Women in Cyber: Stories Uncut, Uncensored and Unbelievable
Eleanor Dallaway gets to the heart of the gender gap by telling the uncut, uncensored and unbelievable stories of five people in the cybersecurity industry
In the same way that Hugh Grant became synonymous with playing the bumbling, lovable leading man in a rom-com (that is, until The Undoing, what a series!), I have accumulated a reputation for writing about, talking about and being passionate about closing the gender gap in the cybersecurity industry. I’ve got a portfolio of work on this topic, so when cybersecurity membership body CREST asked me to write another whitepaper about gender diversity a year ago, it was the first time I hesitated.
Why was I reluctant? I didn’t believe enough had changed since the 2019 paper I wrote on the topic to produce a new, unique yet authentic whitepaper.
You can judge for yourself by perusing the data in the introduction. It’s about more than statistics, however. I haven’t witnessed a sea change in opinion, intent or action worthy of a rewrite. Has progress been made since the 2019 report? Absolutely. Has there been enough of an evolution that the challenges and actions outlined then are now entirely outdated? Absolutely not.
So, I ran a workshop on behalf of CREST to discuss the topic with a large group of their members. Whilst I did not hear tales of extreme evolution, I did hear fascinating stories of personal journeys. As various workshop attendees shared their own experiences, their struggles, their achievements and their hopes, it struck me that whilst the industry might not need an updated whitepaper on gender diversity right now, it does need to feel inspired, and it would absolutely benefit from feeling connected.
Women entering this industry need role models, community, career paths and solidarity. It is human nature to want to seek a sense of belonging. The diverse stories that belong to the women of our industry need to be told. Our present and future infosec professionals need to hear these stories.
These stories have the potential to evoke rage, disappointment, shock, hope, happiness and pride. Whichever of those emotions are brought to light, everyone can relate to or be moved by at least one of these stories. I hope the reader feels a sense of connection, unity, and inspiration.
I decided to protect the identity of the storytellers. In conversation with the interviewees, we agreed that anonymity is essential to allow for brutal honesty whilst safeguarding the privacy of the people and organisations mentioned.
Few things make me happier than being able to tell people’s stories. Giving these narratives the time and immortalisation they deserve by committing them to the page is an honour.
As context to the personal stories, it is important to analyse the most recent data. The (ISC)2 Cybersecurity Workforce Study 2022 observed that 18.6% (calculated as a mean) of the current workforce are women, but that breaks down to 30% of those under 30 and only 14% of those over 60. A similar trend was noted in the National Cyber Security Centre (NCSC) and KPMG Decrypting Diversity 2021 report.
The report discovered a higher weighting of females amongst younger age groups (18-24 and 25-34) compared to men, which suggests that a more significant proportion of women are at relatively early stages of their careers. This bodes well for a more balanced workforce in the future if this trend continues.
The rest of the NCSC report findings evoke less optimism. Amongst senior leadership roles, only one-third (34%) are filled by women compared to 66% by men, further illustrating the need for greater female representation. Lindy Cameron, CEO of NCSC, says: “We are still evidently a very male profession, with disproportionately male senior leadership. At the NCSC, we are committed to bringing more women into the profession.”
Whilst 37% of women experienced barriers to their careers, only 18% of men experienced the same thing. Over a fifth (22%) of the cybersecurity industry say they have experienced discrimination in the last year, up from one in six (16%) in 2020.
Decrypting Diversity 2021 found that women, participants from ethnic minority backgrounds, and those who are lesbian or gay all suffered much higher levels of discrimination.
Gender-based incidents against women continue to be one of the largest issues, with 19% of women experiencing a gender-based incident, up from 15% last year. This compares to just 1% of men. The only solace is evidence of greater reporting of discriminatory incidents, with the proportion of individuals who said they did not report an incident falling from 74% to 65%. However, with almost two-thirds of incidents going unreported, enormous gains are still needed.
