
User Rank: Apprentice
5/18/2018 | 5:56:47 PM
Re: A problem where there isn't one
So, all men and women like the exact same things? When I hear someone say men and women like different things, it isn't an all or nothing issue. It's an "in general" type of situation. You could say more women prefer to go into the social work field because that field tends to be dominated by women. Same thing with nursing or teaching to some extent.

Most people can look at these surveys and agree that the ratio of men to women in the tech field is nowhere near even. I don't think we will EVER achieve that. I'm all about merit. I don't really care who you are, if you're good at what you do, that's all that matters to me.

The gender pay gap is an interesting issue. When we look at these studies, it takes everyone and then averages it out. It also looks at maternity leave, taking more part time jobs, etc, to raise a family. It's being blatantly disingenuous to not mention that when it comes to the pay gap. All these surveys take that into account as to why many women are paid less than men in the same career field. Now, I'm not saying there could be cases where women are just paid less, but the majority of these surveys look at everything with regards to pay, including time you take off. Most men do not take any kind of maternity leave. You also have many women not taking more stressful or demanding jobs because of family related things. This obviously doesn't apply to all but whenever you read an article about the pay gap, they NEVER include how they came to those conclusions and what variables are included. You have to look at the methodology to figure out how they came to those conclusions. Just looking at a graph that says women are paid less is fooling yourself if all these companies are illegally paying people less because of their gender. Remember, there are federal and state laws against that kind of behavior.

At the end of the day, more men than women enroll in tech oriented programs. More men than women are looking for tech related jobs. More men than women are wanting to get into the tech field. Security included. That probably won't change anytime soon. What needs to change is starting at the family/education level and removing all stigmas around women in tech or "encouraging" someone to not get into that field due to their gender. They need to realize it doesn't matter, just be good at what you do and you will succeed.
Surfer808,
User Rank: Apprentice
5/18/2018 | 8:01:39 PM
Re: A problem where there isn't one
I agree 100% that if a man or woman does not have the minimum technical skills to perform an IT security job AND they are not trainable under your coaching/teaching/mentoring, then you are setting him/her up for ultimate failure in the position.


That being said, good security talent is challenging to find. It is incumbent upon good leaders and good companies to seek out a broad, diverse & highly qualified pool of applicants. Most innovative security companies I know are reaching early into academia to seek out the best & brightest, they look to social media to find who is an expert in the area they're pursuing. With this, you get a diversity of opinion on how to address problems and find solutions to propel your organization forward. Without it, you will be stuck in group think and continue to plow down the same rut in your journey.

BTW, RAID is high-reliability storage that divides and replicates data amongst drives in a group. For brevity, RAID1 is primarily used for heavy processing requirements while RAID5 is more used for transactional applications. RAID was introduced in the 1980's when I was in elementary school. Personally, I am more a supporter of the emerging technology like FEC which does away with the arcane issues with RAID storage. Now that's a useful debate.
JohnDeSantis,
User Rank: Author
5/19/2018 | 1:13:18 PM
Re: A problem where there isn't one
"If more men/women applied for these jobs then there wouldn't be a problem" is a very tired argument that has been used to justify racial, gender, foreign origin and religious imbalances for years. I believe we instinctively tend to follow our embedded tribal/family traditions and learnings to follow careers and callings that feel comfortable to us and to go to places where we feel we belong. Maybe it's a survival thing. When one of my children went to college, one of the most interesting bits of advice he got for picking a major was this: look left, look right, are these the people you want to spend the rest of your life working with? In other words, do you feel you belong in this field? The point of the writing was to make more talented women feel that they could belong - and even thrive - if they were moved and/or attracted to the space, and that there were role models, mentors and sponsors that would help them find a path there. In spite of any tribal, family upbringing biases, or education choices made in the past, they could take a leap and belong to this new and exciting field full of opportunity and exciting prospects.
frk055,
User Rank: Apprentice
5/21/2018 | 12:37:07 PM
Changing perceptions and realities in cyber security
 

Rob Clyde with ISACA recently noted their research on the topic: https://www.linkedin.com/pulse/isaca-data-diversity-issues-rob-clyde/

"An overall 31-point gap was found when it came to male and female perceptions of career advancement opportunities for women, compared to a 10-point gap for those with diversity programs in place within their organization"

If there continues to be a perception that women do not have the same advancement opportunities as men in IT and cyber security, fewer are likely to choose to pursue it as a career path. ISACA research data indicates that programs may help or at least change perceptions about advancement opportunities. Programs are a start, but I do not think that they alone can drive the shift that is needed. The points raised about merit and hiring the best candidate are solid ones, yet there's a need for cyber security leaders to take action to address both the perceptions and realities of the issue so that we have a larger talent pool of both women and men to fill the need for cyber security professionals.

Full report from ISACA at: https://cybersecurity.isaca.org/state-of-cybersecurity

 