Early in her career as a network administrator for an American firm, Diana Kelley was groped in a data centre.
“I was [kneeling] on the floor putting in some cables into a router or something … and he grabbed my rear end,” she said in an interview last week before speaking at the Canadian Women in Cybersecurity conference in Toronto.
She reported the incident immediately. “I was quite lucky because the company I worked for responded immediately. I was listened to, and action was taken.”
Kelley didn’t detail what disciplinary move happened, but did say, “I was very pleased.”
Incidents like that aren’t common, although Kelley said that last year at a U.S. conference for women in cybersecurity several attendees wept while telling a panel about their experiences. More common is the dismissive attitude women in technology face from men, who either don’t wait to hear the opinions of their female colleagues or don’t seriously consider them for promotion.
Kelley recalled giving a talk years back at a European conference on the new Payment Card Industry (PCI) security standard. “It was quite technical, and at the end, I asked if there were any questions and a gentleman stood up and said ‘Yeah, what is it like being a little girl in a man’s world?'”
Episodes like these are the reasons why many women are reluctant to enter the largely-male world of IT, particularly the dominantly-male field of cybersecurity.
Kelley admits her career path was for some untypical. During an editorial job at a college textbook publishing firm the company’s network manager — a woman who Kelley describes as a “strong, inspiring leader ” — heard Kelley talk to the sales force about how professors could make use of the software that accompanied the books and offered her a networking job.
That was 1990. After posts with firms including Symantec and IBM she’s now Microsoft’s cybersecurity field CTO, advising CIOs, CISOs and CTOs around the world about cybersecurity.
Women — and minorities — believe that one big way to change attitudes is to increase diversity in workplaces.
“The senior leadership team has to be vocal on the topic,” Joe LoBianco, CIBC’s vice-president of information security said at a conference session on C-suite challenges.
Yet Rhonda White, chief marketing officer at MobileIron, noted that while some $8 billion is spent globally on educating managers and the C-suite on diversity and equality issues “the results are dismal.” Not only is the IT profession overwhelmingly male, there’s still a shortage of infosec pros.
Vicky Laurens, managing director BMO Financial Group, put it down to “unconscious bias” in hiring and promotions. Not every job in cybersecurity must have a technical background (where men dominate), she added. To compensate her team goes out of the way to watch for that in job interviews. She figures 30 per cent don’t have tech backgrounds.
That led panel moderator Sajith Nair of PricewaterhouseCooper to urge the audience to be careful with job descriptions. Phrases like “rock star pen tester” or “guru APSEC person wanted” are “very male-oriented signals.”
Cybersecurity teams need skills like being able to talk to clients and write well, said Stephanie Copp, head of IT security consulting and testing at insurer Munich RE. What counts after a penetration test, she argued, is a report inspires a customer to fix the vulnerabilities. “When you look at what your team needs you’ll find they don’t all look like Python programmers,” said Copp, a former history major. “The tough things like knowing how to keep customers happy, how to prioritize (tasks) those are harder skills to find, and a lot of women have those skills. And if you bring them into your team you’ve going to round out what’s already a strong team into a superb team.”
Yet while panellists acknowledged Canadian leaders general are doing a good job — it is estimated that 65 per cent of the workforce is diverse — when the moderator asked when Canada will achieve gender parity in the workplace the answers were telling:
“A number of years from now,” said Copp. Twenty years, said Michael Webber, Canadian Tire’s senior vice-president for enterprise and cybersecurity. Ten to 15 years, said LoBianco.
However, Laurens said diversity is merely the first step. Having a seat at the table doesn’t mean you’re being heard, she said.
In the interview, Kelley was asked what she would advise women who want a career in cybersecurity. “Number one, lead by example,” she replied. “Get out there, that’s one of the reasons I speak, to let people know there are people in this field.
“Look for companies that are hiring diversely, that encourage diversity and inclusion, that have no tolerance for harassment. Make sure you’re looking for companies that understand and are working towards a more equitable team. And have a voice: If you do see something that’s not right, say it. I cannot say everything should be reported, because different people have different tolerance levels that they’re comfortable with. But every company needs a path for reporting, to be able to listen and take action if there are reports.”
The conference was organized by SiberX, a Toronto-based training and skills development platform.