As the stories you are about to read will attest to, attracting women is only part of the battle. It’s then up to the cybersecurity industry to create and maintain a safe, inclusive and supportive environment that makes women want to stay. To lose talent through lack of nurturing is undoubtedly the industry’s loss and an unforgivable mistake by an industry fighting a substantial skills gap.
CREST has kindly agreed to let me re-publish the following five stories on Assured Intelligence. The original white paper can be found here.
Without further ado, meet our five incredible interviewees:
Our established and highly-qualified information security professional tells a story of success despite adversity.
Her story (let’s call her EHQP) began studying computing on a course made up of less than 10% women. She credits her can-do attitude to her schooling, a science-heavy all-girls grammar school where you were taught you can do anything.
After graduation, an advertisement for a penetration role caught her attention, and she has never looked back, which may come as a surprise once you’ve heard her story in its entirety.
In her first role, EHQP joined an all-male company. “I was told I was hired because they needed a woman in the team. One co-owner said he was surprised I was doing a good job and ensured I knew that.” This was in 2004.
She recalls feeling “angry and really, really upset. Weirdly, I think it was meant to be a back-handed compliment.”
During her two-year tenure at this company, she often felt undermined and found it hard to reconcile after that offensive feedback. “I was 23 at the time and didn’t have the confidence to challenge it. I lacked the awareness, at that time, to explain to him what was wrong with that.”
Seventeen years into her career and down the line, EHQP says that she would not hesitate to call that behaviour out. “I’d claim ignorance and demand to know what he meant by that.” She counters this won’t be necessary “as nobody says anything so openly ignorant these days.”
Overt ignorance, she believes, has replaced unconscious bias. “Men refer to women as ‘girls’ rather than ‘women’. I can challenge that now that I’m in a position of power.”
Her next role landed her in her second all-male team. “I was referred to as ‘the girl’. There was no direct discrimination, but it was a hostile environment that was allowed to exist.”
EHQP recalls how her boss would banter with her male team but come and call her ‘sweetheart’.
“Horrible things happened and never got dealt with by HR.” She tells a story that is jaw-droppingly shocking and not for the faint-hearted. “I was once in a meeting with most of the consultancy team. I got up to get a cup of tea, and one of the senior guys in the room knelt by my chair and sniffed it.”
“Nobody said anything.” Humiliated and embarrassed, in a junior role at 24 years old, EHQP questioned whether, if everyone else was OK with it, she was the odd one out. In hindsight, of course, she knows “it was disgusting. Knowing what I know now, I’d lay into him and humiliate him. I’d go to HR and make a complaint. At the time, I just didn’t want to make waves or stand out as I was already in the outside group [as a woman].”
Again, EHQP points to the difference in society between then and now. “Behaviour like that was allowed then, but not now.”
To increase her power and thus value to an employer, EHQP pursued an impressive array of qualifications. “Companies have a financial imperative not to lose highly-qualified people. By grabbing many badges, I proved myself and gave myself a lot of power. I made myself employable and hard to get rid of.” As a result, EHQP is one of, if not the most, qualified experts in her field.
“The need to grab all of those letters, badges and qualifications was more to do with proving myself to our clients. They would assume I was the least qualified member of the team when I was actually the most. I got the qualifications on paper to introduce myself to shortcut that assumption.”
EHQP recalls when she was promoted to manage a team, and one of the men in her team moved to London to avoid reporting to a woman. “He was open about that,” she says.
She contends that networking can also be difficult for a woman in the industry. “The reality of structural bias in a society where women take on more responsibility, such as childcare, means that networking events that mostly happen after work, in person, at a venue where alcohol is consumed, means women are less likely to be in the room.
“Those networking spaces are fairly exclusive to men. Women are welcome…if they can get there. There’s a reason many women choose to avoid these environments; I don’t know a woman who hasn’t, at some point, been sexually assaulted or harassed in a place where alcohol is consumed.”
Despite the aforementioned events, EHQP considers most of her industry experiences positive. “I really love what I do; I’ve worked with some really supportive teams who have pushed me forward and not let me hide behind my imposter syndrome.”
