SAN FRANCISCO — Kerry Matre is one of the few women who have risen to senior positions in IT security.
As a senior security product marketing manager for Hewlett-Packard Enterprises, she helps build security operations centres for customers. But she admits she’s come close to quitting.
Not from the stress of the work, but from boorish men in the industry, usually at trade shows. “People have a couple of drinks and then decide its OK to speak whatever’s on their mind,” she said in an interview. “Things that begin with ‘I shouldn’t say this in front of girls, but Kerry’s one of the guys.’
“If you start out with a statement like that you shouldn’t be saying it.”
Matre was one of five women who hold IT security-related jobs speaking Monday at the RSA 2016 conference on the trials and joys of being a female in the industry, and how to increase their numbers.
The numbers aren’t pretty. According to research sponsored in part by the International Information Systems Security Certification Consortium (ISC2), which specializes in information security education and certifications, in 2014 women counted for 10 per cent of the global IT security workforce, a percentage unchanged in the previous two years.
There is good news: Within the infosec sector, women hold about 20 per cent of governance, risk and compliance-related positions. Organizations increasingly see the value of risk management, so for women in GRC jobs the future is brighter.
But it also means women are – still – very underrepresented in network and operational security jobs.
Panelists said the obstacles they faced weren’t necessarily from colleagues. Gurdeep Kaur came from a family in India whose attitude was she could study all she wanted but she was still a girl. “I’m going to show you what a girl can do,” she decided. She’s now chief security architect of international insurer AIG.
But there were other incidents. Ping Look, director of information security at Optiv Inc. but formerly an events manager at conference producer Black Hat, recalled one show where a vendor at the trade show attracted attendees with a semi-dressed woman lying on a table covered in shushi.
She spoke to the company to remind them it was a technology event, even though overwhelming attended by men. Did the company want people to come to booth for the woman or to discuss their product, she asked. Separately, Black Hat created a trade show code of conduct.
That was one of the themes panelists and women in the audience mentioned: The need for women – and men — to speak out, to not keep quiet in the face of bad behavior.
Angela Messier, an executive vice-president with cyber security experience at consulting firm Booze Allen Hamilton also emphasized the need to remind companies that diversity among staff is good for business.
You can’t solve problems around cyber unless there’s a diverse team, she said. Teams need people with good technical skills, but also people who are curious and who know how to work together. Women have to push themselves, she added.
But Matre said they also have to fight. Men sometimes tell her they’d like to hire more women but few applied for a job. “Baloney,” she said. If you’re not getting the resumes there’s something wrong with the job posting.
In an interview panel moderator Elise Yacobellis, ISC2’s director of business development for Americas, said she’s optimistic about the future of women in IT. The data in the study is a lagging indicator of what’s happening now, she explained . “There’s a lot of work that has to be done, but I am optimistic that more and more women will join this field, especially as we move it from a deep technology discussion to more of a business risk, and working across all of business. Security is something that everyone has to be accountable for in all parts of business and I think that women have great communications skills to get that out there.”
Kerry Matre isn’t so sure. Generally the industry is great, she said. “There’s a couple of bad seeds, which there will be in any industry. Throw in some alcohol and inappropriate behaviour comes out. I don’t think it’s indicative of the industry, or most men in the industry. It’s just a couple, but it’s enough that it negatively affects the women in the industry. And when stuff like that happens and another male who sees it doesn’t call it out, that’s when you feel very secluded and alone.”
But she said she’s neutral on the future of women in infosec based upon history. In the 1980s the number of women in IT increased and we thought things were getting better she said. “But as we’ve seen that’s not the case.”