Diversity at cybersecurity conferences is too important to ignore

Diversity at cybersecurity conferences became a hot topic in early 2018. Innovation Women founder Bobbie Carlton discusses why it takes more work to get women in security on stage.

In early 2018, the RSA Conference announced its keynote lineup of over 20 speakers. When only one of them was a woman -- activist Monica Lewinsky -- the security industry reacted. From outrage to alternative conferences, diversity at cybersecurity conferences has moved into the spotlight.

However, cybersecurity conferences are not the only offenders. Events across many industries have a disproportionate number of male speakers while women are often kept off stage.

Bobbie Carlton, the founder of Innovation Women, set out to change that. Carlton created a database for women who are interested in speaking at events to be able to connect with event managers.

This is part two of a two-part Q&A. In part one, Carlton discusses what Innovation Women does, why she started it and why it matters.

Editor's note: This interview has been edited for length and clarity.

What do you think the effect is of having more diverse speaking lineups? Does it affect the industry at large? Basically, why does representation matter?

Bobbie Carlton: Well, number one, more interesting events. The more diversity you get, the more interesting conversations you get; the more different, diverse points of view are on stage. That's number one. Give me better events any day.

Bobbie Carlton, founder of Innovation WomenBobbie Carlton

Number two, when women are speaking or more diverse speakers are represented on stage, they are representing to an audience that looks up at them and says 'I could do that.'

You can't be what you can't see is one way of phrasing it. But every time we get a woman on stage, she's able to make her business more successful or her career more successful, but she's also a success example for others. The more women we get on stage, the more women we will get on stage.

Some of the arguments I've heard for why the issues with diversity at cybersecurity conferences exist is that it is just reflective of the inequality in the industry, and that there aren't enough women in the security field with an interest in speaking. What are your thoughts?

Carlton: I've got a database of women that says otherwise. I've got 4,000 people on this platform, 1,000 of whom are speakers, and more women join us every day. So, I would beg to differ.

Every time we see these all-male panels, we get more complaints. And more of these complaints are from women who don't get the chance to speak. My feeling is pretty much that this is BS.

Some folks attribute the economics of getting speakers as part of the problem. Some say the pay-to-play model that RSA Conference, for instance, uses for its keynotes is not conducive to a diverse lineup. If companies have to pay large fees to have a speaker at a conference, they're going to use one of their top people without considering whether or not that person is a man. What do you think?

Carlton: Getting paid to speak or paying to speak is one of the most complex areas of conferences and events and the whole business that we're running here.

You have to understand as a conference organizer how conferences work economically and, most of the time, there is a certain percentage of the people on stage whose companies have paid to get them there. Does that really make for the best conference? It depends on what kind of conference you're running.

RSA Conference is really designed to sell more RSA products. The people who are in the audience are going to be buying cybersecurity products. The way that they've set up their conference, there's a good portion of the keynotes who are getting those keynotes because their company is sponsoring the event.

Every conference needs to take a close look at how they are bringing forth their speakers and their programs, but, at the same time, the companies that are sending people also need to take responsibility for this. They need to say 'I'm going to put more diversity on that stage myself.'

If you're saying to me the only way to represent your corporation is to put an older white man on stage, then maybe you should be looking internally first before you start talking externally.

We actually wrote an article at one point that was 'Dear Mr. Corporate Sponsor, here's some options for you. Number one, you don't have to put just one person on that stage, you can put two, for example.'

I think the corporate sponsors themselves have to take some responsibility for who they put up there. Some of them have to man up, so to speak. Or woman up, in this case, and say 'I will be the one that will drive forth a more diverse conversation by who I use to represent my corporation.'

If you're saying to me the only way to represent your corporation is to put an older white man on stage, then maybe you should be looking internally first before you start talking externally.

Do you think it's the responsibility of the event organizers to demand more diversity at cybersecurity conferences?

Carlton: Yeah, I think it's part of their responsibility to say 'this is something that's important to us, please consider. Here's a whole bunch of options.' Help educate your sponsors with what the options are.

In the case of the RSA Conference this year, its initial keynote lineup had one woman speaker, Monica Lewinsky, who is not a cybersecurity professional. And the updated keynote list wasn't much better.

Carlton: I'll bet you anything [Monica Lewinsky] did not pay for that opportunity, she was paid. And I'll bet you anything it was made initially to provide more diversity on stage.

The keynote lineup was eventually updated, but the speakers still weren't necessarily cybersecurity professionals. What do you think about how RSA Conference handled the situation and the general reaction to it?

Carlton: There's so many different perspectives on this. Number one, I think any time that any major corporation or major event puts forth an agenda, they need to look at it with an eye toward diversity. They need to look at it with a critical eye before they issue the first schedule.

Even if you've got a small number of speakers set down for your event, you need to look at it and say 'okay, first impressions matter. What we send out right now for the first thing promoting our event is going to set the stage for the future.' They need to start off looking at it before the complaints start. Make everybody's lives a lot easier, including theirs.

Number two, I think the addition of nonprofessionals ... I mean, I'm a marketing person, don't get me wrong. I probably have more experience in technology fields than other people, but I'm not going to be a person who goes out and talks about the ins and outs of cybersecurity. Then again, how many others on that stage were going to? Most were corporate leadership.

I think the 'these are not cybersecurity professionals' thing can be taken with a grain of salt. If they're working in the industry, they probably have a very good perspective on what's going on.

I always get nervous when people are saying 'that's not a technical person on stage.' Well, neither are some of the other people up there. If you're working in the industry, you're working in the industry.

Others have said that keynotes aren't going to be the most technical people anyway and you have to go to breakout sessions for those speakers.

Carlton: That's how I think about it. I do think they need to start off with diversity in mind and they need to apply and measure every step of the way.

I was the conference chair for Boston [TiE] StartupCon this year and it was a topic of conversation at every single meeting we had about the speakers. It just kept going. That was not a one-and-done type situation.

Do you think codes of conduct affect female speakers' decisions on whether or not to attend or speak at conferences?

Carlton: I think it's a clear-cut signal that diversity is important to a conference.

I've been to conferences and events where there is no code of conduct. [There were events] where one wasn't needed because everyone knew how to conduct themselves. But I've also been to other conferences where one was needed and one didn't exist.

I do think they're an important signal. South by Southwest put out something where no manels [all-male panels] will be considered and other conferences have done the same thing. It's a very important signal that diversity is important to the organization.

Dig Deeper on Security operations and management

Enterprise Desktop
Cloud Computing