“Early in my career, I’d get talked over or not given a chance to talk, so I learned to make myself heard. I’m more outspoken and ‘aggressive’ than I would be if I didn’t work in a male industry.”
Generally, EHQP concludes that her career has not suffered at the mercy of her gender. On the contrary, she has received many promotions, her male business partners are “great to work with”, and she considers “my positive experiences have been marred only by little stains.” Hers is an inspiring story of achievement, with resilience and determination at its core.
Our n00bie (we’ll refer to her as NB) tells a story of setbacks, discrimination and resilience.
Deciding to study information security at university was somewhat of a curveball with A-levels in triple science and dreams of being a physicist, but NB explains, “it seemed like the most interesting thing to study at the time.”
NB was one of two girls on the Bachelor’s Degree course of 20 students, “but the other girl dropped out after the first year.”
Her first role out of university was in an information security company where she worked in a small team of four. “Someone was making sexual jokes at my expense, but I was naïve, and someone working there had to point out that it was inappropriate.” She recalls her manager being largely oblivious. “It was a start-up, and I was taken off development and put onto marketing, which made me really uncomfortable too. I have autistic traits, so sometimes, I have to be told what is socially right and socially wrong. Perhaps that’s why the inappropriate sexual jokes didn’t resonate with me at first.”
Her second role was at an information security awareness company. “I was hired as a content writer and trainee software engineer, but I felt like I was hired as a token female, and I still do. They have since said they were naïve to have hired me.” NB describes the corporate culture as “weird” and recalls how the young team would socialise, go clubbing, and sleep at their manager’s house. “I was the only girl, so it was weird. There was nothing creepy about it, but it wasn’t a professional or suitable work environment,” she concludes with hindsight. “They’d egg me on to drink more even though I told them I was a lightweight.”
After reporting that a senior staff member had commented that he’d “do her” to a manager, NB was told to keep quiet. Her tenure ended rather traumatically as NB was backed into a corner and told to hand in her notice through a ‘constructive dismissal’. These events led to her seeking counselling.
Her third role at an information security vendor almost led to her turning her back on the industry for good. She was warned against working for this company due to its bad reputation for people management and culture, “but I was desperate.” After just six weeks in the role, she was fired on the spot. “The day before, I was in the hospital with a severe panic attack after being forced to work 12-hour shifts.” With legal support, NB planned to take the company to court for the dismissal, “but the vendor made up some awful stuff about me, claimed I’d breached confidentiality, which I hadn’t. I thought the situation would stop me from ever getting a job in the future.” NB confesses that this dark time left her feeling like her life was over.
Instead of giving up, NB decided to go back to university – “a factory reset for my life” – and study for a Master’s degree in software engineering. She recalls that around 20% of students were female on this course. She admits that her decision to pursue further education was partly because “it’s more difficult for women to vouch for their skills without formal education to prove it.”
Her next role, a part-time security engineer in a cybersecurity company, restored her faith in the industry. It was an internship, “I was supposed to stay on after, but due to COVID, they couldn’t honour that promise.” She describes her managers in that role as “amazing. It was a small team, there was one other girl there, and we were all treated the same. She was respected by the company and held a senior role in the development team.” It was a nice environment, and NB fully credits this internship for “saving my opinion of the industry and pulling me back in. I’m glad that happened; I love the Respect in Security initiative. People are making a difference.”
In her current role in the software engineering world, NB admits she is still learning to navigate social situations. “People breach the Equality Act, and I have to know when to report it to HR and when to accept it as human error.” She finds her relationship with the company’s Wellbeing Officer helpful in making those decisions. “But I’m happy to be in the software engineering world instead of information security. There’s less gatekeeping, people are less pretentious about certification, and it’s just about whether you can write code, and I like that.”
On the verge of re-entering the software engineering world in the public sector with a job she could once only have dreamed of, she has big ambitions. “Eventually, I’d like to do some guest lecturing, get a PhD and pursue an astronomy course.
“I can be boisterous and push for what I want. I do have that kind of personality, which does cause problems – I get my point across, but I just get called bossy.” Some of the world may call it bossy, but really, it’s ambition and determination. We must thank our lucky stars that this ambitious, determined n00bie wasn’t driven away from the industry she serves so well by those who mistreated her.
Our career converter (we’ll call her CC) tells a story of an almost reluctant journey into the information security industry. With a degree in Theology and English and a catalogue of miscellaneous jobs – including a car salesperson and advertising sales – in her back pocket, had you told her that twenty-five years later, she would be a co-owner of an information security vendor with a vast amount of experience and credibility, she’d likely have not believed you.
Her first foray into technical work was SEO, and her first tech job was selling education and remote control desktop software. Though her domain was sales, she recalls her curiosity about the technology and spent much time talking to the people she was selling to. “My tech knowledge grew very rapidly.” CC describes herself as a ‘continual improvement person’, which she considers all successful people to be.
Whatever role CC had, she was dedicated to gaining as much knowledge and understanding as possible to do the best job. “When selling UNIX systems, I made it my responsibility to understand the technology around it. I even helped redesign some of the core features.” However, there was a need for that additional knowledge beyond her ‘continual improvement’ nature. “The industry was incredibly biased; as a woman, you automatically didn’t have credibility. That’s why I needed that technical knowledge to prove myself.” It was a grave realisation and one that sadly is all too familiar.
“I recall condescending conversations, women expected and accepted only in marketing tech roles, women on stands at trade shows as decoration.” She refers to the 1990s and early 2000s, “there were very few front-facing, visible women in technical roles.”
Although CC said it was easy enough to get into tech sales, crossing into a technical role was not as straightforward. “There was no cross-over or defined career path for carving a technical role without a technical background,” she recalls. With that realisation, she left the industry to pursue a career in jewellery. “I had no intention of returning to the tech industry,” she admits.
In 2011, she re-entered the industry “temporarily”; at least, that was her plan. “It was not my intention to come back,” she admits. “My friends had founded an information security company, and I’d learned how to run a business. I came in to help them run the business – ‘plan on the back of a napkin in Pizza Hut’ style,” she recalls fondly. “I helped to map out their growth. One of my strengths is having the ability to absorb that type of information, database it and learn from it.”
CC was asked not once, not twice, but three times to join that business permanently. Finally, on the third time, she relented, and 11 years later, she is happily still there. “As is my way, I had to become notorious along the way,” she laughs.
What was the reason for that initial reluctance? It goes back to that experience of a biased workforce and an environment that accepted women only in specific roles. By 2011, CC found that attitudes in the industry had largely changed. “There were still jerks who would be deliberately over-complex when talking to you…they’d use as many jargonistic words as they could as a test. They would be jerks on purpose because you were a woman.” At that point, CC reflects, “I was too vulnerable to say anything. That’s something that still happens.”
CC believes that today, women (and other minorities in the industry) are still fighting for more credibility. “Why do they feel like that? Because they’re being made to feel like that because of how they are treated.”
There are more opportunities for women than ever before, including scholarships, women’s awards and networking events, acknowledges CC. “Yet, I still get invited to events about the future of cybersecurity with an all-male panel. What a diversity fail! They can’t be bothered to get a female speaker when advertising the future of cybersecurity. Representation should be more akin to society,” she argues.
CC believes that part of the solution lies with male allies. “Men, if you say you’re an ally, stand up and say something.” She refers to Rik Ferguson’s pledge to refuse to sit on any panel that does not include a woman. “There aren’t enough Rik Fergusons,” she says.
It is frightening that with a career as successful as hers, a brain as powerful, and accomplishments as jaw-droppingly impressive, CC was often subject to the “jerks” that tried to make her feel inadequate simply because of her gender. “The toxic behaviour in the industry is driving people away. The industry needs to work harder,” she concludes.
Our information security student (ISS) tells a story inescapably bleak. She begins the interview with a heart-breaking confession: “I’m currently grappling with giving up on information security and moving onto something bigger and better.”
There is a lot to unpack with this story. ISS is an information security undergraduate, having previously flirted with a career in engineering. Unfortunately, overt sexism and relentless and unwanted teasing from male colleagues tainted her experience in that industry. “Customers wouldn’t hesitate to tell me they did not want a girl working on their project.” The sexism was worse from the older generation, she adds, but the memories, understandably, still sting. “After that, I felt like I could go into anything, and it wouldn’t bother me.”
Studying information security in a class made up of around 20% female students, ISS feels passionately about the discipline and the industry. “However, even at university, I feel like my work is scrutinised differently by my fellow students because I’m a woman.”
In conjunction with her studies, ISS was working for an information security company to gain work experience in the industry. Sadly, the experience was contaminated by the poor mentorship and career advice she received while there. “Despite the fact that I clearly showed as much, if not more, potential than anyone else in the team, I was consistently advised about moving into a different discipline, a less technical one.” This ‘advice’ was given, she believes, purely because of her gender.
“I just picked up on women being scrutinised in a different way to men. We have to achieve more to be perceived as achieving the same.” It’s no wonder that this realisation has made her reconsider her career path.
She was also uncomfortable with some of the conversations on the team chats. “There was a time when it reduced me to tears,” she recalls. “When I confided in a colleague, I was advised not to report it outside our immediate team. I was told, ‘chill out, it’s no big deal, this is just what he’s like, and he says stuff like this all the time. It’s not personal.’” Sadly, it’s not the first or last time this tale will be told.
“It was a strange culture. Standing up and speaking your mind, as a woman, is perceived as being problematic.” She adds that being right and calling out problems was labelled as argumentative.
This story highlights the importance of management leading the way regarding a top-down culture of diversity, equality and respect. Employees should feel empowered to report or call out any uncomfortable or wrong behaviours with confidence that the complaint will be handled appropriately and respectfully.
ISS is battling the juxtaposition of a discipline and industry that she is excited and passionate about with an industry culture that makes her want to run away.
This again raises the very valid issue of retention beyond acquisition. Attracting women into the industry is only part of the battle. It is equally important to retain them. In this story, ISS is attracted to information security; she is technical, passionate about the mission and ready to pursue a career in this industry, crying out for talent and diversity. Yet, she is feeling resistance from the very people and industry that should welcome her with wide arms.
“I’m at a crossroads, I don’t want my degree to have been a wasted mission, but at the same time, I don’t want a repeat of the experience I had in my first industry.”
This story is evidence that it is actually the industry at a crossroads. With a skills gap of 2.7 million according to (ISC)2, those metaphorical arms need to be wide open. Otherwise, we will mournfully watch the back of talent like ISS as it walks away in self-defence.
While this paper aims to explore and celebrate female stories, it is essential to invite a male perspective. The role of the male ally was raised several times in the CREST workshop and the stories unveiled for this paper. The decision to protect the identities of the women interviewed for this paper was taken to enable them to speak freely and protect the identities of people or companies referenced in their stories.
Our male voice, however, belongs to Rik Ferguson, VP security intel for Forescout and outspoken ally of women in information security. Rik is also a co-founder of Respect in Security. With specific details in the interview that make him identifiable, hiding his identity for consistency would be a fruitless endeavour.
Rik put a stake in the ground signalling his dedication to inclusivity and gender diversity in 2017 when he tweeted: “Public note: If you ask me to sit on any public panel, I will decline if there are no women on the panel. I can’t do much but I can do this.”
The tweet was widely acclaimed. “That tweet put me out there as someone prepared to take a stand. People noticed it, appreciated it, and after that first step, I was able to stand up again and again.” Rik is humble about the gesture. “What I’ve done isn’t magic or brave; it’s super low-effort – if anything, it’s just turning down commitments. I am not standing in the line of fire,” he says. Yet it’s these small individual actions that will end up changing the industry. “If my tweet encourages someone else to take the same stand, that’s brilliant.”
Other men, according to Rik, have made similar pledges, although he concedes that his profile means his action is more visible. “The response has been overwhelmingly positive. One or two commented that it’s positive discrimination, but if you need to change things, you need to change things, whatever it takes.” And need to change things we do.
Event organisers know they will be held accountable for not having diversity at an event. “Sometimes they try their best but still can’t fill those holes,” laments Rik. “I understand why women may feel like a speaking invitation [may represent] a tick in the diversity box, which is demeaning, insulting, and I would feel the same way. However, if we want to solve this issue, we have to be proactive about it – and that means positively discriminating.”
Rik once produced an all-non-male season on his interview series, Talking Security. “It was a conscious choice to be non-male and not all white. I had to go and search for the right experts, but they had to be experts – primarily, it was about having a great conversation.” Whilst the initial qualifying factor for Rik’s speaker acquisition was “not a white man”, there were plenty of factors beyond that regarding expertise. “It’s fine if the primary filter is ‘non-white man’ because that’s the only way to get diversity. We cannot change the ecosystem overnight. Each person has to take action.”
Rik recalls a time earlier in his career when he didn’t have the same commitment to making a stand as he does now. “I laughed along too many times with cringe banter and jokes. The easiest thing to do is laugh along, although internally cringing.” He recalls that he would revise his opinions on those making the inappropriate jokes but admits, “that didn’t change anything.” It takes tremendous courage to be outspoken in those situations, and Rik’s fear of being disliked or ejected for challenging the ‘banter’ created a barrier to speaking out.
“I recall an office environment earlier in my career when one woman was fed up with the ‘banter’. She asked for it to change. The manager called a meeting for everyone except the woman that complained, and she became the problem. The manager’s solution was ‘just don’t say it in front of her’. People see the complainer as the problem, not the behaviour,” says Rik. The reluctance to be seen as ‘the problem’ often prevents women from speaking out. This may also go some way to explaining the lack of incident reporting mentioned in the introduction.
The tipping point for Rik was a MANEL (all-male panel) he sat on, with Wendy Nather as moderator. After this event, he resolved to take a stance. “A journalist covered the panel and omitted Wendy from the story.” For Rik, this represented a systemic elevation of men at the expense of women in the industry. “I decided off the back of that to never sit on a panel of all men again.”
Inaction, explains Rik, makes you partially responsible for the gender imbalance in this industry. “It’s about taking responsibility for your role in creating change.”
Next, Rik points to recognising the role women are playing and celebrating their achievements. “I’ve had a lot of positive female role models; I’ve reported to more women than men. It’s important to show appreciation for the role they play. So comment on their accomplishments, congratulate them, say something!” Whatever positive action can be taken, take it, says Rik, “because just thinking the right thing will not change anything.”
“Make a difference because as much as you can do is enough. Just thinking the right things is not enough,” he concludes.
First and foremost, I sincerely hope that you found something that lit a spark in one or all of these stories, whether that spark took the form of admiration, determination, inspiration or even a sense of camaraderie or belonging.
At the CREST gender diversity workshop I ran, we invited attendees to share thoughts on creating inclusive environments. This is a selection of the ideas, advice and asks made by those present:
It was my absolute honour to hear the stories told in this paper first-hand. It reminded me of the importance of retention regarding the diverse professionals and talent our industry desperately needs.
These stories have brought to life the frankly shameful practices and cultures that are apparent in some pockets of this industry. Many will have experienced careers blissfully unaffected by discrimination.
Don’t let the strength, determination and aptitude of these women cover up the mistreatment and sexism that has tainted their experiences. Their ability to overcome those experiences says more about them than it does the individuals or organisations concerned.
Storytelling is our obligation to the next generation. My hope is that these stories inspire each and every reader and serve as a reminder that as individuals, small acts of taking a stand may seem insignificant, but when multiplied by the masses, those small acts can, and will, make a huge difference.
Assured Intelligence would like to thank CREST for allowing us to refresh and republish this body of work, originally written for CREST by Eleanor Dallaway.